# SOC 2 on AWS — the practical checklist

A control-by-control checklist for preparing an AWS-hosted SaaS for a
SOC 2 Type I or Type II audit. Every item maps to a Trust Services
Criterion (CC = Common Criteria) and lists the AWS-side evidence an
auditor will ask for.

Use it alongside a formal audit partner (Drata, Vanta, Secureframe,
A-LIGN, Johanson) — they run the company-wide program; this checklist
is the infrastructure half.

Last updated: 2026-04-19.

---

## Access control (CC6)

- [ ] **CC6.1** — Every IAM user has MFA enabled. Root account MFA is
      enforced. Evidence: `aws iam list-virtual-mfa-devices`,
      `aws iam get-account-summary` showing `AccountMFAEnabled=1`.
- [ ] **CC6.1** — No root access keys exist. Evidence:
      `aws iam get-account-summary` showing `AccountAccessKeysPresent=0`.
- [ ] **CC6.1** — IAM password policy enforces ≥ 14 chars, complexity,
      ≥ 90-day rotation, ≥ 24-password history.
- [ ] **CC6.1** — IAM access keys older than 90 days are rotated.
      Evidence: `aws iam list-access-keys` + `CreateDate`.
- [ ] **CC6.2** — All human access flows through SSO (AWS IAM Identity
      Center or Okta/Entra). IAM users are service accounts only.
- [ ] **CC6.3** — Principle of least privilege. Evidence: every IAM
      policy reviewed; no `*` actions without scoped resources;
      wildcards on resource ARNs narrowed where practical.
- [ ] **CC6.6** — Administrative boundary. Prod-write actions gated
      behind a separate role with MFA + time-boxed access
      (session ≤ 8 hours).
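The CC6.1 and CC6.3 items above are the ones an auditor most often wants as a script output rather than a screenshot. The following is an added example, not CloudArq's code and not part of the original checklist: it consumes the JSON that `aws iam get-account-summary`, `aws iam list-access-keys --user-name <name>` and `aws iam get-policy-version` print, and reports the root-MFA / root-key state, access keys older than 90 days, and Allow statements that grant `*` actions on `*` resources. All inputs are constructed samples (key ids, user names, policy Sids and the `AS_OF` date are placeholders) so the script runs offline.

```python
"""CC6.1 / CC6.3 evidence evaluator over parsed AWS CLI output.

Added example (not CloudArq's or the checklist author's code). Inputs are
the JSON from `aws iam get-account-summary`, `aws iam list-access-keys`
and the Document field of `aws iam get-policy-version`; the samples below
are constructed so the script runs offline.
"""
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90
# Constructed "as of" date for the key-age check; use datetime.now(timezone.utc) for real runs.
AS_OF = datetime(2026, 4, 19, tzinfo=timezone.utc)

# Constructed sample shaped like `aws iam get-account-summary` output.
SAMPLE_SUMMARY = {"SummaryMap": {
    "AccountMFAEnabled": 1,
    "AccountAccessKeysPresent": 1,   # root still has an access key
    "Users": 2,
}}

# Constructed samples shaped like `aws iam list-access-keys --user-name X`,
# keyed by user name. Key ids are placeholders.
SAMPLE_KEYS = {
    "ci-deployer": {"AccessKeyMetadata": [
        {"UserName": "ci-deployer", "AccessKeyId": "AKIAEXAMPLE000000001",
         "Status": "Active", "CreateDate": "2026-03-01T00:00:00+00:00"},
    ]},
    "legacy-etl": {"AccessKeyMetadata": [
        {"UserName": "legacy-etl", "AccessKeyId": "AKIAEXAMPLE000000002",
         "Status": "Active", "CreateDate": "2025-06-15T00:00:00+00:00"},
        {"UserName": "legacy-etl", "AccessKeyId": "AKIAEXAMPLE000000003",
         "Status": "Inactive", "CreateDate": "2024-01-01T00:00:00+00:00"},
    ]},
}

# Constructed IAM policy document (PolicyVersion.Document of get-policy-version).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadBuckets", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
]}


def account_summary_findings(summary):
    """Root-account findings derived from the SummaryMap counters."""
    m = summary["SummaryMap"]
    findings = []
    if m.get("AccountMFAEnabled") != 1:
        findings.append("root MFA not enabled")
    if m.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root access keys present")
    return findings


def stale_access_keys(keys_by_user, now=AS_OF, max_age_days=MAX_KEY_AGE_DAYS):
    """(user, key id, age in days) for every *active* key older than max_age_days.

    Inactive keys are skipped: they cannot authenticate, so they are a
    clean-up item (delete them) rather than a rotation finding.
    """
    stale = []
    for user, listing in keys_by_user.items():
        for key in listing["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue
            created = datetime.fromisoformat(key["CreateDate"])
            age = (now - created).days
            if age > max_age_days:
                stale.append((user, key["AccessKeyId"], age))
    return stale


def _as_list(value):
    # IAM allows Action/Resource/Statement to be a string or a list.
    return value if isinstance(value, list) else [value]


def unscoped_wildcard_statements(policy):
    """Sids of Allow statements granting `*` actions on `*` resources (CC6.3)."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # a Deny with wildcards narrows access; it is not a finding
        if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", [])):
            hits.append(st.get("Sid", f"statement-{i}"))
    return hits


if __name__ == "__main__":
    for f in account_summary_findings(SAMPLE_SUMMARY):
        print("CC6.1 FAIL:", f)
    for user, key_id, age in stale_access_keys(SAMPLE_KEYS):
        print(f"CC6.1 FAIL: {user} key {key_id} is {age} days old")
    for sid in unscoped_wildcard_statements(SAMPLE_POLICY):
        print("CC6.3 FAIL: unscoped wildcard in statement", sid)
```

The key-age check deliberately ignores inactive keys and counts only against active ones; an auditor will still ask why inactive keys were left behind, so delete them rather than rely on the filter. The wildcard check is intentionally narrow (`*` on `*` only): service-level wildcards such as `s3:*` scoped to a bucket ARN are a judgement call the checklist leaves to the reviewer.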

## Network security (CC6 / CC7)

- [ ] **CC6.6** — No security group allows 0.0.0.0/0 on ports 22 (SSH)
      or 3389 (RDP). Evidence: `aws ec2 describe-security-groups` scan.
- [ ] **CC6.6** — No security group allows 0.0.0.0/0 on all ports.
- [ ] **CC6.6** — VPC flow logs enabled on every VPC, retained ≥ 90 days.
- [ ] **CC6.7** — S3 buckets are not public unless they're explicitly
      designed for public hosting. Evidence:
      `aws s3api get-public-access-block --bucket <name>` (bucket) and
      `aws s3control get-public-access-block --account-id <id>` (account)
      returning all four flags (`BlockPublicAcls`, `IgnorePublicAcls`,
      `BlockPublicPolicy`, `RestrictPublicBuckets`) = true at both the
      account and bucket level.
- [ ] **CC6.7** — S3 block-public-access enabled at the account level.
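The security-group and public-access-block items above are mechanical enough to script. The following is an added example, not CloudArq's code and not part of the original checklist: it takes the parsed JSON from `aws ec2 describe-security-groups` and `aws s3api get-public-access-block --bucket <name>`, flags world-reachable ingress on 22 or 3389 (including port ranges that happen to cover them) and all-ports rules, and names whichever of the four public-access-block flags is not set. Group ids, group names and the bucket configuration are constructed samples; it also generalises the checklist's IPv4-only wording to `::/0`.

```python
"""CC6.6 / CC6.7 network-exposure checks over parsed AWS CLI output.

Added example (not CloudArq's or the checklist author's code). Inputs are
the JSON from `aws ec2 describe-security-groups` and
`aws s3api get-public-access-block --bucket <name>`; the samples below are
constructed so the script runs offline.
"""

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = (22, 3389)
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample shaped like `aws ec2 describe-security-groups`.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0example0001", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example0002", "GroupName": "bastion-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example0003", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example0004", "GroupName": "internal-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example0005", "GroupName": "app-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

# Constructed sample shaped like `aws s3api get-public-access-block`.
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}


def _world_reachable(perm):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def _all_ports(perm):
    # Protocol -1 means every protocol and port; a 0-65535 TCP range is
    # equivalent for the ports the checklist cares about.
    if perm["IpProtocol"] == "-1":
        return True
    return perm.get("FromPort", 0) <= 0 and perm.get("ToPort", 0) >= 65535


def _covers_tcp_port(perm, port):
    # Rules may use the protocol name or its number; anything else (udp, icmp) is irrelevant here.
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def security_group_findings(describe_output):
    """(group id, finding) for ingress rules that violate the CC6.6 items.

    An all-ports rule is reported once as 'all-ports' rather than once per
    admin port, so the evidence reads the way a reviewer expects.
    """
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _world_reachable(perm):
                continue
            if _all_ports(perm):
                findings.append((sg["GroupId"], "all-ports"))
                continue
            for port in ADMIN_PORTS:
                if _covers_tcp_port(perm, port):
                    findings.append((sg["GroupId"], f"port-{port}"))
    return findings


def missing_public_access_blocks(pab_output):
    """Names of the four flags that are not true.

    The CLI fails with NoSuchPublicAccessBlockConfiguration when a bucket
    has no configuration at all; pass {} in that case and all four are
    reported as missing.
    """
    cfg = pab_output.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if cfg.get(flag) is not True]
```

Note that `sg-0example0005` is flagged for 3389 even though nobody wrote "3389" in the rule: a world-open 3000-4000 range covers it, which is exactly the case a grep for the port number misses. Run the same `missing_public_access_blocks` over the `aws s3control get-public-access-block` output to cover the account-level item.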

## Encryption (CC6.1 / CC6.7)

- [ ] **CC6.1** — All EBS volumes encrypted. Account-level default
      encryption on. Evidence: `aws ec2 get-ebs-encryption-by-default`.
- [ ] **CC6.1** — All RDS instances encrypted at rest
      (`StorageEncrypted=true`).
- [ ] **CC6.1** — All S3 buckets have default SSE-KMS or SSE-S3.
- [ ] **CC6.1** — KMS key rotation enabled on every customer-managed
      key (`aws kms get-key-rotation-status`).
- [ ] **CC6.7** — TLS 1.2+ required on every public endpoint.
      ALB/NLB listener policies use `ELBSecurityPolicy-TLS13-1-2-*`.

## Logging and monitoring (CC7)

- [ ] **CC7.2** — CloudTrail enabled on every region, logs to an
      append-only S3 bucket with object-lock.
- [ ] **CC7.2** — CloudTrail log-file validation enabled.
      Evidence: `aws cloudtrail describe-trails` → `LogFileValidationEnabled=true`.
- [ ] **CC7.2** — Config enabled in every region, recording all
      resource types, delivering to S3.
- [ ] **CC7.3** — CloudWatch alarms on: root account login, IAM
      policy changes, MFA disabling, unauthorised API calls.
- [ ] **CC7.3** — GuardDuty enabled in every region. Findings routed
      to a human on-call rotation.
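The CC7.2 trail settings and the four CC7.3 alarm conditions are worth having as code, both to generate evidence and to confirm the alarms fire on the right events. The following is an added example, not CloudArq's code and not part of the original checklist: `trail_findings` reads `aws cloudtrail describe-trails` output, and `alerts` applies the alarm conditions to CloudTrail events as delivered to CloudWatch Logs (one JSON object per line). The root-activity and unauthorised-call conditions follow the CIS AWS Foundations Benchmark metric-filter patterns; the IAM-policy and MFA event-name lists are the IAM API names. Every event, trail name and bucket name below is constructed.

```python
"""CC7.2 / CC7.3 evidence over parsed CloudTrail data.

Added example (not CloudArq's or the checklist author's code). `trail_findings`
reads `aws cloudtrail describe-trails` output; `alerts` applies the CC7.3 alarm
conditions to CloudTrail events (one JSON object per line). Root-activity and
unauthorised-call rules mirror the CIS AWS Foundations Benchmark metric-filter
patterns. All events and trails below are constructed.
"""
import json

IAM_POLICY_EVENTS = {
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
MFA_DISABLE_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}

# Constructed CloudTrail events, trimmed to the fields the rules use.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}},
    {"eventID": "e2", "eventName": "AttachUserPolicy", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e3", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e4", "eventName": "DeactivateMFADevice", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e5", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}},
    # Root credentials used by a service on the account's behalf: not a root login.
    {"eventID": "e6", "eventName": "CreateBackup", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "backup.amazonaws.com"}},
])

# Constructed sample shaped like `aws cloudtrail describe-trails`.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True, "S3BucketName": "example-trail-logs"},
    {"Name": "old-regional", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "S3BucketName": "example-old-logs"},
]}


def classify(event):
    """Alarm categories the event triggers (empty list for benign events)."""
    cats = []
    ident = event.get("userIdentity", {})
    # CIS pattern: Root type, not invoked by a service, not an AWS service event.
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent"):
        cats.append("root-activity")
    name = event.get("eventName", "")
    if name in IAM_POLICY_EVENTS:
        cats.append("iam-policy-change")
    if name in MFA_DISABLE_EVENTS:
        cats.append("mfa-disabled")
    err = event.get("errorCode", "")
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        cats.append("unauthorised-api-call")
    return cats


def alerts(jsonl):
    """(eventID, category) pairs for every line that triggers an alarm."""
    out = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for cat in classify(event):
            out.append((event.get("eventID"), cat))
    return out


def trail_findings(describe_output):
    """CC7.2 findings: no multi-region trail at all, or validation switched off."""
    findings = []
    trails = describe_output.get("trailList", [])
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(("account", "no-multi-region-trail"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append((t["Name"], "log-file-validation-off"))
    return findings


if __name__ == "__main__":
    for event_id, cat in alerts(SAMPLE_EVENTS):
        print(f"CC7.3 ALERT {cat}: event {event_id}")
    for name, finding in trail_findings(SAMPLE_TRAILS):
        print(f"CC7.2 FAIL {name}: {finding}")
```

The `e6` event is the one to watch when tuning the root-activity alarm: AWS services acting with root credentials carry `invokedBy` and an `AwsServiceEvent` type, and without those two exclusions the alarm pages on-call for routine background activity. For the trail check, a single multi-region trail satisfies "enabled on every region", so extra single-region trails are not flagged on their own; only a missing multi-region trail and validation being off are.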

## Change management (CC8)

- [ ] **CC8.1** — Prod deploys require pull-request review. Branch
      protection rules enforce ≥ 1 approval + passing CI.
- [ ] **CC8.1** — Infrastructure-as-code for production. No manual
      console changes in prod (or they produce a CFN drift alert).
- [ ] **CC8.1** — Release artifacts pinned by commit SHA. Rollback
      procedure documented and tested in a game day.

## Backups and disaster recovery (A1)

- [ ] **A1.2** — RDS automated backups enabled with ≥ 7-day retention.
      Cross-region copy for the primary database.
- [ ] **A1.2** — S3 versioning enabled on every bucket that stores
      mutable state.
- [ ] **A1.2** — Documented RTO and RPO per system. DR drill run
      annually with evidence.
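The RDS encryption item under CC6.1 and the RDS backup-retention item under A1.2 read from the same `aws rds describe-db-instances` output, so one check covers both. The following is an added example, not CloudArq's code and not part of the original checklist; the three instances are constructed (identifiers and the KMS key ARN are placeholders).

```python
"""RDS checks for CC6.1 (StorageEncrypted) and A1.2 (automated backup retention >= 7).

Added example (not CloudArq's or the checklist author's code). Reads the JSON
from `aws rds describe-db-instances`; the instances below are constructed.
"""

MIN_RETENTION_DAYS = 7

# Constructed sample shaped like `aws rds describe-db-instances` output.
SAMPLE_DBS = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-primary", "StorageEncrypted": True,
     "BackupRetentionPeriod": 14,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBInstanceIdentifier": "staging-db", "StorageEncrypted": False,
     "BackupRetentionPeriod": 7},
    # BackupRetentionPeriod 0 means automated backups are disabled entirely.
    {"DBInstanceIdentifier": "reporting-replica", "StorageEncrypted": True,
     "BackupRetentionPeriod": 0},
]}


def rds_findings(describe_output, min_retention=MIN_RETENTION_DAYS):
    """(instance id, criterion, finding) for every instance failing either item."""
    findings = []
    for db in describe_output.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append((ident, "CC6.1", "storage-not-encrypted"))
        retention = db.get("BackupRetentionPeriod", 0)
        if retention < min_retention:
            findings.append((ident, "A1.2", f"backup-retention-{retention}d"))
    return findings


if __name__ == "__main__":
    for ident, criterion, finding in rds_findings(SAMPLE_DBS):
        print(f"{criterion} FAIL {ident}: {finding}")
```

Two practical notes: `StorageEncrypted` cannot be switched on for an existing instance, so remediation for `staging-db` is an encrypted snapshot copy and a restore, which should be scheduled rather than left as an open finding; and retention only evidences in-region automated backups, so the cross-region copy for the primary database still needs its own evidence.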

## Incident response (CC7.4)

- [ ] **CC7.4** — On-call rotation with defined severities
      (SEV-1 / SEV-2 / SEV-3).
- [ ] **CC7.4** — Security incident runbook: who owns the investigation,
      when legal is notified, when customers are notified.
- [ ] **CC7.4** — Post-incident review (blameless) after every SEV-1.

## Data retention and disposal (P4)

- [ ] **P4.1** — Customer data deletion on request, SLA published in
      the DPA.
- [ ] **P4.2** — S3 lifecycle policies move inactive data to Glacier or
      delete per retention policy.
- [ ] **P4.2** — RDS snapshots older than retention policy are
      expired automatically.

## Vendor management (CC9.2)

- [ ] **CC9.2** — Subprocessor list published and reviewed annually.
      See `https://cloudarq.net/legal/subprocessors` for the CloudArq
      example.
- [ ] **CC9.2** — Each subprocessor has a DPA on file.
- [ ] **CC9.2** — SOC 2 / ISO 27001 report collected from every
      critical subprocessor.

---

## How CloudArq helps

CloudArq automates the AWS-side evidence collection for the controls
marked with an asterisk in the Trust Services Criteria. Every one of
the 170 CloudArq checks maps to the CC number above; exports drop into
a SOC 2 evidence folder alongside your DPA + policy set.

Free-for-life on accounts under 50 resources:
https://cloudarq.net/signup
