SOC 2
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It is the de facto compliance standard for SaaS companies, cloud service providers, and any organisation that stores or processes customer data in the cloud.
Guardian Pro maps its automated checks to SOC 2 Trust Services Criteria, giving you continuous visibility into your SOC 2 readiness without waiting for annual audit cycles.
What SOC 2 Covers
SOC 2 is organised around five Trust Services Criteria (TSC). Guardian Pro focuses on the criteria that can be evaluated through automated infrastructure checks:
Security (Common Criteria)
The Security criteria -- also known as the Common Criteria -- are required for every SOC 2 report. They cover:
- Access control -- Restricting system access to authorised users (IAM policies, MFA, password requirements)
- Logical and physical access -- Ensuring appropriate network boundaries and encryption
- System operations -- Monitoring, alerting, and incident response readiness
- Change management -- Configuration drift detection and infrastructure-as-code governance
- Risk mitigation -- Identifying and addressing security vulnerabilities
Availability
Availability criteria focus on ensuring that your systems remain accessible as committed:
- Redundancy -- Multi-AZ deployments, load balancing, auto-scaling configurations
- Backup and recovery -- Automated backups, snapshot policies, disaster recovery readiness
- Monitoring -- Health checks, CloudWatch alarms, uptime tracking
Confidentiality
Confidentiality criteria address the protection of information designated as confidential:
- Encryption at rest -- EBS, S3, RDS, and other storage service encryption
- Encryption in transit -- TLS/SSL configurations, certificate management
- Data classification -- Tagging and access controls aligned to data sensitivity
Processing Integrity
Processing integrity criteria ensure that system processing is complete, valid, accurate, and timely. These are primarily evaluated through application-level controls rather than infrastructure, but Guardian Pro covers related infrastructure aspects such as:
- Logging completeness -- CloudTrail and VPC flow log coverage
- Queue and processing monitoring -- Dead letter queue configurations, processing pipeline health
Privacy
Privacy criteria relate to the collection, use, retention, and disposal of personal information. While many privacy controls are procedural, Guardian Pro covers the technical underpinnings:
- Encryption -- Ensuring personal data is encrypted at rest and in transit
- Access controls -- Restricting access to systems that process personal data
- Logging -- Audit trails for access to sensitive data stores
How Guardian Pro Maps to SOC 2
SOC 2 controls are typically broader and more principle-based than technical benchmarks like CIS. Guardian Pro bridges this gap by mapping specific, automated infrastructure checks to each applicable SOC 2 criterion.
For each SOC 2 control, Guardian Pro evaluates:
| Status | Meaning |
|---|---|
| PASS | All mapped automated checks are passing, indicating the technical requirements of this criterion are met |
| FAIL | One or more checks have detected issues that affect this criterion |
| NOT APPLICABLE | The criterion targets services or configurations not present in your environment |
SOC 2 includes both technical and procedural controls. Guardian Pro automates the evaluation of technical controls. For procedural controls (such as security awareness training or vendor management), use the evidence management feature to document your compliance.
Viewing Your SOC 2 Compliance
After subscribing to the SOC 2 framework, your SOC 2 score appears on the Compliance Dashboard:
- Open the Compliance Dashboard.
- Locate the SOC 2 score card showing your overall pass rate.
- Click through to see controls grouped by Trust Services Criteria.
- Filter by Security, Availability, Confidentiality, or other criteria to focus on specific areas.
Common SOC 2 Gaps in AWS Environments
Encryption Not Enabled Everywhere
Many SOC 2 criteria require encryption at rest and in transit. Common gaps include:
- EBS volumes without encryption
- S3 buckets without default encryption
- RDS instances without storage encryption
- Elasticsearch/OpenSearch domains without node-to-node encryption
Guardian Pro can identify all unencrypted resources across your environment and, for many services, apply encryption automatically through the Action Centre.
Insufficient Logging Coverage
SOC 2 expects comprehensive audit logging. Guardian Pro checks for:
- CloudTrail enabled across all regions
- VPC flow logs enabled for all VPCs
- S3 access logging enabled for sensitive buckets
- RDS audit logging and slow query logging
Access Control Weaknesses
The Security Common Criteria require strong access controls. Common gaps include:
- IAM users without MFA
- Overly permissive IAM policies (wildcard actions or resources)
- Security groups with unrestricted inbound access (0.0.0.0/0)
- Public S3 buckets or publicly accessible RDS instances
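The access-control checks listed above, together with the PASS / FAIL / NOT APPLICABLE roll-up described under How Guardian Pro Maps to SOC 2, as an added Python example that is not Guardian Pro's own code. It runs offline over constructed samples shaped like EC2 describe-security-groups and IAM output; the thresholds it applies (any `*` or `service:*` action, any `*` resource, zero MFA devices, any 0.0.0.0/0 or ::/0 ingress) are assumptions, not the product's rules.

```python
import ipaddress

# Constructed sample data (not from any real account): trimmed shapes of
# EC2 describe-security-groups, IAM user MFA counts and IAM policy documents.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "IpPermissions": [
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2", "IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
IAM_USERS = [{"UserName": "alice", "MFADevices": 1}, {"UserName": "svc-deploy", "MFADevices": 0}]
IAM_POLICIES = {
    "AdminAll": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReadLogs": {"Statement": [{"Effect": "Allow", "Action": ["logs:Get*"],
                                "Resource": "arn:aws:logs:*:*:*"}]},
}

def open_to_world(sg):
    """True if any inbound rule admits the whole IPv4 (0.0.0.0/0) or IPv6 (::/0) internet."""
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            return True
    return False

def wildcard_statement(policy):
    """True if an Allow statement grants '*' / 'service:*' actions or a '*' resource."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions  # IAM allows str or list
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            return True
    return False

def criterion_status(results):
    """Roll per-resource (id, failed) results up to PASS / FAIL / NOT APPLICABLE."""
    if not results:  # nothing in scope, so the criterion does not apply
        return "NOT APPLICABLE"
    return "FAIL" if any(failed for _, failed in results) else "PASS"

def evaluate_access_control(sgs, users, policies):
    """Run the three access-control checks and return (status, failing resource ids)."""
    results = [(sg["GroupId"], open_to_world(sg)) for sg in sgs]
    results += [(u["UserName"], u["MFADevices"] == 0) for u in users]
    results += [(name, wildcard_statement(p)) for name, p in policies.items()]
    return criterion_status(results), [rid for rid, failed in results if failed]
```

Passing an empty inventory to `evaluate_access_control` yields NOT APPLICABLE, which is the case the table reserves for criteria whose target services are absent from the environment.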
Missing Redundancy
Availability criteria require systems to be resilient. Common gaps include:
- Single-AZ deployments for critical databases
- No auto-scaling configured for compute resources
- Missing health checks on load balancers
- No backup or snapshot policies for data stores
Preparing for a SOC 2 Audit
Guardian Pro helps you prepare for SOC 2 audits in several ways:
- Continuous monitoring -- Rather than scrambling before an audit, maintain continuous compliance visibility. Your auditor can see that controls have been passing consistently, not just at a point in time.
- Export compliance reports -- Generate PDF, CSV, or JSON reports showing your SOC 2 compliance posture. Share these with your auditor as supporting evidence.
- Attach evidence for procedural controls -- For controls that cannot be fully automated (security policies, training records, vendor assessments), use the evidence management feature to upload and organise documentation.
- Document exceptions -- If a specific control does not apply to your environment or you have a compensating control, create an exception with a documented justification.
- Demonstrate improvement -- Use compliance trends to show your auditor a history of continuous improvement over the audit period.
Guardian Pro's SOC 2 mapping covers the technical infrastructure controls. A complete SOC 2 audit also evaluates organisational policies, procedures, and human controls. Work with your auditor to ensure all aspects are addressed.
SOC 2 Type I vs. Type II
- Type I evaluates the design of your controls at a specific point in time. Guardian Pro's compliance reports serve as strong evidence for Type I assessments.
- Type II evaluates the operating effectiveness of your controls over a period of time (typically 6-12 months). Guardian Pro's compliance trends provide the historical evidence needed for Type II, showing that controls were consistently effective throughout the audit period.