
SOC 2 Type II on AWS — From Procurement Block to Signed Audit

Enterprise procurement asks for SOC 2 Type II in two minutes and waits six months for it. We build the AWS-native control set, evidence pipeline, and CPA-firm-ready package so the audit window is the only thing on the critical path.

Framework
Service Organization Control 2 — Type II
Version
2017 Trust Services Criteria (latest revision: 2022) — CC1.x through CC9.x; optional Availability, Processing Integrity, Confidentiality, Privacy categories
Regulator
American Institute of Certified Public Accountants (AICPA)
Assessor type
Licensed CPA firm — must be AICPA-member; SOC 2 Type II requires a 3–12 month observation window

Scope: Any service organization that processes customer data — typical for B2B SaaS, fintech, healthtech, and enterprise platforms.

Part of the AWS Security & Compliance hub.

Who needs this

Teams that typically engage on SOC 2 Type II on AWS

B2B SaaS founders blocked by enterprise procurement gates that require SOC 2 Type II

Series B+ startups expanding into Fortune 500 deals

Platform companies that have a SOC 2 Type I and now need Type II for renewal

Multi-product companies adding new SaaS lines under an existing SOC 2 report

Shared Responsibility

AWS Shared Responsibility for SOC 2 Type II on AWS

What AWS does, what you do, and where the line moves under this specific framework.

AWS owns

  • AWS publishes its own SOC 1, SOC 2, and SOC 3 reports through AWS Artifact — covering AWS infrastructure controls
  • AWS-side controls (physical security, hypervisor, host OS, managed-service operations) inherit into your SOC 2 via the Carve-Out Method (most common) or Inclusive Method
  • AWS attests annually under AICPA Trust Services Criteria — your auditor accepts the AWS SOC 2 report as evidence for inherited controls

Joint

  • Change management — AWS provides CloudFormation/CodePipeline; you define the SDLC
  • Vendor management — AWS provides Artifact; you maintain the third-party register
  • Backup and recovery — AWS provides Backup; you define RPO/RTO and test

You own

  • CC1 Control environment — board oversight, code of conduct, organizational structure
  • CC2 Communication and information — internal communication, customer notifications
  • CC3 Risk assessment — annual risk register, threat modelling, fraud risk
  • CC4 Monitoring activities — Security Hub findings review, internal audit, deficiency tracking
  • CC5 Control activities — IAM policies, code review, segregation of duties
  • CC6 Logical and physical access controls — IAM Identity Center, MFA, least privilege
  • CC7 System operations — vulnerability management (Inspector v2), incident response, change management
  • CC8 Change management — CodePipeline approval gates, IaC peer review, deployment audit trail
  • CC9 Risk mitigation — vendor risk, business continuity, insurance

Control-by-control AWS implementation

Each control mapped to the AWS service that satisfies it

Excerpts from the full control matrix we deliver in the engagement. Not exhaustive — your audit scope drives the final mapping.

CC6 — Logical and Physical Access Controls

CC6 is the largest single category in SOC 2 audits and where most SaaS companies fail their first attempt. AWS-native services map cleanly when configured.

CC6.1

Logical access security software, infrastructure, and architectures

AWS services: IAM Identity Center, AWS IAM, IAM Access Analyzer, Service Control Policies

Federated workforce SSO via Okta/Entra ID; SCPs as preventive guardrails; Access Analyzer findings auto-remediated.

CC6.2

Authorize, modify, or remove access

AWS services: IAM Identity Center, SCIM, AWS Organizations, CloudTrail

SCIM provisioning from IdP — leavers removed within 24 hours of HR offboarding event; CloudTrail proves the timeline.
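One way to turn the "leavers removed within 24 hours; CloudTrail proves the timeline" claim into checkable evidence, as an added example that is not part of the page or of any GRC vendor's tooling: it joins an HR offboarding export against CloudTrail records and reports, per leaver, whether the IAM Identity Center user was disabled or deleted inside the window, and, more importantly, whether any leaver has no removal event at all. The event source `sso-directory.amazonaws.com`, the event names `DisableUser`/`DeleteUser`, the `requestParameters.userName` field and every sample record are assumptions; confirm the shapes against your own trail before relying on the output.

```python
"""CC6.2 evidence check: HR offboarding to AWS access removal, proven from CloudTrail.

Added example, not code from the page or from any GRC vendor. It joins an HR
offboarding export against CloudTrail records and flags every leaver whose IAM
Identity Center user was not disabled or deleted within the 24-hour window.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Assumptions: SCIM deprovisioning from the IdP shows up in CloudTrail as one of
# these IAM Identity Center directory events, and the affected user is named in
# requestParameters.userName. Verify both against your own trail before use.
DEPROVISION_SOURCE = "sso-directory.amazonaws.com"
DEPROVISION_EVENTS = {"DisableUser", "DeleteUser"}
SLA = timedelta(hours=24)


@dataclass
class LeaverFinding:
    user: str
    offboarded_at: datetime
    removed_at: Optional[datetime]
    status: str  # "PASS", "SLA_BREACH" or "MISSING"

    @property
    def latency(self) -> Optional[timedelta]:
        """Offboarding-to-removal delay; zero if access was cut before HR filed the event."""
        if self.removed_at is None:
            return None
        return max(self.removed_at - self.offboarded_at, timedelta(0))


def parse_ts(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 with a trailing Z; normalise to aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def first_removal_per_user(events: Iterable[dict]) -> dict:
    """Earliest deprovisioning event per user; every other CloudTrail record is ignored."""
    removed: dict = {}
    for ev in events:
        if ev.get("eventSource") != DEPROVISION_SOURCE:
            continue
        if ev.get("eventName") not in DEPROVISION_EVENTS:
            continue
        user = (ev.get("requestParameters") or {}).get("userName")
        if not user:
            continue
        when = parse_ts(ev["eventTime"])
        if user not in removed or when < removed[user]:
            removed[user] = when
    return removed


def check_leavers(hr_offboardings, cloudtrail_events, sla: timedelta = SLA):
    """One finding per leaver. MISSING matters more than a late removal: with no
    removal event at all, the control did not operate for that leaver."""
    removals = first_removal_per_user(cloudtrail_events)
    findings = []
    for user, offboarded in hr_offboardings:
        offboarded_at = parse_ts(offboarded)
        removed_at = removals.get(user)
        if removed_at is None:
            status = "MISSING"
        elif removed_at - offboarded_at <= sla:
            status = "PASS"
        else:
            status = "SLA_BREACH"
        findings.append(LeaverFinding(user, offboarded_at, removed_at, status))
    return findings


def summarize(findings) -> dict:
    """Counts per status: the headline number that goes into the evidence package."""
    return {s: sum(1 for f in findings if f.status == s)
            for s in ("PASS", "SLA_BREACH", "MISSING")}


# Constructed sample data: an HR export with three leavers and a handful of
# CloudTrail records. None of it comes from a real environment.
HR_OFFBOARDINGS = [
    ("alice@example.com", "2025-03-03T09:00:00Z"),
    ("bob@example.com", "2025-03-03T09:00:00Z"),
    ("carol@example.com", "2025-03-05T17:30:00Z"),
]
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2025-03-03T11:42:10Z", "eventSource": DEPROVISION_SOURCE,
     "eventName": "DisableUser", "requestParameters": {"userName": "alice@example.com"}},
    {"eventTime": "2025-03-03T12:00:00Z", "eventSource": DEPROVISION_SOURCE,
     "eventName": "DeleteUser", "requestParameters": {"userName": "alice@example.com"}},
    {"eventTime": "2025-03-06T15:05:00Z", "eventSource": DEPROVISION_SOURCE,
     "eventName": "DeleteUser", "requestParameters": {"userName": "bob@example.com"}},
    # A joiner event: same source, not a deprovisioning action, so it must not count.
    {"eventTime": "2025-03-05T18:00:00Z", "eventSource": DEPROVISION_SOURCE,
     "eventName": "CreateUser", "requestParameters": {"userName": "dave@example.com"}},
]

if __name__ == "__main__":
    results = check_leavers(HR_OFFBOARDINGS, CLOUDTRAIL_EVENTS)
    for f in results:
        print(f"{f.user:<20} {f.status:<11} latency={f.latency}")
    print(summarize(results))
```

With the sample data, alice passes (removed 2h42m after offboarding), bob breaches the window (removed three days later) and carol is reported as MISSING because no deprovisioning event exists for her at all. In practice the HR export comes from the HRIS and the events from a CloudTrail Lake query or the trail's S3 objects; the join logic is the same.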

CC6.6

Logical access security measures

AWS services: MFA (hardware + virtual), Cognito MFA, IAM Identity Center MFA enforcement

MFA required on every console session; phishing-resistant FIDO2 keys recommended for break-glass accounts.

CC6.7

Restrict the transmission of information

AWS services: VPC Endpoints, PrivateLink, TLS 1.2+ enforcement, AWS Network Firewall

No regulated data over public internet between AWS services; egress filtering via Network Firewall.

CC6.8

Prevention of unauthorized or malicious software

AWS services: GuardDuty Malware Protection, Inspector v2, AWS Signer

Agentless malware scanning on EBS; container image and Lambda code scanning; signed deployments.

CC7 — System Operations

CC7 covers detection, monitoring, and incident response — AWS-native is strong here.

CC7.1

Detect and monitor system components

AWS services: Security Hub Essentials, GuardDuty, Config, CloudWatch

Security Hub aggregates findings; Config conformance pack tracks SOC 2-relevant rules; alerting via EventBridge.

CC7.2

Monitor for and detect anomalies

AWS services: GuardDuty (CloudTrail, VPC, EKS, S3, RDS, Lambda, EC2 Runtime), CloudWatch Anomaly Detection

Behavioral threat detection across the AWS estate; anomalies fed into incident response runbook.

CC7.3

Evaluate security events and respond

AWS services: Security Hub automation rules, EventBridge, Step Functions, Systems Manager Incident Manager

Pre-built runbooks for credential exfiltration, S3 public exposure, IAM privilege escalation; documented in evidence package.

CC7.4

Respond to identified security incidents

AWS services: Detective, CloudTrail Lake, Security Lake (OCSF)

Detective for forensic graph; CloudTrail Lake for SQL queries over historical events; Security Lake for OCSF normalization.

CC7.5

Recover from identified security incidents

AWS services: AWS Backup, AWS Elastic Disaster Recovery, Pilot Light / Warm Standby patterns

Quarterly DR testing documented; backup vault locks prevent ransomware encryption of backups.

Evidence pipeline

How SOC 2 Type II on AWS evidence flows continuously

Audit Manager closed to new customers on 30 April 2026. Our pipeline is what we now ship.

AWS Config conformance pack — SOC 2

The AWS-published Operational Best Practices for AICPA SOC 2 conformance pack, deployed organization-wide via CloudFormation StackSets.

Security Hub Essentials

AWS Foundational Security Best Practices standard — most SOC 2 CC controls have a 1:1 finding mapping.

CloudTrail Lake

Auditable event store with SQL queries — observation-period evidence for the Type II audit window.

GRC tool integration

Vanta, Drata, or Secureframe wired to AWS read-only — control evidence dashboard your CPA firm logs into directly.
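A Type II auditor asks whether a control operated over the whole observation window, not whether it was compliant on the day the report was pulled. The following added example (not the page's pipeline and not an AWS-published artefact) shows the roll-up logic the evidence pipeline above needs: daily AWS Config rule results, in the record shape returned by `describe_compliance_by_config_rule`, are mapped to Common Criteria and aggregated across sampled days, so that a single exception day or a day with no evidence for a control is surfaced with its date. The rule-to-CC mapping, the rule selection and the three-day sample window are assumptions to be replaced by your own control matrix.

```python
"""Type II evidence roll-up: AWS Config rule results across the observation window,
mapped to SOC 2 Common Criteria.

Added example, not the page's pipeline and not an AWS-published artefact. Record
shape follows Config's describe_compliance_by_config_rule response; the rule-to-CC
mapping is an assumption to be replaced by the mapping in your own control matrix.
"""
from __future__ import annotations

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Assumed mapping from Config managed-rule names to the criterion they evidence.
RULE_TO_CC = {
    "root-account-mfa-enabled": "CC6.6",
    "mfa-enabled-for-iam-console-access": "CC6.6",
    "s3-bucket-public-read-prohibited": "CC6.1",
    "guardduty-enabled-centralized": "CC7.1",
    "cloudtrail-enabled": "CC7.2",
    "cloud-trail-log-file-validation-enabled": "CC7.2",
    "backup-plan-min-frequency-and-min-retention-check": "CC7.5",
}
CONTROLS = sorted(set(RULE_TO_CC.values()))


def rollup_snapshot(results):
    """Collapse one day's rule results into a status per control.

    EXCEPTION if any mapped rule is NON_COMPLIANT; OPERATING only if every rule
    mapped to the control returned COMPLIANT; otherwise NO_EVIDENCE (a rule that is
    missing or INSUFFICIENT_DATA is an evidence gap, not a pass). Rules the matrix
    does not know about are returned separately so the mapping can be kept current.
    """
    verdicts = {r["ConfigRuleName"]: r["Compliance"]["ComplianceType"] for r in results}
    unmapped = sorted(name for name in verdicts if name not in RULE_TO_CC)
    status = {}
    for cc in CONTROLS:
        rule_verdicts = [verdicts.get(rule) for rule, c in RULE_TO_CC.items() if c == cc]
        if NON_COMPLIANT in rule_verdicts:
            status[cc] = "EXCEPTION"
        elif all(v == COMPLIANT for v in rule_verdicts):
            status[cc] = "OPERATING"
        else:
            status[cc] = "NO_EVIDENCE"
    return status, unmapped


def rollup_period(snapshots):
    """Aggregate daily snapshots [(date, results), ...] over the Type II window.

    A control OPERATED_EFFECTIVELY only if every sampled day is OPERATING; any
    exception or evidence-gap day is reported with its date so management can
    write the response the auditor will ask for.
    """
    summary = {cc: {"days": 0, "operating": 0, "exception_days": [], "no_evidence_days": []}
               for cc in CONTROLS}
    for day, results in snapshots:
        status, _ = rollup_snapshot(results)
        for cc, s in status.items():
            row = summary[cc]
            row["days"] += 1
            if s == "OPERATING":
                row["operating"] += 1
            elif s == "EXCEPTION":
                row["exception_days"].append(day)
            else:
                row["no_evidence_days"].append(day)
    for row in summary.values():
        effective = row["days"] > 0 and row["operating"] == row["days"]
        row["verdict"] = "OPERATED_EFFECTIVELY" if effective else "DEFICIENCY"
    return summary


def _result(rule, verdict):
    return {"ConfigRuleName": rule, "Compliance": {"ComplianceType": verdict}}


def make_snapshot(overrides=None, drop=()):
    """Constructed daily snapshot: every mapped rule COMPLIANT unless overridden or dropped."""
    verdicts = {rule: COMPLIANT for rule in RULE_TO_CC}
    verdicts.update(overrides or {})
    return [_result(r, v) for r, v in verdicts.items() if r not in drop]


# Constructed three-day window: a clean day, a public-bucket exception plus a rule the
# matrix does not map, then a day where the backup rule produced no result at all.
SAMPLE_SNAPSHOTS = [
    ("2025-04-01", make_snapshot()),
    ("2025-04-02", make_snapshot({"s3-bucket-public-read-prohibited": NON_COMPLIANT,
                                  "restricted-ssh": COMPLIANT})),
    ("2025-04-03", make_snapshot(drop=("backup-plan-min-frequency-and-min-retention-check",))),
]

if __name__ == "__main__":
    for cc, row in rollup_period(SAMPLE_SNAPSHOTS).items():
        print(cc, row["verdict"], f"{row['operating']}/{row['days']} days",
              row["exception_days"], row["no_evidence_days"])
```

On the sample window CC6.6, CC7.1 and CC7.2 operate on all three days, CC6.1 carries a dated exception and CC7.5 a dated evidence gap, which is exactly the distinction a CPA firm draws between a control deficiency and a failure to retain evidence. Feeding the function real snapshots means persisting one `describe_compliance_by_config_rule` pull per day (or per sampling interval) for the full observation period; a GRC tool does this for you, but the roll-up rules above are what decide whether the dashboard's green tick is defensible.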

Engagement timeline

What you get, week by week

Date-bound engagement, not an open-ended retainer. Deliverables are itemised in the SOW.

1. Weeks 1–2 — Readiness Assessment
  • TSC scope decision — Security only, or Security + Availability + Confidentiality (most common SaaS scope)
  • Control gap matrix mapped to CC1–CC9
  • Inherited-control mapping to AWS SOC 2 (Carve-Out Method)
2. Weeks 3–8 — Control Implementation
  • AWS-native control deployment (Security Hub, Config, GuardDuty, IAM Identity Center)
  • Policy library — Information Security, Access Control, Change Management, Incident Response, Business Continuity, Vendor Management
  • GRC tool wired to AWS — Vanta/Drata/Secureframe collecting evidence
3. Months 3–12 — Type II Observation Window
  • Continuous control operation — typically 6 months for first Type II, 12 months for renewals
  • Quarterly internal audit and findings register
  • Evidence sampling for the CPA firm — pulled directly from GRC tool
4. Audit + Report — 4–8 weeks
  • CPA firm fieldwork — typically 4–6 weeks
  • Management response to any deficiencies
  • Final SOC 2 Type II report — distributable under NDA to your enterprise prospects

FAQ

Frequently asked questions about SOC 2 Type II on AWS

The questions buyers ask before signing — assessor type, timeline, cost, and AWS-specific scope.

Type I vs Type II — which do we need?
Type I attests that controls are designed correctly at a point in time. Type II attests that controls operated effectively over a period — typically 6 months minimum for the first audit, 12 months for renewals. Enterprise procurement almost universally requires Type II; Type I is a useful intermediate signal during the first observation window. Plan to run Type II from the start unless you have a deal blocked on a 30-day timeline (in which case Type I buys you time to start the Type II observation period).
How long does the first SOC 2 Type II actually take?
Realistic timeline from start to signed report: 9–14 months. That breaks down as 8 weeks readiness and remediation, 6 months observation period (the AICPA minimum), and 4–8 weeks CPA firm fieldwork and report drafting. The fastest path is to run remediation in parallel with the first 8 weeks of observation if your readiness assessment shows minor gaps — but most teams underestimate the policy library and end up extending the observation period to 9 months.
Which Trust Services Criteria do we include?
Security (Common Criteria CC1–CC9) is required. The other four — Availability, Processing Integrity, Confidentiality, Privacy — are optional and bundled in based on what you process. Most SaaS platforms include Security + Availability + Confidentiality. SaaS that handles personal data add Privacy. Payment processors add Processing Integrity. Including more criteria lengthens the audit and increases CPA firm fees, so do not over-scope.
How much does the SOC 2 Type II cost on AWS?
Four cost components. (1) AWS-side: $800–$3,500/month for Security Hub Essentials, Config, GuardDuty, Inspector v2, and CloudTrail Lake at mid-market scale. (2) GRC tool: Vanta/Drata/Secureframe typically $20K–$60K/year. (3) CPA firm: $25K–$80K for first Type II, $20K–$60K for renewals — varies by firm tier and TSC scope. (4) Engagement: our SOC 2 readiness + remediation typically lands $40K–$120K depending on your starting posture. Total first-year SOC 2 Type II investment: $90K–$260K.
Can we use Vanta/Drata/Secureframe instead of a consultant?
They serve different roles. GRC tools collect and organize evidence — they do not write policies, fix IAM misconfigurations, or design your network segmentation. The pattern that works: GRC tool for evidence collection and auditor-facing dashboard, consultant (us or another) for AWS-native control implementation and policy library, CPA firm for the audit. Companies that try to skip the consultant phase usually have first audits with 15+ deficiencies — passing, but expensive in remediation cycles.
Does AWS SOC 2 mean we are SOC 2-compliant?
No — AWS SOC 2 covers AWS controls (the infrastructure your workload runs on). You still need your own SOC 2 report covering your application controls, your access management, your change management, your incident response, and your vendor management. The AWS SOC 2 report is evidence your CPA firm uses to validate inherited controls under the Carve-Out Method. It accelerates your audit; it does not replace it.

Book a Free SOC 2 Readiness Assessment

2-week read-only assessment mapped to the AICPA Trust Services Criteria. We tell you the realistic Type II timeline, scope decision, and CPA-firm options for your stage.