How do I handle SOC 2 evidence for Terraform or infrastructure-as-code?

March 6, 2026 | 2 min read | SOC 2 for Specific Tech Stacks

Why IaC Is Great for SOC 2

Terraform and other IaC tools create a natural audit trail. Every infrastructure change is:

  • Written as code (reviewable)
  • Committed through a PR (approved)
  • Applied through a pipeline (controlled)
  • Stored in version history (traceable)

This is stronger evidence than manual console changes, which leave only CloudTrail logs.

Evidence to Provide

Evidence Type                | What to Capture
Terraform code repository    | GitHub repo showing .tf files with version history
PR reviews for infra changes | Sample PRs showing review and approval of .tf changes
Plan/apply pipeline          | CI/CD workflow that runs terraform plan on PR and terraform apply on merge
State management             | Backend configuration (S3 + DynamoDB lock, Terraform Cloud)
Access controls              | Who can run terraform apply in production
Drift detection              | How you detect manual changes outside Terraform

Mapping IaC to SOC 2 Controls

SOC 2 Control               | IaC Evidence
CC8.1 (Change management)   | PR-based workflow for all .tf changes
CC6.1 (Access controls)     | IAM policies defined in code, reviewable
CC7.2 (Monitoring)          | CloudWatch alarms defined in Terraform
CC6.7 (Data protection)     | Encryption settings defined in code

Best Practices

  1. Never apply directly. Use a CI/CD pipeline for terraform apply — this ensures every change is logged and traceable.
  2. Require PR reviews. Treat Terraform PRs like application code PRs — same branch protection, same review requirements.
  3. Lock state. Use a remote backend with state locking to prevent concurrent modifications.
  4. Detect drift. Run periodic terraform plan to find manual changes made outside IaC. Document and remediate drift.
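The drift check in step 4 produces better audit evidence when its result is captured as a structured record rather than a pipeline log. The script below is an added example (not from the original page or Screenata): it runs `terraform plan -detailed-exitcode`, reads the plan with `terraform show -json`, and turns the `resource_drift` (changes found during refresh) and non-no-op `resource_changes` sections into an evidence record. It assumes Terraform 1.x, whose plan JSON includes `resource_drift`; the embedded sample plan is constructed so the script also runs offline.

```python
"""Drift-detection evidence: summarize `terraform show -json <planfile>` output."""
import json
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of `terraform show -json` output; not from real infrastructure.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_drift": [  # differences between recorded state and the live resource
        {"address": "aws_s3_bucket_public_access_block.logs",
         "change": {"actions": ["update"],
                    "before": {"block_public_acls": True},
                    "after": {"block_public_acls": False}}}],
    "resource_changes": [  # what apply would do to reconcile config and state
        {"address": "aws_s3_bucket_public_access_block.logs",
         "change": {"actions": ["update"]}},
        {"address": "aws_cloudwatch_log_group.app",
         "change": {"actions": ["no-op"]}}],
}

def changed_fields(change):
    """Attribute names whose value differs between before and after."""
    before, after = change.get("before") or {}, change.get("after") or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))

def summarize_drift(plan):
    """Build an evidence record: out-of-band changes plus the plan's remediation."""
    drift = [{"address": r["address"], "fields": changed_fields(r["change"])}
             for r in plan.get("resource_drift", [])]
    fixes = [{"address": r["address"], "actions": r["change"]["actions"]}
             for r in plan.get("resource_changes", [])
             if r["change"]["actions"] != ["no-op"]]
    return {"checked_at": datetime.now(timezone.utc).isoformat(),
            "drift_detected": bool(drift or fixes),
            "drifted_resources": drift,
            "planned_remediation": fixes}

def plan_from_terraform(workdir="."):
    """Run terraform plan (-detailed-exitcode: 0 clean, 1 error, 2 changes) and load it as JSON."""
    rc = subprocess.run(["terraform", "plan", "-input=false", "-detailed-exitcode",
                         "-out=tfplan"], cwd=workdir).returncode
    if rc == 1:
        raise RuntimeError("terraform plan failed; see output above")
    shown = subprocess.run(["terraform", "show", "-json", "tfplan"], cwd=workdir,
                           capture_output=True, text=True, check=True).stdout
    return json.loads(shown)

if __name__ == "__main__":
    plan = plan_from_terraform(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLAN
    print(json.dumps(summarize_drift(plan), indent=2))
```

Run it with the Terraform working directory as the only argument from a scheduled job and archive the JSON output alongside the pipeline run; each record then documents when the check ran, what drifted, and the follow-up PR it should be tied to.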

Handling Manual Changes

If someone makes a console change outside Terraform, document it as an exception:

  • What was changed and why
  • Was it imported back into Terraform state?
  • Was a follow-up PR created to codify the change?

Auditors understand that occasional manual changes happen. What matters is that you detect them and bring them back into your controlled process.
