SOC 2 Compliance Engineering

SOC 2 proves to customers that you protect their data. Most companies treat compliance as a checkbox exercise — manual evidence collection, last-minute scrambles before audits, and controls that exist on paper but not in practice. Engineering-driven compliance embeds controls into your development workflow so that evidence generates itself.

---

Trust Service Criteria

Security (Common Criteria — required):
  Access control, encryption, vulnerability management
  "Is the system protected against unauthorized access?"

Availability:
  Uptime SLAs, disaster recovery, capacity planning
  "Is the system available as agreed?"

Processing Integrity:
  Data accuracy, completeness, valid processing
  "Does the system process data correctly?"

Confidentiality:
  Data classification, encryption, access restrictions
  "Is confidential data protected from disclosure?"

Privacy:
  Consent, data retention, right to access/delete
  "Is personal data handled per privacy commitments?"

---

Automated Evidence Collection

# Replace manual evidence with automated collection
evidence_automation:
  access_reviews:
    manual: "Quarterly spreadsheet of who has access to what"
    automated:
      tool: "Terraform + AWS IAM Access Analyzer"
      frequency: "Continuous"
      evidence: "IAM policy history + Access Analyzer findings"
      
  change_management:
    manual: "Screenshot of every PR approval"
    automated:
      tool: "GitHub branch protection + API"
      frequency: "Continuous"
      evidence: "Git history, PR review requirements enforced"
      
  vulnerability_scanning:
    manual: "Monthly scan report PDF"
    automated:
      tool: "Snyk/Dependabot + CI integration"
      frequency: "Every commit"
      evidence: "CI pipeline logs, vulnerability dashboard"
      
  incident_response:
    manual: "Incident report documents"
    automated:
      tool: "PagerDuty + Jira integration"
      frequency: "Real-time"
      evidence: "Incident timeline, resolution logs"

---

Engineering Controls

# Control: All changes require code review
# Evidence: Branch protection rules (Terraform)

resource "github_branch_protection" "main" {
  repository_id = github_repository.app.node_id
  pattern       = "main"
  
  required_pull_request_reviews {
    required_approving_review_count = 1
    dismiss_stale_reviews          = true
    require_code_owner_reviews     = true
  }
  
  required_status_checks {
    strict   = true
    contexts = ["ci/tests", "security/scan"]
  }
}

# Control: Encryption at rest for all data stores
resource "aws_rds_cluster" "main" {
  storage_encrypted = true  # Always on, non-negotiable
  kms_key_id       = aws_kms_key.db.arn
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
  }
}

---

Continuous Compliance Monitoring

# AWS Config Rules for continuous compliance
compliance_rules:
  - name: "encrypted-volumes"
    resource: "AWS::EC2::Volume"
    check: "Volume encryption enabled"
    remediation: "Auto-encrypt on creation"
    
  - name: "restricted-ssh"
    resource: "AWS::EC2::SecurityGroup"
    check: "No SSH (port 22) open to 0.0.0.0/0"
    remediation: "Auto-remove rule"
    
  - name: "s3-bucket-public-read"
    resource: "AWS::S3::Bucket"
    check: "No public read access"
    remediation: "Auto-block public access"

# Dashboard shows compliance percentage:
# 100% compliant → audit-ready at any time
# < 100% → remediation needed, tracked automatically

---

Anti-Patterns

Anti-Pattern	Consequence	Fix
Manual evidence collection	Audit scramble, incomplete records	Automated evidence pipelines
Controls on paper only	Auditor finds them not operating	Engineering-enforced controls
Annual compliance check	11 months of drift	Continuous monitoring
Security team owns compliance	Engineering doesn’t participate	Shared ownership, embedded controls
Treat SOC 2 as project	Compliance degrades after audit	Compliance as ongoing practice

SOC 2 compliance should be a side effect of good engineering practices, not a separate workstream.