What SOC 2 evidence is needed for AWS infrastructure?
AWS Evidence by Service
| AWS Service | SOC 2 Evidence | Control |
|---|---|---|
| IAM | User list, MFA status, password policy, role policies | CC6.1 |
| S3 | Public access block, encryption, bucket policies | CC6.7 |
| RDS/Aurora | Encryption at rest, backup config, security groups | CC6.7, A1.2 |
| CloudTrail | Multi-region trail enabled, log file validation | CC7.2 |
| CloudWatch | Alarms for critical metrics, SNS notifications | CC7.2 |
| VPC | Security group rules, NACL rules, flow logs | CC6.6 |
| KMS | Key management policies, rotation settings | CC6.1 |
Priority Order for Startups
Not every AWS service needs evidence. Focus on:
- IAM (required) — Root account MFA, user MFA, least-privilege policies
- CloudTrail (required) — Proves you have audit logging
- Your database (required) — Encryption and access restrictions
- S3 (if you use it) — Public access blocks, encryption
- Security groups (required) — Network access controls
Inherited Controls from AWS
AWS has its own SOC 2 Type II report covering physical security, hardware management, and network infrastructure; you can download it from AWS Artifact in the console and reference it in your system description as an inherited (subservice organization) control. Under the shared responsibility model your auditor tests your configuration of AWS services, not AWS's underlying infrastructure, so the evidence you collect is about how you set up IAM, logging, encryption and network access, not about AWS data centers.
Quick Wins
- Enable MFA on root account. This takes 5 minutes and is always tested.
- Turn on CloudTrail. Enable a multi-region trail with log file validation.
- Block public S3 access. Enable the account-level public access block.
- Review security groups. Remove any inbound rules open to 0.0.0.0/0 (and the IPv6 equivalent, ::/0) that aren't necessary; typically only public-facing ports such as 443 should be world-reachable, never SSH, RDP or database ports.
- Enable RDS encryption. Encryption at rest can only be set when an instance is created, so for an existing unencrypted instance you take a snapshot, copy the snapshot with encryption enabled, restore from the encrypted copy, and cut over.
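The quick wins above, together with the IAM, CloudTrail, S3, security group and RDS rows of the evidence table, can be turned into a repeatable check that runs over the JSON and CSV the AWS CLI returns. The script below is an added example, not code from the original page or from AWS; the account ID, user names, security group IDs and instance names are made up, and the sample responses are constructed to follow the shape of `aws iam get-account-summary`, the decoded `aws iam get-credential-report` content (columns trimmed), `aws cloudtrail describe-trails`, `aws s3control get-public-access-block`, `aws ec2 describe-security-groups` and `aws rds describe-db-instances`. In practice you would save each command's `--output json` result to a file and load it in place of the inline samples.

```python
"""Evaluate AWS CLI responses against the SOC 2 quick wins (added example).

Sample data below is CONSTRUCTED for this example; account 123456789012 and
all resource names are fictitious. Each check returns (control, resource, message).
"""
import csv
import io

# aws iam get-account-summary (only the field we need)
ACCOUNT_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 3}}

# aws iam get-credential-report -> Content, base64-decoded; columns trimmed for brevity
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true
"""

# aws cloudtrail describe-trails
TRAILS = {"trailList": [{"Name": "main", "IsMultiRegionTrail": True,
                         "LogFileValidationEnabled": False,
                         "S3BucketName": "example-cloudtrail-logs"}]}

# aws s3control get-public-access-block --account-id 123456789012
PUBLIC_ACCESS_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": False}}

# aws ec2 describe-security-groups (trimmed)
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]}]}]}

# aws rds describe-db-instances (trimmed)
DB_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True,
     "BackupRetentionPeriod": 7, "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False,
     "BackupRetentionPeriod": 0, "PubliclyAccessible": True}]}

WORLD = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"


def check_iam(summary, credential_report_csv):
    """CC6.1: root MFA, plus MFA on every user who can sign in to the console."""
    findings = []
    if summary["SummaryMap"].get("AccountMFAEnabled") != 1:
        findings.append(("CC6.1", "root", "root account has no MFA device"))
    for row in csv.DictReader(io.StringIO(credential_report_csv)):
        # Access-key-only users have no console password; MFA is not expected there.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(("CC6.1", row["user"], "console user without MFA"))
    return findings


def check_cloudtrail(trails):
    """CC7.2: at least one multi-region trail with log file validation enabled."""
    good = [t for t in trails["trailList"]
            if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")]
    if good:
        return []
    return ([("CC7.2", t["Name"], "not multi-region with log file validation")
             for t in trails["trailList"]]
            or [("CC7.2", "account", "no CloudTrail trail")])


def check_s3_public_access_block(pab):
    """CC6.7: all four account-level public access block settings on."""
    cfg = pab["PublicAccessBlockConfiguration"]
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [("CC6.7", "account", f"{k} is off") for k in keys if not cfg.get(k)]


def check_security_groups(sgs, public_ok_ports=frozenset({80, 443})):
    """CC6.6: inbound rules open to the world, except single ports meant to be public."""
    findings = []
    for sg in sgs["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            exposed = sorted(WORLD.intersection(cidrs))
            if not exposed:
                continue
            all_traffic = perm["IpProtocol"] == "-1"  # -1 means every protocol/port
            port = perm.get("FromPort")
            single_port = port is not None and port == perm.get("ToPort")
            if all_traffic or not single_port or port not in public_ok_ports:
                what = "all traffic" if all_traffic else f"{perm['IpProtocol']}/{port}-{perm.get('ToPort')}"
                findings.append(("CC6.6", sg["GroupId"], f"{what} open to {exposed}"))
    return findings


def check_rds(dbs):
    """CC6.7 / A1.2 / CC6.6: encryption at rest, automated backups, no public endpoint."""
    findings = []
    for db in dbs["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted"):
            findings.append(("CC6.7", name, "storage not encrypted"))
        if db.get("BackupRetentionPeriod", 0) < 1:
            findings.append(("A1.2", name, "automated backups disabled"))
        if db.get("PubliclyAccessible"):
            findings.append(("CC6.6", name, "publicly accessible"))
    return findings


def run_all():
    """All checks over the constructed samples; a real run loads saved CLI output."""
    return (check_iam(ACCOUNT_SUMMARY, CREDENTIAL_REPORT) + check_cloudtrail(TRAILS)
            + check_s3_public_access_block(PUBLIC_ACCESS_BLOCK)
            + check_security_groups(SECURITY_GROUPS) + check_rds(DB_INSTANCES))


if __name__ == "__main__":
    for control, resource, message in run_all():
        print(f"{control:6} {resource:12} {message}")
```

Two design points worth keeping when you adapt this: the IAM check only flags users with a console password, because an access-key-only service user cannot enrol an MFA device for console login and auditors expect you to explain that distinction rather than hide it; and the security group check takes an allowlist of ports that are deliberately public, so that a world-open 443 on a load balancer group is not reported while a world-open 22 is. Run the script against the output of the same commands on the audit date and keep the output alongside the raw JSON as evidence.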
Evidence Collection Tips
- Use AWS Config for continuous compliance monitoring if your budget allows; its rule evaluation history is dated evidence you do not have to regenerate by hand.
- Screenshots of the console are accepted by most auditors, but make each one show the account ID, region and date, and pair anything with more than a handful of entries (IAM users, security group rules) with the CLI JSON or CSV export so the evidence is complete and reproducible.
- Run AWS Trusted Advisor to catch common misconfigurations before the audit. The core security checks (root MFA, world-open security group ports, S3 bucket permissions) are available on every support plan; the full set requires Business support or higher.