CloudWiki

SOC 2 is a compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. A SOC 2 report defines criteria for managing customer data based on five trust principles: security, availability, processing integrity, confidentiality and privacy. The report differs between organizations, because each organization can implement controls that fit its own business practices as long as the relevant trust principles are met. The report is audited by professional audit firms to provide assurance that the controls it describes are in place and operate effectively. There are two types of SOC 2 reports: Type 1 describes the organization's control frameworks and whether their design complies with the relevant trust principles. Type 2 details the operational effectiveness of these frameworks over time.

Compliance checks for Amazon Web Services

Severity   Check
Critical   IAM User with Admin access (*:*)
Critical   Ensure root user has MFA enabled
Critical   Ensure no root account access key exists
Warning    Ensure OpenSearch instances are spread across Multi-AZ in Production
Info       Ensure MSK (Kafka) cluster is not using an unsupported Kafka version (2.4.1)
Warning    Ensure RDS instances have Multi-AZ disabled in dev environments
Critical   Ensure IAM password policy expires passwords within 90 days or less
Warning    Ensure IAM password policy requires minimum length of 14 or greater
Warning    Ensure IAM password policy prevents password reuse
Critical   Ensure there is no unrestricted inbound access to all TCP ports
Warning    Ensure that S3 Buckets are configured with "Block public access"
Critical   S3 inline policy is over permissive
Warning    Ensure IAM users receive permissions only through groups
Critical   Ensure RDS database instances are not accessible via the Internet (Network and API)
Warning    Ensure VPC flow logging is enabled in all VPCs
Warning    Ensure default security groups do not allow unrestricted traffic
Warning    Ensure IAM User has no inline policy
Critical   Ensure all IAM users with console access have MFA enabled
Warning    Ensure CloudTrail logs are encrypted at rest
Warning    Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Warning    Ensure S3 buckets have server access logging enabled to track access requests
Warning    Ensure data stored in the S3 bucket is securely encrypted at rest
Warning    Ensure DynamoDB tables have point-in-time recovery enabled
Warning    Ensure RDS instances are configured with Auto Minor Version Upgrade
Warning    Ensure RDS instances have Multi-AZ enabled in Production