Is AWS SOC 2 Compliant? Type II Report & What It Covers
Amazon Web Services (AWS) maintains SOC 2 Type II compliance, with independent auditors issuing recurring reports covering the Trust Services Criteria. The AWS SOC 2 report covers the in-scope services that AWS operates; an application you build on AWS is not automatically SOC 2 compliant, because you must implement and evidence your own controls on top of what AWS provides.
AWS is SOC 2 Type II compliant. AWS publishes SOC 2 Type II reports audited by independent firms on a recurring schedule. The reports cover AWS security, availability, and confidentiality controls for the in-scope services. Your use of AWS does not by itself make your application SOC 2 compliant; the shared responsibility model applies.
Compliance Assessment
- AWS publishes SOC 2 Type II reports twice a year, each covering a six-month review period. Reports are available to customers through AWS Artifact after accepting the NDA terms.
- AWS infrastructure implements physical security, network security, and identity management controls that are tested in the report.
- AWS provides multi-AZ, multi-region architecture with documented SLAs for core services; the availability of your workload still depends on how you deploy across those zones and regions.
- AWS provides encryption services (KMS, CloudHSM), network isolation (VPC), and access controls (IAM) that you configure to protect data confidentiality.
- AWS IAM provides granular identity and access management with MFA and a policy language capable of expressing least privilege; writing, scoping, and reviewing those policies is your responsibility.
- AWS CloudTrail records API calls (management events) for most AWS services; data events such as S3 object access and Lambda invocations must be enabled separately. CloudWatch provides monitoring and alerting.
- AWS offers encryption at rest (KMS, S3 SSE, EBS and RDS encryption) and in transit (TLS) for its major data services. Customer-managed keys are available via KMS and CloudHSM.
- AWS has documented incident response procedures and provides GuardDuty and Security Hub for threat detection and findings aggregation.
- AWS follows formal change management processes for its infrastructure, documented in the SOC 2 report.
- The AWS SOC 2 report covers the controls AWS operates for in-scope services. You must implement your own application-level controls, access management, and monitoring.
How to Make Your AWS Environment SOC 2 Compliant
- Access the AWS SOC 2 report through AWS Artifact and review the complementary user entity controls (CUECs).
- Implement every CUEC documented in the report; these are the controls AWS assumes you operate on your side, and your auditor will ask for evidence of them.
- Enable a multi-region CloudTrail trail with log file validation turned on, deliver the logs to a restricted S3 bucket, and set retention to cover your audit period.
- Configure IAM following least-privilege principles, require MFA for all human users, and keep the root user out of day-to-day use.
- Enable encryption at rest for all data stores (S3, EBS, RDS, DynamoDB) using KMS, preferring customer-managed keys where you need key-level audit trails.
- Set up GuardDuty, Security Hub, and AWS Config for continuous monitoring and compliance checks, and route findings to someone who triages them.
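The steps above are the kind of CUECs an auditor will ask you to evidence, and the evidence is easiest to produce if the checks are scripted. The following is an added example, not code from the page or from AWS: it evaluates three of those controls (multi-region CloudTrail with log validation and KMS, MFA on console users, KMS default encryption on S3 buckets) against API responses shaped like boto3's `describe_trails`, `get_trail_status`, `list_users`/`list_mfa_devices`/`get_login_profile`, and `get_bucket_encryption`. The account, key, bucket and user names are constructed sample data so it runs offline; in a real account you would populate the same dictionaries from boto3 calls.

```python
"""Evaluate a few SOC 2 complementary user entity controls (CUECs) against
AWS API responses. Response shapes follow boto3; the sample data at the
bottom is constructed for this example, not taken from a real account."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # which CUEC failed
    resource: str  # trail name, user name, bucket name, or "account"
    detail: str


def check_cloudtrail(trails, status_by_name):
    """CUEC: API activity is logged in every region, tamper-evidently, encrypted.
    trails: describe_trails()['trailList']; status_by_name: trail name -> get_trail_status()."""
    findings = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(Finding("cloudtrail", "account", "no multi-region trail"))
    for t in trails:
        name = t["Name"]
        if not status_by_name.get(name, {}).get("IsLogging"):
            findings.append(Finding("cloudtrail", name, "trail is not logging"))
        if not t.get("LogFileValidationEnabled"):
            findings.append(Finding("cloudtrail", name, "log file validation disabled"))
        if not t.get("KmsKeyId"):
            findings.append(Finding("cloudtrail", name, "log files not KMS-encrypted"))
    return findings


def check_iam_mfa(users, mfa_by_user, has_console_password):
    """CUEC: every human (console) user has an MFA device.
    users: list_users()['Users']; mfa_by_user: name -> list_mfa_devices()['MFADevices'];
    has_console_password: name -> True if get_login_profile() succeeded (False on NoSuchEntity)."""
    findings = []
    for u in users:
        name = u["UserName"]
        # Service users without a console password are judged by key hygiene, not MFA.
        if has_console_password.get(name) and not mfa_by_user.get(name):
            findings.append(Finding("iam-mfa", name, "console user without MFA device"))
    return findings


def check_s3_encryption(encryption_by_bucket):
    """CUEC: data at rest is encrypted with KMS.
    encryption_by_bucket: bucket -> get_bucket_encryption() response, or None if the
    call raised ServerSideEncryptionConfigurationNotFoundError."""
    findings = []
    for bucket, cfg in encryption_by_bucket.items():
        if cfg is None:
            findings.append(Finding("s3-encryption", bucket, "no default encryption"))
            continue
        rules = cfg["ServerSideEncryptionConfiguration"]["Rules"]
        algos = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules}
        # S3-managed AES256 is encryption, but the CUEC here calls for KMS (aws:kms or aws:kms:dsse).
        if not any(a.startswith("aws:kms") for a in algos):
            findings.append(Finding("s3-encryption", bucket,
                                    f"default SSE is {', '.join(sorted(algos))}, not KMS"))
    return findings


# Constructed sample responses (fictional account 123456789012).
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/example", "S3BucketName": "example-trail-logs"},
    {"Name": "legacy-useast1", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]
SAMPLE_TRAIL_STATUS = {"org-trail": {"IsLogging": True}, "legacy-useast1": {"IsLogging": False}}
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "ci-deploy"}]
SAMPLE_MFA = {"alice": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}], "bob": [], "ci-deploy": []}
SAMPLE_CONSOLE = {"alice": True, "bob": True, "ci-deploy": False}
SAMPLE_BUCKETS = {
    "example-trail-logs": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/example"}}]}},
    "example-uploads": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "example-legacy": None,
}


def run_sample_audit():
    """Run all three checks over the constructed sample and return the findings."""
    return (check_cloudtrail(SAMPLE_TRAILS, SAMPLE_TRAIL_STATUS)
            + check_iam_mfa(SAMPLE_USERS, SAMPLE_MFA, SAMPLE_CONSOLE)
            + check_s3_encryption(SAMPLE_BUCKETS))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.control}] {f.resource}: {f.detail}")
```

On the sample data this reports six findings: the single-region legacy trail is not logging, lacks log file validation and KMS encryption; bob has a console password but no MFA device; and two buckets fall short of KMS default encryption (one on S3-managed AES256, one with no default at all). The account-level "no multi-region trail" finding is only raised when no trail covers all regions, which is why org-trail suppresses it here. Keep the output of a run like this, dated, as audit evidence for the corresponding CUECs.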
Limitations
- The AWS SOC 2 report covers the controls AWS operates for in-scope services; your application and the configuration you build on top of them are not automatically SOC 2 compliant.
- SOC 2 reports are under NDA and cannot be publicly shared — available through AWS Artifact.
- You must implement complementary user entity controls (CUECs) listed in the AWS SOC 2 report.
- SOC 2 compliance requires your own audit even when using compliant infrastructure.
- Not all AWS services may be in scope for the SOC 2 report — verify specific services.
Frequently Asked Questions
Is AWS SOC 2 compliant?
Yes. AWS maintains SOC 2 Type II compliance with recurring audits by independent firms. SOC 2 reports are available through AWS Artifact for AWS customers.
How do I get the AWS SOC 2 report?
Access the AWS SOC 2 Type II report through AWS Artifact in the AWS Management Console. You must accept the NDA to download the report.
Does using AWS make my app SOC 2 compliant?
No. The AWS SOC 2 report covers the controls AWS operates for in-scope services. You must implement your own application-level security controls, access management, and monitoring, and undergo your own SOC 2 audit with your own auditor.
What is the shared responsibility model for SOC 2?
AWS is responsible for security of the cloud (physical facilities, network, hypervisor, and the managed layer of services such as RDS or Lambda). You are responsible for security in the cloud (the guest OS where you manage one, application code, data and its encryption choices, IAM, and monitoring). Your SOC 2 audit covers your side of that line; where the line sits differs by service, so check the CUECs for the services you actually use.
What are complementary user entity controls (CUECs)?
CUECs are controls that AWS expects you to implement for the overall system to be secure. They are listed in the AWS SOC 2 report and include things like IAM configuration, encryption settings, and monitoring.
Is AWS SOC 2 Type I or Type II?
AWS publishes SOC 2 Type II reports, which attest to both the design and the operating effectiveness of controls over a review period (six months for each AWS report; Type II periods in general run six to twelve months). A Type I report attests only to control design at a point in time, so Type II is the more rigorous attestation.
Which AWS services are covered by SOC 2?
Most major AWS services are in scope for the SOC 2 report including EC2, S3, RDS, Lambda, CloudFront, IAM, KMS, and many more. Check the current report in AWS Artifact for the complete list.
Generate SOC 2 policies for your stack
PoliWriter creates all the SOC 2 policies you need, customized to tools like AWS and your specific configuration. AI-powered, audit-ready, hours not months.