SOC 2 Controls
Detailed mappings for CC6.1, CC6.6, and CC7.2 with evidence requirements and pass criteria.
Control Reference
| Control | Name | Category | Connectors |
|---|---|---|---|
| CC6.1 | Logical Access Controls | Access Control | GitHub, AWS, Google Workspace |
| CC6.6 | Access Removal/Modification | Access Control | GitHub, Google Workspace |
| CC7.2 | Change Management | System Operations | GitHub, AWS |
CC6.1 - Logical Access Controls
Official Description: The entity restricts logical access to information assets including hardware, data, software, and information system components to authorized users.
Purpose
Ensure only authorized individuals can access systems, data, and infrastructure. Prevent unauthorized access through authentication and access control mechanisms.
Evidence Requirements
GitHub:
- Organization-level 2FA enforcement
- Repository access controls
- Member permission restrictions
AWS:
- IAM password policy configuration
- Password complexity requirements
- MFA enforcement for privileged accounts
Google Workspace:
- 2-step verification (2SV) enforcement
- User authentication requirements
- Admin account protections
Evidence Collected
From GitHub (org_settings.json):
{
"two_factor_requirement_enabled": true,
"members_can_create_repositories": false,
"default_repository_permission": "read"
}From AWS (iam_password_policy.json):
{
"MinimumPasswordLength": 14,
"RequireSymbols": true,
"RequireNumbers": true,
"RequireUppercaseCharacters": true,
"RequireLowercaseCharacters": true,
"MaxPasswordAge": 90,
"PasswordReusePrevention": 12
}From Google Workspace (users_2sv.json):
{
"isEnforced": true,
"enforcementDate": "2025-01-01",
"usersEnrolled": 98,
"totalUsers": 100,
"enrollmentPercentage": 98.0
}Pass Criteria
✅ GitHub Requirements:
- 2FA enforced for all organization members
- Repository creation limited to admins/owners
- Default repository permission not set to "write" or "admin"
✅ AWS Requirements:
- Password minimum length ≥ 12 characters (NIST recommendation: 12+)
- Password complexity enabled (symbols, numbers, upper/lowercase)
- Password expiration ≤ 90 days
- Password reuse prevention ≥ 12 passwords
✅ Google Workspace Requirements:
- 2-step verification enforced for all users
- Enrollment rate ≥ 95%
- Grace period ended (enforcement active)
Common Findings
Pass Examples:
✓ GitHub 2FA enforced for all members
✓ AWS password minimum length: 14 characters
✓ AWS MFA required for root account
✓ Google Workspace 2SV enforced (98% enrolled)Fail Examples:
✗ GitHub 2FA not enforced
→ Enable in Organization Settings → Authentication security
✗ AWS password minimum length: 8 characters (below 12)
→ Update IAM password policy to require 12+ characters
✗ Google Workspace 2SV not enforced
→ Enable in Admin console → Security → 2-step verificationRemediation Steps
GitHub 2FA Not Enforced:
- Go to Organization Settings → Authentication security
- Enable "Require two-factor authentication"
- Set grace period (e.g., 30 days for users to enable)
- Monitor compliance via Organization Members page
AWS Password Policy Weak:
- Go to IAM → Account settings → Password policy
- Set minimum length to 12+ characters
- Enable all complexity requirements
- Set max password age to 60-90 days
- Enable password reuse prevention (12+ passwords)
Google Workspace 2SV Not Enforced:
- Go to Admin console → Security → 2-step verification
- Click "Enforce 2-step verification"
- Set grace period for users to enroll
- Monitor enrollment via Users report
Resources
CC6.6 - Access Removal/Modification
Official Description: The entity removes access to information assets when an individual's employment or relationship with the entity has been terminated or when the nature of an individual's role has changed in a manner that affects access needs.
Purpose
Ensure access is revoked or modified when employees leave, change roles, or no longer need specific permissions. Prevent orphaned accounts and excessive privileges.
Evidence Requirements
GitHub:
- Code review enforcement (CODEOWNERS)
- Pull request approval requirements
- Branch protection rules
Google Workspace:
- Admin role assignments and changes
- User account lifecycle (suspensions, deletions)
- Access review processes
Evidence Collected
From GitHub (repo_acme_backend_branch_protection.json):
{
"required_pull_request_reviews": {
"required_approving_review_count": 2,
"dismiss_stale_reviews": true,
"require_code_owner_reviews": true
},
"enforce_admins": {
"enabled": true
}
}From GitHub (repo_acme_backend_codeowners.json):
{
"exists": true,
"path": ".github/CODEOWNERS",
"owners": [
"@acme/backend-team",
"@acme/security-team"
]
}From Google Workspace (role_assignments.json):
{
"roles": [
{
"roleId": "admin",
"roleName": "Super Admin",
"assignees": [
{
"email": "admin@acme.com",
"assignedDate": "2025-01-01",
"lastLoginDate": "2026-01-08"
}
],
"totalAssignees": 2
}
]
}Pass Criteria
✅ GitHub Requirements:
- CODEOWNERS file exists in protected branches
- Code owner review required for protected branches
- Pull request reviews required (minimum 2 approvers recommended)
- Stale review dismissal enabled
✅ Google Workspace Requirements:
- Admin roles assigned to active employees only
- Super Admin role limited to 2-3 individuals
- Role assignments reviewed regularly
- Suspended users have admin roles revoked
Common Findings
Pass Examples:
✓ CODEOWNERS file enforced for main branch
✓ 2 required approving reviews for PRs
✓ Stale review dismissal enabled
✓ Admin roles limited to 2 active employeesFail Examples:
✗ No CODEOWNERS file found
→ Create .github/CODEOWNERS with team ownership
✗ Code owner review not required
→ Enable "Require review from Code Owners" in branch protection
✗ Admin role assigned to suspended user
→ Revoke admin role for inactive accountsRemediation Steps
Add CODEOWNERS File:
- Create
.github/CODEOWNERSin repository root - Define ownership patterns:
# Backend team owns all backend code /src/backend/ @acme/backend-team # Security team must review auth changes /src/auth/ @acme/security-team # Infrastructure team owns CI/CD /.github/ @acme/infrastructure-team - Enable "Require review from Code Owners" in branch protection
Enforce Branch Protection:
- Go to Repository Settings → Branches
- Add branch protection rule for
main - Enable "Require pull request reviews before merging"
- Set "Required number of approvals" to 2+
- Enable "Dismiss stale pull request approvals when new commits are pushed"
- Enable "Require review from Code Owners"
Review Admin Roles:
- Go to Google Admin console → Users
- Filter by "Super Admin" role
- Review each admin for active employment
- Remove admin role from suspended/inactive users
- Document admin role justification
Resources
CC7.2 - Change Management
Official Description: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
Purpose
Ensure all system changes are reviewed, approved, tested, and documented. Prevent unauthorized or untested changes from reaching production.
Evidence Requirements
GitHub:
- Branch protection with required reviews
- Required status checks (CI/CD tests)
- Merge restrictions
- Change history via commit logs
AWS:
- CloudTrail logging enabled
- Audit trail retention
- Multi-region logging
- Log file validation
Evidence Collected
From GitHub (repo_acme_backend_branch_protection.json):
{
"required_status_checks": {
"strict": true,
"checks": [
"ci/tests",
"ci/lint",
"ci/security-scan"
]
},
"required_pull_request_reviews": {
"required_approving_review_count": 2,
"dismiss_stale_reviews": true
},
"restrictions": {
"users": [],
"teams": ["backend-leads"],
"apps": []
}
}From AWS (cloudtrail_trail_production_status.json):
{
"IsLogging": true,
"LatestDeliveryTime": "2026-01-09T12:30:00Z",
"IsMultiRegionTrail": true,
"LogFileValidationEnabled": true,
"S3BucketName": "acme-cloudtrail-logs",
"IncludeGlobalServiceEvents": true
}From AWS (cloudwatch_log_groups.json):
{
"logGroups": [
{
"logGroupName": "/aws/lambda/production-api",
"retentionInDays": 90,
"storedBytes": 1234567890
}
]
}Pass Criteria
✅ GitHub Requirements:
- Branch protection enabled for production branches
- Required status checks passing before merge
- Minimum 2 required reviewers (3+ recommended for production)
- Stale review dismissal enabled
- Merge restrictions to authorized teams/users
✅ AWS Requirements:
- CloudTrail actively logging (IsLogging: true)
- Multi-region trail enabled
- Log file validation enabled
- CloudWatch Logs retention ≥ 90 days
- Recent log delivery (within last 24 hours)
Common Findings
Pass Examples:
✓ Branch protection requires 2+ approving reviews
✓ CI/CD tests must pass before merge
✓ CloudTrail logging active (multi-region)
✓ Log retention: 90 days
✓ Log file validation enabledFail Examples:
✗ No required status checks configured
→ Add CI/CD tests as required status checks
✗ CloudTrail not logging
→ Enable CloudTrail and verify logging status
✗ Log retention: 7 days (below 90-day requirement)
→ Increase CloudWatch Logs retention to 90+ daysRemediation Steps
Enable Required Status Checks:
- Go to Repository Settings → Branches
- Edit branch protection rule for
main - Enable "Require status checks to pass before merging"
- Select required checks:
- Unit tests
- Integration tests
- Linting
- Security scanning
- Enable "Require branches to be up to date before merging"
Configure CloudTrail:
- Go to AWS CloudTrail console
- Create trail with these settings:
- Trail name:
production-audit-trail - Apply trail to all regions: Yes
- Log file validation: Enabled
- S3 bucket: Create dedicated bucket
- CloudWatch Logs: Enabled
- Trail name:
- Verify trail is logging:
aws cloudtrail get-trail-status --name production-audit-trail
Set Log Retention:
- Go to CloudWatch → Log groups
- Select log group (e.g.,
/aws/lambda/production-api) - Actions → Edit retention setting
- Set retention to 90 days or more
- Repeat for all production log groups
Resources
Control Coverage Matrix
By Connector
| Connector | CC6.1 | CC6.6 | CC7.2 |
|---|---|---|---|
| GitHub | ✅ | ✅ | ✅ |
| AWS | ✅ | ✅ | |
| Google Workspace | ✅ | ✅ |
By Evidence Type
| Evidence Type | Controls |
|---|---|
| 2FA/MFA Enforcement | CC6.1 |
| Password Policies | CC6.1 |
| Code Review | CC6.6, CC7.2 |
| Branch Protection | CC7.2 |
| Audit Logging | CC7.2 |
| Access Controls | CC6.1, CC6.6 |
Automated Compliance Checking
The evidence SDK automatically maps collected evidence to controls:
normalized.json Output
{
"controls": {
"CC6.1": {
"name": "Logical Access Controls",
"status": "pass",
"requirements_met": 3,
"total_requirements": 3,
"evidence": [
{
"source": "github",
"artifact": "org_settings.json",
"requirement": "2FA enforcement",
"finding": "2FA required for all organization members",
"compliant": true
},
{
"source": "aws",
"artifact": "iam_password_policy.json",
"requirement": "Password complexity",
"finding": "14 character minimum with complexity requirements",
"compliant": true
},
{
"source": "google-workspace",
"artifact": "users_2sv.json",
"requirement": "MFA enforcement",
"finding": "2SV enforced for 98% of users",
"compliant": true
}
]
}
}
}hints.json Output
{
"hints": [
{
"severity": "info",
"control": "CC6.1",
"category": "improvement",
"message": "Consider reducing AWS password expiration from 90 to 60 days",
"source": "aws",
"artifact": "iam_password_policy.json"
},
{
"severity": "low",
"control": "CC7.2",
"category": "recommendation",
"message": "Consider increasing required reviewers from 2 to 3 for production repos",
"source": "github",
"artifact": "repo_acme_backend_branch_protection.json"
}
]
}Next Steps
Configure Connectors Set up each connector to collect evidence for these controls.
Automate Collection Schedule evidence collection with GitHub Actions.
View Complete Mappings See detailed evidence-to-control mappings for each connector.