
Learning from the AWS SOC 2 Report: How Cloud Service Providers Support—Not Own—Your Compliance
Anna Fitzgerald
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
If your company runs critical systems or stores customer data on Amazon Web Services (AWS), understanding the AWS SOC 2 report is essential. This third-party audit document is a valuable compliance asset, but can also be a source of confusion.
Many organizations assume that using AWS, or any SOC 2 compliant cloud service provider (CSP), means they’re already covered for their own SOC 2 compliance. In reality, AWS’s SOC 2 report can support and help meet your compliance efforts, but not replace them.
In this article, we’ll unpack what the AWS SOC 2 report covers, how to use it to streamline your own audit, and the broader topic of shared responsibility in cloud compliance so you can leverage CSPs while still meeting security and compliance requirements.
The AWS SOC 2 Report, Explained
The AWS SOC 2 report is a third-party attestation of AWS controls that meet the SOC 2 Trust Services Criteria for Security, Availability, Confidentiality, and Privacy.
The AWS SOC 2 Report is based on a SOC 2 Type II audit, which evaluates both the design and operating effectiveness of AWS controls over a 12-month reporting period. The reporting period of the most recent AWS SOC 2 report was April 1, 2024 to March 31, 2025.
Designed to provide information about how AWS handles the content that customers upload to AWS and how AWS protects that content across in-scope services and locations, the most current AWS SOC 2 report covers nearly 200 cloud services, data centers in 25 locations across the world, and 138 edge locations. Given this scope, it makes sense that the most recent report is 185 pages in length.
Customers can access this report through the AWS Artifact portal to demonstrate cloud provider compliance in their own audit processes.
Let’s cover what information you can expect if you download the SOC 2 report from AWS Artifact.
What does the AWS SOC 2 report include?
The AWS SOC 2 report includes detailed descriptions of the:
- System architecture and services covered
- AWS control environment, including:
  - Logical and physical access controls
  - Change management processes
  - Incident response procedures
  - Data protection measures
- Complementary user entity controls
- Auditor’s test results over the evaluation period
- Auditor’s opinion
It’s important to note that AWS’s SOC 2 report only applies to AWS-managed services, not customer-deployed applications or configurations.
Does this mean AWS customers are automatically SOC 2 compliant?
No, and this is a common misconception.
Using a SOC 2 compliant cloud provider like AWS does not make your organization SOC 2 compliant.
The AWS SOC 2 report shows that AWS has implemented strong security and availability controls for the infrastructure and services it manages. But your own organization is still responsible for:
- Securing your applications and workloads hosted in AWS
- Managing user access and permissions
- Implementing encryption, logging, and monitoring at the application level
- Defining and enforcing security policies
- Responding to security incidents
In short, AWS can help you meet some SOC 2 requirements, but you’ll still need to implement your own internal controls, policies, and procedures to meet the framework’s full criteria.
The AWS shared responsibility model divides control ownership between AWS and the customer as follows:

Responsibility Area | AWS | Customer
---|---|---
Physical Infrastructure (including regions, availability zones, and edge locations) | ✅ | ❌
Software | ✅ | ❌
Environmental controls | ✅ | ❌
Customer Data | ❌ | ✅
Platform, Applications, Identity and access management | ❌ | ✅
Operating System, Network & Firewall Configuration | ❌ | ✅
Client-side Data Encryption & Data Integrity Authentication | ❌ | ✅
Server-side Encryption | ❌ | ✅
Networking Traffic Protection | ❌ | ✅
Note that some controls which apply to both the infrastructure layer and customer layers are shared by AWS and the customer. For a shared control, AWS provides the control implementation for the infrastructure while the customer provides their own control implementation within their use of AWS services. Take patch management for example. While AWS is responsible for patching and fixing flaws within the infrastructure, customers are responsible for patching their guest OS and applications.
Bottom line: While AWS provides a secure foundation, you’re responsible for how that foundation is used, including how securely your systems are configured and operated.
That means that the AWS SOC 2 report helps validate part of your environment, but you’re still responsible for implementing and demonstrating the controls within your scope during a SOC 2 audit, such as logging, monitoring, vulnerability management, and user access.
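The customer-side rows of the table above and the patch management note are the controls your auditor will test against your environment, not AWS’s. The following script is an added example (not from this article, AWS, or Secureframe) that evaluates a constructed inventory against a handful of those customer-owned controls: admin ports open to the internet (OS, network and firewall configuration), buckets without default server-side encryption, console users without MFA, missing multi-region CloudTrail logging, and guest-OS patch backlog. The inventory is shaped loosely like trimmed boto3 responses but is entirely constructed; the field names `ConsoleAccess`, `MFA`, `ServerSideEncryption` and `MissingPatches` are assumptions for this example, and in practice you would populate the inventory from the relevant AWS API calls.

```python
"""Customer-side shared-responsibility checks over a constructed AWS inventory.

Added example, not code from the article or from AWS. Each check maps to a
responsibility area the article assigns to the customer.
"""
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}   # SSH and RDP; world-open admin ports are customer-side findings
ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Finding:
    control: str    # responsibility area, named as in the article's table
    resource: str
    detail: str


# Constructed inventory (hypothetical resource ids, no real account data).
INVENTORY = {
    "security_groups": [
        {"GroupId": "sg-0example1", "IpPermissions": [
            {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0example2", "IpPermissions": [
            {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
    "s3_buckets": [
        {"Name": "example-logs", "ServerSideEncryption": "aws:kms"},
        {"Name": "example-uploads", "ServerSideEncryption": None},
    ],
    "iam_users": [
        {"UserName": "alice", "ConsoleAccess": True, "MFA": True},
        {"UserName": "ci-bot", "ConsoleAccess": False, "MFA": False},
        {"UserName": "bob", "ConsoleAccess": True, "MFA": False},
    ],
    "cloudtrail": [{"Name": "org-trail", "IsMultiRegionTrail": False, "IsLogging": True}],
    "instances": [
        {"InstanceId": "i-0example1", "MissingPatches": 0},
        {"InstanceId": "i-0example2", "MissingPatches": 7},
    ],
}


def check_security_groups(groups):
    """Flag rules that expose an admin port to the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None:          # all-traffic rules carry no port range
                lo, hi = 0, 65535
            open_anywhere = any(r.get("CidrIp") == ANYWHERE for r in perm.get("IpRanges", []))
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if open_anywhere and exposed:
                findings.append(Finding("Operating System, Network & Firewall Configuration",
                                        sg["GroupId"], f"admin port(s) {exposed} open to {ANYWHERE}"))
    return findings


def check_buckets(buckets):
    """Server-side encryption is the customer's row in the table."""
    return [Finding("Server-side Encryption", b["Name"], "no default server-side encryption")
            for b in buckets if not b.get("ServerSideEncryption")]


def check_iam_users(users):
    """Human console access without MFA; API-only identities are handled separately."""
    return [Finding("Identity and access management", u["UserName"], "console access without MFA")
            for u in users if u.get("ConsoleAccess") and not u.get("MFA")]


def check_cloudtrail(trails):
    """Logging is a customer control: require at least one active multi-region trail."""
    if any(t.get("IsLogging") and t.get("IsMultiRegionTrail") for t in trails):
        return []
    return [Finding("Logging and monitoring", "cloudtrail", "no active multi-region trail")]


def check_patching(instances):
    """Guest OS patching stays with the customer even though AWS patches the host."""
    return [Finding("Patch management (guest OS)", i["InstanceId"],
                    f"{i['MissingPatches']} missing patches")
            for i in instances if i.get("MissingPatches", 0) > 0]


def evaluate(inventory):
    """Run every customer-side check and return the combined findings."""
    return (check_security_groups(inventory.get("security_groups", []))
            + check_buckets(inventory.get("s3_buckets", []))
            + check_iam_users(inventory.get("iam_users", []))
            + check_cloudtrail(inventory.get("cloudtrail", []))
            + check_patching(inventory.get("instances", [])))


def summarize(findings):
    """Count findings per responsibility area, useful for an audit readiness view."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.control}] {f.resource}: {f.detail}")
    print(summarize(evaluate(INVENTORY)))
```

Every finding this produces sits on the customer side of the table: nothing here examines AWS’s physical or environmental controls, because the AWS SOC 2 report already attests to those. Checks like these are the kind of evidence you, not AWS, need to show during your own audit.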
This is true no matter what CSP you’re using. Your responsibility may vary based on the provider, the product you’re using, the type of deployment of your tech stack, and your regulatory and customer requirements, among other factors — but if at least some of your data and workloads are in the cloud, then you’ll share responsibility with the CSP. That’s why it’s essential to find and review each CSP’s shared responsibility model, including:
Why you may need the AWS SOC 2 report
Now that we understand that the AWS SOC 2 report can help, but not replace, your compliance efforts, you might be wondering what the purpose of the report is.
Here’s why this report matters:

- Required by your auditors: If you’re pursuing SOC 2 compliance, your auditors will want to see the AWS SOC 2 report to verify that your cloud service provider meets baseline requirements.
- Inherits security controls: As an AWS customer, you benefit from the physical and environmental security controls validated in the AWS SOC 2 report. This reduces the burden of proving certain infrastructure controls in your own audit.
- Reduces testing scope: Your SOC 2 auditor won’t need to re-evaluate AWS’s infrastructure controls already covered in the AWS SOC 2 report.
- Spells out CUECs: The AWS SOC 2 report includes a section titled Complementary User Entity Controls, which can help you determine what policies, procedures, and controls you may need to implement to satisfy the service commitments and system requirements for specific use cases.
- Supports risk assessments: Leveraging the security policies and test results detailed in the AWS SOC 2 report can help support your own control evaluations and streamline the SOC 2 readiness process.
- Builds customer trust: While this request is more common from auditors, your customers may request the AWS SOC 2 report to validate the security of your hosting provider, especially if they are in highly regulated industries like finance or healthcare. While you may not be able to share the SOC 2 report, you can share AWS’s SOC 3 report, a publicly available summary of the AWS SOC 2 report.
- Supports vendor diligence and risk management requirements: SOC 2 includes several requirements related to vendor risk in its privacy and security TSC (or the Common Criteria). For example, CC9.2 requires that the entity assesses and manages risks associated with vendors and business partners. So being able to access and review the AWS SOC 2 report can help you meet these requirements more efficiently.
- Supports reviews of new AWS services or regions or other CSPs: Your internal team may review AWS’s SOC 2 report when evaluating new AWS services or regions, or when comparing AWS with other cloud providers.
Now that we understand the legitimate use cases for the AWS SOC 2 report, let’s walk through the steps to access it.
How to get the AWS SOC 2 report
Getting access to the most recent AWS SOC 2 report is simple. Here are the steps to access the report:
- Log into the AWS Management Console
- Navigate to AWS Artifact
- Search for “SOC 2 Type II Report”
- Accept the NDA terms
- Download the report for use in your SOC 2 audit prep or due diligence
Please note that you must have an active AWS account with appropriate admin permissions to access this report and any Artifact documentation.
Don’t have an active AWS account with appropriate permissions? Download our illustrative SOC 2 report example to get a sense of what this type of report covers and how long it is.
How Secureframe can help you get your SOC 2 report
Using AWS doesn’t automatically make you SOC 2 compliant.
While the AWS SOC 2 report is a critical piece of evidence in your own SOC 2 readiness and audit process, you still need to implement, document, and monitor your own internal controls to secure your own data and applications in the cloud.
Think of your cloud provider’s SOC 2 report as a compliance building block.
Secureframe’s SOC 2 compliance automation helps you connect AWS and the other building blocks you need to create a complete, audit-ready control environment. Secureframe can help you get your SOC 2 report more efficiently by:
- Automatically collecting evidence from AWS and other cloud tools
- Mapping inherited controls from AWS to your audit scope
- Providing real-time monitoring so you stay continuously audit-ready
Request a demo to see exactly how Secureframe can simplify your path to SOC 2 compliance.
FAQs
Does AWS have a SOC 2 report?
Yes, AWS has a SOC 2 report that provides third-party validation of its control environment as related to the Security, Availability, Confidentiality, and Privacy Trust Services Criteria. Its most recent spring report evaluates the control environment from April 1, 2024 to March 31, 2025 and is 185 pages long.
Is AWS SOC 2 Type I or Type II compliance?
AWS publishes a SOC 2 Type II report, which evaluates the effectiveness of its controls over a 12-month audit period. AWS’s auditors perform SOC 2 audits twice a year, with each report covering a 12-month period ending 3/31 and 9/30.
What AWS services are covered by the SOC 2 report?
AWS provides a full list of in-scope services and regions in each year’s report and on this website page. In its most current spring report, it covers 184 services.
If I use AWS, do I still need to do a SOC 2 audit?
Yes. Even if you host everything in AWS, your organization is still responsible for meeting SOC 2 requirements related to data handling, access control and passwords, security policies, incident response, and more for your AWS environment. Here are some reasons why you should get a SOC 2 report.
What’s the purpose of the AWS SOC 2 report?
The AWS SOC 2 report serves multiple purposes for organizations that rely on Amazon Web Services:
- SOC 2 audit preparation: If your organization is pursuing SOC 2 compliance, your auditors will likely request evidence from key vendors. The AWS SOC 2 report helps demonstrate that your cloud infrastructure provider meets industry-standard security and availability requirements.
- Vendor due diligence: Customers or partners may request AWS’s SOC 2 report as part of their third-party risk management process to ensure your hosting environment follows strong security practices.
- Fulfilling complementary subservice controls: In your own SOC 2 system description, you’ll need to explain how you address responsibilities passed to third parties. AWS’s report clearly defines the controls it manages, making it easier for you to document shared responsibilities.
- Internal security evaluations: Security and compliance teams may review the AWS SOC 2 report when assessing new AWS services, validating configurations, or comparing CSPs across multiple vendors.
How can the AWS SOC 2 report help in my own SOC 2 audit?
The AWS SOC 2 report can meaningfully reduce your workload and help streamline your own SOC 2 audit:
- Saves time by eliminating the need for your auditors to review AWS controls directly
- Clarifies shared controls and lets you focus on areas under your organization’s purview
- Supports your documentation of third-party risk and control inheritance
- Aligns with your control narrative when drafting your system description and risk assessments
Can I share the AWS SOC 2 report with customers?
The report is protected by a non-disclosure agreement and is generally intended for internal use or as part of compliance reviews. You should consult AWS’s terms and your legal counsel before sharing externally or consider sharing the AWS SOC 3 report. This is a publicly available summary of the AWS SOC 2 report that outlines how AWS meets the AICPA’s Trust Services Criteria in SOC 2 and includes the external auditor’s opinion of the operation of controls. Here’s the most current AWS SOC 3 report.
You can dive deeper into the similarities and differences in SOC 2 and SOC 3 reports (as well as SOC 1) in this blog on SOC audits.
Does AWS have a SOC 1?
Yes, AWS also has a SOC 1 report, which is issued quarterly. While both types of SOC reports use the same auditing standard SSAE 18, they have different purposes.
- The purpose of the AWS SOC 1 report is to provide information to customers about AWS' control environment that may be relevant to their internal controls over financial reporting.
- The purpose of the AWS SOC 2 report is to provide customers with an independent assessment of AWS' control environment relevant to system security, availability, confidentiality, and privacy.
You can dive deeper into the similarities and differences between SOC 1 vs SOC 2 in this blog.
Is AWS compliant with ISO 27001 and SOC 2?
Yes, AWS is compliant with the latest versions of ISO/IEC 27001 and SOC 2. Its compliance with both frameworks is evidence of AWS’s commitment to information security at every level of its organization, and that the AWS security program is in accordance with industry-leading best practices. More specifically, AWS’s ISO 27001 certification reassures customers that it has developed and implemented an Information Security Management System (ISMS), which defines how AWS perpetually manages security in a holistic, comprehensive manner. You can dive deeper into the similarities and differences between ISO 27001 vs SOC 2 in this blog.