AWS SOC 2 Compliance Checklist: A Detailed Guide

By Sabrina Lupșan
Wednesday, October 19, 2022

SOC 2 is a compliance standard that regulates the way data security is handled within B2B (business-to-business) organizations. SOC (Service and Organization Controls) 2 is an international standard developed by AICPA (The American Institute of Certified Public Accountants). 

In this article, we will look at the requirements your company needs to fulfill to obtain SOC 2 certification and how to implement them correctly in your AWS environment.

The requirements 

The rules within SOC 2 are grouped under 5 TSC (Trust Service Criteria):

  1. Security 
  2. Availability 
  3. Processing Integrity 
  4. Confidentiality 
  5. Privacy 

SOC 2 has 64 mandatory controls, grouped by the 5 TSC mentioned above. In this article, we will look at a few of the controls required, how to implement them in your AWS environment and how to check if your implementation is complete. 

A checklist 

Requires Additional Authentication or Credentials 

MFA (Multi-Factor Authentication) is a mechanism that adds additional steps to the authentication flow and requests supplementary credentials. These credentials can be: 

  • What you know (for example: a password) 
  • What you have (for example: a smart card) 
  • What you are (for example: a fingerprint) 

To fulfill this control, introduced under the “Security” section, you need to enable MFA when accessing the AWS Management Console. As a result, users will be prompted to enter their username and password (the first step, or first factor, of the authentication), and then a one-time code generated by or sent to their MFA device. A biometrics-enabled device or a FIDO2 security key can be used as the second factor instead.

You can configure MFA for IAM users or the AWS account root user. 

Steps to enable MFA in your AWS environment, according to the documentation:

  1. Install an authenticator app on your MFA device, or use a FIDO2 security key or a specialized hardware device such as a TOTP token.
  2. Register the MFA device from the AWS Management Console (if using an authenticator app, you can also use the AWS CLI or the AWS API).

If your company is using an external identity provider, you have to ensure that MFA is configured for access to the AWS console. 

Restricts Access 

This control, in the “Security” TSC, refers to restricting traffic to and from any cloud services and assets hosted in the cloud. This includes:

  • Closing unnecessarily open ports, 
  • Requiring authenticated access to services such as FTP, SMB, and others. 

To close an open port, follow these steps: 

  1. Log in to the AWS Management Console. 
  2. From the EC2 dashboard, on the left pane, click Security Groups. 
  3. For each security group, click the Inbound Rules tab, and remove the rules that allow access to the ports you want to close. Repeat the same for the Outbound Rules. 
  4. Remember to save the rules.
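Closing ports by hand is fine once, but the check needs repeating. The following is an added example (not code from the original article or from Cyscale) that audits the 0.0.0.0/0-to-port-22 condition from the checklist at the end of this article over a constructed, trimmed sample shaped like the output of `aws ec2 describe-security-groups`; it also catches IPv6 `::/0`, port ranges that contain 22, and "all traffic" rules. The function names are assumptions.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output,
# trimmed to the fields the check needs; not real account data.
SAMPLE_DESCRIBE_SGS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0ddd", "GroupName": "admin", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
]}
""")

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def rule_exposes_port(rule: dict, port: int) -> bool:
    """True if one inbound rule admits TCP `port` from the whole internet.
    IpProtocol "-1" means every protocol and port (no FromPort/ToPort keys);
    otherwise the rule covers the inclusive range FromPort..ToPort."""
    open_to_world = (
        any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
        or any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    )
    if not open_to_world:
        return False
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):  # "6" is TCP's protocol number
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def groups_exposing_port(describe_output: dict, port: int = 22) -> list:
    """GroupIds failing 'no security group allows ingress from 0.0.0.0/0 to `port`'."""
    return [sg["GroupId"] for sg in describe_output["SecurityGroups"]
            if any(rule_exposes_port(r, port) for r in sg.get("IpPermissions", []))]


if __name__ == "__main__":
    print("Groups exposing port 22:", groups_exposing_port(SAMPLE_DESCRIBE_SGS))
```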

Implements Boundary Protection Systems 

The third requirement we will analyze under the "Security" section of SOC 2 refers to the usage of firewalls, DMZs (Demilitarized Zones), IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), and others.

It is recommended that you secure your cloud infrastructure with these tools in order to limit traffic as much as possible and only allow access to resources when necessary.

To quickly deploy a firewall with AWS Network Firewall:

  • Log in to the AWS Management Console.
  • Open the Amazon VPC console, create a firewall subnet, and update your VPC route tables.
  • Configure the firewall policy from the Amazon VPC console navigation pane, under Network Firewall: choose Firewall policies and add the desired rules.

Creates and Maintains Records of System Storage Activities 

This control, located under the “Processing Integrity” criteria, checks if logging is implemented in your cloud environment.

By logging all user activities, you can: 

  • Observe misconfigurations,
  • Identify any suspicious behavior,
  • Detect malicious attacks.

To enable logging in your AWS infrastructure, you can use Amazon CloudTrail. This service records the API calls and account activity performed in your cloud environment.

Amazon CloudTrail can be used together with Amazon CloudWatch to extend monitoring to applications and cloud assets and to analyze their health. 

Amazon CloudTrail event history is enabled by default in your AWS account; to retain the logs and cover every region, create a trail.

Protects Encryption Keys 

Encryption is essential to ensure confidentiality of data. In the “Confidentiality” section of SOC 2, we have controls for both encryption and key management.

If key management is neglected, then encryption becomes useless. Keys must be generated, stored, used and destroyed safely to protect your data. 

Amazon offers a complete solution for proper key management. AWS KMS (AWS Key Management Service) helps you properly deal with all of the processes in a cryptographic key’s lifecycle.

According to AWS, this service can be used:  

  • Through the AWS Management Console,  
  • Using the AWS KMS APIs. 

Finally, check your implementations 

Besides the controls presented in this article, there are many more. 

Although so many requirements can quickly become overwhelming, Cyscale can help you easily keep track of what you’ve correctly implemented and what requires your attention on our SOC 2 compliance page. 

Many technical controls in Cyscale can be mapped to SOC 2 controls to provide visibility in your cloud environment and prove compliance. 

A few examples of controls that apply to the presented requirements (and more) are: 

  • Ensure all users have MFA configured. 
  • Ensure CloudTrail is enabled in all regions. 
  • Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (SSH). 
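The first two checks above, implemented as an added example that is not code from the original article or from Cyscale's product. It runs over constructed samples shaped like the IAM credential report (`aws iam get-credential-report`, decoded, trimmed to the columns used) and `aws cloudtrail describe-trails` output, plus an assumed dictionary of per-trail `IsLogging` values as returned by `get-trail-status`; the function names are assumptions.

```python
import csv
import io
import json

# Constructed, trimmed sample shaped like the IAM credential report CSV;
# not real account data. The root row reports password_enabled as
# "not_supported", which is how the real report renders it.
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false
"""

# Constructed sample shaped like `aws cloudtrail describe-trails` output.
SAMPLE_DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "eu-only", "HomeRegion": "eu-west-1",
   "IsMultiRegionTrail": false, "S3BucketName": "logs-eu"},
  {"Name": "org-trail", "HomeRegion": "us-east-1",
   "IsMultiRegionTrail": true, "S3BucketName": "logs-all"}
]}
""")


def users_without_mfa(report_csv: str) -> list:
    """Console users (and the root account) whose mfa_active is not 'true'.
    Access-key-only users have no console password, so they are skipped."""
    missing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"  # always has a password
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            missing.append(row["user"])
    return missing


def multi_region_trails(describe_output: dict, logging_status: dict) -> list:
    """Trails that cover all regions AND are currently logging.
    logging_status maps trail name -> IsLogging (assumed collected per trail
    from get-trail-status); a stopped multi-region trail does not count."""
    return [t["Name"] for t in describe_output["trailList"]
            if t.get("IsMultiRegionTrail") and logging_status.get(t["Name"], False)]


if __name__ == "__main__":
    status = {"eu-only": True, "org-trail": True}  # constructed get-trail-status results
    print("Users missing MFA:", users_without_mfa(SAMPLE_CREDENTIAL_REPORT))
    print("All-region trails logging:", multi_region_trails(SAMPLE_DESCRIBE_TRAILS, status))
```

The "CloudTrail enabled in all regions" check passes when `multi_region_trails` returns at least one name.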
