AWS IAM Controls for SOC 2: The Complete Checklist

Root Account Lockdown

The AWS root account has unrestricted access to all AWS services and cannot be restricted by IAM policies. Securing it is a critical CC6.1 and CC6.2 requirement. The controls for root: (1) Enable MFA — use a hardware security key (YubiKey) rather than a virtual MFA device for the root account. (2) Delete root access keys if any exist. (3) Do not use the root account for routine operations. (4) Store the root account credentials in a physical safe or encrypted vault accessible only to named executives.

AWS Config managed rule "iam-root-access-key-check" will alert if root access keys exist. Run this rule and evidence a clean result for your auditors.

Under AWS Organizations, the management account root is especially sensitive — a compromise could affect all member accounts. Enable an SCP that prevents members from operating without the organization context, and restrict root usage at the organization level.

IAM Users vs IAM Identity Center

Traditional IAM users (with username/password and access keys) are being replaced by AWS IAM Identity Center (formerly AWS SSO) for human access. Identity Center integrates with your corporate IdP (Okta, Azure AD, Google Workspace), enforces MFA at the IdP level, and issues short-lived credentials for AWS access.

For SOC 2 compliance, the goal is: no IAM users for human access — all human access via Identity Center with MFA at the IdP. IAM users only for service accounts where a role cannot be used. If you currently have IAM users for humans, create a migration plan and execute it before the audit.

Service accounts should use IAM roles with instance profiles or ECS task roles — not IAM users with access keys. IAM roles issue temporary credentials that auto-rotate, eliminating the access key rotation burden.

Least Privilege Policy Design

Least privilege means each IAM identity (user, role, group) has only the permissions needed to perform its function. Start with the principle: deny by default, allow only what is explicitly needed.

For engineering roles: use AWS managed job function policies as a starting point (ReadOnlyAccess, PowerUserAccess) and restrict further. Add specific allow statements for the services the role needs to write to. Avoid "Action: *" wildcards. Use resource ARNs to scope permissions to specific S3 buckets, DynamoDB tables, or RDS instances rather than all resources.

Use IAM Access Analyzer to identify policies that grant public access or cross-account access that wasn't intended. Run an access advisor report (IAM console > role > Access Advisor tab) to identify service permissions that have never been used — remove them.

Access Key Management

Long-lived IAM access keys are a high-risk control gap. Keys that are exposed in code repositories, compromised via phishing, or simply old represent a significant breach risk. SOC 2 auditors will check the IAM credential report for access keys older than 90 days and flag them as a finding.

Best practices for access key hygiene: (1) Prefer IAM roles over access keys wherever possible. (2) Set a key rotation policy — rotate access keys every 90 days maximum. (3) Configure AWS Config rule "access-keys-rotated" with maxAccessKeyAge of 90 to alert on stale keys. (4) Enable AWS Secrets Manager or Parameter Store for storing keys that must be long-lived. (5) Audit all GitHub repositories for accidentally committed keys using AWS Partner tools or GitHub's secret scanning feature.

MFA Enforcement for IAM

For remaining IAM users (those not yet migrated to Identity Center), enforce MFA with a deny policy. Attach the following policy to all IAM users or groups: deny all AWS actions unless the request is authenticated with MFA (aws:MultiFactorAuthPresent: true), with exceptions for the MFA enrollment actions so users can set up their MFA device before the policy takes effect.

The AWS documentation provides a ready-made policy for this — search "IAM enable MFA for users" in the AWS docs. Attach it to a group containing all IAM users.

AWS Config managed rule "iam-user-mfa-enabled" checks all IAM users have MFA devices attached. "mfa-enabled-for-iam-console-access" checks console access specifically. Evidence both rules in a compliant state.

IAM Access Analyzer

AWS IAM Access Analyzer identifies resource policies that grant access to external principals — S3 buckets accessible from outside your account, IAM roles that can be assumed by other AWS accounts, and more. Enabling it and resolving all findings demonstrates proactive CC6.1 compliance.

Enable Access Analyzer in all regions and accounts from IAM > Access Analyzer > Create Analyzer. Review active findings monthly. For each finding, either confirm that the external access is intended (archive with justification) or remediate by removing the external access.

Access Analyzer also validates IAM policies against the principle of least privilege — use the policy validation feature when writing new policies to catch overly permissive patterns before deployment.

IAM Evidence for SOC 2 Auditors

(1) IAM credential report (aws iam get-credential-report) — shows all IAM users, password age, MFA enrollment, access key ages, and last used dates. (2) IAM Security Status dashboard screenshot — shows green checkmarks for root MFA, no root access keys, MFA on users. (3) AWS Config findings for iam-root-access-key-check, iam-user-mfa-enabled, access-keys-rotated. (4) IAM Access Analyzer findings list showing no active unresolved public/cross-account access findings. (5) Identity Center configuration screenshot showing external IdP integration. (6) Sample IAM role policies for key engineering roles demonstrating least privilege.