SOC 2 · Trust Services Criteria · AICPA

SOC 2 Type II on AWS — From Procurement Block to Signed Audit

Enterprise procurement asks for SOC 2 Type II in two minutes and waits six months for it. We build the AWS-native control set, evidence pipeline, and CPA-firm-ready package so the audit window is the only thing on the critical path.

Framework
Service Organization Control 2 — Type II
Version
AICPA Trust Services Criteria 2017 (amended 2022) — CC1.x through CC9.x; optional Availability, Processing Integrity, Confidentiality, Privacy categories
Regulator
American Institute of Certified Public Accountants (AICPA)
Assessor type
Licensed CPA firm — must be AICPA-member; SOC 2 Type II requires a 3–12 month observation window

Scope: Any service organization that processes customer data — typical for B2B SaaS, fintech, healthtech, and enterprise platforms.

Part of the AWS Security & Compliance hub.

Who needs this

Teams that typically engage on SOC 2 Type II on AWS

B2B SaaS founders blocked by enterprise procurement gates that require SOC 2 Type II

Series B+ startups expanding into Fortune 500 deals

Platform companies that have a SOC 2 Type I and now need Type II for renewal

Multi-product companies adding new SaaS lines under an existing SOC 2 report

Shared Responsibility

AWS Shared Responsibility for SOC 2 Type II on AWS

What AWS does, what you do, and where the line moves under this specific framework.

AWS owns

  • AWS publishes its own SOC 1, SOC 2, and SOC 3 reports through AWS Artifact — covering AWS infrastructure controls
  • AWS-side controls (physical security, hypervisor, host OS, managed-service operations) inherit into your SOC 2 via the Carve-Out Method (most common) or Inclusive Method
  • AWS attests annually under AICPA Trust Services Criteria — your auditor accepts the AWS SOC 2 report as evidence for inherited controls

Joint

  • Change management — AWS provides CloudFormation/CodePipeline; you define the SDLC
  • Vendor management — AWS provides Artifact; you maintain the third-party register
  • Backup and recovery — AWS provides Backup; you define RPO/RTO and test

You own

  • CC1 Control environment — board oversight, code of conduct, organizational structure
  • CC2 Communication and information — internal communication, customer notifications
  • CC3 Risk assessment — annual risk register, threat modelling, fraud risk
  • CC4 Monitoring activities — Security Hub findings review, internal audit, deficiency tracking
  • CC5 Control activities — IAM policies, code review, segregation of duties
  • CC6 Logical and physical access controls — IAM Identity Center, MFA, least privilege
  • CC7 System operations — vulnerability management (Amazon Inspector), incident response, change management
  • CC8 Change management — CodePipeline approval gates, IaC peer review, deployment audit trail
  • CC9 Risk mitigation — vendor risk, business continuity, insurance

Control-by-control AWS implementation

Each control mapped to the AWS service that satisfies it

Excerpts from the full control matrix we deliver in the engagement. Not exhaustive — your audit scope drives the final mapping.

CC6 — Logical and Physical Access Controls

CC6 is the largest single category in SOC 2 audits and where most SaaS companies fail their first attempt. AWS-native services map cleanly onto it once they are configured correctly.

CC6.1

Logical access security software, infrastructure, and architectures

AWS services
IAM Identity Center · AWS IAM · IAM Access Analyzer · Service Control Policies

Federated workforce SSO via Okta/Entra ID; SCPs as preventive guardrails; Access Analyzer findings auto-remediated.

CC6.2

Authorize, modify, or remove access

AWS services
IAM Identity Center SCIM · AWS Organizations · CloudTrail

SCIM provisioning from IdP — leavers removed within 24 hours of HR offboarding event; CloudTrail proves the timeline.
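The CC6.2 evidence described above, as an added example that is not part of this page's engagement deliverables: it pairs a constructed HR offboarding export with constructed CloudTrail-style records and reports, per leaver, whether the Identity Center deletion landed within the 24-hour target. The `sso-directory.amazonaws.com` event source, the `DeleteUser` event name and the `requestParameters.userName` field are assumptions about how the SCIM-driven deletion is logged; confirm them against your own trail.

```python
from datetime import datetime, timedelta, timezone

# Constructed HR offboarding export (hypothetical shape: user principal name + HR event time).
HR_OFFBOARDING = [
    {"user": "alice@example.com", "offboarded_at": "2026-03-02T09:15:00Z"},
    {"user": "bob@example.com",   "offboarded_at": "2026-03-03T17:40:00Z"},
    {"user": "carol@example.com", "offboarded_at": "2026-03-05T08:00:00Z"},
]

# Constructed CloudTrail-style records. The eventSource/eventName values and the
# requestParameters shape are assumptions about how SCIM-driven Identity Center
# deletions are logged; verify against a real trail before relying on them.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2026-03-02T11:02:13Z", "eventSource": "sso-directory.amazonaws.com",
     "eventName": "DeleteUser", "requestParameters": {"userName": "alice@example.com"}},
    {"eventTime": "2026-03-05T10:00:00Z", "eventSource": "sso-directory.amazonaws.com",
     "eventName": "DeleteUser", "requestParameters": {"userName": "bob@example.com"}},
    {"eventTime": "2026-03-05T09:30:00Z", "eventSource": "sso-directory.amazonaws.com",
     "eventName": "UpdateUser", "requestParameters": {"userName": "carol@example.com"}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def removal_times(records):
    """Earliest DeleteUser time per user from the identity-store event source; other events are ignored."""
    out = {}
    for r in records:
        if r["eventSource"] == "sso-directory.amazonaws.com" and r["eventName"] == "DeleteUser":
            u, t = r["requestParameters"]["userName"], _ts(r["eventTime"])
            out[u] = min(t, out.get(u, t))
    return out

def offboarding_sla_report(hr_events, records, sla_hours=24):
    """One row per leaver: removal time seen in CloudTrail, elapsed hours, and the SLA verdict.
    A leaver with no DeleteUser record at all is reported as removed_at=None and outside the SLA."""
    removed = removal_times(records)
    report = []
    for e in hr_events:
        start, done = _ts(e["offboarded_at"]), removed.get(e["user"])
        row = {"user": e["user"], "removed_at": done, "hours": None, "within_sla": False}
        if done is not None:
            elapsed = done - start  # negative means removed before HR logged the leaver, which still passes
            row["hours"] = round(elapsed.total_seconds() / 3600, 2)
            row["within_sla"] = elapsed <= timedelta(hours=sla_hours)
        report.append(row)
    return report
```

Rows with `within_sla` false are the exceptions the auditor will sample, so keep the management response for each alongside the report.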

CC6.6

Logical access security measures

AWS services
MFA (hardware + virtual) · Cognito MFA · IAM Identity Center MFA enforcement

MFA required on every console session; phishing-resistant FIDO2 keys recommended for break-glass accounts.

CC6.7

Restrict the transmission of information

AWS services
VPC Endpoints · PrivateLink · TLS 1.2+ enforcement · AWS Network Firewall

No regulated data over public internet between AWS services; egress filtering via Network Firewall.

CC6.8

Prevention of unauthorized or malicious software

AWS services
GuardDuty Malware Protection · Amazon Inspector · AWS Signer

Agentless malware scanning on EBS; container image and Lambda code scanning; signed deployments.

CC7 — System Operations

CC7 covers detection, monitoring, and incident response — AWS-native is strong here.

CC7.1

Detect and monitor system components

AWS services
Security Hub Essentials · GuardDuty · Config · CloudWatch

Security Hub aggregates findings; Config conformance pack tracks SOC 2-relevant rules; alerting via EventBridge.

CC7.2

Monitor for and detect anomalies

AWS services
GuardDuty (CloudTrail, VPC, EKS, S3, RDS, Lambda, EC2 Runtime) · CloudWatch Anomaly Detection

Behavioral threat detection across the AWS estate; anomalies fed into incident response runbook.

CC7.3

Evaluate security events and respond

AWS services
Security Hub automation rules · EventBridge · Step Functions · Systems Manager Incident Manager

Pre-built runbooks for credential exfiltration, S3 public exposure, IAM privilege escalation; documented in evidence package.

CC7.4

Respond to identified security incidents

AWS services
Detective · CloudTrail Lake · Security Lake (OCSF)

Detective for forensic graph; CloudTrail Lake for SQL queries over historical events; Security Lake for OCSF normalization.

CC7.5

Recover from identified security incidents

AWS services
AWS Backup · AWS Elastic Disaster Recovery · Pilot Light / Warm Standby patterns

Quarterly DR testing documented; backup vault locks prevent ransomware encryption of backups.

Evidence pipeline

How SOC 2 Type II on AWS evidence flows continuously

AWS Audit Manager closed to new customers on 30 April 2026; the pipeline below is what we now ship in its place.

AWS Config conformance pack — SOC 2

The AWS-published Operational Best Practices for AICPA SOC 2 conformance pack, deployed organization-wide via CloudFormation StackSets.

Security Hub Essentials

AWS Foundational Security Best Practices standard — most SOC 2 CC controls have a 1:1 finding mapping.

CloudTrail Lake

Auditable event store with SQL queries — observation-period evidence for the Type II audit window.

GRC tool integration

Vanta, Drata, or Secureframe wired to AWS read-only — control evidence dashboard your CPA firm logs into directly.

Engagement timeline

What you get, week by week

Date-bound engagement, not an open-ended retainer. Deliverables are itemised in the SOW.

1. Weeks 1–2 — Readiness Assessment
  • TSC scope decision — Security only, or Security + Availability + Confidentiality (most common SaaS scope)
  • Control gap matrix mapped to CC1–CC9
  • Inherited-control mapping to AWS SOC 2 (Carve-Out Method)
2. Weeks 3–8 — Control Implementation
  • AWS-native control deployment (Security Hub, Config, GuardDuty, IAM Identity Center)
  • Policy library — Information Security, Access Control, Change Management, Incident Response, Business Continuity, Vendor Management
  • GRC tool wired to AWS — Vanta/Drata/Secureframe collecting evidence
3. Months 3–12 — Type II Observation Window (3–12 months)
  • Continuous control operation — typically 6 months for first Type II, 12 months for renewals
  • Quarterly internal audit and findings register
  • Evidence sampling for the CPA firm — pulled directly from GRC tool
4. Audit + Report — 4–8 weeks
  • CPA firm fieldwork — typically 4–6 weeks
  • Management response to any deficiencies
  • Final SOC 2 Type II report — distributable under NDA to your enterprise prospects
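The observation-window evidence that step 3 above and the Config conformance pack feed, as an added example rather than the engagement's own tooling: daily Config rule compliance snapshots (constructed) are mapped to Trust Services Criteria (the rule-to-criterion mapping is an assumption for illustration), and each criterion is judged to have operated effectively only if the whole window shows no non-compliant day and no day without an evaluation. A missing day is treated as an evidence gap, not a pass, because the auditor cannot sample what was never recorded.

```python
from datetime import date, timedelta

# Constructed mapping from AWS Config managed rules to Common Criteria; an assumption for
# this example, since the conformance pack and your auditor fix the real mapping.
RULE_TO_CC = {
    "iam-user-mfa-enabled": "CC6.6",
    "cloudtrail-enabled": "CC7.1",
    "guardduty-enabled-centralized": "CC7.2",
}

# Constructed daily compliance snapshots per rule: ISO date -> Config compliance type.
SNAPSHOTS = {
    "iam-user-mfa-enabled": {"2026-01-01": "COMPLIANT", "2026-01-02": "COMPLIANT",
                             "2026-01-03": "COMPLIANT", "2026-01-04": "COMPLIANT"},
    "cloudtrail-enabled": {"2026-01-01": "COMPLIANT", "2026-01-02": "NON_COMPLIANT",  # trail off for a day
                           "2026-01-03": "COMPLIANT", "2026-01-04": "COMPLIANT"},
    # 2026-01-03 is absent below: no evaluation was recorded, which is an evidence gap, not a pass
    "guardduty-enabled-centralized": {"2026-01-01": "COMPLIANT", "2026-01-02": "COMPLIANT",
                                      "2026-01-04": "COMPLIANT"},
}

def window_days(start, end):
    """Yield every ISO date from start to end inclusive (the observation window)."""
    d, last = date.fromisoformat(start), date.fromisoformat(end)
    while d <= last:
        yield d.isoformat()
        d += timedelta(days=1)

def observation_window_report(snapshots, rule_to_cc, start, end):
    """Per criterion: the days the mapped rule was NON_COMPLIANT, the days with no evaluation,
    and an operated_effectively verdict that requires both lists to be empty."""
    days = list(window_days(start, end))
    report = {}
    for rule, cc in rule_to_cc.items():
        seen = snapshots.get(rule, {})
        failed = [d for d in days if seen.get(d) == "NON_COMPLIANT"]
        missing = [d for d in days if d not in seen]
        report[cc] = {"rule": rule, "non_compliant_days": failed, "missing_days": missing,
                      "operated_effectively": not failed and not missing}
    return report
```

Every criterion with a non-empty `non_compliant_days` or `missing_days` list becomes an exception that needs a documented cause and management response before fieldwork.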

FAQ

Frequently asked questions about SOC 2 Type II on AWS

The questions buyers ask before signing — assessor type, timeline, cost, and AWS-specific scope.

Type I vs Type II — which do we need?
Type I attests that controls are designed correctly at a point in time. Type II attests that controls operated effectively over a period — typically 6 months minimum for the first audit, 12 months for renewals. Enterprise procurement almost universally requires Type II; Type I is a useful intermediate signal during the first observation window. Plan to run Type II from the start unless you have a deal blocked on a 30-day timeline (in which case Type I buys you time to start the Type II observation period).
How long does the first SOC 2 Type II actually take?
Realistic timeline from start to signed report: 9–14 months. That breaks down as 8 weeks readiness and remediation, 6 months observation period (the AICPA minimum), and 4–8 weeks CPA firm fieldwork and report drafting. The fastest path is to run remediation in parallel with the first 8 weeks of observation if your readiness assessment shows minor gaps — but most teams underestimate the policy library and end up extending the observation period to 9 months.
Which Trust Services Criteria do we include?
Security (Common Criteria CC1–CC9) is required. The other four — Availability, Processing Integrity, Confidentiality, Privacy — are optional and bundled in based on what you process. Most SaaS platforms include Security + Availability + Confidentiality. SaaS platforms that handle personal data add Privacy. Payment processors add Processing Integrity. Including more criteria lengthens the audit and increases CPA firm fees, so do not over-scope.
How much does the SOC 2 Type II cost on AWS?
All figures current as of May 2026. Four cost components. (1) AWS-side: $800–$3,500/month for Security Hub Essentials, Config, GuardDuty, Amazon Inspector, and CloudTrail Lake at mid-market scale. (2) GRC tool: Vanta/Drata/Secureframe typically $20K–$60K/year. (3) CPA firm: $25K–$80K for first Type II, $20K–$60K for renewals — varies by firm tier and TSC scope. (4) Engagement: our SOC 2 readiness + remediation typically lands $40K–$120K depending on your starting posture. Total first-year SOC 2 Type II investment: $90K–$260K.
Can we use Vanta/Drata/Secureframe instead of a consultant?
They serve different roles. GRC tools collect and organize evidence — they do not write policies, fix IAM misconfigurations, or design your network segmentation. The pattern that works: GRC tool for evidence collection and auditor-facing dashboard, consultant (us or another) for AWS-native control implementation and policy library, CPA firm for the audit. Companies that try to skip the consultant phase usually have first audits with 15+ deficiencies — passing, but expensive in remediation cycles.
Does AWS SOC 2 mean we are SOC 2-compliant?
No — AWS SOC 2 covers AWS controls (the infrastructure your workload runs on). You still need your own SOC 2 report covering your application controls, your access management, your change management, your incident response, and your vendor management. The AWS SOC 2 report is evidence your CPA firm uses to validate inherited controls under the Carve-Out Method. It accelerates your audit; it does not replace it.

Book a Free SOC 2 Readiness Assessment

2-week read-only assessment mapped to the AICPA Trust Services Criteria. We tell you the realistic Type II timeline, scope decision, and CPA-firm options for your stage.