SOC 2 Overview
Cloud service providers including Amazon Web Services (AWS) provide a number of security attestations and certifications that AWS clients are able to take advantage of. One of the attestations provided by AWS is a SOC 2 report, alongside SOC 1 and SOC 3 reports.
A SOC 2 report is a third-party report designed to provide assurance about the effectiveness of controls as they relate to security, availability, processing integrity, confidentiality, and privacy. For cloud platforms such as AWS, this report provides cloud customers with independent validation that the cloud provider operates the series of controls required under the SOC 2 framework.
Companies building applications and infrastructure in AWS can leverage Amazon’s SOC 2 report as security validation for their cloud service provider and can work to independently achieve SOC 2 certification for their organization.
AWS SOC 1, SOC 2, and SOC 3 Security Program
AWS issues SOC 1, SOC 2, and SOC 3 reports twice a year, each covering a six-month period. AWS SOC reports apply to a wide range of AWS services; AWS publishes the list of services in scope for its SOC reports. AWS SOC reports detail the following topics:
SOC 1: A description of the AWS control environment and external audit of AWS defined controls and objectives
SOC 2: Security, Availability & Confidentiality: A description of the AWS controls environment and external audit of AWS controls that meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria
SOC 2: Privacy: A description of the AWS controls environment and external audit of AWS controls that meet the AICPA Trust Services Privacy Principle and Criteria
SOC 3: Security, Availability & Confidentiality: Public facing report demonstrating AWS has met the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria
Available AWS SOC Reports
When completing a security assessment, HIPAA risk assessment, or similar, organizations may ask for a copy of the latest SOC reports from partners and vendors. AWS customers inherit Amazon's SOC reports when utilizing AWS services within the scope of SOC.
The following SOC reports are available from Amazon Web Services:
AWS SOC 1 Report, available to AWS customers from AWS Artifact.
AWS SOC 2 Security, Availability & Confidentiality Report, available to AWS customers from AWS Artifact.
AWS SOC 2 Security, Availability & Confidentiality Report, available to AWS customers from AWS Artifact (scope includes Amazon DocumentDB only).
AWS SOC 2 Privacy Type I Report, available to AWS customers from AWS Artifact.
AWS SOC 3 Security, Availability & Confidentiality Report, publicly available as a whitepaper.
Does AWS Make My Team SOC 2 Compliant?
Although AWS provides a SOC 2 report to cloud customers, it is important to note that this report does not automatically make your organization SOC 2 compliant or SOC 2 certified.
While AWS does provide your team with a number of inherited controls that map to SOC 2 criteria, for your organization to become SOC 2 compliant your team must go through an independent SOC 2 audit and receive your own SOC 2 report.
Your team must have a security program that addresses all necessary controls under the SOC 2 Trust Services Criteria. A SOC 2 report should address all applicable SOC 2 criteria as they relate to your organization, independent of AWS.
Steps to Achieving SOC 2 Compliance
In order to achieve SOC 2 compliance in AWS, your team should take the following steps:
Prepare Security Program
Organizations should establish a security program that addresses SOC 2 Trust Services criteria. Teams should develop administrative policies, implement technical controls, and gather all security evidence and documentation to prepare for an audit.
- Define administrative security policies
- Set AWS security controls based on policies
- Gather cloud provider documents (SOC 2 Report, BAA, SLAs)
- Gather vendor and third-party agreements
Dash makes it easy for teams to build and maintain a SOC 2 compliance program in AWS; learn how your team can prepare for and achieve SOC 2 certification.
Perform A SOC 2 Audit
Organizations must engage a third-party audit firm to perform a SOC 2 audit. Teams should consider selecting a reputable firm that has worked with similar clients and has relevant security expertise. You may also consider reading our guide to preparing for a SOC 2 audit.
- For SOC 2 Type 2, an auditor tests the effectiveness of internal controls over a 12-month period. Teams should have security controls enabled and enforced across their cloud environment for the whole period.
- Teams should be prepared to provide evidence for security configuration such as encryption, access control, backup and disaster recovery, audit logging, and intrusion detection systems.
Maintain SOC 2 Controls
After receiving a SOC 2 report, organizations should continue to maintain SOC 2 controls. Teams must complete a SOC 2 audit every year in order to stay current with their SOC 2 report. For teams utilizing AWS, this means enforcing cloud security controls such as:
- Encrypting data "at rest" and "in transit"
- Backing up data across regions and availability zones (AZs)
- Enabling audit logging across VPCs, hosts, and other cloud resources
- Reviewing and monitoring IAM users, permissions, and roles
- Implementing intrusion detection with a service such as AWS GuardDuty
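As an added example (not code from Dash or AWS), the following Python check evaluates an account inventory against the evidence and control points listed in the two sections above: encryption at rest, backups, audit logging, IAM review, and GuardDuty. Field names follow the shapes of the corresponding AWS API responses and the IAM credential report; the inventory itself, the thresholds, and the "current" timestamp are constructed assumptions so it runs offline.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed clock for a deterministic stale-key check


def evaluate_controls(inv, now=NOW, max_key_age_days=90, min_backup_days=7):
    """Return one finding per failed control; an empty list means every listed control passed."""
    findings = []
    for db in inv["rds"]:  # shape of describe_db_instances()["DBInstances"]
        ident = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted"):  # encryption at rest
            findings.append(f"rds/{ident}: storage not encrypted")
        if db.get("BackupRetentionPeriod", 0) < min_backup_days or not db.get("MultiAZ"):
            findings.append(f"rds/{ident}: backups <{min_backup_days} days or single-AZ")
    for name, cfg in inv["s3"].items():  # shape of get_bucket_encryption(); {} means no config
        rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
            findings.append(f"s3/{name}: no default encryption rule")
    trails = inv["cloudtrail"]["trailList"]  # shape of describe_trails()
    if not any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled") for t in trails):
        findings.append("cloudtrail: no multi-region trail with log file validation")
    for row in inv["iam_credential_report"]:  # rows of the IAM credential report CSV
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"iam/{row['user']}: console access without MFA")
        if row["access_key_1_active"] == "true":
            last_used = datetime.fromisoformat(row["access_key_1_last_used_date"])
            if now - last_used > timedelta(days=max_key_age_days):
                findings.append(f"iam/{row['user']}: access key unused for >{max_key_age_days} days")
    if not any(d.get("Status") == "ENABLED" for d in inv["guardduty"]):  # shape of get_detector()
        findings.append("guardduty: no enabled detector")
    return findings


# Constructed sample inventory in AWS API response shapes; not data from a real account.
SAMPLE_INVENTORY = {
    "rds": [
        {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True, "MultiAZ": True, "BackupRetentionPeriod": 14},
        {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False, "MultiAZ": False, "BackupRetentionPeriod": 0},
    ],
    "s3": {
        "app-logs": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        "scratch": {},  # bucket with no default encryption configured
    },
    "cloudtrail": {"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}]},
    "iam_credential_report": [
        {"user": "alice", "password_enabled": "true", "mfa_active": "true", "access_key_1_active": "false", "access_key_1_last_used_date": "N/A"},
        {"user": "bob", "password_enabled": "true", "mfa_active": "false", "access_key_1_active": "false", "access_key_1_last_used_date": "N/A"},
        {"user": "deploy-bot", "password_enabled": "false", "mfa_active": "false", "access_key_1_active": "true", "access_key_1_last_used_date": "2023-09-01T10:00:00+00:00"},
    ],
    "guardduty": [{"DetectorId": "example-detector-id", "Status": "ENABLED"}],
}
```

Running `evaluate_controls(SAMPLE_INVENTORY)` on this sample reports five gaps (the unencrypted, unbacked-up `legacy-db`, the unencrypted `scratch` bucket, `bob` without MFA, and the stale `deploy-bot` key); each finding is the kind of item an auditor would expect to see tracked and remediated as continuous-monitoring evidence.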
Developing SOC 2 Controls in AWS
While achieving SOC 2 certification may appear daunting, your team can take concrete steps to implement the necessary security controls and achieve SOC 2 compliance in AWS.
Learn how Dash ComplyOps can help your team prepare for and achieve SOC 2 certification in the cloud.
- Use Dash to create custom administrative policies built around your organization and AWS cloud environment.
- Enforce policy standards and SOC 2 security controls through Dash continuous compliance monitoring.
- Gather SOC 2 security evidence and create reports to simplify auditing and security evaluation.
- Work with an audit partner to complete a SOC 2 audit and achieve SOC 2 certification.