SOC 2 on AWS: a practical checklist

Who this is for

1-50 person SaaS teams running on AWS, with an enterprise prospect asking for a SOC 2 report in the next 3-6 months. If you have a dedicated compliance team running a vendor program, skim the AWS-specific rows and ignore the commentary. If you're a founder + CTO pair scrambling to pass, read top-to-bottom.

What SOC 2 actually is (one paragraph)

SOC 2 is an AICPA audit framework. A CPA firm signs a report saying your security controls operate as described, across five Trust Services Criteria: Security (CC1-CC9 — the only mandatory one), Availability (A1), Confidentiality (C1), Processing Integrity (PI1), and Privacy (P). Type I is a point-in-time snapshot. Type II covers a window — typically 3-12 months — and is what enterprise buyers expect.

Access control (CC6)

Who can touch what. Auditors always start here.

• CC6.1Every IAM user has MFA. Root MFA is enforced.
• CC6.1No root access keys. ≥14-char IAM password policy with ≥90-day rotation.
• CC6.1IAM access keys older than 90 days are rotated.
• CC6.2Human access flows through SSO (IAM Identity Center / Okta / Entra).
• CC6.3Least privilege — no `*` actions without scoped resources.
• CC6.6Prod-write actions gated behind a separate role with MFA + time-boxed access.

Network security (CC6 / CC7)

What's exposed to the internet.

• CC6.6No security group allows 0.0.0.0/0 on SSH (22) or RDP (3389).
• CC6.6No security group allows 0.0.0.0/0 on all ports.
• CC6.6VPC flow logs enabled on every VPC, retained ≥ 90 days.
• CC6.7S3 buckets are not public unless designed to be — block-public-access at both account and bucket level.

Encryption (CC6.1 / CC6.7)

Data at rest and in transit.

• CC6.1All EBS volumes encrypted; account-level default encryption on.
• CC6.1All RDS instances encrypted at rest.
• CC6.1All S3 buckets have default SSE-KMS or SSE-S3.
• CC6.1KMS key rotation enabled on every customer-managed key.
• CC6.7TLS 1.2+ required on every public endpoint (ALB/NLB listener policies).

Logging & monitoring (CC7)

You can't respond to what you can't see.

• CC7.2CloudTrail enabled in every region, append-only S3 with object-lock.
• CC7.2CloudTrail log-file validation enabled.
• CC7.2Config enabled in every region, recording all resource types.
• CC7.3CloudWatch alarms on: root login, IAM policy changes, MFA disabling, unauthorised API calls.
• CC7.3GuardDuty enabled in every region, findings routed to on-call.

Change management (CC8)

How code + infra changes reach prod.

• CC8.1Prod deploys require pull-request review; branch protection enforces ≥ 1 approval + CI pass.
• CC8.1Infrastructure-as-code for production. No untracked console changes.
• CC8.1Release artifacts pinned by commit SHA; rollback tested in a game day.

Availability (A1)

Only required if you contract for uptime.

• A1.2RDS automated backups ≥ 7-day retention; cross-region copy for primary DB.
• A1.2S3 versioning enabled on every mutable-state bucket.
• A1.2Documented RTO and RPO per system; DR drill run annually.

FAQ

How long does a SOC 2 audit take for a SaaS on AWS?

SOC 2 Type I takes 2-6 weeks once evidence is in place. Type II requires a 3-12 month observation window — the auditor watches your controls operate over that period before issuing the report.

Do we need to switch clouds to pass SOC 2?

No. SOC 2 is cloud-agnostic. AWS, Azure, and GCP all publish a SOC 2 Type II report for their own infrastructure; you inherit their physical-security and hypervisor controls and document the controls you operate on top.

Which SOC 2 trust-services criteria apply to an AWS-hosted SaaS?

Security (CC1-CC9) is required for every SOC 2. Availability (A1) is required if you commit to uptime in a customer contract. Confidentiality (C1), Processing Integrity (PI1), and Privacy (P) are elective — pick them if you handle regulated data or advertise specific claims.

Do we need a security vendor to pass SOC 2?

Not strictly, but most small teams use one of: Vanta / Drata / Secureframe for the program + evidence, plus a CPA firm (A-LIGN, Johanson, Prescient, BDO) as the auditor. CloudArq covers the AWS-infrastructure evidence side; the vendor covers policy templates, employee training, and the audit-management workflow.

What are the top-3 AWS misconfigurations that block SOC 2?

CloudTrail disabled in a region, public S3 buckets holding customer data, and security groups allowing 0.0.0.0/0 on SSH or RDP. Every one of these is a CC6.6 or CC7.2 failure and auditors will find them on day one.

How much does SOC 2 cost?

Budget $15K-40K for a Type I report from a mid-tier CPA firm for a 1-50-person company. Type II runs $25K-60K. Ongoing (renewal + continuous compliance) adds $5K-20K/year. Security vendor subscriptions add $10K-40K/year on top.