In this webinar, Andrew Stansfield, Senior Security Consultant at LBMC Information Security, explains how to navigate AWS-related risks during a SOC 2 audit. Learn about AWS’s shared responsibility model, key AWS services like EC2, S3, Lambda, CloudWatch, and CloudTrail, and how they impact security, availability, and compliance controls. Andrew walks through how to manage access, logging, networking, backups, and data privacy within AWS to meet SOC 2 requirements.
Key topics covered:
- AWS shared responsibility model
- Access management and IAM controls
- Logging, monitoring, and resource management
- Backup, replication, and availability configurations
- Confidentiality, privacy, and automated data retention
- Best practices for preparing your AWS environment for a SOC 2 audit
On-Demand Webinar Duration: 12:07
Speaker: Andrew Stansfield, CISA, CCSFP, Senior Security Consultant, LBMC
Preparing Your AWS Environment for a SOC 2 Audit
As more organizations move to the cloud, understanding how to align AWS infrastructure with SOC 2 requirements has become essential. In this on-demand webinar, Andrew Stansfield, Senior Security Consultant at LBMC Information Security, explains how AWS usage affects your SOC 2 compliance and what you can do to prepare effectively.
Here’s a breakdown of the critical insights from the session.
The Shared Responsibility Model: Know Your Role
AWS operates under a shared responsibility model: AWS secures the underlying infrastructure (security of the cloud), while your organization is responsible for configuring and maintaining the security of everything you deploy on it (security in the cloud), including identities, network settings, and data.
Andrew emphasizes that misunderstanding this model is one of the most common issues clients face during a SOC 2 audit. The key takeaway: you must actively manage access, configurations, and data security within your environment.
Key AWS Services and Their Compliance Implications
Several core AWS services are essential to SOC 2 evaluations:
- EC2 (Elastic Compute Cloud) and S3 (Simple Storage Service): Often used to host applications and store sensitive data.
- Lambda: Requires control over what triggers each function and what its execution role is permitted to do.
- CloudWatch and CloudTrail: Integral to logging and monitoring, both critical components in proving control effectiveness.
Each of these services needs to be implemented with compliance in mind, including ensuring logs are retained and reviewed, access is tightly managed, and systems are backed up properly.
Security and Availability Controls
SOC 2 requires evidence of strong security and availability practices. In AWS, this translates into:
- IAM (Identity and Access Management) policies that enforce least-privilege access.
- VPC (Virtual Private Cloud) configurations that isolate sensitive workloads.
- Backup and replication policies that ensure business continuity.
Andrew walks through common configurations and where auditors often find gaps.
Privacy and Confidentiality: More Than Just Encryption
SOC 2’s confidentiality and privacy principles go beyond encrypting data at rest and in transit. AWS users must also ensure that:
- Automated data retention policies are in place.
- Access to personally identifiable information (PII) is tracked and limited.
- Data deletion processes meet client and regulatory expectations.
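The two lists above (least-privilege IAM policies under Security and Availability Controls, and automated retention for PII under Privacy and Confidentiality) are the kind of thing an auditor asks to see evidence for. The following is an added example, not code from the webinar or from LBMC: an offline readiness check that reads IAM policy documents and S3 bucket lifecycle configurations in the JSON shapes the AWS APIs return and flags the common gaps. All policy and bucket data below is constructed for illustration; the policy names, bucket names, the `DataClass` tag and the 365-day limit are assumptions. In a real review the same documents would come from `aws iam get-policy-version` and `aws s3api get-bucket-lifecycle-configuration`.

```python
# Added example (not the webinar's or LBMC's code): static SOC 2 readiness
# checks over constructed AWS configuration documents. Nothing here calls AWS.

# Constructed sample inputs: two customer-managed IAM policies and an S3
# bucket inventory with tags and lifecycle configurations (assumed names).
SAMPLE_POLICIES = {
    "app-deploy-role-policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DeployArtifacts", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::example-artifacts/*"},
            {"Sid": "TooBroad", "Effect": "Allow",
             "Action": "s3:*", "Resource": "*"},
        ],
    },
    "break-glass-admin": {
        "Version": "2012-10-17",
        # AWS allows a single statement object instead of a list
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
    },
}

SAMPLE_BUCKETS = [
    {"Name": "example-customer-exports",
     "Tags": {"DataClass": "PII"},
     "Lifecycle": {"Rules": [
         {"ID": "expire-exports", "Status": "Enabled",
          "Filter": {"Prefix": ""},          # empty prefix = whole bucket
          "Expiration": {"Days": 90}}]}},
    {"Name": "example-raw-uploads",
     "Tags": {"DataClass": "PII"},
     "Lifecycle": None},                     # no lifecycle configuration at all
    {"Name": "example-public-assets",
     "Tags": {"DataClass": "Public"},
     "Lifecycle": None},
]

READ_ONLY_PREFIXES = ("Get", "List", "Describe")
MAX_PII_RETENTION_DAYS = 365   # assumed organizational limit


def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """'s3:GetObject' -> verb 'GetObject'; a bare '*' is never read-only."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_PREFIXES)


def check_iam_policy(name, policy):
    """Return findings for Allow statements that violate least privilege."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"{name}/{sid}: Action '*' grants every API call")
        else:
            for action in actions:
                if action.endswith(":*"):
                    findings.append(f"{name}/{sid}: service-wide wildcard {action}")
        # Write-capable actions on every resource, with no Condition to scope them
        if "*" in resources and "Condition" not in stmt \
                and not all(_is_read_only(a) for a in actions):
            findings.append(f"{name}/{sid}: write-capable actions on Resource '*'")
    return findings


def check_bucket_retention(bucket, max_days=MAX_PII_RETENTION_DAYS):
    """Return findings for PII buckets lacking a bucket-wide, enabled expiration."""
    if bucket.get("Tags", {}).get("DataClass") != "PII":
        return []                        # limit applies only to PII buckets
    lifecycle = bucket.get("Lifecycle") or {}
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        if rule.get("Filter", {}).get("Prefix", ""):
            continue                     # prefix-scoped rule covers only some keys
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and days <= max_days:
            return []
    return [f"{bucket['Name']}: PII bucket has no enabled bucket-wide "
            f"expiration rule within {max_days} days"]


def run_readiness_check(policies=SAMPLE_POLICIES, buckets=SAMPLE_BUCKETS):
    """Aggregate IAM and retention findings into one list of strings."""
    findings = []
    for name, policy in policies.items():
        findings.extend(check_iam_policy(name, policy))
    for bucket in buckets:
        findings.extend(check_bucket_retention(bucket))
    return findings


if __name__ == "__main__":
    for finding in run_readiness_check():
        print("FINDING:", finding)
```

Against the constructed inputs the check reports five findings: the `break-glass-admin` policy twice (wildcard action and wildcard resource), the `TooBroad` statement twice (`s3:*` and write access on `Resource: "*"`), and the `example-raw-uploads` bucket once for having no expiration rule. A prefix-scoped or disabled rule is deliberately not counted as satisfying the retention requirement, since it leaves part of the bucket uncovered, which is the sort of gap an auditor will ask about.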
Preparing for a SOC 2 Audit with AWS
Andrew outlines best practices for getting your AWS environment audit-ready:
- Conduct regular risk assessments to identify misconfigured resources.
- Maintain documentation that explains your security and availability controls.
- Enable and review AWS monitoring tools like GuardDuty and Security Hub.
- Work with your internal or external auditor early to map AWS services to the relevant SOC 2 trust services criteria.
Conclusion
Moving to AWS doesn’t eliminate your SOC 2 obligations—it reshapes them. With the right planning and oversight, your organization can leverage the cloud’s flexibility while meeting compliance requirements with confidence.
Need help navigating SOC 2 requirements in AWS? Contact LBMC’s Information Security team to assess your cloud environment and prepare for a successful audit.