SOC 2 controls covered by connecting AWS

The following SOC 2 controls are automatically covered by connecting your AWS account:

  • The company maintains a list of system components, owners, and their business function.
  • The company uses logging and monitoring software to collect data from servers and endpoints, detect potential security threats and unusual system activity, and monitor system performance.
  • The company uses alerting software to notify impacted teams of potential security and availability events.
  • Production infrastructure is restricted to users with a unique account, SSH key or access key.
  • Administrative access to production servers, databases, and internal administrative tools is restricted based on the principle of least privilege. Internal user access to systems and applications with customer data requires two-factor authentication in the form of a user ID/password and a one-time passcode.
  • Passwords are required to meet a minimum length.
  • Users are assigned unique IDs to access sensitive information.
  • Service data is encrypted at rest and in transit.
  • Encryption is used to protect the transmission of data over the internet.
  • System tools monitor company load balancers and notify the appropriate personnel of any events or outages based on predetermined criteria. Any issues are tracked through resolution in accordance with the Incident Response Plan.
  • The system is configured to operate across availability zones to support continuous availability.
  • Physical security controls are inherited via AWS.
  • Full backups are performed daily and retained in accordance with the Backup Policy.
  • If you use AWS GuardDuty, threat management is installed on susceptible endpoints that can access the production environment.
  • Management has implemented intrusion prevention and detection tools to monitor network traffic to the production environment.
  • Firewall configurations and security groups ensure available networking ports and protocols are restricted according to the approved business rules.
  • If you use AWS Inspector, internal vulnerability scanning is performed on production infrastructure and your company remediates any deficiencies in a timely manner.
