SOC 2 Compliance
Security & Compliance

What is SOC 2 Compliance?

SOC 2 is an attestation — not a certification — where an auditor verifies that your security controls are real, operational, and repeatable: you say what you do, and you do what you say.

Attestation, Not Certification

SOC 2 isn't a certification. It's an attestation. Your auditor isn't grading you against a fixed checklist — they're verifying that your controls are real, operational, and repeatable.

The core principle is simple: say what you do, and do what you say.

SOC 2 evaluates your organization across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Most B2B SaaS companies need SOC 2 to win enterprise customers.

Type 1 vs. Type 2

  • Type 1 proves you can do it once
  • Type 2 proves you do it continuously

The only way to do anything continuously is to automate it. The only way to automate it effectively is with infrastructure as code. That's why Type 2 carries more weight with customers — it demonstrates that your controls aren't just designed well, they're actually running.

What Your Auditor Actually Looks For

SOC 2 requires demonstrable evidence for:

  • Access management — least-privilege IAM, MFA, and centralized identity
  • Change management — pull request workflows, code review, and deployment approvals
  • Monitoring — audit logging, alerting, and incident response procedures
  • Data protection — encryption at rest and in transit, backup and recovery
  • Network security — VPC isolation, security groups, and WAF configuration

Why Infrastructure as Code Matters

When all infrastructure is defined in code, your compliance posture is versioned, reviewable, and repeatable — the very definition of "continuous." Git history becomes your audit trail, modules enforce consistent security configurations, and drift detection catches unauthorized changes before your auditor does.
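The drift-detection step above, as an added illustration (not Cloud Posse's code): the declared side stands in for settings a Terraform module enforces, the observed side for what a cloud API reports, and every control-relevant setting whose live value differs from code is reported under the SOC 2 evidence category it affects. Both resource sets are constructed sample data.

```python
"""Drift check: compare security settings declared in code against observed state.

Added example, not part of the original page. DECLARED and OBSERVED are
constructed sample data; a real run would load the declared side from IaC
state or plan output and the observed side from a cloud API.
"""
from dataclasses import dataclass

# SOC 2 evidence categories from the page, keyed by the setting they cover.
CONTROL_FOR_SETTING = {
    "encryption_at_rest": "Data protection",
    "block_public_access": "Network security",
    "mfa_required": "Access management",
    "logging_enabled": "Monitoring",
}

@dataclass(frozen=True)
class Drift:
    resource: str
    setting: str
    control: str
    declared: object
    observed: object

def find_drift(declared: dict, observed: dict) -> list[Drift]:
    """Return every control-relevant setting whose live value differs from code.

    A resource that exists live but is absent from code is reported as drift on
    each tracked setting it exposes, because an unmanaged resource has no
    reviewed, approved configuration at all.
    """
    findings = []
    for name, live in sorted(observed.items()):
        wanted = declared.get(name, {})
        for setting, control in CONTROL_FOR_SETTING.items():
            if setting not in live and setting not in wanted:
                continue  # setting does not apply to this resource type
            if wanted.get(setting) != live.get(setting):
                findings.append(Drift(name, setting, control, wanted.get(setting), live.get(setting)))
    return findings

# Constructed sample: what the infrastructure code declares ...
DECLARED = {
    "s3/customer-data": {"encryption_at_rest": True, "block_public_access": True, "logging_enabled": True},
    "iam/admins": {"mfa_required": True},
}
# ... versus what the cloud API reports after changes made outside the code path.
OBSERVED = {
    "s3/customer-data": {"encryption_at_rest": True, "block_public_access": False, "logging_enabled": True},
    "iam/admins": {"mfa_required": True},
    "s3/scratch-bucket": {"encryption_at_rest": False, "block_public_access": True},
}

if __name__ == "__main__":
    for d in find_drift(DECLARED, OBSERVED):
        print(f"[{d.control}] {d.resource}.{d.setting}: code={d.declared} live={d.observed}")
```

Run against the sample data it reports one public-access change on a managed bucket and two findings for the bucket that exists in the account but not in code.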

Related Terms

  • DevSecOps
  • AWS Multi-Account


Copyright ©2026 Cloud Posse, LLC. All rights reserved.