
Automating SOC 2 Type II Evidence in AWS

Using CloudTrail for CC6.8, Config for CC6.1/CC6.6, GuardDuty for CC7.1, and Macie for P6.1 to reduce SOC 2 audit prep from weeks to hours with automated evidence collection.

CloudDefender Team

A SOC 2 Type II audit covers a 12-month observation period. For most engineering teams, evidence collection for that period means manually exporting screenshots, running ad-hoc queries against CloudTrail, and reconstructing configuration history from memory or tickets. It takes weeks, involves multiple people, and still leaves auditors asking follow-up questions about gaps.

AWS’s native security and compliance services, when configured correctly, generate the exact evidence artifacts a SOC 2 auditor needs. The data exists — the gap is connecting the right service to the right Trust Services Criteria and making the evidence export repeatable.

SOC 2 Criteria to AWS Service Mapping

SOC 2 Criterion                            | AWS Service                      | Evidence Generated
CC6.1 — Logical Access                     | AWS Config + IAM Access Analyzer | Config history of IAM policy changes
CC6.6 — Network Controls                   | AWS Config + VPC Flow Logs       | SG change history, flow log exports
CC6.8 — Malware Defense                    | GuardDuty + CloudTrail           | Finding history, remediation audit trail
CC7.1 / P6.1 — Monitoring / Sensitive Data | Macie + GuardDuty                | PII findings, detection coverage proof
SOC 2 Trust Services Criteria map directly to native AWS services. When configured correctly, these services generate audit-ready evidence continuously throughout the observation period.

CC6.1: Logical and Physical Access Controls

CC6.1 requires evidence that logical access to systems is managed, granted based on authorization, and restricted to authorized users. In AWS, this maps to IAM lifecycle management.

AWS Config as the evidence engine — AWS Config maintains a complete configuration history for every IAM resource. When an auditor asks “what access did user X have on date Y?”, AWS Config can answer precisely, because it snapshots IAM policies and user configurations on every change and stores each snapshot with a timestamp.

Enable the following AWS Config managed rules to generate continuous compliance evidence:

The Config rule evaluation history becomes your CC6.1 evidence — for any point in the 12-month period, you can export the compliance state of all IAM resources and show the auditor the exact configuration.
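The point-in-time question above, worked through in code. This is an added example, not code from the article or from CloudDefender: it reconstructs a user's access on a given date from the configurationItems that AWS Config's GetResourceConfigHistory returns (in a Lambda the list would come from boto3's `config.get_resource_config_history()`), and turns consecutive snapshots into the change timeline an auditor reads. The history is constructed for the example; field names follow the AWS::IAM::User configuration schema Config records.

```python
"""CC6.1 evidence: answer "what access did IAM user X have on date Y?" from
AWS Config configuration history.

Added example, not part of the original article. The snapshots below are
constructed; in production they come from boto3's
config.get_resource_config_history() (configuration is a JSON string there too).
"""
import json
from datetime import datetime

# Constructed sample: three snapshots of one IAM user, oldest first. The middle
# snapshot records a temporary AdministratorAccess attachment, which is exactly
# the kind of change an auditor asks about under CC6.1.
SAMPLE_HISTORY = [
    {"resourceType": "AWS::IAM::User", "resourceName": "deploy-bot",
     "captureTime": "2024-01-10T09:00:00+00:00", "configurationItemStatus": "ResourceDiscovered",
     "configuration": json.dumps({
         "userName": "deploy-bot",
         "attachedManagedPolicies": [{"policyName": "ReadOnlyAccess"}],
         "userPolicyList": [], "groupList": ["engineers"]})},
    {"resourceType": "AWS::IAM::User", "resourceName": "deploy-bot",
     "captureTime": "2024-03-05T10:15:00+00:00", "configurationItemStatus": "OK",
     "configuration": json.dumps({
         "userName": "deploy-bot",
         "attachedManagedPolicies": [{"policyName": "ReadOnlyAccess"},
                                     {"policyName": "AdministratorAccess"}],
         "userPolicyList": [], "groupList": ["engineers"]})},
    {"resourceType": "AWS::IAM::User", "resourceName": "deploy-bot",
     "captureTime": "2024-03-06T08:30:00+00:00", "configurationItemStatus": "OK",
     "configuration": json.dumps({
         "userName": "deploy-bot",
         "attachedManagedPolicies": [{"policyName": "ReadOnlyAccess"}],
         "userPolicyList": [{"policyName": "deploy-s3-write"}],
         "groupList": ["engineers"]})},
]


def _ts(iso):
    return datetime.fromisoformat(iso)


def summarize(config):
    """Reduce a configuration blob to the three things an auditor compares."""
    return {
        "managed_policies": sorted(p["policyName"] for p in config.get("attachedManagedPolicies", [])),
        "inline_policies": sorted(p["policyName"] for p in config.get("userPolicyList", [])),
        "groups": sorted(config.get("groupList", [])),
    }


def access_at(history, when_iso):
    """Access in force at the given instant: the latest snapshot captured at or
    before it. Returns None if the user did not exist yet or had been deleted."""
    when = _ts(when_iso)
    applicable = [ci for ci in history if _ts(ci["captureTime"]) <= when]
    if not applicable:
        return None
    latest = max(applicable, key=lambda ci: _ts(ci["captureTime"]))
    if latest["configurationItemStatus"] == "ResourceDeleted":
        return None
    return summarize(json.loads(latest["configuration"]))


def access_changes(history):
    """What was added or removed between consecutive snapshots: the timeline
    form of the evidence. (Config's relatedEvents field on each item holds the
    CloudTrail event IDs that explain who made the change.)"""
    ordered = sorted(history, key=lambda ci: _ts(ci["captureTime"]))
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        before = summarize(json.loads(prev["configuration"]))
        after = summarize(json.loads(cur["configuration"]))
        diff = {"at": cur["captureTime"]}
        for key in before:
            added = sorted(set(after[key]) - set(before[key]))
            removed = sorted(set(before[key]) - set(after[key]))
            if added:
                diff["added_" + key] = added
            if removed:
                diff["removed_" + key] = removed
        changes.append(diff)
    return changes


if __name__ == "__main__":
    print(json.dumps(access_at(SAMPLE_HISTORY, "2024-03-05T12:00:00+00:00"), indent=2))
    print(json.dumps(access_changes(SAMPLE_HISTORY), indent=2))
```

Snapshots are point-in-time, so "access on date Y" is the newest snapshot captured at or before Y, not the nearest one; a ResourceDeleted item means the answer is "no access" even though the history still carries the old policies.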

CC6.6: Logical Access Security Measures (Network Controls)

Security Group change history via Config — Config records every change to every security group in your account. The configuration timeline for any security group shows every inbound and outbound rule that existed at any point, with the timestamp and identity of who made each change.

VPC Flow Logs for network monitoring — Enable VPC Flow Logs in ALL mode (capturing both accepted and rejected traffic) and store them in S3 with a 12-month retention policy. For CC6.6, Flow Logs provide evidence that:

Export Flow Log statistics per quarter: total bytes transferred, top source/destination pairs, rejection rates. This demonstrates active network monitoring, not just log collection.
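The quarterly statistics described above, computed from raw flow log records. This is an added example, not the article's or CloudDefender's code: it parses the default (version 2) VPC Flow Log record format and produces total bytes, top source/destination pairs and the rejection rate per quarter. The records are constructed; in practice they would be read from the S3 objects the flow log delivers or queried through Athena.

```python
"""CC6.6 evidence: quarterly statistics from VPC Flow Logs.

Added example, not from the original article. Parses the default version 2
record format and aggregates per calendar quarter. The log lines are
constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Default flow log format (version 2), space separated, in this field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records. start/end are Unix seconds: 1705000000 falls in 2024 Q1,
# 1718000000 in 2024 Q2. The last two lines are NODATA / SKIPDATA records,
# which carry "-" instead of counters and must not be summed.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 51234 443 6 20 4000 1705000000 1705000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 51235 443 6 10 1500 1705000100 1705000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 22 6 1 60 1705000200 1705000260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 3389 6 1 60 1705000300 1705000360 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.3.30 10.0.1.10 50000 8080 6 5 700 1718000000 1718000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.31 10.0.1.10 50001 8080 6 6 800 1718000050 1718000110 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40003 23 6 1 40 1718000100 1718000160 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1718000200 1718000260 - NODATA
2 123456789012 eni-0a1b2c3d - - - - - - - 1718000300 1718000360 - SKIPDATA
"""


def parse_record(line):
    """One flow log line -> dict keyed by field name. Field count is checked so a
    custom-format log is rejected instead of silently mis-attributed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def quarter_of(epoch_seconds):
    """Calendar quarter label, UTC, e.g. '2024-Q1'."""
    t = datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc)
    return f"{t.year}-Q{(t.month - 1) // 3 + 1}"


def quarterly_stats(log_text, top_n=3):
    """Per-quarter totals: bytes, top src->dst pairs by bytes, accept/reject
    counts and rejection rate, plus how many records carried no data."""
    total_bytes = Counter()
    pairs = defaultdict(Counter)
    decisions = defaultdict(Counter)
    no_data = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        q = quarter_of(rec["start"])
        if rec["log_status"] != "OK":
            no_data[q] += 1      # NODATA/SKIPDATA: a coverage signal, not traffic
            continue
        size = int(rec["bytes"])
        total_bytes[q] += size
        pairs[q][(rec["srcaddr"], rec["dstaddr"])] += size
        decisions[q][rec["action"]] += 1
    report = {}
    for q in sorted(set(total_bytes) | set(no_data)):
        accepted, rejected = decisions[q]["ACCEPT"], decisions[q]["REJECT"]
        seen = accepted + rejected
        report[q] = {
            "total_bytes": total_bytes[q],
            "top_pairs": [(f"{s}->{d}", b) for (s, d), b in pairs[q].most_common(top_n)],
            "accepted": accepted,
            "rejected": rejected,
            "rejection_rate": round(rejected / seen, 3) if seen else None,
            "records_without_data": no_data[q],
        }
    return report


if __name__ == "__main__":
    for quarter, stats in quarterly_stats(SAMPLE_LOG).items():
        print(quarter, stats)
```

The records_without_data count is worth keeping in the export: a quarter with many NODATA or SKIPDATA records shows the log was enabled but not capturing, which is the gap an auditor reads as a monitoring failure rather than quiet traffic.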

CC6.8: Malware and Unauthorized Software Prevention

Amazon GuardDuty is the primary evidence source for CC6.8. GuardDuty uses machine learning and threat intelligence to detect anomalous behavior — crypto mining on EC2, unusual network connections to known malicious IPs, DNS queries to command-and-control domains, and malware embedded in S3 uploads via GuardDuty Malware Protection.

For CC6.8 evidence:

  1. Export the GuardDuty finding count by finding type over the 12-month period — this demonstrates the detection service was operational
  2. For each High-severity finding, show the remediation audit trail in CloudTrail (what action was taken, by whom, when)
  3. Export GuardDuty Malware Protection scan results — files scanned, threats detected, remediation actions

The combination of GuardDuty detection findings plus CloudTrail remediation records satisfies the “detect and respond” requirement of CC6.8.
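Steps 1 and 2 above, combined into one export. This is an added example, not code from the article or CloudDefender: it counts GuardDuty findings by type and, for each High-severity finding, looks up the first remediation-class CloudTrail event that touched the affected instance after detection. The findings and CloudTrail events are constructed in the shape GuardDuty GetFindings and CloudTrail LookupEvents return (timestamps as ISO strings here; boto3 returns datetime objects). Finding IDs, instance IDs and user names are invented, the 7.0 threshold is GuardDuty's High band, and the set of event names treated as remediation is an assumption that should match the team's own runbook.

```python
"""CC6.8 evidence: GuardDuty finding counts by type, plus the CloudTrail
remediation trail for every High-severity finding.

Added example, not from the original article. All findings and events below
are constructed; the remediation event set is an assumption for the example.
"""
from collections import Counter
from datetime import datetime

HIGH_SEVERITY = 7.0
REMEDIATION_EVENTS = {"StopInstances", "TerminateInstances",
                      "RevokeSecurityGroupIngress", "ModifyInstanceAttribute"}

# Constructed GuardDuty findings. f-001 and f-003 are High; f-003 has no
# follow-up action in the trail, which is the gap an auditor will ask about.
FINDINGS = [
    {"Id": "f-001", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "CreatedAt": "2024-02-03T14:05:00+00:00",
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0aaa111"}}},
    {"Id": "f-002", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
     "CreatedAt": "2024-02-10T01:00:00+00:00",
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0bbb222"}}},
    {"Id": "f-003", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "CreatedAt": "2024-05-20T02:10:00+00:00",
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0ccc333"}}},
    {"Id": "f-004", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "CreatedAt": "2024-06-01T11:30:00+00:00",
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0bbb222"}}},
]

# Constructed CloudTrail events. bob's StopInstances predates f-001 and must
# not be credited as its remediation; DescribeInstances is not a remediation.
CLOUDTRAIL_EVENTS = [
    {"EventTime": "2024-02-01T09:00:00+00:00", "EventName": "StopInstances", "Username": "bob",
     "Resources": [{"ResourceType": "AWS::EC2::Instance", "ResourceName": "i-0aaa111"}]},
    {"EventTime": "2024-02-03T14:40:00+00:00", "EventName": "StopInstances", "Username": "alice",
     "Resources": [{"ResourceType": "AWS::EC2::Instance", "ResourceName": "i-0aaa111"}]},
    {"EventTime": "2024-02-03T15:00:00+00:00", "EventName": "DescribeInstances", "Username": "alice",
     "Resources": []},
]


def finding_counts(findings):
    """Finding count by type: the 'detection was operational' figure (step 1)."""
    return Counter(f["Type"] for f in findings)


def _instance_id(finding):
    return finding["Resource"].get("InstanceDetails", {}).get("InstanceId")


def remediation_for(finding, events, window_hours=72):
    """First remediation-class CloudTrail event on the finding's instance after
    the finding was created, within the response window (step 2)."""
    detected = datetime.fromisoformat(finding["CreatedAt"])
    instance = _instance_id(finding)
    candidates = []
    for ev in events:
        if ev["EventName"] not in REMEDIATION_EVENTS:
            continue
        if not any(r["ResourceName"] == instance for r in ev["Resources"]):
            continue
        hours = (datetime.fromisoformat(ev["EventTime"]) - detected).total_seconds() / 3600
        if 0 <= hours <= window_hours:
            candidates.append((hours, ev))
    if not candidates:
        return None
    hours, ev = min(candidates, key=lambda c: c[0])
    return {"event": ev["EventName"], "by": ev["Username"], "at": ev["EventTime"],
            "hours_to_remediate": round(hours, 2)}


def cc68_evidence(findings, events):
    """Assemble the export: counts plus a per-High-finding remediation trail,
    with unremediated High findings called out explicitly."""
    trail = []
    for f in findings:
        if f["Severity"] < HIGH_SEVERITY:
            continue
        trail.append({"finding": f["Id"], "type": f["Type"], "instance": _instance_id(f),
                      "detected_at": f["CreatedAt"], "remediation": remediation_for(f, events)})
    return {"counts_by_type": dict(finding_counts(findings)),
            "high_findings": trail,
            "unremediated": [t["finding"] for t in trail if t["remediation"] is None]}


if __name__ == "__main__":
    import json
    print(json.dumps(cc68_evidence(FINDINGS, CLOUDTRAIL_EVENTS), indent=2))
```

Listing the unremediated findings yourself is deliberate: an auditor sampling High findings will find them anyway, and an export that already names them, with the ticket or exception attached, reads as a working process rather than a gap discovered during fieldwork.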

CC7.1: System Monitoring for Security Events

Security Hub is the aggregation layer for CC7.1 evidence. Security Hub collects findings from GuardDuty, Macie, Config, IAM Access Analyzer, and Inspector into a single view with a compliance score over time.

Specifically:

P6.1: Privacy — Sensitive Data Protection

Amazon Macie is purpose-built for P6.1 evidence. Macie performs automated sensitive data discovery across all S3 buckets, identifying PII, financial data, and credentials.

For P6.1 evidence:

  1. Export the Macie sensitive data finding count by finding type, bucket, and severity
  2. Show remediation actions for any finding where PII was found unexpectedly
  3. Export the S3 bucket inventory with Macie classification results — proves all buckets were in scope

Enable Macie’s Automated Sensitive Data Discovery mode (not just manual job runs). This runs continuously, ensuring there are no gaps in P6.1 coverage that point-in-time job runs would leave.

Making Evidence Collection Repeatable

Ad-hoc evidence collection doesn’t scale to annual audit cycles. Build repeatable exports:

  1. S3 bucket for audit evidence — Create a dedicated audit-evidence S3 bucket with versioning, MFA delete, and a lifecycle policy retaining objects for 7 years
  2. Monthly automated exports — Use EventBridge scheduled rules to trigger Lambda functions that export Security Hub summary reports, Config compliance snapshots, and GuardDuty finding statistics to the audit evidence bucket each month
  3. Tag all compliance artifacts — Tag every Config rule, GuardDuty detector, and Macie job with a soc2-criterion tag (for example soc2-criterion: CC6.1) so evidence is traceable to the specific criterion it satisfies

When the next audit starts, the evidence for the observation period is already in the bucket, organized by date and criterion. A 6-week evidence scramble becomes a 2-day review.
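The three steps above as one export routine. This is an added example, not the article's or CloudDefender's code: it lays objects out by criterion and month, tags each one with the soc2-criterion tag, writes a manifest of keys and SHA-256 hashes so the month's evidence set can be checked for completeness, and produces the 7-year lifecycle configuration for the bucket. In the monthly EventBridge -> Lambda flow the `put_object` argument would be boto3's `s3.put_object`; the RecordingS3 class stands in for that client so the file runs without AWS. The bucket name, key prefix and tag layout are assumptions for the example.

```python
"""Repeatable evidence export: storage layout, integrity manifest and
retention settings for the audit-evidence bucket.

Added example, not the article's code. RecordingS3 replaces the boto3 S3
client so this runs offline; bucket name and key layout are assumptions.
"""
import hashlib
import json
from datetime import datetime

EVIDENCE_BUCKET = "example-audit-evidence"   # assumed bucket name
RETENTION_DAYS = 7 * 366                      # 7 years, rounded up so leap years never shorten it


class RecordingS3:
    """Minimal stand-in for a boto3 S3 client: records put_object calls."""
    def __init__(self):
        self.calls = []

    def put_object(self, **kwargs):
        self.calls.append(kwargs)
        return {"ETag": '"constructed"'}


def evidence_key(criterion, artifact, period):
    """Key layout by criterion, then year/month: soc2/CC6.1/2024/03/config-compliance.json."""
    month = datetime.strptime(period, "%Y-%m")      # rejects anything that is not YYYY-MM
    return f"soc2/{criterion}/{month:%Y/%m}/{artifact}.json"


def write_evidence(put_object, criterion, artifact, period, payload, bucket=EVIDENCE_BUCKET):
    """Serialize one artifact deterministically, hash it, and store it with the
    soc2-criterion tag so the object is traceable to the criterion it satisfies."""
    body = json.dumps(payload, sort_keys=True, indent=2).encode()
    digest = hashlib.sha256(body).hexdigest()
    key = evidence_key(criterion, artifact, period)
    put_object(Bucket=bucket, Key=key, Body=body, ContentType="application/json",
               Tagging=f"soc2-criterion={criterion}&artifact={artifact}",
               Metadata={"sha256": digest})
    return {"key": key, "sha256": digest, "bytes": len(body)}


def monthly_export(put_object, period, reports, bucket=EVIDENCE_BUCKET):
    """reports maps criterion -> {artifact name -> payload}. Every artifact is
    written, then a manifest of keys and hashes is written alongside so an
    auditor can verify the month's set is complete and unaltered."""
    manifest = []
    for criterion, artifacts in reports.items():
        for artifact, payload in artifacts.items():
            manifest.append(write_evidence(put_object, criterion, artifact, period, payload, bucket))
    manifest_body = json.dumps({"period": period, "objects": manifest}, sort_keys=True).encode()
    put_object(Bucket=bucket, Key=f"soc2/manifest/{period}.json", Body=manifest_body,
               ContentType="application/json", Tagging="soc2-criterion=all&artifact=manifest")
    return manifest


def retention_lifecycle():
    """Lifecycle configuration for put_bucket_lifecycle_configuration: with
    versioning on, current and noncurrent versions are both kept for the
    retention period, and abandoned multipart uploads are cleaned up."""
    return {"Rules": [{
        "ID": "soc2-evidence-7y", "Status": "Enabled", "Filter": {"Prefix": "soc2/"},
        "Expiration": {"Days": RETENTION_DAYS},
        "NoncurrentVersionExpiration": {"NoncurrentDays": RETENTION_DAYS},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }]}


if __name__ == "__main__":
    s3 = RecordingS3()
    written = monthly_export(s3.put_object, "2024-03", {
        "CC6.1": {"config-compliance": {"compliant": 41, "non_compliant": 2}},
        "CC6.8": {"guardduty-findings": {"High": 1, "Low": 2}},
    })
    print(json.dumps(written, indent=2))
    print(json.dumps(retention_lifecycle(), indent=2))
```

Versioning and MFA delete protect the objects from being replaced or removed; the manifest's hashes are what let a reviewer confirm, a year later, that the object they are reading is the one the export wrote.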


CloudDefender maps all security findings and compliance posture data directly to SOC 2 Trust Services Criteria, generating audit-ready evidence exports that reduce annual audit prep from weeks to hours.
