The following SOC 2 controls are automatically covered by connecting your AWS account:
- The company maintains an inventory of its system components, their owners, and their business function.
- The company uses logging and monitoring software to collect data from servers and endpoints, detect potential security threats and unusual system activity, and monitor system performance.
- The company uses alerting software to notify impacted teams of potential security and availability events.
- Production infrastructure is restricted to users with a unique account, SSH key or access key.
- Administrative access to production servers, databases, and internal administrative tools is restricted based on the principle of least privilege. Internal user access to systems and applications holding customer data requires two-factor authentication: a user ID and password plus a one-time passcode.
- Users are assigned unique IDs to access sensitive information.
- Service data is encrypted at rest.
- Encryption is used to protect the transmission of data over the internet.
- System tools monitor company load balancers and notify appropriate personnel of any events or outages based on predetermined criteria. Any identified issues are tracked through resolution in accordance with the Incident Response Plan.
- The system is configured to operate across availability zones to support continuous availability.
- Full backups are performed daily and retained in accordance with the Backup Policy.
- Threat management software is installed on endpoints that can access the production environment.
- Management has implemented intrusion detection and prevention tools that monitor network traffic to the production environment.
- Firewall configurations ensure available networking ports and protocols are restricted to approved business rules.
- Vulnerability scanning is performed on production infrastructure systems, and the company remediates identified deficiencies in a timely manner.