
Controls Configuration

Complete schema reference for selecting SOC 2 controls in evidence.yaml.

Schema

controls:
  - CC6.1
  - CC6.6
  - CC7.2

Requirements:

  • At least one control must be specified
  • Maximum 20 controls per configuration
  • Control IDs must be valid SOC 2 control identifiers

Available Controls

CC6.1 - Logical Access Controls

Purpose: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

What it verifies:

  • Two-factor authentication (2FA) enforcement
  • Password complexity requirements
  • Multi-factor authentication (MFA) for privileged accounts
  • Access control mechanisms

Evidence collected:

  • GitHub: Organization 2FA enforcement settings
  • AWS: IAM password policy configuration
  • Google Workspace: 2-Step Verification (2SV) enforcement

Pass criteria:

  • ✅ 2FA/2SV enforced for all users
  • ✅ Password complexity meets NIST standards (12+ characters)
  • ✅ MFA required for admin/privileged accounts

CC6.6 - Logical Access - Removal/Modification

Purpose: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives.

What it verifies:

  • Access removal processes when authorization changes
  • Code review requirements for changes
  • User lifecycle management
  • Admin role assignments

Evidence collected:

  • GitHub: CODEOWNERS file (enforces code review)
  • Google Workspace: Admin role assignments, user lifecycle policies

Pass criteria:

  • ✅ Code review required (CODEOWNERS file exists)
  • ✅ Admin roles properly assigned and tracked
  • ✅ User suspension/deletion tracked

CC7.2 - System Operations - Change Management

Purpose: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

What it verifies:

  • Change management processes
  • Audit logging of system changes
  • Code review requirements
  • Protected branch configurations

Evidence collected:

  • GitHub: Branch protection rules (required reviews, status checks)
  • AWS: CloudTrail logging configuration and status
  • AWS: CloudWatch Logs retention settings

Pass criteria:

  • ✅ Branch protection enabled with 2+ required reviewers
  • ✅ CloudTrail actively logging all API calls
  • ✅ Log retention ≥ 90 days

Control Selection

Single Control

Minimal configuration for one control:

framework: soc2_type1
controls:
  - CC6.1
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos:
      - acme/backend

Use case: Focus on access controls only


Multiple Controls

Standard configuration with multiple controls:

framework: soc2_type1
controls:
  - CC6.1
  - CC6.6
  - CC7.2
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos:
      - acme/backend
  aws:
    mode: env
    region: us-east-1

Use case: Comprehensive SOC 2 Type I coverage


All Available Controls

Complete control coverage:

framework: soc2_type1
controls:
  - CC6.1   # Logical access controls
  - CC6.6   # Access removal/modification
  - CC7.2   # Change management
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: '*'
  aws:
    mode: env
    region: us-east-1
    log_groups:
      - /aws/lambda/production-*
    cloudtrail:
      trails:
        - production-audit-trail
  google_workspace:
    mode: service_account
    credentials_env: GOOGLE_APPLICATION_CREDENTIALS
    customer_id: C0xxxxxxx
    admin_email: admin@acme.com

Use case: Full SOC 2 Type I compliance


Control-to-Source Mapping

CC6.1 Sources

Source           | Artifact                 | Description
GitHub           | org_settings.json        | 2FA enforcement status
AWS              | iam_password_policy.json | Password complexity requirements
Google Workspace | 2sv_enforcement.json     | 2-Step Verification settings

CC6.6 Sources

Source           | Artifact            | Description
GitHub           | codeowners.json     | Code review enforcement
Google Workspace | admin_roles.json    | Admin role assignments
Google Workspace | user_lifecycle.json | User suspension/deletion events

CC7.2 Sources

Source | Artifact                  | Description
GitHub | branch_protection.json    | Protected branch rules
AWS    | cloudtrail_status.json    | Audit logging configuration
AWS    | cloudwatch_retention.json | Log retention settings

Validation

Schema Validation

# ❌ Missing controls field
framework: soc2_type1
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]

Error:

Configuration validation failed:
  - controls: required field missing

Control ID Validation

# ❌ Invalid control ID
framework: soc2_type1
controls:
  - CC6.1
  - INVALID_CONTROL
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]

Error:

Configuration validation failed:
  - controls[1]: invalid control ID 'INVALID_CONTROL'
  - Valid controls: CC6.1, CC6.6, CC7.2

Empty Controls Array

# ❌ Empty controls array
framework: soc2_type1
controls: []
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]

Error:

Configuration validation failed:
  - controls: must contain at least one control

Too Many Controls

# ❌ Exceeds maximum (20 controls)
framework: soc2_type1
controls:
  - CC6.1
  - CC6.6
  # ... 19 more controls
  - CC_EXTRA  # 21st control

Error:

Configuration validation failed:
  - controls: maximum 20 controls allowed (got 21)

Control Requirements by Framework

SOC 2 Type I

Minimum controls:

  • At least one control from CC6.x (Logical Access)
  • Recommended: CC6.1, CC6.6, CC7.2

Typical configuration:

framework: soc2_type1
controls:
  - CC6.1
  - CC6.6
  - CC7.2

SOC 2 Type II (Future)

Requirements:

  • Same controls as Type I
  • Evidence collected over 3-6 month period
  • Continuous monitoring required

Future configuration:

framework: soc2_type2
controls:
  - CC6.1
  - CC6.6
  - CC7.2
period:
  start: 2026-01-01
  end: 2026-06-30

Note: SOC 2 Type II support coming in v0.2.0


Progressive Control Implementation

Phase 1: Access Controls (Week 1)

Start with logical access controls:

framework: soc2_type1
controls:
  - CC6.1  # 2FA, password policy
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]

Artifacts collected: 1-2
Setup time: ~10 minutes


Phase 2: Add Access Management (Week 2)

Add code review and user lifecycle:

framework: soc2_type1
controls:
  - CC6.1
  - CC6.6  # Code review, admin roles
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]
  google_workspace:
    mode: service_account
    credentials_env: GOOGLE_APPLICATION_CREDENTIALS
    customer_id: C0xxxxxxx
    admin_email: admin@acme.com

Artifacts collected: 4-6
Setup time: ~30 minutes


Phase 3: Add Change Management (Week 3)

Add audit logging and change tracking:

framework: soc2_type1
controls:
  - CC6.1
  - CC6.6
  - CC7.2  # Branch protection, CloudTrail
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]
  aws:
    mode: env
    region: us-east-1
    cloudtrail:
      trails:
        - production-audit-trail
  google_workspace:
    mode: service_account
    credentials_env: GOOGLE_APPLICATION_CREDENTIALS
    customer_id: C0xxxxxxx
    admin_email: admin@acme.com

Artifacts collected: 8-10
Setup time: ~45 minutes
Status: ✅ Full SOC 2 Type I coverage


Control Coverage Testing

Before collection, the SDK tests which controls can be satisfied by the configured sources:

evidence collect --dry-run

Output:

Testing control coverage...

CC6.1 - Logical Access Controls
  ✓ GitHub: Org 2FA enforcement (sources.github)
  ✓ AWS: IAM password policy (sources.aws)
  ✗ Google Workspace: 2SV enforcement (source not configured)

CC6.6 - Access Removal/Modification
  ✓ GitHub: CODEOWNERS file (sources.github)
  ✗ Google Workspace: Admin roles (source not configured)

CC7.2 - Change Management
  ✓ GitHub: Branch protection (sources.github)
  ✓ AWS: CloudTrail status (sources.aws)
  ✓ AWS: CloudWatch retention (sources.aws)

Control Coverage Summary:
  - CC6.1: Partial (2/3 sources configured)
  - CC6.6: Partial (1/2 sources configured)
  - CC7.2: Complete (3/3 sources configured)

Recommendation: Configure google_workspace source for complete CC6.1 and CC6.6 coverage.

Control Exclusions

Exclude Specific Controls

If certain controls don't apply to your organization:

framework: soc2_type1
controls:
  - CC6.1
  - CC7.2
  # CC6.6 excluded - no user lifecycle management required
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]
  aws:
    mode: env
    region: us-east-1

Note: Document exclusion reasons in compliance notes for auditors.


Control Scoping by Source

Control what each source collects:

framework: soc2_type1
controls:
  - CC6.1
  - CC6.6
  - CC7.2
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]
    controls:  # Override: only these controls from GitHub
      - CC6.1
      - CC7.2
  aws:
    mode: env
    region: us-east-1
    # Collects all configured controls

Use case: GitHub only for access + change management, not user lifecycle
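The validation rules from the Validation section, the dry-run coverage check and the per-source controls override shown above, implemented together as an added example (not the SDK's own code). It takes the already-parsed evidence.yaml as a dict so it runs without a YAML library, and its artifact mapping is copied from the Control-to-Source Mapping tables.

```python
"""Validate evidence.yaml controls and compute coverage; added illustration, not SDK code."""
VALID_CONTROLS = ("CC6.1", "CC6.6", "CC7.2")
MAX_CONTROLS = 20
# Control-to-artifact mapping, taken from the documentation tables above.
CONTROL_ARTIFACTS = {
    "CC6.1": [("github", "org_settings.json"), ("aws", "iam_password_policy.json"),
              ("google_workspace", "2sv_enforcement.json")],
    "CC6.6": [("github", "codeowners.json"), ("google_workspace", "admin_roles.json"),
              ("google_workspace", "user_lifecycle.json")],
    "CC7.2": [("github", "branch_protection.json"), ("aws", "cloudtrail_status.json"),
              ("aws", "cloudwatch_retention.json")],
}


def validate_controls(config):
    """Return error strings in the docs' wording; an empty list means valid."""
    if "controls" not in config:
        return ["controls: required field missing"]
    controls = config["controls"]
    if not isinstance(controls, list) or not controls:
        return ["controls: must contain at least one control"]
    errors = []
    if len(controls) > MAX_CONTROLS:
        errors.append(f"controls: maximum {MAX_CONTROLS} controls allowed (got {len(controls)})")
    bad = [f"controls[{i}]: invalid control ID '{c}'"
           for i, c in enumerate(controls) if c not in VALID_CONTROLS]
    if bad:
        errors += bad + ["Valid controls: " + ", ".join(VALID_CONTROLS)]
    return errors


def control_coverage(config):
    """Map each selected control to (collectable, total) artifact counts; a source
    counts only if configured and, if it has a 'controls:' override, lists the control."""
    sources = config.get("sources") or {}
    coverage = {}
    for cid in config.get("controls", []):
        artifacts = CONTROL_ARTIFACTS.get(cid, [])
        collectable = sum(1 for src, _ in artifacts if src in sources
                          and cid in ((sources[src] or {}).get("controls") or [cid]))
        coverage[cid] = (collectable, len(artifacts))
    return coverage


# Constructed sample mirroring 'Control Scoping by Source': GitHub scoped to
# CC6.1/CC7.2 via its override, AWS configured, Google Workspace absent.
SAMPLE_CONFIG = {"framework": "soc2_type1", "controls": ["CC6.1", "CC6.6", "CC7.2"],
                 "sources": {"github": {"mode": "token", "token_env": "GITHUB_TOKEN", "org": "acme",
                                        "repos": ["acme/backend"], "controls": ["CC6.1", "CC7.2"]},
                             "aws": {"mode": "env", "region": "us-east-1"}}}
```

Because the GitHub override drops CC6.6 and Google Workspace is absent, the sample reports CC6.6 with no collectable artifacts, which is the gap the dry-run recommendation points at.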


Common Patterns

Minimal GitHub-Only

framework: soc2_type1
controls:
  - CC6.1
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]

Coverage: Partial CC6.1 (GitHub 2FA only)


Standard Multi-Source

framework: soc2_type1
controls:
  - CC6.1
  - CC6.6
  - CC7.2
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: [acme/backend]
  aws:
    mode: env
    region: us-east-1

Coverage: Full CC6.1, Partial CC6.6, Full CC7.2


Complete Coverage

framework: soc2_type1
controls:
  - CC6.1
  - CC6.6
  - CC7.2
sources:
  github:
    mode: token
    token_env: GITHUB_TOKEN
    org: acme
    repos: '*'
  aws:
    mode: env
    region: us-east-1
    cloudtrail:
      trails:
        - production-audit-trail
  google_workspace:
    mode: service_account
    credentials_env: GOOGLE_APPLICATION_CREDENTIALS
    customer_id: C0xxxxxxx
    admin_email: admin@acme.com

Coverage: Full CC6.1, Full CC6.6, Full CC7.2


See Also