This blog continues content from Part 1: The Ultimate Guide to Leveraging AWS Security Hub and AWS Config to meet SOC 2 Requirements.
If you've worked in cyber security over the last five years, you probably are familiar with SOC 2 reports. In the United States, companies of all industries and sizes utilize SOC 2 reports to prove that they have implemented the basic cyber security best practices at their organization. In addition, companies hosted on Amazon Web Services (AWS), you can leverage native security services to streamline and automate testing of SOC 2 controls.
What is SOC 2?
SOC 2 is a reporting framework developed by the American Institute of Certified Professional Accountants (AICPA) intended to help service organizations prove the security of their service or system. SOC 2 reports are internal control reports, which independent CPAs provide, on a service organization's services. These reports are:
- Useful for evaluating the effectiveness of controls related to the services performed by a service organization
- Appropriate for understanding how the service organization fits into the supply chain of providing services to customers
- Help reduce the compliance burden by providing one report that addresses the shared needs of multiple users
- Enhances the ability to obtain and retain customers
Companies receive SOC 2 reports to demonstrate they have specific controls to mitigate security, availability, confidentiality, processing integrity, or privacy risks. In addition, a SOC 2 report includes a CPA firm's opinion on control design and potentially operating effectiveness over a period of time.
How are SOC 2 reports used?
Companies don't earn SOC 2 reports for fun. It is a process that is often expensive, takes a lot of time, and is operationally disruptive to organizations. Companies pursue a SOC 2 report because it helps them build trust and unlock sales. SOC 2 reports have a variety of use cases, such as:
- Vendor due diligence
- Demonstrating security as a differentiator
- Internal corporate governance and risk management processes
- Proving security to a regulatory body or governing authority
Using AWS Config and AWS Security Hub to Automate SOC 2 Control Testing
A SOC 2 report is a comprehensive audit that covers many different areas of your cybersecurity program. These areas include onboarding and offboarding procedures, risk assessment and mitigation, governance, vendor management, and of course, your technical controls such as access control, vulnerability management, change management, and a few others. When you're hosted on AWS, a significant portion of your SOC 2 audit will involve assessing the security of your AWS environment. This generally means your auditor is requesting screenshots of various configurations across your AWS account. These evidence requests can be draining and time-consuming for your team on the other end of those evidence requests.
There is a better way to prove you are meeting SOC 2 controls on AWS. There are two services on AWS that can make SOC 2 easier for you and your company. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation. These two services have built-in rules (config) and controls (security hub) that directly address SOC 2 criteria and controls.
Leveraging these services will require you and your organization to enable the services and configure them appropriately. Along with your auditor understanding how AWS services work and how these services evaluate resources in your AWS account. Your auditors can test the below 15 controls quickly and efficiently and accelerate the time it takes you to earn a SOC 2 report.
Control #1: Multi-Factor Authentication
Control Statement: Multi factor authentication is enabled for all IAM users that have a console password.
SOC 2 Criteria: CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
AWS Config Rule: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
AWS Security Hub CIS Benchmark: 1.2 – Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password.
Control #2: Unused Credentials
Control Statement: IAM credentials that are unused for 90 days or greater are disabled.
SOC 2 Criteria: CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
AWS Config Rule: IAM_USER_UNUSED_CREDENTIALS_CHECK
AWS Security Hub CIS Benchmark: 1.3 – Ensure credentials unused for 90 days or greater are disabled
Control #3: Access Key Rotation
Control Statement: The company rotates IAM access keys at least every 90 days to prevent keys from being compromised.
SOC 2 Criteria: CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
AWS Config Rule: ACCESS_KEYS_ROTATED
AWS Security Hub CIS Benchmark: 1.4 – Ensure access keys are rotated every 90 days or less
Control #4: Password Policy
Control Statement: The Company has enabled a password policy that enforces the creation of strong user passwords for users accessing AWS in-scope resources.
SOC 2 Criteria: CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
AWS Config Rule: IAM_PASSWORD_POLICY
AWS Security Hub CIS Benchmark:
1.5 – Ensure IAM password policy requires at least one uppercase letter
1.6 – Ensure IAM password policy requires at least one lowercase letter
1.7 – Ensure IAM password policy requires at least one symbol
1.8 – Ensure IAM password policy requires at least one number
1.9 – Ensure IAM password policy requires a minimum length of 14 or greater
1.10 – Ensure IAM password policy prevents password reuse
1.11 – Ensure IAM password policy expires passwords within 90 days or less
Control #5: Root Account Usage
Control Statement: The Company requires that root account access keys are removed and the root account has MFA enabled.
SOC 2 Criteria: CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
AWS Config Rule: IAM_ROOT_ACCESS_KEY_CHECK and ROOT_ACCOUNT_MFA_ENABLED
AWS Security Hub CIS Benchmark: 1.12 – Ensure no root account access key exists
1.13 – Ensure MFA is enabled for the "root" account
Control #6: IAM Policies
Control Statement: The Company requires that IAM policies are attached only to groups or roles.
SOC 2 Criteria: CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
AWS Config Rule: IAM_NO_USER_POLICIES_CHECK
AWS Security Hub CIS Benchmark: 1.16 – Ensure IAM policies are attached only to groups or roles
Control #7: IAM Admin Policies
Control Statement: The Company continually assesses whether there are IAM policies that allow full administrative privileges.
SOC 2 Criteria: CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
AWS Config Rule: IAM-POLICY-NO-STATEMENTS-WITH-ADMIN-ACCESS
Control #8: S3 Bucket Protection for CloudTrail Logs
Control Statement: The Company restricts upload and delete access to S3 buckets that store CloudTrail logs to administrators with a legitimate business need.
SOC 2 Criteria: CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
AWS Config Rule: S3_BUCKET_PUBLIC_READ_PROHIBITED and S3_BUCKET_PUBLIC_WRITE_PROHIBITED
Control #9: CloudTrail Logs Encryption
Control Statement: CloudTrail logs are encrypted at rest using AWS KMS keys.
SOC 2 Criteria: CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
AWS Config Rule: CLOUD_TRAIL_ENCRYPTION_ENABLED
Control #10: Security Groups
Control Statement: AWS security groups are used and configured to prevent unauthorized access.
SOC 2 Criteria: CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
AWS Config Rule: INCOMING_SSH_DISABLED and RESTRICTED_INCOMING_TRAFFIC
AWS Security Hub CIS Benchmark:
4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
Control #11: Default Security Group
Control Statement: The Company restricts all traffic on the default security group of every VPC in the production AWS account.
SOC 2 Criteria: CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
AWS Config Rule: VPC_DEFAULT_SECURITY_GROUP_CLOSED
Control #12: CloudTrail Enabled
Control Statement: The Company has enabled CloudTrail in all regions to record all AWS API calls in its production account.
SOC 2 Criteria: CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
AWS Config Rule: MULTI_REGION_CLOUD_TRAIL_ENABLED
AWS Security Hub CIS Benchmark: 2.1 – Ensure CloudTrail is enabled in all Regions
Control #13: CloudTrail Enabled
Control Statement: The Company implements log file validation with CloudTrail that creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3 to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log.
SOC 2 Criteria: CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
AWS Config Rule: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
AWS Security Hub CIS Benchmark: 2.2. – Ensure CloudTrail log file validation is enabled
Control #14: CloudTrail Enabled
Control Statement: The Company has enabled S3 bucket access logging for all S3 buckets housing sensitive data.
SOC 2 Criteria: CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
AWS Config Rule: S3_BUCKET_LOGGING_ENABLED
Control #15: VPC Flow Logs
Control Statement: The Company implements VPC flow logging to capture information about the IP traffic going to and from network interfaces in your VPC.
SOC 2 Criteria: CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
AWS Config Rule: VPC_FLOW_LOGS_ENABLED
AWS Security Hub CIS Benchmark: 2.9 – Ensure VPC flow logging is enabled in all VPCs
SOC 2 on AWS becomes a lot easier when you utilize native security services to prove compliance and implement continuous monitoring of your control environment. A common theme we talk about in SEC557: Continuous Automation for Enterprise and Cloud Compliance is living off the land and using the tools your administrators use to assess and prove compliance. Living off the land is exactly what we described in this article with AWS Config and AWS Security Hub to demonstrate compliance with the SOC 2 reporting framework.
About the Author
AJ Yawn is Co-Founder and CEO at ByteChek and a Founding Board Member of the National Association of Black Compliance and Risk Management Professionals (NABCRMP). AJ has earned 6 AWS certifications including the AWS Solutions Architect-Professional and AWS Security-Specialty. Prior to ByteChek, AJ spent over a decade in the cybersecurity industry both in the US Army and as a consultant. He is a regular speaker at SANS Cloud Security curriculum events such as BIPOC in Cloud Forum and CloudSecNext Summit, and can be found teaching SEC557: Continuous Automation for Enterprise and Cloud Compliance. Learn more about AJ here.
