Back to Blog
How-To 10 min read

How to Set Up AWS for SOC 2: IAM, CloudTrail, GuardDuty

Configure your AWS environment for SOC 2 compliance: IAM best practices, CloudTrail logging, GuardDuty threat detection, and Security Hub setup.

Key Takeaways
  • Enable CloudTrail in all regions with log file validation and S3 access logging — this covers CC7.2 monitoring.
  • Enable GuardDuty in all regions; route findings to Security Hub for centralised review.
  • IAM: no root access keys, MFA on root, MFA on all console users, least-privilege policies.
  • Enable AWS Config to record configuration changes — evidence for CC6.1 configuration management.
  • CIS AWS Foundations Benchmark v2.0 via Security Hub gives you automated compliance scoring.

Overview

AWS provides powerful native security services that, when properly configured, generate most of the automated evidence you need for SOC 2 Type II. This guide covers the core configuration required for the SOC 2 Security Trust Services Criteria — the mandatory baseline every SOC 2 audit includes.

The services covered: IAM (identity and access), CloudTrail (API logging), GuardDuty (threat detection), Security Hub (security posture management), and Config (configuration change tracking). All are in the free tier or low-cost for typical SaaS workloads.

IAM Best Practices

Root account: delete or secure all root access keys immediately. Enable MFA on the root account. Do not use root for day-to-day operations. Set a CloudWatch alarm for any root account sign-in activity.

IAM users: require MFA for all users with console access. Set a password policy: minimum length 14 characters, require uppercase, lowercase, numbers, and symbols. Enable password expiry (90 days is common for SOC 2). Deny console access for service accounts that only need API access.

Least privilege: use IAM roles for EC2 instances and Lambda functions — never embed access keys in application code. Audit IAM policies quarterly: use IAM Access Analyzer to identify unused permissions. Use AWS Organizations Service Control Policies to prevent privilege escalation in production accounts.

CloudTrail Configuration

Enable CloudTrail as a multi-region trail — this ensures all API calls across all regions are logged, not just your primary region. Create a dedicated S3 bucket for CloudTrail logs. Enable S3 server access logging on that bucket and enable S3 Object Lock for log tamper protection.

Enable log file validation — this creates a SHA-256 hash digest of each log file, allowing auditors to verify logs have not been modified. Enable CloudTrail log file encryption with a KMS customer-managed key.

Set CloudTrail log retention to at least 12 months. Use CloudWatch Logs integration to stream CloudTrail events and create metric filters and alarms for: root account usage, IAM policy changes, MFA console sign-in failures, and S3 bucket policy changes.

GuardDuty Setup

Enable GuardDuty in every AWS region where you have workloads. GuardDuty analyzes VPC Flow Logs, DNS logs, and CloudTrail events to detect threats: compromised EC2 instances, credential exfiltration, suspicious API calls from unusual locations, and cryptomining activity.

Configure GuardDuty findings to flow into Security Hub using the native integration. Create an EventBridge rule to route HIGH severity findings to your incident response channel (Slack, PagerDuty, or email). Document the alert response workflow in your Incident Response Runbook.

Review GuardDuty findings regularly — weekly minimum for SOC 2. Suppress known false positives with suppression rules. Monthly GuardDuty review records serve as evidence for CC7.3 (evaluation of security events).

Security Hub and CIS Benchmarks

Enable AWS Security Hub and activate the CIS AWS Foundations Benchmark v2.0 security standard. Security Hub runs automated checks against your AWS configuration and provides a compliance score. A score above 85% is typically sufficient for SOC 2 — target 90%+ before your audit.

Export Security Hub findings weekly using EventBridge to S3 or via the Security Hub API. These exports serve as automated SOC 2 evidence for CC7.1 (vulnerability and configuration management) throughout your observation period.

Also enable the AWS Foundational Security Best Practices standard in Security Hub — it covers additional controls beyond the CIS Benchmark.

AWS Config

Enable AWS Config in all regions. Config records configuration changes to AWS resources and provides a timeline of who changed what and when. This is essential for SOC 2 CC6.1 (logical and physical access) and CC8.1 (change management).

Enable Config Rules for key controls: restricted-ssh (no security groups with SSH open to 0.0.0.0/0), s3-bucket-public-read-prohibited, rds-storage-encrypted, cloud-trail-enabled, root-account-mfa-enabled. Failed rules generate findings that should appear in your vulnerability management process.

Set Config log retention to at least 12 months. Configure a Config delivery channel to an S3 bucket with versioning and access logging enabled.

SOC 2 AWS Checklist

IAM checklist: root MFA enabled, no root access keys, all console users have MFA, password policy configured, IAM Access Analyzer enabled, no unused IAM users with console access older than 90 days.

Logging checklist: CloudTrail enabled in all regions, log file validation on, logs encrypted with KMS, S3 access logging on CloudTrail bucket, CloudWatch Logs integration configured, retention set to 12+ months.

Detection checklist: GuardDuty enabled in all regions, Security Hub enabled with CIS Benchmark standard, AWS Config enabled in all regions with key Config Rules, alerts configured for HIGH severity findings.

Frequently Asked Questions

How much does AWS SOC 2 configuration cost?
GuardDuty costs approximately $1–$4 per million CloudTrail events analyzed, plus VPC flow log and DNS analysis costs. For a typical SaaS startup, total GuardDuty cost is $10–$50/month. Security Hub is $0.0010 per compliance check. CloudTrail is free for one trail (additional trails cost $2 per 100,000 events).
Do we need AWS CloudTrail for SOC 2 if we use a compliance tool?
Yes. CloudTrail is not optional for SOC 2. Compliance automation tools like AuditPath read CloudTrail logs and configuration data, but they do not replace CloudTrail — they depend on it. CloudTrail is the source of audit trail evidence that satisfies CC7.2 monitoring requirements.
How do we handle multi-account AWS environments for SOC 2?
Use AWS Organizations and AWS Security Hub's delegated admin feature to aggregate findings across all accounts into a central security account. Enable CloudTrail as an organisation trail to capture events from all member accounts. Configure GuardDuty with the organisation-level delegated admin to cover all accounts centrally.
Is Prowler better than AWS Security Hub for SOC 2?
They are complementary. AWS Security Hub is deeply integrated with native AWS services and runs continuously. Prowler is an open-source tool with broader benchmark coverage and can be run on-demand. Using both provides stronger evidence — Security Hub for continuous monitoring, Prowler for periodic deep-scan evidence.
What AWS regions should we enable GuardDuty and CloudTrail in?
All regions where you have active workloads, plus any regions where you have ever had workloads. The safest approach is to enable both in all AWS regions using organisation-level configuration. This prevents an attacker from using a quiet region as a staging ground.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free