
Technical Nuance

AWS SOC 2 ≠ Your SOC 2

Founders often think using AWS or GCP means they are "already compliant." Here is why you still need your own audit and how to handle the "Carve-out" method.

What AWS Covers

  • Physical Data Center Security
  • Server Hardware Maintenance
  • Infrastructure Network Isolation
  • Environmental Controls (Power/Cooling)

What YOU Must Cover

  • IAM & Access Control (Who logs in?)
  • SDLC & Code Security (Is your code safe?)
  • Database Encryption (Is data at rest safe?)
  • Incident Response (What if you get hacked?)

The "Carve-out" Method Explained

In a SOC 2 audit, you "carve out" vendors like AWS. This means the auditor acknowledges AWS is responsible for certain controls, and they don't audit AWS themselves. Instead, they look for your **annual review** of AWS's SOC 2 report.

Action Plan for Founders

  • 01. Download the AWS SOC 2 Type II report from AWS Artifact.
  • 02. Identify the Complementary User Entity Controls (CUECs) in their report. These are tasks AWS requires *you* to do (e.g., managing your own passwords).
  • 03. Document how your company meets each of those CUECs.
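The "What YOU Must Cover" list above and step 03 of the action plan both come down to the same thing: producing evidence that the controls on your side of the line are actually in place. The script below is an added example, not code from this page or from AWS; it checks two of those controls, IAM access control (every console user, including the root account, has MFA) and database encryption at rest (every RDS instance has StorageEncrypted set), over constructed snapshots shaped like the output of `aws iam get-credential-report` and `aws rds describe-db-instances`. Every account id, user name, instance name and key id in the snapshots is made up for the example.

```python
"""
Added example (not from the original page): evidence checks for two 'security IN the
cloud' controls the page lists as yours to cover. Input is a constructed IAM credential
report (CSV, same column names as the real report) and a constructed RDS inventory
(a subset of describe-db-instances fields). All values are made up.
"""
import csv
import io
import json
from dataclasses import dataclass

# Constructed IAM credential report (real column names, made-up values).
CREDENTIAL_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2021-01-05T10:00:00+00:00,not_supported,2024-02-01T09:12:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2022-03-11T08:30:00+00:00,true,2024-03-01T12:00:00+00:00,2024-01-10T08:00:00+00:00,2024-04-10T08:00:00+00:00,true,true
bob,arn:aws:iam::123456789012:user/bob,2022-06-20T15:45:00+00:00,true,2024-02-28T17:20:00+00:00,2023-12-01T09:00:00+00:00,2024-03-01T09:00:00+00:00,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-02T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

# Constructed RDS inventory (subset of describe-db-instances fields, made-up values).
RDS_INVENTORY_JSON = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-orders", "Engine": "postgres", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
        {"DBInstanceIdentifier": "legacy-reports", "Engine": "mysql", "StorageEncrypted": False},
    ]
})


@dataclass(frozen=True)
class Finding:
    control: str   # which of 'your' controls the exception relates to
    resource: str  # the IAM user or DB instance
    detail: str


def iam_mfa_findings(report_csv: str) -> list[Finding]:
    """Flag console-enabled IAM users (and the root account) that have no MFA.
    Identities with password_enabled=false are API-only and are skipped here."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_user = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if console_user and row["mfa_active"] != "true":
            findings.append(Finding("IAM & Access Control", row["user"],
                                    "console access without MFA"))
    return findings


def rds_encryption_findings(inventory_json: str) -> list[Finding]:
    """Flag RDS instances whose storage is not encrypted at rest."""
    findings = []
    for db in json.loads(inventory_json)["DBInstances"]:
        if not db.get("StorageEncrypted", False):
            findings.append(Finding("Database Encryption", db["DBInstanceIdentifier"],
                                    "StorageEncrypted is false"))
    return findings


def evidence_summary(report_csv: str, inventory_json: str) -> dict:
    """Return a small evidence record: pass/fail per control plus the exceptions found.
    'pass' means no exception in this snapshot; keep the dated snapshot alongside it,
    since that is what an auditor asks to see for each CUEC you claim to meet."""
    findings = iam_mfa_findings(report_csv) + rds_encryption_findings(inventory_json)
    controls = ["IAM & Access Control", "Database Encryption"]
    failing = {f.control for f in findings}
    return {
        "controls": {c: ("fail" if c in failing else "pass") for c in controls},
        "findings": [f.__dict__ for f in findings],
    }


if __name__ == "__main__":
    print(json.dumps(evidence_summary(CREDENTIAL_REPORT_CSV, RDS_INVENTORY_JSON), indent=2))
```

Run against real exports, the same two functions give you a dated exception list per control, which is the form of evidence the "annual review" and CUEC documentation steps expect. In the constructed data, the user `bob` (console access, no MFA) and the instance `legacy-reports` (unencrypted storage) are the two exceptions the script reports.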

Frequently Asked Questions

If AWS is SOC 2 compliant, why do I need my own audit?

AWS is responsible for the 'security OF the cloud' (data centers, physical security), but you are responsible for 'security IN the cloud' (access controls, code deployments, data encryption). Your SOC 2 proves you are doing your part.

What is the difference between Carve-out and Inclusive methods?

The 'Carve-out' method excludes the subservice organization's controls from your report (standard for AWS/GCP). The 'Inclusive' method includes their controls and requires them to sign a management assertion, which is rare for large cloud providers.

Do I need to review my vendors' SOC 2 reports?

Yes. Auditors expect you to perform an annual 'Vendor Risk Review' where you check their SOC 2 reports for exceptions and ensure their Complementary User Entity Controls (CUECs) are implemented by you.