RectifyCloud
Back to Blog
Cloud

SOC 2 Cloud Network Security: What Auditors Check & Test

Learn which network security controls SOC 2 auditors test in cloud environments, how to spot misconfigurations, and steps to verify compliance before your audit

March 26, 202612 min read

Introduction

For senior engineers and tech leads, the phrase "SOC 2 audit" often conjures images of endless spreadsheet requests, recursive evidence gathering, and tedious walkthroughs with auditors who may or may not understand the nuances of ephemeral cloud infrastructure. However, as cloud environments become increasingly complex, the focus of a SOC 2 Type II examination has shifted. Auditors are no longer satisfied with a simple policy document stating that "the network is secure." Instead, they dive deep into the technical implementation of network security controls, looking for evidence of continuous enforcement and automated governance.

In a cloud-native ecosystem, the traditional "moat and castle" defense has been replaced by identity-defined perimeters and micro-segmentation. For a SOC 2 auditor, the goal is to verify that your organization has implemented the Trust Services Criteria (TSC), specifically the Common Criteria related to logical and physical access (CC6.0 series). Within this framework, network security controls serve as the primary line of defense against unauthorized access and lateral movement.

Gaps in firewall configurations, lack of network isolation, or unmonitored ingress points aren't just security risks—they are direct audit findings that can lead to a qualified report. To navigate a SOC 2 audit successfully, tech leads must understand exactly what auditors are looking for, how they test these controls in a cloud context (AWS, Azure, or GCP), and how to proactively sanitize the environment before the observation period begins. This guide explores the technical depth of network security controls through the lens of a SOC 2 audit, providing actionable strategies for maintaining compliance without sacrificing velocity.

The Auditor’s Perspective: Risk-Based Testing

Before diving into specific controls, it is essential to understand the auditor's mindset. A SOC 2 auditor is tasked with verifying that your controls are designed effectively and operated consistently over the observation period. In the cloud, this means they will look for "drift." If your policy says all production databases are isolated in a private subnet, but the auditor finds a single instance with a public IP or an overly permissive Security Group, the control is considered failed.

Auditors typically focus on the "Blast Radius." They ask: If a single web server is compromised, what prevents an attacker from reaching the core database or the CI/CD pipeline? This is where cloud infrastructure security becomes the focal point of the audit. Auditors will request sampled evidence from your cloud management console or via Infrastructure as Code (IaC) repositories to verify that your stated protections are actually in place.

Firewall Rules and Security Groups: The Perimeter

In the cloud, firewalls are often implemented as stateful Security Groups (SGs) or stateless Network Access Control Lists (NACLs). Auditors treat these as the primary mechanism for enforcing the Principle of Least Privilege at the network layer.

Ingress and Egress Filtering

The most common finding in a SOC 2 audit is the presence of "Any-Any" rules (0.0.0.0/0). While developers might use these for troubleshooting, they are a major red flag during an audit. Auditors will specifically look for:

  • Open Management Ports: Ports like 22 (SSH) and 3389 (RDP) must never be open to the entire internet. Auditors look for the use of Bastion hosts, Just-In-Time (JIT) access, or VPN-restricted access.
  • Unrestricted Egress: While many focus on ingress, auditors are increasingly looking at egress rules. If a compromised instance can reach out to any IP on the internet, it can exfiltrate data or communicate with Command and Control (C2) servers.
  • Database Isolation: Databases should strictly limit ingress to the application tier. An auditor will check if a database security group allows traffic from anything other than the specific application CIDR or security group ID.

Automated Verification

To satisfy an auditor, you should demonstrate that you use automated tools to prevent configuration drift. This might include AWS Config rules, Azure Policy, or GCP Organization Policy constraints that automatically flag or remediate overly permissive firewall rules.

Network Segmentation and VPC Architecture

Flat networks are the enemy of SOC 2 compliance. If your development, staging, and production environments live in the same Virtual Private Cloud (VPC) without strict isolation, you will struggle to pass the CC6.6 (Logical Access) criteria.

Logical Separation of Environments

Auditors expect a clear boundary between environments. The gold standard is using separate cloud accounts or projects for Production and Non-Production. If you use a single account, you must demonstrate:

  • VPC Peering Restrictions: Peering should be minimal and documented. Auditors will check if a "Dev" VPC can talk to a "Prod" VPC.
  • Subnet Partitioning: Public subnets should only contain load balancers or NAT gateways. Application servers and databases should reside in private subnets with no direct route to the internet.
  • Micro-segmentation: For containerized workloads (Kubernetes), auditors will look at Network Policies. They want to see that Pod A cannot talk to Pod B unless explicitly required for the application to function.

The Role of Infrastructure as Code (IaC)

One of the most effective ways to prove segmentation to an auditor is through your Terraform or CloudFormation templates. By showing that the network architecture is defined in code and requires peer review (Pull Requests) for any change, you provide evidence of a "Change Management" control alongside a "Network Security" control.

Intrusion Detection and Centralized Logging

SOC 2 requires organizations to monitor for potential security incidents. In the network context, this involves Intrusion Detection Systems (IDS) and comprehensive logging of network traffic.

VPC Flow Logs and SIEM Integration

Auditors will ask for evidence that network traffic is being logged and that those logs are being reviewed.

  • VPC Flow Logs: You must enable flow logs for all production VPCs. These logs capture metadata about the IP traffic going to and from network interfaces.
  • Centralization: Logs should be sent to a centralized, immutable location (like a hardened S3 bucket or a dedicated Log Archive account).
  • Alerting: Simply collecting logs isn't enough. You must show that high-severity events (e.g., repeated denied connections to a database port) trigger alerts in a tool like PagerDuty or Slack.

Threat Detection Services

Modern auditors are well-versed in cloud-native security services. They will look for the enablement of:

  • AWS GuardDuty: To detect anomalous behavior like unauthorized API calls or potential port scanning.
  • Azure IDPS: For real-time packet inspection.
  • GCP Cloud IDS: To provide cloud-native visibility into network-based threats.

Vulnerability Management and Patching

Network security is inextricably linked to the state of the assets residing on that network. Auditors check CC7.1 (System Monitoring) by looking at how you manage vulnerabilities.

Regular Scanning

You must demonstrate that you perform regular vulnerability scans on your network-attached resources. This includes:

  • External Scanning: Scanning your public-facing IP addresses for open ports and known vulnerabilities.
  • Internal Scanning: Using tools like Amazon Inspector or Tenable to find vulnerabilities within your private subnets.

Patch Management Lifecycle

The auditor will request a sample of "Critical" or "High" vulnerabilities identified during the observation period and ask for evidence that they were remediated within your defined Policy timeline (e.g., 30 days for High, 7 days for Critical). Gaps in patch management often stem from a lack of automation, leading to "forgotten" legacy instances that remain unpatched for months.

Identity-Driven Network Access (MFA and VPNs)

In the modern cloud, "Network Security" is often just "Identity Management" in disguise. Auditors look for strong authentication at every entry point to the network.

MFA Enforcement

Multi-Factor Authentication (MFA) is a non-negotiable requirement for SOC 2. Auditors will check:

  • Console Access: Every user accessing the cloud console must have MFA enabled.
  • VPN/Bastion Access: If users connect to the private network via a VPN or a Bastion host (like AWS Systems Manager Session Manager), that access must be protected by MFA.
  • Service Accounts: While service accounts don't use MFA, auditors will check that their "Network Access" is restricted to specific IP ranges or VPCs.

Zero Trust Implementation

If your organization has moved toward a Zero Trust architecture (e.g., using Google’s BeyondCorp model or Cloudflare Access), you can often simplify the "Network" portion of the audit. By proving that access is granted based on device health and identity rather than just network location, you provide a robust control that satisfies multiple TSCs simultaneously.

Common Misconfigurations: The "Audit Killers"

During an audit, certain technical configurations act as "instant fails" or, at the very least, trigger deep-dive investigations that can derail your timeline. Senior engineers should proactively hunt for these:

  1. Default VPC Usage: Using the "default" VPC provided by cloud providers is a major risk. These VPCs often have wide-open default security groups and public subnets by default.
  2. Unused Security Groups: SGs that are not attached to any resource but allow broad access are often flagged as evidence of poor housekeeping and lack of visibility.
  3. Overly Permissive IAM Roles for Network Changes: If every developer has the ec2:AuthorizeSecurityGroupIngress permission, your network security controls are effectively bypassed. Auditors look for separation of duties.
  4. Unencrypted Traffic for Sensitive Data: While SOC 2 doesn't strictly mandate TLS for all internal traffic, it is highly expected for data in transit. Auditors look for the use of Load Balancer listeners on Port 80 instead of 443.

Technical Implementation: Defining Secure Baselines

To provide the auditor with concrete evidence, it is best to use standardized, version-controlled configurations. Below is an example of a hardened Security Group configuration represented in JSON (as it might appear in an AWS CloudFormation template or an AWS Config policy). This demonstrates to an auditor that you have a "Baseline Configuration" (CC6.1).

{
  "SecurityGroup": {
    "GroupName": "production-app-sg",
    "Description": "Allow HTTPS ingress from Load Balancer only",
    "VpcId": "vpc-0a1b2c3d4e5f6g7h8",
    "SecurityGroupIngress": [
      {
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "SourceSecurityGroupId": "sg-lb-12345",
        "Description": "Allow TLS from ALB"
      }
    ],
    "SecurityGroupEgress": [
      {
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "CidrIp": "0.0.0.0/0",
        "Description": "Allow outbound HTTPS for API calls"
      },
      {
        "IpProtocol": "tcp",
        "FromPort": 5432,
        "ToPort": 5432,
        "DestinationSecurityGroupId": "sg-db-67890",
        "Description": "Allow outbound to Production RDS"
      }
    ]
  }
}

By providing such configurations, you demonstrate:

  • Least Privilege: Ingress is restricted to a specific Security Group (the Load Balancer), not the whole internet.
  • Egress Control: The application can only talk to the internet on port 443 and to the database on port 5432.
  • Documentation: Every rule has a description, which auditors love for context.

Verification: Cleaning the Environment Before the Audit

The "observation period" for a SOC 2 Type II audit is usually 3 to 12 months. Any mistake during this window is "on the record." Therefore, a pre-audit "clean-up" phase is critical.

Step-by-Step Pre-Audit Checklist

  • Audit All Public IPs: Use a script or cloud native tool to list every resource with a public IP address. Justify why each one exists. If it doesn't need to be public, move it to a private subnet.
  • Review Security Group "Any" Rules: Search for 0.0.0.0/0 in your security groups. Replace these with specific CIDR blocks or Security Group IDs wherever possible.
  • Terminate Stale Resources: Old "test" instances or "temp" databases are security liabilities. If they aren't in use, terminate them before the auditor asks to see their patch history.
  • Verify Logging Coverage: Ensure that VPC Flow Logs are enabled on new VPCs created during the year. It’s a common mistake to enable logs on the main VPC but forget the ones created for a specific project.
  • Check MFA Compliance: Run a report on all IAM users. If anyone (including "break-glass" accounts) doesn't have MFA enabled, remediate it immediately.
  • Validate Patching Status: Run a final scan of the environment. Ensure there are no "Critical" vulnerabilities older than your policy's remediation window.

The Importance of Continuous Compliance

A SOC 2 audit shouldn't be a once-a-year fire drill. For tech leads, the goal is to build a "Compliance as Code" culture. When network controls are integrated into the CI/CD pipeline, the audit becomes a matter of exporting logs and showing code repositories rather than manually taking hundreds of screenshots.

By focusing on cloud infrastructure security as a foundational element of the engineering process, you ensure that network segmentation, firewalling, and monitoring are not just "checkboxes" for an auditor, but robust defenses that protect your organization's most valuable data.

Key takeaways for engineering leadership:

  • Standardize via IaC: Use modules to ensure every new VPC or Security Group follows the approved security baseline.
  • Automate Drift Detection: Use tools that alert you the moment a port is opened to 0.0.0.0/0.
  • Document Exceptions: If you must have a "risky" configuration for a valid business reason, document it in a central risk register before the audit starts.

Conclusion

Successfully navigating a SOC 2 audit of your cloud network requires a blend of rigorous technical implementation and disciplined documentation. Auditors are looking for evidence that you have moved beyond basic security and have implemented a defense-in-depth strategy that includes tight firewall rules, logical network segmentation, proactive intrusion detection, and strict identity-based access controls.

The transition from a "permissive" development environment to a "compliant" production environment is often the biggest challenge for growing tech companies. However, by treating network security as an engineering problem—using Infrastructure as Code, automated monitoring, and continuous vulnerability scanning—you can meet the SOC 2 requirements without slowing down your development teams.

Remember that the audit is ultimately a test of your operational maturity. When you can show an auditor a clean, well-segmented network with automated logging and alerting, you aren't just passing an audit; you are demonstrating to your customers and stakeholders that your cloud infrastructure is built on a foundation of security and trust. Start your preparations early, clean your environment before the observation period begins, and lean into cloud-native automation to make your next SOC 2 audit a non-event.

This content was generated by AI.