SOC2 Compliance

Here are the currently implemented SOC2 rules:

AWS

Rule | AWS Service
Checks whether AWS Application Load Balancers (ALB) are configured to drop invalid HTTP headers. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false. | Elastic Load Balancing
Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of an Application Load Balancer do not have HTTP to HTTPS redirection configured. | Elastic Load Balancing
Checks whether AWS CloudTrail is configured to use server-side encryption (SSE) with an AWS Key Management Service (AWS KMS) customer master key (CMK). The rule is compliant if the KmsKeyId is defined. | CloudTrail
Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that file validation be enabled on all trails. The rule is NON_COMPLIANT if validation is not enabled. | CloudTrail
Checks whether RDS DB instances have backups enabled. | RDS
Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized. | EC2
Checks that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if encryption is not enabled. | EC2
Checks whether detailed monitoring is enabled for EC2 instances. | EC2
Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. The rule is NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. This rule applies only to IPv4. | EC2
Checks whether Application Load Balancers and Classic Load Balancers have logging enabled. | Elastic Load Balancing
Checks whether EBS volumes that are in an attached state are encrypted. | EC2
Checks whether IAM groups have at least one IAM user. | IAM
Checks that the inline policy feature is not in use. The rule is NON_COMPLIANT if an AWS Identity and Access Management (IAM) user, IAM role or IAM group has any inline policy. | IAM
Checks whether the account password policy for IAM users meets the specified requirements. | IAM
Checks whether IAM users are members of at least one IAM group. | IAM
Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or roles. | IAM
Checks whether your EC2 instances belong to a virtual private cloud (VPC). | EC2
Checks whether an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled, i.e. deletionProtection is set to false. | RDS
Checks whether an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have AWS IAM authentication enabled. | RDS
Checks whether Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item. | RDS
Checks whether Amazon RDS databases are present in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan. | RDS
Checks whether storage encryption is enabled for your RDS DB instances. | RDS
Checks whether Amazon S3 buckets have Object Lock enabled by default. The rule is NON_COMPLIANT if the lock is not enabled. | S3
Checks whether logging is enabled for your S3 buckets. | S3
Checks that your Amazon S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server-side encryption. | S3
Checks whether S3 buckets have policies that require requests to use Secure Sockets Layer (SSL). | S3
Checks whether versioning is enabled for your S3 buckets. | S3
Checks whether Amazon Virtual Private Cloud (VPC) flow logs are found and enabled for the Amazon VPC. | VPC