Introduction
Navigating the world of compliance can feel like trying to read a map in a language you don’t speak. When you throw Kubernetes into the mix, it gets even trickier. That’s why we’ve put together this straightforward, human-friendly checklist to help you get your Amazon EKS clusters ready for a SOC 2 Type II audit.
Think of this not as a rigid set of rules, but as a friendly guide. We’ll walk you through what you need to do, why it matters, and how to do it, without all the dense, technical jargon. Whether you’re just starting your SOC 2 journey or you’re a seasoned pro looking to stay current, this guide is for you.
The Core of Your Security: Mandatory Controls (CC1-CC9)
CC1: Common Criteria related to the Control Environment
Organizational Security Structure
- Designate security ownership for EKS clusters with defined roles and responsibilities
- Implement a security governance framework with regular policy reviews
- Establish an incident response team with EKS-specific procedures
- Create a security awareness training program including container security
Designate security ownership for EKS clusters with defined roles and responsibilities
Defining Roles and Responsibilities
Security Team
The security team is responsible for defining and enforcing organizational security standards. In certain scenarios, they may also define and manage Kubernetes policies that govern cluster configuration and workload behavior.
Cluster Owners
Specific individuals or teams are designated as owners of individual Amazon EKS clusters.
Their responsibilities include:
- Provisioning, configuring, and maintaining clusters in alignment with organizational and security standards.
- Managing Identity and Access Management (IAM) roles and Kubernetes RBAC permissions, and enforcing least-privilege principles.
- Applying, validating, and updating Kubernetes policies to ensure compliance with security and operational requirements.
- Monitoring cluster health and performance, escalating issues when required.
- Managing the cluster lifecycle, including version upgrades, patching, and secure decommissioning.
Application Owners
Application Owners are responsible for the security, compliance, and operational performance of the applications deployed within an Amazon EKS cluster. Their responsibilities include:
- Deploying and configuring applications in accordance with organizational security and compliance requirements.
- Implementing application‑level access controls and following least‑privilege principles.
- Monitoring application performance, availability, and resource consumption.
- Ensuring applications comply with Kubernetes policies, security standards, and regulatory requirements.
- Coordinating with Cluster Owners and the Security Team for incident management, upgrades, and operational changes.
- Managing the application lifecycle, including version updates, scaling, and secure decommissioning.
Implement a security governance framework with regular policy reviews
- Implement and maintain a security governance framework to ensure Amazon EKS environments operate in compliance with organizational security policies and SOC 2 Trust Services Criteria.
- Conduct regular policy reviews at least annually.
- Review and update Kubernetes governance policies.
- Maintain a documented change history for all security policies.
- Ensure that updates are communicated to all relevant stakeholders.
Responsible parties
Primary: Security Team
Supporting: EKS Cluster Owners, Application Owners
Establish an incident response team with EKS-specific procedures
Ensure security incidents related to Amazon EKS clusters and workloads are detected, contained, investigated, and remediated in a timely and effective manner.
- Formally establish an Incident Response Team with designated roles and responsibilities.
- Develop and maintain EKS-specific incident response procedures.
- Conduct incident response drills.
- Maintain incident documentation and post-incident review reports.
- Ensure procedures are reviewed and updated regularly.
Responsible parties
Primary: Incident Response Team (IRT)
Supporting: EKS Cluster Owners, Application Owners, Infrastructure Team
Create a security awareness training program including container security
Ensure that all personnel involved in the management, development, and operation of Amazon EKS clusters and workloads are trained in security best practices, including Kubernetes and container security, to reduce the risk of security incidents.
Documentation Requirements
- Document security policies covering container and Kubernetes security
- Maintain security procedures for EKS cluster operations
- Create security architecture documentation for all EKS environments
- Establish compliance monitoring procedures and reporting
Document security policies covering container and Kubernetes security
Establish and maintain documented security policies that define requirements for securing Amazon EKS clusters, Kubernetes resources, and containerized workloads, ensuring compliance with organizational and regulatory standards.
Responsible parties
Primary: Security Team
Supporting: EKS Cluster Owners, Application Owners
Maintain security procedures for EKS cluster operations
Ensure that Amazon EKS cluster operations are conducted in accordance with documented security procedures to maintain compliance, reduce operational risk, and protect workloads from unauthorized access or compromise.
Responsible parties
Primary: EKS Cluster Owners
Supporting: Security Team, Application Owners
Create security architecture documentation for all EKS environments
Ensure that all Amazon EKS environments are supported by a comprehensive, documented security architecture that clearly defines how security controls are implemented, maintained, and validated across the environment in alignment with SOC 2 Trust Services Criteria.
Responsible parties
Primary: Security Team
Supporting: EKS Cluster Owners, Infrastructure Team
Establish compliance monitoring procedures and reporting
Ensure that Amazon EKS environments are continuously monitored for compliance with organizational security policies, regulatory requirements, and SOC 2 Trust Services Criteria, and that compliance status is documented and reported to relevant stakeholders.
Responsible parties
Primary: Security Team
Supporting: EKS Cluster Owners, Application Owners, Infrastructure Team
CC2: Communication and Information
Security Communication Framework
- Implement security incident communication procedures
- Establish security metrics reporting to stakeholders
- Create a security documentation repository with version control
- Deploy security training materials for development and operations teams
Implement security incident communication procedures
Ensure timely, accurate, and coordinated communication during security incidents affecting Amazon EKS clusters and workloads, in order to minimize business impact, maintain compliance, and meet SOC 2 Trust Services Criteria for security and availability.
Responsible parties
Primary: Security Team
Supporting: EKS Cluster Owners, Application Owners, Executive Leadership
Establish security metrics reporting to stakeholders
Provide stakeholders with accurate, timely, and actionable security metrics related to Amazon EKS clusters and workloads to support risk management, compliance monitoring, and decision‑making in alignment with SOC 2 Trust Services Criteria.
Responsible parties
Primary: Security Team
Supporting: EKS Cluster Owners, Application Owners
Create a security documentation repository with version control
Ensure all Amazon EKS security‑related documentation is centrally stored, version‑controlled, and accessible only to authorized personnel to maintain integrity, traceability, and audit readiness in alignment with SOC 2 Trust Services Criteria.
Responsible parties
Primary: Security Team
Supporting: EKS Cluster Owners, Application Owners, Executive Leadership
Deploy security training materials for development and operations teams
Ensure that development and operations teams responsible for Amazon EKS clusters and workloads receive targeted security training to reduce security risks, strengthen compliance, and meet SOC 2 Trust Services Criteria for security and availability.
Responsible parties
Primary: Security Team
Supporting: Development Team Leads, Operations Managers
To be continued in Part 2…
Series Navigation:
- Part 1: Foundational Controls (you are here)
- Part 2: Advanced Controls