SOC 2
Best for: Any technology or cloud service provider that handles customer data and needs to prove its security posture to enterprise buyers. SaaS companies, managed service providers, data centers, and IT outsourcing firms run into SOC 2 requirements during sales cycles. There is no revenue or size threshold; even a five-person startup selling to a Fortune 500 will be asked for a SOC 2 Type II report.
| Mandatory? | Voluntary; in practice required by enterprise procurement |
| Who validates? | Licensed CPA firm (SSAE 18) · No self-assessment |
| Renewal | Typically annual |
| Observation period | Type II: 3–12 months (Type I is a point-in-time assessment) |
Source: American Institute of Certified Public Accountants (AICPA) · 2017 TSC (2022 revised points of focus) · Official source
Get Started
module "..." {
  source  = "soc2.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Encryption at Rest: Covers encryption configuration across API Gateway caches, Backup recovery points, and CloudFront distributions. Any service where encryption is available but not enabled will surface as a finding.
- Encryption in Transit: Checks CloudFront distribution TLS enforcement and field-level encryption settings, including whether HTTPS is required and HTTP-to-HTTPS redirect policies are in place.
- Audit Logging: Covers 11 controls across CloudTrail (multi-region trail, S3 data events for both read and write), API Gateway stage logging, AppSync field-level logging, Athena workgroup logging, Bedrock invocation logging, and CloudFront access logging.
- Backup and Recovery: Confirms backup plans exist in configured regions, enforces minimum 35-day retention, validates deletion protection on recovery points, and checks that individual recovery points meet retention requirements.
- Certificate Management: Flags ACM certificates expiring within 30 days so teams can renew before expiration triggers an availability or security event.
What you handle
- Encryption at Rest: Your encryption policy document, KMS key rotation schedules, and ensuring your encryption standards are reflected accurately in the SOC 2 system description.
- Encryption in Transit: TLS version floor decisions (e.g., requiring TLS 1.2 minimum), custom SSL certificate management, and documenting encryption-in-transit requirements in vendor agreements.
- Audit Logging: Log review cadence, SIEM integration, alert tuning, and demonstrating to the auditor that logs are reviewed on a defined schedule. Evidence of actual review is what assessors ask for.
- Backup and Recovery: RPO and RTO definitions, annual restoration testing, documented recovery procedures, and mapping backup coverage to the commitments stated in your system description.
- Certificate Management: A certificate lifecycle management process, ownership assignment for renewals, and tracking any certificates issued outside ACM.
Controls by Category
Data Retention and Backup (A1.2, A1.3) (1 control)
Evidence here centers on backup plan configuration and regional coverage. Assessors want to see plans covering all in-scope systems with retention periods that match the organization's stated commitments, deletion protections on recovery points, and backup jobs running in every region where workloads operate. The typical gap: backups are configured in the primary region but absent from disaster recovery regions.
Encryption and Data Protection (CC6.1, CC6.7, C1.1) (3 controls)
The most common finding in this category is selective encryption: some services are protected while adjacent components like API Gateway caches are left in plaintext. Assessors check TLS enforcement across all in-scope endpoints, key management practices, and whether default encryption settings are actually applied to caches and storage throughout the environment.
Logging and Monitoring (CC7.1, CC7.2, CC7.3) (4 controls)
This category draws the most scrutiny. Auditors verify that logging is enabled across all in-scope services, that logs are retained for the full review period, and that someone actually reviews them. They check CloudTrail coverage across all regions (not just the primary region), S3 data event logging for both reads and writes, and evidence of log integrity controls. Gaps for newer services like Bedrock are a frequent deficiency, particularly when teams added those services mid-period.
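The automated checks in the "What Compliance.tf automates" list above and the CloudTrail points in this paragraph (multi-region coverage, S3 data events for both reads and writes, 35-day backup retention per region, ACM certificates within 30 days of expiry) boil down to a few assertions over AWS API output. The following is an added example in Python, not Compliance.tf code and not anything the page shows; the input dictionaries are constructed here and are assumed to follow the shape of boto3 responses (describe_trails, get_event_selectors, get_backup_plan, describe_certificate). Basic event selectors only are handled; advanced event selectors are not.

```python
"""Illustrative SOC 2 evidence checks over AWS API-shaped data (added example).

All inputs are constructed below; field names mirror boto3 response shapes as
an assumption and should be verified against real API output before use.
"""
from datetime import datetime, timedelta, timezone

MIN_BACKUP_RETENTION_DAYS = 35  # minimum retention the page states
CERT_EXPIRY_WARN_DAYS = 30      # warning window the page states


def check_cloudtrail(trails, selectors_by_trail):
    """CC7.x: at least one multi-region trail must log S3 object data events
    for reads AND writes. Returns a list of finding strings (empty = pass)."""
    findings = []
    multi = [t for t in trails if t.get("IsMultiRegionTrail")]
    if not multi:
        findings.append("CloudTrail: no multi-region trail configured")
    covered = set()  # access types any multi-region trail records for S3 objects
    for trail in multi:
        for sel in selectors_by_trail.get(trail["Name"], []):
            logs_s3 = any(r.get("Type") == "AWS::S3::Object"
                          for r in sel.get("DataResources", []))
            if not logs_s3:
                continue
            rw = sel.get("ReadWriteType", "All")  # ReadOnly | WriteOnly | All
            if rw in ("All", "ReadOnly"):
                covered.add("read")
            if rw in ("All", "WriteOnly"):
                covered.add("write")
    missing = {"read", "write"} - covered
    if multi and missing:
        findings.append("CloudTrail: S3 data events not logged for "
                        f"{sorted(missing)} on any multi-region trail")
    return findings


def check_backups(plans_by_region, workload_regions):
    """A1.2/A1.3: a backup plan in every workload region, and every rule
    retaining recovery points for at least MIN_BACKUP_RETENTION_DAYS."""
    findings = []
    for region in sorted(set(workload_regions) - set(plans_by_region)):
        findings.append(f"Backup: no backup plan in workload region {region}")
    for region, plan in plans_by_region.items():
        for rule in plan["BackupPlan"]["Rules"]:
            # No Lifecycle / DeleteAfterDays means recovery points are kept indefinitely.
            keep = rule.get("Lifecycle", {}).get("DeleteAfterDays")
            if keep is not None and keep < MIN_BACKUP_RETENTION_DAYS:
                findings.append(f"Backup: rule {rule['RuleName']} in {region} "
                                f"retains {keep} days (< {MIN_BACKUP_RETENTION_DAYS})")
    return findings


def check_certificates(certs, now):
    """Flag ACM certificates whose NotAfter is within CERT_EXPIRY_WARN_DAYS of `now`."""
    findings = []
    for cert in certs:
        c = cert["Certificate"]
        days_left = (c["NotAfter"] - now).days
        if days_left < CERT_EXPIRY_WARN_DAYS:
            findings.append(f"ACM: {c['DomainName']} expires in {days_left} days")
    return findings


# ---- constructed sample inputs (not real account data) ----
TRAILS = [{"Name": "org-trail", "IsMultiRegionTrail": True},
          {"Name": "legacy-us-east-1", "IsMultiRegionTrail": False}]
# The only multi-region trail logs S3 writes but not reads: a typical gap.
SELECTORS = {"org-trail": [{"ReadWriteType": "WriteOnly",
                            "DataResources": [{"Type": "AWS::S3::Object",
                                               "Values": ["arn:aws:s3"]}]}]}
BACKUP_PLANS = {"us-east-1": {"BackupPlan": {"Rules": [
    {"RuleName": "daily", "Lifecycle": {"DeleteAfterDays": 35}},
    {"RuleName": "hourly", "Lifecycle": {"DeleteAfterDays": 7}}]}}}
WORKLOAD_REGIONS = ["us-east-1", "us-west-2"]  # DR region has no plan
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
CERTS = [{"Certificate": {"DomainName": "api.example.com", "NotAfter": NOW + timedelta(days=12)}},
         {"Certificate": {"DomainName": "www.example.com", "NotAfter": NOW + timedelta(days=200)}}]


def run_all():
    """Run every check over the sample inputs and return all findings."""
    return (check_cloudtrail(TRAILS, SELECTORS)
            + check_backups(BACKUP_PLANS, WORKLOAD_REGIONS)
            + check_certificates(CERTS, NOW))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Each function returns findings rather than printing them so the same logic can feed a ticketing or evidence-collection pipeline; the sample data is deliberately seeded with the three gaps the page calls out (write-only S3 data events, a missing DR-region backup plan, and a short-retention rule) plus one certificate inside the 30-day window.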
Additional Controls (103)
AWS CloudTrail (4)
AWS CodeBuild (1)
AWS Database Migration Service (2)
AWS Lambda (3)
AWS Step Functions (1)
Amazon CloudWatch (3)
Amazon CloudWatch Logs (1)
Amazon DynamoDB (3)
Amazon DynamoDB Accelerator (1)
Amazon EBS (3)
Amazon EC2 (8)
Amazon ElastiCache (2)
Amazon Kinesis (3)
Amazon Neptune (1)
Amazon OpenSearch Service (2)
Amazon RDS (17)
Amazon Redshift (6)
Amazon S3 (15)
Amazon SageMaker (3)
Amazon VPC (2)
Elastic Load Balancing (3)
Other (10)
Related Frameworks
NIST 800-53 Rev 5 – High overlap (65%)
The SOC 2 Trust Services Criteria map extensively to NIST 800-53 control families. AICPA published an official mapping between TSC points of focus and NIST 800-53 controls. Organizations with an existing NIST 800-53 program will find significant reuse, particularly in the AU (Audit and Accountability), SC (System and Communications Protection), and CP (Contingency Planning) families.
ISO 27001 – High overlap (60%)
Both frameworks address information security management but differ in structure. ISO 27001 requires a formal ISMS with Annex A controls, while SOC 2 evaluates controls against Trust Services Criteria. Many organizations pursue both, using ISO 27001 for international markets and SOC 2 for North American enterprise buyers.
HIPAA – Medium overlap (35%)
SOC 2 reports can include HIPAA-relevant criteria, and the AICPA offers a SOC 2 + HIPAA combined report option. The overlap is strongest in the Security and Confidentiality categories. HIPAA adds requirements around PHI-specific safeguards and breach notification that SOC 2 does not cover on its own.