
SOC 2 Playbook: Audit Logging in AWS

To meet SOC 2 requirements in a cloud-native environment, you need centralized, tamper-resistant logging across critical AWS services. This playbook outlines the configurations required to align AWS logging and alerting with the SOC 2 common criteria, notably CC6.6 (logical access protections against threats from outside the system boundary) and CC7.2 (monitoring system components for anomalies and security events).


✅ SOC 2 Logging Objectives

  • Capture access, change, and system events across infrastructure
  • Store logs centrally with restricted access and protection against deletion or modification
  • Retain logs for a defined period (SOC 2 sets no fixed number; 90 days is a common minimum, and keeping logs for the whole Type II observation period lets the auditor sample any date in the window)
  • Enable alerts on suspicious or unauthorized activity

🛠 Key AWS Services to Configure

  • AWS CloudTrail: Enable a multi-region trail that includes global service events and send it to a dedicated, private S3 bucket. Turn on log file validation so delivered files can be verified against CloudTrail's signed digest chain.
  • CloudWatch Logs: Stream the trail to a log group and use metric filters to trigger alarms on high-risk events (e.g., root login, policy changes)
  • S3 object-level logging: For sensitive data buckets enable CloudTrail data events; management events alone never record GetObject, PutObject, or DeleteObject. S3 server access logs are a cheaper complement, but they are delivered best-effort and are not a substitute for audit evidence
  • AWS Config: Enable the configuration recorder to track resource drift and configuration changes over time
  • IAM Access Analyzer: Monitor external access to IAM roles, policies, and resources

🔒 Minimum CloudTrail Settings


- Enable CloudTrail in all regions (a multi-region trail with global service events included)
- Log file validation: ON
- Send logs to S3 (private bucket, public access block on, versioning enabled)
- Enable encryption (SSE-S3 is the default for CloudTrail deliveries; SSE-KMS adds a key policy as a second gate on who can read the logs)

Stream CloudTrail to CloudWatch Logs for real-time analysis; the metric-filter alarms in the next section depend on it. The S3 copy remains the system of record.


🚨 SOC 2 Alerts You Should Configure

Use CloudWatch Logs metric filters with alarms for:

  • Root account activity (userIdentity.type = Root with no invokedBy field, excluding AwsServiceEvent records, so service-initiated actions do not page you)
  • Unauthorized API calls (errorCode matching AccessDenied* or *UnauthorizedOperation)
  • Changes to security groups, IAM policies, or roles
  • CloudTrail being stopped or modified (StopLogging, UpdateTrail, DeleteTrail)
  • Console logins outside normal business hours: metric filters cannot test time of day, so implement this with a scheduled CloudWatch Logs Insights query, or an EventBridge rule on ConsoleLogin events whose Lambda target checks the timestamp
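The rules above, as an added example that is not part of the original playbook: the `FILTER_PATTERNS` strings are the CloudWatch Logs metric-filter syntax (following the CIS AWS Foundations Benchmark wording) you would attach to the trail's log group, and the Python predicates implement the same logic so the rules can be exercised offline. The `IAM_EVENTS` set extends the CIS list with role lifecycle events because the playbook asks for role changes too, and the off-hours check uses an assumed 08:00 to 18:00 UTC window. The records in `SAMPLE_RECORDS` are constructed, not real CloudTrail output.

```python
"""Evaluate the playbook's SOC 2 alert rules against CloudTrail records.

Added example, not from the original article. FILTER_PATTERNS hold the
CloudWatch metric-filter syntax (CIS benchmark wording); the predicates are
their offline equivalents. SAMPLE_RECORDS are constructed, not real data.
"""
from datetime import datetime, timezone

IAM_EVENTS = {  # CIS policy-change list plus role lifecycle events (playbook asks for roles too)
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "PutGroupPolicy",
    "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "DeletePolicy",
    "CreatePolicyVersion", "DeletePolicyVersion", "AttachRolePolicy", "DetachRolePolicy",
    "AttachUserPolicy", "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
    "CreateRole", "DeleteRole", "UpdateRole", "UpdateAssumeRolePolicy",
}
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
TRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def _any_of(events):  # render a set of event names as a metric-filter OR pattern
    return "{ " + " || ".join(f"($.eventName = {e})" for e in sorted(events)) + " }"


FILTER_PATTERNS = {  # what you pass to put-metric-filter; none can test time of day
    "RootAccountUsage": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS'
                        ' && $.eventType != "AwsServiceEvent" }',
    "UnauthorizedAPICalls": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    "IAMChanges": _any_of(IAM_EVENTS),
    "SecurityGroupChanges": _any_of(SG_EVENTS),
    "CloudTrailChanges": _any_of(TRAIL_EVENTS),
}


def is_root_activity(ev):
    ui = ev.get("userIdentity", {})
    return ui.get("type") == "Root" and "invokedBy" not in ui and ev.get("eventType") != "AwsServiceEvent"


def is_unauthorized_call(ev):
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_off_hours_console_login(ev, start_hour=8, end_hour=18):
    """Successful ConsoleLogin outside start_hour..end_hour UTC or on a weekend.
    Assumed window; run this from a scheduled Logs Insights query or a Lambda
    behind an EventBridge rule, since a metric filter cannot express it."""
    if ev.get("eventName") != "ConsoleLogin":
        return False
    if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


RULES = {
    "RootAccountUsage": is_root_activity,
    "UnauthorizedAPICalls": is_unauthorized_call,
    "IAMChanges": lambda ev: ev.get("eventName") in IAM_EVENTS,
    "SecurityGroupChanges": lambda ev: ev.get("eventName") in SG_EVENTS,
    "CloudTrailChanges": lambda ev: ev.get("eventName") in TRAIL_EVENTS,
    "OffHoursConsoleLogin": is_off_hours_console_login,
}


def evaluate(records):
    """Map each rule name to the eventIDs of the records that trigger it."""
    hits = {name: [] for name in RULES}
    for ev in records:
        for name, matches in RULES.items():
            if matches(ev):
                hits[name].append(ev["eventID"])
    return hits


def rec(eid, name, source, time, ident="IAMUser", **extra):
    """Minimal constructed CloudTrail record; extra keys override the defaults."""
    ev = {"eventID": eid, "eventName": name, "eventSource": source, "eventTime": time,
          "eventType": "AwsApiCall",
          "userIdentity": {"type": ident, "arn": "arn:aws:iam::111122223333:user/alice"}}
    ev.update(extra)
    return ev


SAMPLE_RECORDS = [  # constructed: 2025-05-08 is a Thursday, 2025-05-10 a Saturday
    rec("e1", "StopLogging", "cloudtrail.amazonaws.com", "2025-05-08T03:12:44Z", ident="Root"),
    rec("e2", "ConsoleLogin", "signin.amazonaws.com", "2025-05-08T14:05:10Z",
        responseElements={"ConsoleLogin": "Success"}),
    rec("e3", "ListBuckets", "s3.amazonaws.com", "2025-05-08T14:06:00Z",
        ident="AssumedRole", errorCode="AccessDenied"),
    rec("e4", "AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "2025-05-08T15:00:00Z"),
    rec("e5", "ConsoleLogin", "signin.amazonaws.com", "2025-05-10T02:30:00Z",
        responseElements={"ConsoleLogin": "Success"}),
    rec("e6", "AttachUserPolicy", "iam.amazonaws.com", "2025-05-08T16:20:00Z"),
    # Service-initiated root action: invokedBy present and eventType AwsServiceEvent,
    # so RootAccountUsage must stay quiet (this is what the NOT EXISTS clause is for).
    rec("e7", "CreateServiceLinkedRole", "iam.amazonaws.com", "2025-05-08T16:30:00Z",
        eventType="AwsServiceEvent", userIdentity={"type": "Root", "invokedBy": "AWS Internal"}),
]

if __name__ == "__main__":
    for rule, ids in evaluate(SAMPLE_RECORDS).items():
        print(f"{rule:22s} {ids}")
```

Running it shows e1 firing both RootAccountUsage and CloudTrailChanges, e5 flagged as an off-hours login, and e7 correctly ignored; the same records, replayed through the real metric filters, should produce the same alarms, which is a useful pre-deployment check of your filter patterns.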

📁 Retention & Integrity

  • Set S3 retention with a lifecycle rule that expires log objects no earlier than your policy requires (typically 90+ days)
  • Enable versioning plus deletion protection: MFA Delete (requires versioning and can only be switched on by the account root user with its MFA device, via the API or CLI) or, for write-once storage that even root cannot shorten, S3 Object Lock in compliance mode
  • Restrict log access to a dedicated security role in the bucket policy, not only in IAM; the CloudTrail service principal still needs s3:GetBucketAcl and s3:PutObject (with bucket-owner-full-control) to deliver files
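An added example (not code from the original playbook) that turns the Minimum CloudTrail Settings section and the retention and integrity controls above into an offline checker. The input dictionaries follow the response shapes of boto3's `cloudtrail` `describe_trails` / `get_trail_status` and `s3` `get_bucket_versioning` / `get_bucket_lifecycle_configuration` / `get_public_access_block` / `get_object_lock_configuration`; passing live responses in is left to the caller, and the `GOOD_*` / `BAD_*` sample dictionaries are constructed for illustration.

```python
"""Offline check of a CloudTrail trail and its S3 log bucket against the playbook.

Added example, not from the original article. Inputs mirror boto3 response
shapes (describe_trails, get_trail_status, get_bucket_versioning,
get_bucket_lifecycle_configuration, get_public_access_block,
get_object_lock_configuration). Sample data below is constructed.
"""
MIN_RETENTION_DAYS = 90  # the playbook's baseline; raise it to match your policy
_PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def check_trail(trail, status):
    """Return (level, message) findings for one trail; [] means compliant."""
    f = []
    if not trail.get("IsMultiRegionTrail"):
        f.append(("FAIL", "trail is not multi-region"))
    if not trail.get("IncludeGlobalServiceEvents"):
        f.append(("FAIL", "global service events (IAM, STS, CloudFront) not recorded"))
    if not trail.get("LogFileValidationEnabled"):
        f.append(("FAIL", "log file validation is off"))
    if not trail.get("S3BucketName"):
        f.append(("FAIL", "no S3 delivery bucket configured"))
    if not status.get("IsLogging"):
        f.append(("FAIL", "trail exists but IsLogging is false"))
    if not trail.get("KmsKeyId"):  # SSE-S3 is acceptable per the playbook, so only a warning
        f.append(("WARN", "log files use SSE-S3; SSE-KMS adds a key policy as a second gate"))
    if not trail.get("CloudWatchLogsLogGroupArn"):
        f.append(("WARN", "not streamed to CloudWatch Logs; metric-filter alarms unavailable"))
    return f


def check_log_bucket(versioning, lifecycle, public_access_block, object_lock=None,
                     min_days=MIN_RETENTION_DAYS):
    """Findings for the bucket that receives the trail's log files."""
    f = []
    if versioning.get("Status") != "Enabled":  # keys are absent if never configured
        f.append(("FAIL", "versioning not enabled"))
    lock = (object_lock or {}).get("ObjectLockConfiguration", {})
    locked = lock.get("ObjectLockEnabled") == "Enabled"
    if not (locked or versioning.get("MFADelete") == "Enabled"):
        f.append(("FAIL", "no deletion protection: enable Object Lock (preferred) or MFA Delete"))
    if locked:
        ret = lock.get("Rule", {}).get("DefaultRetention", {})
        if (ret.get("Days") or ret.get("Years", 0) * 365) < min_days:
            f.append(("WARN", "Object Lock default retention is shorter than policy"))
    rules = [r for r in lifecycle.get("Rules", []) if r.get("Status") == "Enabled" and "Expiration" in r]
    if not rules:  # no expiration rule keeps logs forever: compliant, but retention is not codified
        f.append(("WARN", "no lifecycle expiration rule; retention period not codified"))
    for r in rules:
        days = r["Expiration"].get("Days")  # an Expiration may use Date instead; skip those
        if days is not None and days < min_days:
            f.append(("FAIL", f"lifecycle rule {r.get('ID', '?')} expires logs after {days} days"))
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) for k in _PAB_KEYS):
        f.append(("FAIL", "public access block is not fully enabled"))
    return f


def failures(findings):
    """Only the blocking findings, in the order they were raised."""
    return [msg for level, msg in findings if level == "FAIL"]


# Constructed samples in the boto3 response shapes (not real account data).
GOOD_TRAIL = {"Name": "org-trail", "S3BucketName": "example-audit-logs", "IsMultiRegionTrail": True,
              "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True,
              "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id",
              "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*"}
BAD_TRAIL = {"Name": "single-region", "S3BucketName": "example-audit-logs",
             "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
             "LogFileValidationEnabled": False}
GOOD_BUCKET = {
    "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "lifecycle": {"Rules": [{"ID": "expire-400d", "Status": "Enabled", "Filter": {"Prefix": ""},
                             "Expiration": {"Days": 400}}]},
    "public_access_block": {"PublicAccessBlockConfiguration": dict.fromkeys(_PAB_KEYS, True)},
    "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 400}}}},
}
BAD_BUCKET = {
    "versioning": {},  # never configured
    "lifecycle": {"Rules": [{"ID": "expire-30d", "Status": "Enabled", "Filter": {"Prefix": ""},
                             "Expiration": {"Days": 30}}]},
    "public_access_block": {"PublicAccessBlockConfiguration": {**dict.fromkeys(_PAB_KEYS, True),
                                                               "RestrictPublicBuckets": False}},
}

if __name__ == "__main__":
    print("good trail: ", check_trail(GOOD_TRAIL, {"IsLogging": True}))
    print("bad trail:  ", check_trail(BAD_TRAIL, {"IsLogging": False}))
    print("good bucket:", check_log_bucket(**GOOD_BUCKET))
    print("bad bucket: ", check_log_bucket(**BAD_BUCKET))
```

The compliant trail and bucket produce no findings; the single-region trail raises three failures (not multi-region, validation off, not logging) plus two warnings, and the unprotected bucket raises four failures. Running this from a scheduled job and keeping the dated output is itself evidence for the audit binder.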

📋 Audit Reporting Tips

  • Tag log-producing resources for easy inventorying
  • Export configuration evidence as dated CLI output (e.g., aws cloudtrail describe-trails, aws cloudtrail get-trail-status, aws s3api get-bucket-versioning) alongside screenshots of the CloudTrail, S3, and CloudWatch consoles for your audit binder; command output is easier to reproduce at the next audit
  • Maintain a changelog of log policy updates (in Git or Confluence)

Updated on May 8, 2025