
SOC 2 Evidence from AWS CloudTrail

Why this matters for SOC 2

If your production infrastructure runs on AWS, CloudTrail is the primary evidence source for almost every infrastructure-related SOC 2 control — who made what change, who assumed what role, and whether access followed least-privilege principles. Auditors will ask for it by name.

What evidence CloudTrail provides

  • A complete, append-only record of every IAM change (CC6.3 — role-based access and least privilege)
  • Evidence of system monitoring for anomalous API activity, supporting CC7.2
  • A record of console and API access patterns that can demonstrate access reviews are grounded in actual usage, not just policy documents
  • Cross-account access and AssumeRole activity, which is frequently the specific evidence requested for multi-account AWS organizations
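The four evidence types above can be pulled straight out of a CloudTrail log file. The script below is an added example, not LogTriage's code: it reads the on-disk CloudTrail log-file shape (a JSON object with a "Records" list), separates IAM changes from read-only IAM calls using CloudTrail's own readOnly flag, picks out cross-account AssumeRole calls by comparing the caller's account with the account in the requested roleArn, and counts activity per principal so an access review can be checked against actual usage. The records and account IDs in it are constructed samples; the field names follow the CloudTrail record format. It does not reproduce LogTriage's ATT&CK or control mapping.

```python
"""Pull SOC 2 evidence out of a CloudTrail log file using only the standard library.

Added example (not LogTriage code). Input is the on-disk CloudTrail log-file shape,
a JSON object with a "Records" list; the records below are constructed samples.
"""
import json
from collections import Counter

# Constructed sample records (field names follow the CloudTrail record format).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "readOnly": False, "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "readOnly": True, "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": None},
    {"eventTime": "2024-03-01T11:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "readOnly": True, "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/build-42"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/prod-deploy",
                           "roleSessionName": "build-42"}},
    {"eventTime": "2024-03-01T11:30:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "readOnly": True, "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/carol"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/read-only",
                           "roleSessionName": "carol"}},
]})

# requestParameters keys that name the IAM object being changed.
_TARGET_KEYS = ("userName", "roleName", "groupName", "policyArn", "policyName")


def load_records(text):
    """Parse one CloudTrail log file; an empty list if it has no Records."""
    return json.loads(text).get("Records", [])


def _actor(record):
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def _account_of_arn(arn):
    """ARN format is arn:partition:service:region:account-id:resource."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def iam_write_events(records):
    """CC6.3 evidence: every event that modified IAM state.

    CloudTrail's readOnly flag separates Describe/List/Get calls from changes,
    so keep iam.amazonaws.com events whose readOnly is False.
    """
    out = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("readOnly", True):
            continue
        params = r.get("requestParameters") or {}
        target = ", ".join(f"{k}={params[k]}" for k in _TARGET_KEYS if k in params)
        out.append({"time": r["eventTime"], "actor": _actor(r),
                    "action": r["eventName"], "target": target})
    return out


def cross_account_assumptions(records):
    """AssumeRole calls where the role lives in a different account than the caller."""
    out = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") != "AssumeRole":
            continue
        role_arn = (r.get("requestParameters") or {}).get("roleArn", "")
        src = r.get("userIdentity", {}).get("accountId", "")
        dst = _account_of_arn(role_arn)
        if dst and dst != src:
            out.append({"time": r["eventTime"], "actor": _actor(r), "role": role_arn,
                        "from_account": src, "to_account": dst})
    return out


def usage_by_principal(records):
    """Per-principal activity counts: the 'actual usage' side of an access review."""
    return Counter(_actor(r) for r in records)


def build_evidence(text):
    records = load_records(text)
    return {"CC6.3_iam_changes": iam_write_events(records),
            "cross_account_assume_role": cross_account_assumptions(records),
            "usage_by_principal": dict(usage_by_principal(records))}


if __name__ == "__main__":
    print(json.dumps(build_evidence(SAMPLE_LOG), indent=2))
```

Real log files delivered to S3 are gzip-compressed, so for live data open each object with `gzip.open(path, "rt")` and pass the text to `load_records`. Detecting cross-account assumption from the roleArn rather than from `recipientAccountId` matters because a cross-account AssumeRole event is delivered to both the calling and the role-owning account's trails.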

How LogTriage maps this to SOC 2 controls

IAM-modifying CloudTrail events are mapped to MITRE ATT&CK privilege escalation techniques, which the compliance mapper then ties to CC6.3 (Role-Based Access and Least Privilege). Detected exfiltration-pattern activity maps to CC7.2 (System Monitoring) automatically, with the specific evidence note an auditor expects attached to the report.

Evidence checklist

  • Confirm CloudTrail is enabled in every account and region in scope, including organization-level trails
  • Verify log file integrity validation is enabled — auditors specifically check for this
  • Retain evidence of IAM access reviews and tie them to actual CloudTrail-observed usage
  • Document the retention period for CloudTrail logs and confirm it meets your SOC 2 evidence window requirement
  • Maintain a record of any privilege escalation alerts and their resolution
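The configuration items on this checklist (coverage of every region and account, log file integrity validation, the trail actually logging, and a retention period that meets the evidence window) can be checked mechanically. The script below is an added example, not LogTriage's code. Its input dicts use the same keys that boto3's `cloudtrail.describe_trails()`, `cloudtrail.get_trail_status()` and `s3.get_bucket_lifecycle_configuration()` return, so live output can be fed to the same functions; the trail names, bucket names and values here are constructed, and the 365-day evidence window is a placeholder to be replaced with your own.

```python
"""Check CloudTrail trails against the SOC 2 evidence checklist (stdlib only).

Added example (not LogTriage code). The dict shapes mirror boto3's
cloudtrail.describe_trails() trail entries, get_trail_status() output and the
"Rules" list from s3.get_bucket_lifecycle_configuration(); values are constructed.
"""

# Constructed: a trail configured the way the checklist expects.
GOOD_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True,
              "LogFileValidationEnabled": True, "IsOrganizationTrail": True,
              "S3BucketName": "example-cloudtrail-logs", "HomeRegion": "us-east-1"}
GOOD_STATUS = {"IsLogging": True}
GOOD_LIFECYCLE = []  # no expiration rule at all: objects are kept indefinitely

# Constructed: a single-region trail, validation off, not logging, 30-day expiry.
WEAK_TRAIL = {"Name": "dev-trail", "IsMultiRegionTrail": False,
              "LogFileValidationEnabled": False, "IsOrganizationTrail": False,
              "S3BucketName": "example-dev-logs", "HomeRegion": "us-west-2"}
WEAK_STATUS = {"IsLogging": False}
WEAK_LIFECYCLE = [{"ID": "expire", "Status": "Enabled", "Filter": {},
                   "Expiration": {"Days": 30}}]


def effective_retention_days(lifecycle_rules):
    """Shortest enabled Expiration.Days across the bucket's rules, or None when
    no rule expires objects (retained indefinitely)."""
    days = [r["Expiration"]["Days"] for r in lifecycle_rules
            if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    return min(days) if days else None


def check_trail(trail, status, lifecycle_rules, required_days, uses_organizations=True):
    """Return the checklist findings for one trail; an empty list means it passes."""
    findings = []
    name = trail.get("Name", "<unnamed>")
    if not trail.get("IsMultiRegionTrail"):
        findings.append(f"{name}: not multi-region; events outside "
                        f"{trail.get('HomeRegion')} are not captured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append(f"{name}: log file integrity validation is disabled")
    if uses_organizations and not trail.get("IsOrganizationTrail"):
        findings.append(f"{name}: not an organization trail; member accounts "
                        f"may be uncovered")
    if not status.get("IsLogging"):
        findings.append(f"{name}: trail exists but is not currently logging")
    retention = effective_retention_days(lifecycle_rules)
    if retention is not None and retention < required_days:
        findings.append(f"{name}: bucket expires logs after {retention} days, "
                        f"below the {required_days}-day evidence window")
    return findings


def checklist_report(trails, required_days=365):
    """trails: iterable of (trail, status, lifecycle_rules). Returns {name: findings}.
    required_days=365 is a placeholder; use your own SOC 2 evidence window."""
    return {t.get("Name"): check_trail(t, s, rules, required_days)
            for t, s, rules in trails}


if __name__ == "__main__":
    report = checklist_report([(GOOD_TRAIL, GOOD_STATUS, GOOD_LIFECYCLE),
                               (WEAK_TRAIL, WEAK_STATUS, WEAK_LIFECYCLE)])
    for name, findings in report.items():
        print(name, "PASS" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run the report against every account in scope, not only the management account: `describe_trails` must be called with credentials for each account (or with `includeShadowTrails`) to see which accounts an organization trail actually covers. The lifecycle check only reads the bucket's expiration rules; if logs are also copied to a separate archive, add that retention to the evidence rather than relying on the primary bucket alone.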

See your compliance mapping generated automatically

Every LogTriage report, whether AI-generated or rule-based, carries a deterministic compliance mapping to SOC 2, PCI DSS, HIPAA, NIST CSF, and ISO 27001.
