SOC 2 Compliance Checklist — AWS
Framework: AICPA Trust Services Criteria (TSC) 2017 with 2022 revised points of focus
Scope: Security (mandatory) + Availability, Confidentiality (common add-ons)
Status legend: [ ] Not started · [~] In progress · [x] Complete
Do not represent any control as implemented until you have collected and retained evidence. Auditors require logs, screenshots, policy documents, and configuration exports — not just running services.
AWS's SOC 2 report covers the infrastructure layer (physical security, hypervisor, managed service platforms). Your SOC 2 report must cover your controls — IAM, logging, network, encryption, and processes running on top of AWS. Download AWS's SOC 2 report from AWS Artifact to use as vendor evidence.
CC1 — Control Environment
| # | Item | Status | Owner |
|---|---|---|---|
| 1.1 | Document an Information Security Policy approved by management | [ ] | CISO / Compliance |
| 1.2 | Define organizational roles and security responsibilities (RACI) | [ ] | CISO |
| 1.3 | Establish a security awareness training program; track completion annually | [ ] | HR / Security |
| 1.4 | Conduct background checks for employees with access to customer data | [ ] | HR |
| 1.5 | Enable AWS Organizations with SCPs to enforce account-level guardrails | [ ] | Cloud Admin |
| 1.6 | Download AWS SOC 2 report from AWS Artifact and retain as vendor evidence | [ ] | Compliance |
Reference: AWS Artifact · AWS Shared Responsibility Model
CC2 — Communication and Information
| # | Item | Status | Owner |
|---|---|---|---|
| 2.1 | Publish a customer-facing security page or Trust Center | [ ] | Security / Marketing |
| 2.2 | Maintain an incident notification process (SLA for notifying customers) | [ ] | Security |
| 2.3 | Enable CloudTrail in all regions as the primary audit information source | [ ] | Cloud Admin |
| 2.4 | Document and communicate a security incident reporting channel internally | [ ] | Security |
Reference: Logging & Monitoring
CC3 — Risk Assessment
| # | Item | Status | Owner |
|---|---|---|---|
| 3.1 | Conduct a formal risk assessment annually; document in a risk register | [ ] | Compliance |
| 3.2 | Enable Amazon Inspector for continuous vulnerability scanning (EC2, Lambda, ECR) | [ ] | Security |
| 3.3 | Enable AWS Security Hub and activate the FSBP and CIS AWS v3.0 standards | [ ] | Cloud Admin |
| 3.4 | Review Security Hub findings monthly and track remediation | [ ] | Security |
| 3.5 | Assess risks posed by third-party vendors and document mitigations | [ ] | Compliance |
Reference: Amazon Inspector · AWS Security Hub
CC4 — Monitoring Activities
| # | Item | Status | Owner |
|---|---|---|---|
| 4.1 | Enable AWS Config in all regions with a multi-region aggregator | [ ] | Cloud Admin |
| 4.2 | Enable GuardDuty in all regions and accounts via AWS Organizations | [ ] | Cloud Admin |
| 4.3 | Configure CloudWatch alarms for the 14 CIS benchmark monitoring controls | [ ] | Cloud Admin |
| 4.4 | Conduct a penetration test at least annually; retain the report | [ ] | Security |
| 4.5 | Perform quarterly access reviews; document and remediate excess permissions | [ ] | Security |
Reference: Logging & Monitoring
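Item 4.3 asks for alarms on the CIS benchmark metric filters, and auditors will want to see that the filters actually fire on the right CloudTrail events. The block below is an added example (not tooling from this checklist or from AWS): it records three of the published CIS CloudWatch filter-pattern strings and re-implements the same predicates in Python so they can be exercised offline against constructed CloudTrail-style records. The records in `SAMPLE_RECORDS`, the user names and the service name in `invokedBy` are all made up for the demonstration; copy the pattern text from the benchmark revision you adopt when creating the real metric filters, since later revisions add terms to some patterns.

```python
"""Evaluate CloudTrail records against three of the CloudWatch metric-filter
patterns from the CIS AWS Foundations Benchmark (checklist item 4.3).
Added example; SAMPLE_RECORDS are constructed, not real CloudTrail output."""
from typing import Callable, Dict, List

# CloudWatch filter-pattern strings as published in the CIS benchmark, kept for
# reference. The Python functions below implement the same predicates.
CIS_PATTERNS = {
    "root_account_usage":
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
        '&& $.eventType != "AwsServiceEvent" }',
    "unauthorized_api_calls":
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    "console_login_without_mfa":
        '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
}


def is_root_usage(ev: dict) -> bool:
    """Root credentials used directly: not invoked by a service, not a service event."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def is_unauthorized_call(ev: dict) -> bool:
    """errorCode matches *UnauthorizedOperation or AccessDenied*."""
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_console_login_without_mfa(ev: dict) -> bool:
    """ConsoleLogin where MFAUsed is anything other than "Yes" (including absent)."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


DETECTORS: Dict[str, Callable[[dict], bool]] = {
    "root_account_usage": is_root_usage,
    "unauthorized_api_calls": is_unauthorized_call,
    "console_login_without_mfa": is_console_login_without_mfa,
}


def evaluate(records: List[dict]) -> Dict[str, int]:
    """Count matches per control, the way each metric filter would increment its
    CloudWatch metric; the CIS alarms fire when a count is >= 1 in the period."""
    counts = {name: 0 for name in DETECTORS}
    for ev in records:
        for name, detect in DETECTORS.items():
            if detect(ev):
                counts[name] += 1
    return counts


# Constructed CloudTrail-style records, trimmed to the fields the filters read.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "RunInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "CreateServiceLinkedRole", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
    {"eventName": "GetObject", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "dev-carol"},
     "errorCode": "AccessDenied"},
    {"eventName": "GetObject", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "dev-carol"}},
]

if __name__ == "__main__":
    for control, n in evaluate(SAMPLE_RECORDS).items():
        print(f"{control:28s} {n}")
```

The fourth record is the edge case worth keeping in your own test set: a root-type identity acting through a service (`invokedBy` present, `eventType` AwsServiceEvent) must not count as root usage, otherwise the alarm pages on every service-linked-role creation and gets muted.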
CC5 — Control Activities
| # | Item | Status | Owner |
|---|---|---|---|
| 5.1 | Apply least-privilege IAM policies; no use of AdministratorAccess managed policy in production | [ ] | Cloud Admin |
| 5.2 | Use IAM Identity Center for all human access; no long-lived IAM user credentials for engineers | [ ] | Cloud Admin |
| 5.3 | Enforce segregation of duties — developers cannot directly deploy to production | [ ] | Engineering Lead |
| 5.4 | Require pull-request reviews and CI pipeline success before production deployments | [ ] | Engineering Lead |
| 5.5 | All infrastructure defined as code (CloudFormation, Terraform, CDK) with version control | [ ] | Cloud Admin |
Reference: IAM & Access Control
CC6 — Logical and Physical Access Controls
CC6.1 — Logical Access Security
| # | Item | Status | Owner |
|---|---|---|---|
| 6.1.1 | Disable and remove root account access keys | [ ] | Cloud Admin |
| 6.1.2 | Enable MFA on the root account | [ ] | Cloud Admin |
| 6.1.3 | Enforce MFA for all IAM users with console access | [ ] | Cloud Admin |
| 6.1.4 | Enable IAM account password policy (min 14 chars, complexity, 90-day rotation) | [ ] | Cloud Admin |
| 6.1.5 | Enable KMS CMK rotation for all customer-managed keys | [ ] | Cloud Admin |
| 6.1.6 | Enable S3 Block Public Access at the account level | [ ] | Cloud Admin |
| 6.1.7 | Enable default EBS encryption for all volumes in all regions | [ ] | Cloud Admin |
CC6.2 — New Access Provisioning
| # | Item | Status | Owner |
|---|---|---|---|
| 6.2.1 | Use IAM Identity Center (SSO) for all engineer and operator access | [ ] | Cloud Admin |
| 6.2.2 | Document a formal access request and approval process | [ ] | Security |
| 6.2.3 | Grant access via IAM roles only; no inline policies on users | [ ] | Cloud Admin |
CC6.3 — Access Removal
| # | Item | Status | Owner |
|---|---|---|---|
| 6.3.1 | Deprovision IAM Identity Center access within 24 hours of termination | [ ] | HR / Cloud Admin |
| 6.3.2 | Rotate or disable IAM access keys within 24 hours of employee departure | [ ] | Cloud Admin |
| 6.3.3 | Flag credentials unused for 90+ days via AWS Config rule iam-user-unused-credentials-check | [ ] | Cloud Admin |
| 6.3.4 | Rotate IAM access keys at least every 90 days via Config rule access-keys-rotated | [ ] | Cloud Admin |
CC6.6 — Network Controls
| # | Item | Status | Owner |
|---|---|---|---|
| 6.6.1 | Delete or avoid using the default VPC in all regions | [ ] | Cloud Admin |
| 6.6.2 | Deploy production workloads in private subnets; public subnets for load balancers only | [ ] | Cloud Admin |
| 6.6.3 | No security group allows unrestricted inbound access (0.0.0.0/0) on admin ports (22, 3389) | [ ] | Cloud Admin |
| 6.6.4 | Enable VPC Flow Logs for all VPCs; send to CloudWatch Logs or S3 | [ ] | Cloud Admin |
| 6.6.5 | Deploy AWS WAF on all public-facing load balancers and CloudFront distributions | [ ] | Cloud Admin |
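Item 6.6.3 is usually checked by eye in the console, which misses the two shapes that matter most: a rule with `IpProtocol` `-1` (all traffic, no port fields at all) and a wide TCP range such as 3000-4000 that happens to include 3389. The block below is an added example, not a tool from this checklist: it walks data shaped like `aws ec2 describe-security-groups` output and reports every rule that is both open to the world (`0.0.0.0/0` or `::/0`) and covers port 22 or 3389. `SAMPLE_GROUPS` and the `sg-PLACEHOLDER-*` group IDs are constructed for the demonstration; in practice you would feed it the JSON from the real call and keep the output as evidence.

```python
"""Flag security-group rules that expose admin ports to the whole internet
(checklist item 6.6.3). Added example, not a tool from the checklist; the
SAMPLE_GROUPS list is constructed to mimic the shape of
`aws ec2 describe-security-groups` output (group IDs are placeholders)."""
from typing import List, Tuple

ADMIN_PORTS = {22, 3389}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_open_to_world(perm: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the unrestricted CIDR."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def rule_covers_admin_port(perm: dict) -> bool:
    """True if the rule's protocol/port range includes 22 or 3389.
    IpProtocol "-1" means all protocols and all ports (FromPort/ToPort are absent),
    so it always covers them; a wide TCP range is caught by the range test."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def find_violations(groups: List[dict]) -> List[Tuple[str, str, object, object]]:
    """Return (GroupId, IpProtocol, FromPort, ToPort) for each offending rule."""
    violations = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if rule_open_to_world(perm) and rule_covers_admin_port(perm):
                violations.append((sg["GroupId"], perm.get("IpProtocol"),
                                   perm.get("FromPort"), perm.get("ToPort")))
    return violations


# Constructed input: one compliant group and three different violation shapes.
SAMPLE_GROUPS = [
    {"GroupId": "sg-PLACEHOLDER-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-PLACEHOLDER-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-PLACEHOLDER-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-PLACEHOLDER-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_GROUPS):
        print("OPEN ADMIN PORT:", v)
```

HTTPS open to the world on the web group is correctly left alone; the check is scoped to the admin ports the item names, not to every `0.0.0.0/0` rule.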
CC6.7 — Data Transmission Controls
| # | Item | Status | Owner |
|---|---|---|---|
| 6.7.1 | Enforce TLS 1.2+ on all public endpoints; disable older protocols | [ ] | Cloud Admin |
| 6.7.2 | Enable S3 bucket policies to deny non-HTTPS requests (aws:SecureTransport) | [ ] | Cloud Admin |
| 6.7.3 | Store all secrets in AWS Secrets Manager or SSM Parameter Store (SecureString); never in code | [ ] | Engineering |
| 6.7.4 | Enable Secrets Manager automatic rotation for all secrets | [ ] | Cloud Admin |
Reference: Network Security · Encryption
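Item 6.7.2 names the `aws:SecureTransport` condition key, and the common mistake is to attach it to an Allow statement, which grants TLS access but never denies plaintext HTTP. The block below is an added example, not policy text from this checklist or from AWS: it places the weak pattern beside the hardened explicit-Deny form and includes a small checker that verifies a policy document really denies non-TLS requests to both the bucket ARN and its objects. The bucket name, the account ID and the `role/app` principal are placeholders.

```python
"""Weak vs. hardened S3 bucket policy for checklist item 6.7.2, plus a checker
that verifies a policy explicitly denies non-TLS requests. Added example; the
bucket name, account ID and role name are placeholders."""
import json
from typing import Any, List

BUCKET = "example-evidence-bucket"   # placeholder bucket name
ACCOUNT = "123456789012"             # placeholder account ID

# Weak: only *allows* access when TLS is used. Nothing here denies plaintext
# HTTP, so any other Allow (an ACL, a second statement, an identity policy in
# the same account) still permits it.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppOverTls",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/app"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}

# Hardened: an explicit Deny for every principal and every S3 action whenever
# aws:SecureTransport is false. An explicit Deny overrides any Allow, and the
# Resource lists both the bucket ARN (list/bucket-level calls) and its objects.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy: dict, bucket: str) -> bool:
    """True if some statement denies all principals, all S3 actions, on both the
    bucket ARN and its objects, when aws:SecureTransport is false."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if flag is None or str(flag).lower() != "false":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        if bucket_arn in resources and f"{bucket_arn}/*" in resources:
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: denies non-TLS = {denies_insecure_transport(policy, BUCKET)}")
    # The hardened document can be pasted straight into the bucket policy editor.
    print(json.dumps(HARDENED_POLICY, indent=2))
```

Run the checker over `aws s3api get-bucket-policy` output for each bucket in scope and keep the result alongside the exported policy; a Deny that lists only `bucket/*` and forgets the bucket ARN itself is the other frequent partial fix, and the checker reports it as non-compliant.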
CC7 — System Operations
| # | Item | Status | Owner |
|---|---|---|---|
| 7.1 | Enable multi-region CloudTrail trail with log file validation | [ ] | Cloud Admin |
| 7.2 | Send CloudTrail logs to a dedicated, access-restricted S3 bucket | [ ] | Cloud Admin |
| 7.3 | Enable CloudTrail S3 and Lambda data events for high-sensitivity accounts | [ ] | Cloud Admin |
| 7.4 | Enable GuardDuty in all regions; configure SNS alerting for HIGH findings | [ ] | Cloud Admin |
| 7.5 | Enable Amazon Macie on S3 buckets containing sensitive or customer data | [ ] | Cloud Admin |
| 7.6 | Enable Amazon Inspector on all EC2 instances, Lambda functions, and ECR repositories | [ ] | Cloud Admin |
| 7.7 | Document and test an incident response runbook; review quarterly | [ ] | Security |
| 7.8 | Configure EventBridge rules to route GuardDuty HIGH/CRITICAL findings to a ticketing system | [ ] | Cloud Admin |
Reference: Logging & Monitoring · Incident Response
CC8 — Change Management
| # | Item | Status | Owner |
|---|---|---|---|
| 8.1 | All production infrastructure changes made via IaC (no manual console changes) | [ ] | Cloud Admin |
| 8.2 | Require peer review (pull request) for all IaC changes | [ ] | Engineering Lead |
| 8.3 | CI/CD pipeline runs security scans (SAST, dependency scan) before deployment | [ ] | Engineering |
| 8.4 | Enable AWS Config drift detection; alert on configuration drift from baselines | [ ] | Cloud Admin |
| 8.5 | Maintain a change log; document major infrastructure changes with rationale | [ ] | Cloud Admin |
| 8.6 | Test deployments in a staging environment before production | [ ] | Engineering |
CC9 — Risk Mitigation
| # | Item | Status | Owner |
|---|---|---|---|
| 9.1 | Maintain a vendor inventory; assess each vendor's SOC 2 / ISO 27001 status annually | [ ] | Compliance |
| 9.2 | Obtain AWS SOC 2 report annually from AWS Artifact as evidence of infrastructure vendor controls | [ ] | Compliance |
| 9.3 | Enable AWS Backup with cross-region replication for all critical data stores | [ ] | Cloud Admin |
| 9.4 | Document and test BCP/DRP; verify RTO and RPO targets can be met | [ ] | Cloud Admin |
| 9.5 | Use AWS Resilience Hub to assess application resilience against defined RPO/RTO | [ ] | Cloud Admin |
Reference: AWS Artifact · AWS Backup
AWS Audit Manager
AWS Audit Manager has a pre-built SOC 2 (SSAE-18) framework that automatically maps evidence from Config rules, CloudTrail, and Security Hub findings to each TSC criterion. Enable it to automate evidence collection for your audit.
Reference: AWS Audit Manager SOC 2 Framework