SOC 2 compliance for AWS — see exactly where you stand
Map your AWS security posture to SOC 2 Trust Services Criteria. See which controls pass, which fail, and what to fix — before the auditor arrives.
Run Free SOC 2 Gap Analysis
Free tier includes the full Security Pillar assessment. No credit card required.
SOC 2 audits shouldn't start with a scramble
Most teams don't know their SOC 2 readiness until the auditor asks for evidence. Then it's weeks of pulling screenshots, reviewing access logs, and hoping nothing critical was missed. Secure Compass shows you the gaps before the audit starts.
Typical time to gather SOC 2 evidence manually from AWS console
Manual checks miss controls, so auditors find gaps you didn't know about.
Screenshots and exports go stale. A SOC 2 Type II report covers a review period, so the evidence has to show controls operating throughout that period, not just on the day you took the screenshot.
SOC 2 Trust Services Criteria mapped to AWS
Secure Compass maps your AWS Security Pillar assessment findings to the SOC 2 Trust Services Criteria. Each criterion shows its compliance rate and the specific controls that are failing.
Control Environment
IAM policies, MFA enforcement, account governance, and organisational controls mapped to your AWS security configuration.
Communication & Information
CloudTrail logging, Config recording, and audit trail completeness across your AWS accounts.
Risk Assessment
Security assessment coverage, vulnerability detection, and risk prioritisation from your Well-Architected Review.
Control Activities
Encryption enforcement, access controls, network segmentation, and security group configurations.
Logical & Physical Access
IAM role boundaries, key rotation, security group rules, and VPC configuration controlling who can access what.
System Operations
Monitoring configuration, alerting setup, incident response readiness, and operational security controls.
Change Management
CloudTrail change tracking, Config rule compliance, and infrastructure-as-code governance signals.
Risk Mitigation
Public exposure findings, unresolved security issues, and remediation tracking across assessment periods.
How the SOC 2 gap analysis works
Automated security scan
228 controls run against your AWS account. Every finding is mapped to the relevant SOC 2 criteria automatically.
See your compliance rate
Each Trust Services Criterion shows a compliance percentage together with the specific controls that pass and fail under it. No interpretation needed.
Export for your auditor
Executive PDF with compliance scores, failing controls, and remediation guidance. Evidence your auditor can actually use.
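The three steps above (scan, map findings to criteria, report a rate per criterion) are simple enough to show end to end. The following is an added illustration written for this page, not Secure Compass code and not the product's control catalogue: the six control ids, the snapshot layout and the sample findings are constructed for the example, and the mapping of each control to criteria is an assumption. The CC1 to CC9 identifiers are the standard AICPA numbering of the common criteria series whose names this page uses. The example also shows the one caveat a practitioner should insist on: a criterion with no mapped control is reported as "not assessed", never as 0% or 100%.

```python
"""Toy SOC 2 gap analysis over a constructed AWS snapshot (added example)."""
from dataclasses import dataclass

# SOC 2 common criteria series (AICPA TSC numbering), named as this page names them.
# CC3 is deliberately left without any mapped control below to show the
# "not assessed" case. (CC4, Monitoring Activities, is omitted as on the page.)
CRITERIA = {
    "CC1": "Control Environment",
    "CC2": "Communication & Information",
    "CC3": "Risk Assessment",
    "CC5": "Control Activities",
    "CC6": "Logical & Physical Access",
    "CC7": "System Operations",
    "CC8": "Change Management",
    "CC9": "Risk Mitigation",
}

# Hypothetical control catalogue: control id -> (description, criteria it evidences).
# One technical control usually evidences several criteria; that is why every
# per-criterion rate is derived from the same single scan.
CONTROLS = {
    "iam.root-mfa": ("Root account has MFA enabled", ["CC1", "CC6"]),
    "iam.key-rotation": ("Access keys rotated within 90 days", ["CC6"]),
    "cloudtrail.multi-region": ("A multi-region CloudTrail trail exists", ["CC2", "CC7", "CC8"]),
    "cloudtrail.log-validation": ("Multi-region trails have log file validation", ["CC2", "CC8"]),
    "s3.public-access-block": ("Account-level S3 public access block is on", ["CC5", "CC9"]),
    "ec2.sg-ssh-open": ("No security group allows 0.0.0.0/0 on TCP/22", ["CC5", "CC6"]),
}


@dataclass
class AwsSnapshot:
    """Constructed stand-in for what a scanner would pull via the AWS APIs."""
    root_mfa: bool
    oldest_key_age_days: int
    trails: list          # dicts with IsMultiRegionTrail / LogFileValidationEnabled
    s3_block_all_public: bool
    sg_rules: list        # (port, cidr) pairs from ingress rules


def run_checks(snap: AwsSnapshot) -> dict:
    """Step 1: evaluate every catalogue control. Returns control id -> passed."""
    multi_region = [t for t in snap.trails if t.get("IsMultiRegionTrail")]
    return {
        "iam.root-mfa": snap.root_mfa,
        "iam.key-rotation": snap.oldest_key_age_days <= 90,
        "cloudtrail.multi-region": bool(multi_region),
        "cloudtrail.log-validation": bool(multi_region)
        and all(t.get("LogFileValidationEnabled") for t in multi_region),
        "s3.public-access-block": snap.s3_block_all_public,
        "ec2.sg-ssh-open": not any(p == 22 and c == "0.0.0.0/0" for p, c in snap.sg_rules),
    }


def gap_analysis(results: dict) -> dict:
    """Step 2: project pass/fail results onto criteria.

    Returns criterion -> {"passed", "total", "failing", "rate"}; rate is an
    integer percentage, or None when no control evidences that criterion.
    """
    report = {cc: {"passed": 0, "total": 0, "failing": []} for cc in CRITERIA}
    for control_id, passed in results.items():
        _, criteria = CONTROLS[control_id]
        for cc in criteria:
            report[cc]["total"] += 1
            if passed:
                report[cc]["passed"] += 1
            else:
                report[cc]["failing"].append(control_id)
    for entry in report.values():
        entry["rate"] = round(100 * entry["passed"] / entry["total"]) if entry["total"] else None
    return report


def sample_snapshot() -> AwsSnapshot:
    """Constructed findings: MFA on root, a stale key, a trail without validation,
    public access block on, and an SSH rule open to the world."""
    return AwsSnapshot(
        root_mfa=True,
        oldest_key_age_days=120,
        trails=[{"IsMultiRegionTrail": True, "LogFileValidationEnabled": False}],
        s3_block_all_public=True,
        sg_rules=[(443, "0.0.0.0/0"), (22, "0.0.0.0/0")],
    )


def render(report: dict) -> list:
    """Step 3: the lines an evidence export would carry, one per criterion."""
    lines = []
    for cc, entry in report.items():
        rate = "not assessed" if entry["rate"] is None else f"{entry['rate']}%"
        failing = ", ".join(entry["failing"]) or "-"
        lines.append(f"{cc} {CRITERIA[cc]}: {rate} (failing: {failing})")
    return lines


if __name__ == "__main__":
    print("\n".join(render(gap_analysis(run_checks(sample_snapshot())))))
```

Note that the same failing control (the open SSH rule) drags down both CC5 and CC6, which is the behaviour you want: fixing it closes two gaps at once, and that double counting is also what makes the framework overlap figures further down possible.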
SOC 2 is just the start
Many of the controls that satisfy SOC 2 also map to other frameworks. Secure Compass shows you the overlap — so you can tackle multiple certifications from a single assessment.
ISO 27001
~80% overlap. International information security standard. Most SOC 2 controls map directly.
PCI-DSS
~50% overlap. Payment card data protection. Significant overlap in access control and encryption requirements.
HIPAA
~45% overlap. Healthcare data protection. Shared controls around encryption, access, and audit logging.
Frequently asked questions
Does Secure Compass replace a SOC 2 audit?
No. SOC 2 audits are performed by licensed CPA firms. Secure Compass provides the gap analysis and evidence collection that prepares you for the audit — so you know what will fail before the auditor does.
Which SOC 2 type does this help with?
Both. Type I assesses the design of controls at a point in time. Type II assesses their operating effectiveness over a review period (typically 6-12 months). Secure Compass provides continuous monitoring with historical trends, which is useful for both and essential for Type II.
Do I need a paid plan for SOC 2 mapping?
The free tier includes the full Security Pillar assessment. Compliance mapping to SOC 2 and other frameworks, plus PDF export, is available on paid plans.
How accurate is the mapping?
The mapping connects specific AWS security controls to SOC 2 Trust Services Criteria based on the AWS Well-Architected Framework. It shows you which technical controls satisfy which criteria — but your auditor determines final compliance.
Can I share the report with my auditor?
Yes. The executive report is designed for this — compliance scores per framework, specific failing controls, remediation status, and historical trends in an exportable PDF.
What if I need SOC 2 and ISO 27001?
Secure Compass maps your assessment to both frameworks simultaneously. Approximately 80% of SOC 2 controls overlap with ISO 27001, so most of the work carries over.