For companies that use Amazon Web Services, it is important that they understand that the AWS framework is a shared responsibility model. AWS provides top-notch security for your system and data and ensures that the cloud platform is consistently in compliance with SOC 2® requirements.
However, as AWS protects the cloud environment, you and your company are still responsible for your security when operating within the cloud. Companies must remain diligent about protecting their content, data, programs, networks, and digital infrastructure in the same way that they have always before.
How Are Security Responsibilities Shared on AWS Cloud
When it comes to SOC2 compliance, this is how the responsibilities are split between your company and AWS.
Your Company’s Responsibility
- Customer data.
- Platform, application, identity, and access management.
- Operating system, network, and firewall configurations.
- Client-side data encryption and data integrity authentication.
- Server-side encryption.
- Networking traffic protection.
AWS Responsibility
- Software security for computing, storage, database, and networking.
- Hardware security for the entire AWS global infrastructure including regions, availability zones, and edge locations.
Looking at this, you can see that the security that AWS provides is only to secure the cloud environment by using layered controls, continuous validation, and testing for vulnerabilities. There are also many automated security processes that AWS uses to continuously monitor and protect your systems and data operating within the cloud.
Aside from understanding how security is a shared responsibility model and what you and your company are responsible for versus what AWS is responsible for, you should also know how you can use AWS tools to help with your SOC 2 compliance audit.
For example, all of the AWS compliance reports related to SOC 2 can be located on the AWS Artifact tool. AWS Artifact is a resource where compliance-related information and AWS SOC 2 reports are stored and where you can access those reports to demonstrate compliance with the physical and environmental infrastructure security controls criteria of any SOC 2 audit.
The primary responsibility of your company when it comes to the physical and environmental security controls criteria of SOC 2 compliance is that you are verifying that AWS is maintaining SOC 2 compliance in these areas by consistently reviewing the AWS SOC 2 reports found in the AWS Artifact tool.
What You Should Know about Maintaining SOC 2 Compliance for AWS Cloud Infrastructure
There are several important practices that need to be followed when maintaining SOC 2 compliance for AWS cloud infrastructure. Here is a breakdown of some of the most common practices that you and your team are going to want to implement to ensure you are SOC 2 compliant while operating within the AWS cloud infrastructure.
- Muti-factor authentication: Whenever accessing the AWS Management Console, MFA must be used. The first step is for users to enter their usernames and password. The second step can be an authentication code sent to their device or a biometrics authentication.
- Restricting access: Companies must restrict traffic to and from AWS and any assets hosted on the cloud. Companies must close unnecessarily open ports and require access to FTP, SMB, and other services.
- Implement boundary protection systems: Companies must use firewalls, DMZs, IDS, IPS, and other security systems to secure cloud infrastructure and limit traffic, and control access to specific resources to authorized users when needed.
- Create and maintain records of system storage activities: All user activities must be logged to observe any misconfigurations, identify suspicious activity, and detect potentially malicious attacks.
- Protect encryption keys: AWS Key System Management System can help companies properly manage all of the processes in an encryption key’s lifecycle. All encryption keys must be created, stored, used, and destroyed properly to secure data.
These are just a few of the major SOC 2 compliance criteria that relate to AWS. It is you and your team’s responsibility to not only understand all of the SOC 2 compliance that is required of you regarding AWS, but also you must keep track of what you have implemented and easily access the activity logs that record those implementations to provide them during a SOC 2 audit.
Related article: What You Need to Know about SOC 2 and Cloud Security.
What Are the Best AWS Tools for Preparing for a SOC 2 Audit?
AWS has an entire arsenal of tools to help users maintain regulatory compliance and prepare for SOC 2 audits. Here are some of the most effective AWS tools for preparing for a SOC 2 audit.
- AWS Cloud Trail, Amazon CloudWatch, and Amazon GuardDuty: This suite of AWS tools can help monitor your system and data while providing the insights needed to catch potential threats or issues before they negatively impact your business. Businesses must maintain relevant logs that can be accessed and analyzed for signs of compromise and events that are outside the scope of normal tech operations.
2. AWS Trusted Advisor: The AWS Trusted Advisor tool can help you optimize your AWS infrastructure to increase performance and security. When it comes to a SOC 2 audit, the AWS Trusted Advisor tool addresses all the basic information security controls a company should have in place when creating a new environment within AWS. Information security controls beyond what the AWS Trusted Advisor tool provides are strongly recommended.
3. Amazon Inspector: The Amazon Inspector tool is an automated security assessment tool that can be used to assess security and compliance for AWS-deployed applications. You can use this tool to look for common vulnerabilities and exposures, CIS benchmarks, network reachability, and more. Amazon Inspector can be integrated into the AWS Security Hub and build upon many of the basic security controls that the AWS Trusted Advisor provides.
4. AWS Security Hub: The AWS Security Hub can give you a comprehensive overview of all of your security posture across all of your AWS accounts. The AWS Security HUB is a powerful tool that can be used to monitor security and compliance. It can also be integrated with many of the other AWS tools needed for preparing for a SOC 2 audit.
5. AWS Audit Manager: The AWS Audit Manager is a powerful tool that can help you audit and manage all of your AWS usages to detect and assess potential threats while helping to ensure regulatory compliance. The AWS Audit Manager can also help businesses demonstrate compliance with auditors.
Which Are the Best AWS Tools for Optimizing SOC 2 Audit Processes?
The best AWS tools for optimizing your SOC 2 audit processes include the AWS Trusted Advisor, AWS Security Hub, and AWS Audit Manager. The AWS Trusted Advisor is used to optimize your AWS infrastructure to increase performance and security while putting in place the most basic security controls a new environment should have in place with AWS to be SOC 2 compliant. The AWS Security Hub is used to monitor all security and compliance across all AWS accounts. The AWS Audit Manager is used to detect and assess potential threats and ensure and demonstrate regulatory compliance.
Which Are the Best AWS Tools for Maintaining SOC 2 Compliance?
Part of maintaining SOC 2 compliance is keeping detailed and accurate activity logs and records. These records need to be accessible by organizations so they can be analyzed for signs of compromise and events that are outside the scope of normal tech operations. The best tools for monitoring systems and creating these needed records are AWS Cloud Trail, Amazon CloudWatch, and Amazon GuardDuty.
Aside from creating and maintaining accurate records and activity logs, The Amazon Inspector tool can be used to assess security and compliance for AWS-deployed applications and look for common vulnerabilities and exposures. The Amazon Inspector tool integrated into the AWS Security Hub is a good way to monitor security and compliance within the scope of SOC 2 requirements.
Related article: 8 Steps to SOC 2 Audit Preparation.
Get Ready for Your SOC 2 Audit in the Cloud
I.S. Partners is specialized in SOC 2 audit preparation, helping companies reach compliance no matter what type of cloud infrastructure upon which they rely. Contact our team to get started.
SOC 1®, SOC 2® and SOC 3® are registered trademarks of the AICPA (American Institute of Certified Public Accountants). The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.
