How to Set Up AWS for SOC 2: IAM, CloudTrail, GuardDuty
Configure your AWS environment for SOC 2 compliance: IAM best practices, CloudTrail logging, GuardDuty threat detection, and Security Hub setup.
- Enable CloudTrail in all regions with log file validation and S3 access logging — this covers CC7.2 monitoring.
- Enable GuardDuty in all regions; route findings to Security Hub for centralised review.
- IAM: no root access keys, MFA on root, MFA on all console users, least-privilege policies.
- Enable AWS Config to record configuration changes — evidence for CC6.1 configuration management.
- CIS AWS Foundations Benchmark v2.0 via Security Hub gives you automated compliance scoring.
In this guide
Overview
AWS provides powerful native security services that, when properly configured, generate most of the automated evidence you need for SOC 2 Type II. This guide covers the core configuration required for the SOC 2 Security Trust Services Criteria — the mandatory baseline every SOC 2 audit includes.
The services covered: IAM (identity and access), CloudTrail (API logging), GuardDuty (threat detection), Security Hub (security posture management), and Config (configuration change tracking). All are in the free tier or low-cost for typical SaaS workloads.
IAM Best Practices
Root account: delete or secure all root access keys immediately. Enable MFA on the root account. Do not use root for day-to-day operations. Set a CloudWatch alarm for any root account sign-in activity.
IAM users: require MFA for all users with console access. Set a password policy: minimum length 14 characters, require uppercase, lowercase, numbers, and symbols. Enable password expiry (90 days is common for SOC 2). Deny console access for service accounts that only need API access.
Least privilege: use IAM roles for EC2 instances and Lambda functions — never embed access keys in application code. Audit IAM policies quarterly: use IAM Access Analyzer to identify unused permissions. Use AWS Organizations Service Control Policies to prevent privilege escalation in production accounts.
CloudTrail Configuration
Enable CloudTrail as a multi-region trail — this ensures all API calls across all regions are logged, not just your primary region. Create a dedicated S3 bucket for CloudTrail logs. Enable S3 server access logging on that bucket and enable S3 Object Lock for log tamper protection.
Enable log file validation — this creates a SHA-256 hash digest of each log file, allowing auditors to verify logs have not been modified. Enable CloudTrail log file encryption with a KMS customer-managed key.
Set CloudTrail log retention to at least 12 months. Use CloudWatch Logs integration to stream CloudTrail events and create metric filters and alarms for: root account usage, IAM policy changes, MFA console sign-in failures, and S3 bucket policy changes.
GuardDuty Setup
Enable GuardDuty in every AWS region where you have workloads. GuardDuty analyzes VPC Flow Logs, DNS logs, and CloudTrail events to detect threats: compromised EC2 instances, credential exfiltration, suspicious API calls from unusual locations, and cryptomining activity.
Configure GuardDuty findings to flow into Security Hub using the native integration. Create an EventBridge rule to route HIGH severity findings to your incident response channel (Slack, PagerDuty, or email). Document the alert response workflow in your Incident Response Runbook.
Review GuardDuty findings regularly — weekly minimum for SOC 2. Suppress known false positives with suppression rules. Monthly GuardDuty review records serve as evidence for CC7.3 (evaluation of security events).
Security Hub and CIS Benchmarks
Enable AWS Security Hub and activate the CIS AWS Foundations Benchmark v2.0 security standard. Security Hub runs automated checks against your AWS configuration and provides a compliance score. A score above 85% is typically sufficient for SOC 2 — target 90%+ before your audit.
Export Security Hub findings weekly using EventBridge to S3 or via the Security Hub API. These exports serve as automated SOC 2 evidence for CC7.1 (vulnerability and configuration management) throughout your observation period.
Also enable the AWS Foundational Security Best Practices standard in Security Hub — it covers additional controls beyond the CIS Benchmark.
AWS Config
Enable AWS Config in all regions. Config records configuration changes to AWS resources and provides a timeline of who changed what and when. This is essential for SOC 2 CC6.1 (logical and physical access) and CC8.1 (change management).
Enable Config Rules for key controls: restricted-ssh (no security groups with SSH open to 0.0.0.0/0), s3-bucket-public-read-prohibited, rds-storage-encrypted, cloud-trail-enabled, root-account-mfa-enabled. Failed rules generate findings that should appear in your vulnerability management process.
Set Config log retention to at least 12 months. Configure a Config delivery channel to an S3 bucket with versioning and access logging enabled.
SOC 2 AWS Checklist
IAM checklist: root MFA enabled, no root access keys, all console users have MFA, password policy configured, IAM Access Analyzer enabled, no unused IAM users with console access older than 90 days.
Logging checklist: CloudTrail enabled in all regions, log file validation on, logs encrypted with KMS, S3 access logging on CloudTrail bucket, CloudWatch Logs integration configured, retention set to 12+ months.
Detection checklist: GuardDuty enabled in all regions, Security Hub enabled with CIS Benchmark standard, AWS Config enabled in all regions with key Config Rules, alerts configured for HIGH severity findings.
Frequently Asked Questions
How much does AWS SOC 2 configuration cost?
Do we need AWS CloudTrail for SOC 2 if we use a compliance tool?
How do we handle multi-account AWS environments for SOC 2?
Is Prowler better than AWS Security Hub for SOC 2?
What AWS regions should we enable GuardDuty and CloudTrail in?
Automate your compliance today
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
Start for free