SSAE-18 SOC 2 - AWS Audit Manager

AWS Audit Manager provides a prebuilt standard framework that supports the Statement on Standards for Attestations Engagement (SSAE) No. 18, Service Organizations Controls (SOC) Report 2.

What is SOC 2?

SOC 2, defined by the American Institute of Certified Public Accountants (AICPA), is the name of a set of reports that's produced during an audit. It's intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories known as Trust Service Principles.

AWS SOC reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AWS controls established to support operations and compliance. There are five AWS SOC reports:

  • AWS SOC 1 Report, available to AWS customers from AWS Artifact.

  • AWS SOC 2 Security, Availability & Confidentiality Report, available to AWS customers from AWS Artifact.

  • AWS SOC 2 Security, Availability & Confidentiality Report available to AWS customers from AWS Artifact (scope includes Amazon DocumentDB only).

  • AWS SOC 2 Privacy Type I Report, available to AWS customers from AWS Artifact.

  • AWS SOC 3 Security, Availability & Confidentiality Report, publicly available as a whitepaper.

Using this framework to support your audit preparation

You can use this framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to SOC 2 requirements. You can also customize this framework and its controls to support internal audits with specific requirements.

Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that's relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources based on the controls that are defined in the framework. When it's time for an audit, you (or a delegate of your choice) can review the evidence that Audit Manager collected. You can either browse the evidence folders in your assessment and choose which evidence to include in your assessment report, or, if you enabled evidence finder, search for specific evidence and export it in CSV format or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.
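The procedure above (pick the standard framework, create an assessment scoped to an account, then triage the evidence folders before choosing what goes into the report) can also be driven from code. The following is an added example written for this page, not AWS documentation or Audit Manager code. It assumes the boto3 auditmanager client methods list_assessment_frameworks, create_assessment and get_evidence_folders_by_assessment with the response field names used below; ACCOUNT_ID, ROLE_ARN and REPORT_BUCKET are placeholders, and SAMPLE_FRAMEWORKS and SAMPLE_FOLDERS are constructed data so the selection and summary logic runs offline.

```python
"""Create a SOC 2 assessment from the standard framework and summarise evidence.

Added example, not AWS code. Assumed: boto3 'auditmanager' method names and the
response keys below. Account id, role ARN and bucket are placeholders.
"""
from __future__ import annotations

from collections import defaultdict

# Exact framework name as shown in the Audit Manager framework library.
SOC2_FRAMEWORK_NAME = (
    "Statement on Standards for Attestations Engagement (SSAE) No. 18, "
    "Service Organizations Controls (SOC) Report 2"
)

# Placeholders: replace with your own account, IAM role and S3 destination.
ACCOUNT_ID = "111122223333"
ROLE_ARN = "arn:aws:iam::111122223333:role/AuditManagerProcessOwner"
REPORT_BUCKET = "s3://amzn-s3-demo-bucket/audit-reports"


def find_framework_id(frameworks: list[dict], name: str = SOC2_FRAMEWORK_NAME) -> str:
    """Return the id of the single framework whose name matches exactly.

    Matching the full name avoids silently picking a customised copy whose
    name merely contains 'SOC'; zero or several matches is an error.
    """
    matches = [f["id"] for f in frameworks if f.get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"expected one framework named {name!r}, found {len(matches)}")
    return matches[0]


def build_assessment_request(framework_id: str, assessment_name: str) -> dict:
    """Keyword arguments for create_assessment (assumed request shape).

    Scope is one account; the process-owner role is the identity allowed to
    manage the assessment; reports are written to the S3 destination.
    """
    return {
        "name": assessment_name,
        "description": "SOC 2 evidence collection for the upcoming audit",
        "assessmentReportsDestination": {"destinationType": "S3", "destination": REPORT_BUCKET},
        "scope": {"awsAccounts": [{"id": ACCOUNT_ID}]},
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": ROLE_ARN}],
        "frameworkId": framework_id,
    }


def summarise_evidence(folders: list[dict]) -> dict[str, dict]:
    """Aggregate evidence folders per control set (assumed folder field names).

    Reports total evidence, how much came from automated compliance checks,
    how many of those checks flagged issues, and which controls have no
    evidence yet (typically manual controls still awaiting an upload).
    """
    summary: dict[str, dict] = defaultdict(
        lambda: {"evidence": 0, "compliance_checks": 0, "issues": 0, "controls_without_evidence": []}
    )
    for folder in folders:
        entry = summary[folder["controlSetId"]]
        total = folder.get("totalEvidence", 0)
        entry["evidence"] += total
        entry["compliance_checks"] += folder.get("evidenceByTypeComplianceCheckCount", 0)
        entry["issues"] += folder.get("evidenceByTypeComplianceCheckIssuesCount", 0)
        if total == 0:
            entry["controls_without_evidence"].append(folder["controlId"])
    return dict(summary)


# Constructed sample responses in the assumed API shape (not real data).
SAMPLE_FRAMEWORKS = [
    {"id": "fw-aaaa", "name": "My edited SOC copy", "type": "Custom"},
    {"id": "fw-bbbb", "name": SOC2_FRAMEWORK_NAME, "type": "Standard"},
]
SAMPLE_FOLDERS = [
    {"controlSetId": "cs-access", "controlId": "ctl-access-1", "totalEvidence": 12,
     "evidenceByTypeComplianceCheckCount": 12, "evidenceByTypeComplianceCheckIssuesCount": 2},
    {"controlSetId": "cs-access", "controlId": "ctl-access-2", "totalEvidence": 0,
     "evidenceByTypeComplianceCheckCount": 0, "evidenceByTypeComplianceCheckIssuesCount": 0},
    {"controlSetId": "cs-ops", "controlId": "ctl-ops-1", "totalEvidence": 5,
     "evidenceByTypeComplianceCheckCount": 4, "evidenceByTypeComplianceCheckIssuesCount": 0},
]


def run_live(assessment_name: str = "SOC2-assessment") -> dict:
    """Same flow against a real account (requires boto3 and AWS credentials)."""
    import boto3  # imported here so the offline parts of the module need no boto3

    client = boto3.client("auditmanager")
    frameworks, token = [], None
    while True:  # list_assessment_frameworks is paginated via nextToken
        kwargs = {"frameworkType": "Standard", **({"nextToken": token} if token else {})}
        page = client.list_assessment_frameworks(**kwargs)
        frameworks += page["frameworkMetadataList"]
        token = page.get("nextToken")
        if not token:
            break
    created = client.create_assessment(**build_assessment_request(find_framework_id(frameworks), assessment_name))
    assessment_id = created["assessment"]["metadata"]["id"]
    folders = client.get_evidence_folders_by_assessment(assessmentId=assessment_id)["evidenceFolders"]
    return summarise_evidence(folders)


if __name__ == "__main__":
    print(build_assessment_request(find_framework_id(SAMPLE_FRAMEWORKS), "SOC2-demo"))
    for control_set, stats in summarise_evidence(SAMPLE_FOLDERS).items():
        print(control_set, stats)
```

The summary is deliberately a triage aid, not a verdict: a control set with compliance-check issues is where a reviewer should look first, and a control with zero evidence is usually a manual control whose documentation still has to be uploaded, matching the note later on this page that Audit Manager does not collect procedural evidence on its own.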

The framework details are as follows:

Framework name in AWS Audit Manager: Statement on Standards for Attestations Engagement (SSAE) No. 18, Service Organizations Controls (SOC) Report 2
Number of automated controls: 8
Number of manual controls: 53
Number of control sets: 20

Tip

To review the AWS Config rules that are used as data source mappings in this standard framework, download the AuditManager_ConfigDataSourceMappings_SSAE-No.-18-SOC-Report-2.zip file.

The controls in this AWS Audit Manager framework aren't intended to verify whether your systems are compliant, and they can't guarantee that you'll pass an audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find this framework under the Standard frameworks tab of the framework library in Audit Manager.

Next steps

For instructions on how to create an assessment using this framework, see Creating an assessment in AWS Audit Manager.

For instructions on how to customize this framework to support your specific requirements, see Making an editable copy of an existing framework in AWS Audit Manager.

Additional resources