SOC 2 on AWS

SOC 2-Ready AWS Infrastructure, Built to Pass the Audit

Your biggest deal reaches procurement, and the reply is one line: send us your SOC 2 report. You don't have one, and the deal freezes. We build the AWS infrastructure and controls that turn that request into a quick yes, SOC 2-ready from day one, with the evidence auditors look for already in place.

AWS Advanced Tier Partner
Google Cloud Partner
RedHat Partner
ISO 27001:2022 Certified
ISO 9001:2015 Certified
SOC 2 · Type I & Type IISOC 2-Ready

SOC 2 is a controls audit. We build the controls and the evidence.

5
Trust Services Criteria
1
Security is mandatory
II
Type II proves operation
3-12mo
Typical Type II window
Your auditor issues the SOC 2 report. Our job is to make sure that when they look, the controls are there and the evidence is complete.HAZERCLOUD SOC 2 readiness on AWS
Built
AWS-Native
Where We Fit

We hold ISO 27001:2022. We build SOC 2-ready AWS.

AWS Advanced TierISO/IEC 27001:2022ISO 9001:2015SOC 2-Ready Infrastructure

We hold ISO 27001:2022 and ISO 9001:2015, and we build AWS infrastructure that is ready for a SOC 2 examination. To be precise about roles: an independent CPA firm performs the SOC 2 audit and issues the report. Our job is to implement the controls and make the evidence complete, so that examination goes smoothly.

Type I vs Type II

Two reports, and the difference is time.

SOC 2 comes in two forms, and the distinction is straightforward. A Type I report describes whether your controls are suitably designed at a single point in time, a snapshot on one date. A Type II report goes further: an independent auditor observes whether those same controls actually operated effectively across a period, typically three to twelve months. Type I proves the design; Type II proves the discipline. Most enterprise buyers eventually want Type II, so we build your AWS environment so the controls run, and log their own evidence, from the first day of that observation window rather than the last.

SOC 2 Infrastructure Controls

The infrastructure controls auditors actually check.

SOC 2 is not a product you install. It is a set of controls an auditor tests, and asks you to prove. Here is what those controls look like when they are built into AWS from the start instead of bolted on before the audit.

Control · Change Management

Change management

  • Infrastructure changes ship via pull request with a required reviewer
  • CI/CD pipelines gate every deploy, no manual console changes in production
  • Git history and plan diffs form the change-approval evidence auditors ask for
  • CloudTrail records who changed what, and when
Control · Access Management

Access reviews

  • Single sign-on and least-privilege roles via IAM Identity Center
  • Periodic access reviews with exportable membership reports
  • Joiner, mover, and leaver process wired to identity provisioning
  • MFA enforced; root account usage alarmed and rare
Control · Logging & Monitoring

Logging and monitoring

  • Centralized, tamper-evident logs in CloudTrail and CloudWatch
  • GuardDuty and Security Hub for threat detection and posture
  • Alerting routed to on-call with a documented triage path
  • Log retention set to cover your full audit period
Control · Backup & DR

Backup and disaster recovery

  • AWS Backup policies with tested restore procedures
  • Defined RPO and RTO per workload
  • Cross-region or cross-account copies where the risk warrants
  • Restore tests documented as evidence of availability controls
Control · Vendor Management

Vendor management

  • Inventory of subprocessors and critical AWS services in scope
  • Subservice organization controls tracked (AWS carries its own reports)
  • Vendor risk reviews and renewal reminders documented
  • Data flows mapped so the auditor can trace where data lives
Evidence Automation

Evidence that collects itself.

The slowest part of any SOC 2 audit is gathering evidence. When your infrastructure is defined as code and shipped through CI/CD, that evidence becomes a by-product of how you already work: every change is a reviewed pull request, every deploy is a pipeline run with a record, and every access grant is a version-controlled role. CloudTrail, Config, and Security Hub keep the operational trail. Nobody has to reconstruct a year of screenshots the week before the audit.

Many teams pair this with an evidence-automation platform such as Vanta or Drata, which connects to AWS and your CI/CD to collect control evidence continuously and map it to the Trust Services Criteria. We build your AWS environment so those platforms have clean, well-tagged signals to read, and so the same evidence can also serve ISO 27001 or other frameworks you take on later. The platform you choose is your call; we make the underlying infrastructure produce evidence worth automating.

Where the evidence lives

Change approvalsPRs
Deploy recordsCI/CD
API audit trailCloudTrail
Config stateAWS Config
Posture and findingsSecurity Hub
See how infrastructure as code creates the trail
Timeline Expectations

What a realistic SOC 2 timeline looks like.

There are no shortcuts around the observation window, but there is a lot of waste to remove before it starts. Honest expectations, not a sales promise.

01

Readiness and remediation

We assess your current AWS setup against the criteria, close gaps, and stand up the controls and logging. This is where most of the effort lives, and where we spend the bulk of an engagement.

02

Type I, point in time

Once controls are designed and in place, your auditor can assess a Type I report, a snapshot that many buyers will accept while Type II is still in progress.

03

Type II, observation window

Type II requires an observation window during which the controls run and generate evidence, commonly three to twelve months depending on scope and buyer expectations. The report follows the window; there is no compressing the clock, so the aim is to start the window with controls already operating.

Related Work

Where SOC 2 readiness connects.

FAQ

SOC 2 questions founders ask first.

How long does Type II really take? Who actually does the audit? SOC 2 or ISO 27001? Book a call and we'll answer these against your AWS setup.

Book a SOC 2 Readiness Call →
How long does SOC 2 Type II take?+
There is no way around the observation window, so plan for it honestly. Type II requires an auditor to observe your controls operating over a period, most commonly three to twelve months depending on scope and what your buyers will accept. Before that window starts there is usually a readiness phase to close gaps and stand up controls and logging, which is where most of the real work lives. The report only follows the window, so the goal is to begin the observation period with controls already operating and generating evidence, not scrambling to build them once the clock has started.
Do you do the audit?+
No, and by design we cannot. A SOC 2 report is always issued by an independent CPA firm; that independence is the entire point of the attestation. We build and operate the SOC 2-ready AWS infrastructure, implement the controls, and make sure the evidence is complete and easy to hand over, so that when your chosen auditor examines your environment the answer is already yes. We work alongside the auditor you select, but the examination and the report are theirs, never ours.
SOC 2 vs ISO 27001, which do we need?+
It usually comes down to who is buying. SOC 2 is a US-origin attestation issued by a CPA firm and is what most North American enterprise buyers ask for. ISO 27001 is a globally recognized certification issued by an accredited body and is often preferred in Europe. The good news is that the underlying controls overlap heavily, so building for one gets you a long way toward the other. We hold ISO 27001:2022 ourselves, so we have operated these controls in production, and we build your AWS environment so the same evidence base can serve both frameworks rather than duplicating the effort.
AWS says it is SOC 2 compliant, does that not cover us?+
Only the part AWS is responsible for. Under the shared responsibility model, AWS obtains its own SOC reports for the infrastructure it operates, the data centers, hardware, and managed service layers. That covers the foundation, but everything you configure on top of AWS, your identity and access, change management, logging, backup, and data handling, is your scope and your auditor will test it. AWS being examined reduces your work; it does not remove your need for your own controls and evidence.
What are the SOC 2 Trust Services Criteria?+
SOC 2 is organized around five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security, often called the Common Criteria, is the only mandatory category; the other four are included when they are relevant to what you do and what your customers care about. Part of a readiness engagement is deciding which criteria belong in your scope, because a wider scope means more controls to operate and more evidence to maintain. We help you pick a scope that satisfies your buyers without carrying controls you do not need.
Can our existing AWS setup be made SOC 2-ready without a rebuild?+
In most cases, yes. We start by assessing what you already run against the criteria, then adopt and improve in place rather than tearing things down. Where infrastructure was built by hand, we bring it under infrastructure as code so changes become reviewable and versioned; where logging or access controls are thin, we add them; where evidence is manual, we automate its collection. A rebuild is occasionally warranted, but far more often the fastest path is to harden and instrument the environment you have.
Which evidence-automation platform should we use?+
That is your decision, and we stay tool-agnostic. Evidence-automation platforms such as Vanta or Drata connect to AWS and your CI/CD to collect control evidence continuously and map it to the Trust Services Criteria, and they can save a great deal of manual work. Our role is to build the underlying AWS environment so that whichever platform you choose has clean, well-tagged signals to read, and so the same evidence also serves other frameworks you may take on later. We do not resell any specific platform; we make the infrastructure produce evidence worth automating.
Jobin Joseph, Founder & CTO of HAZERCLOUD
Jobin Joseph
Founder & CTO
AWS SA ProDevOps ProSecurity+2
Verify on Credly ↗
Who You'll Actually Work With

This engagement runs through me, personally.

The AWS-certified specialist on your discovery call leads the implementation team on your engagement. No bait-and-switch. No junior-led delivery.

Discovery call: I attend, no exceptions
Architecture sign-off: before any work begins
Weekly review: I'm on every call, every week
Control decisions: go through me first
Evidence sign-off: my signature, my reputation
30 days post-handoff: direct line to me
Read more about Jobin and the engagement model
SOC 2
Blocked on a SOC 2 report request?

30 minutes with our founder. One SOC 2 readiness insight.

We'll look at your current AWS setup, the criteria your buyers care about, and your timeline. You'll leave with a clearer view of what is already in place, what the audit will test, and the realistic path to a Type II report.

AWS Advanced Tier Services Partner · ISO 27001:2022 · ISO 9001:2015 · 5× AWS-Certified Founder

30 min Free Consultation →