Quick assessment

CC1.1 — Control Environment

CC6.1 — Logical and Physical Access Controls

CC7.4 — Security Incidents

A1.2 — System Availability

"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::audit-bucket/*"

"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::audit-bucket/*"

"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"

"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"

AWS handles everything because they have their own SOC 2 report

AWS handles the physical security of the data center and hypervisor isolation; we handle IAM configuration, MFA enforcement, and access reviews

We handle everything because IAM is in our account

It depends on the contract — sometimes AWS handles MFA, sometimes we do

aws_s3_bucket_public_access_block with all four flags set to true — yes, pass

aws_s3_bucket with acl = "public-read" — yes, pass because we control which bucket

aws_iam_policy with Resource = "*" on PutObject — yes, pass because least privilege only applies to read actions

A bucket with no encryption configuration — yes, pass because S3 enables encryption by default

Email screenshots of three recent terminations showing accounts being disabled

Show the offboarding playbook, the SCIM deprovisioning workflow in Okta, and the last 90 days of automated termination events from the IGA system

Show the HR policy document that says we offboard people

Ask the auditor to interview the IT manager

SOC 2 Type II

PCI DSS

ISO 27001

NIST CSF

At rest = data on disk, in transit = data moving over a network

At rest = data in RAM, in transit = data being processed by the CPU

At rest = data in a backup, in transit = data being restored

They are the same thing with different names

Restricts the key to only be used by S3 in us-east-1

Allows any service to use the key as long as it is in us-east-1

Prevents the key from being deleted

Enables automatic key rotation

The ability to monitor employee keystrokes

Visibility into device compliance (patches, encryption, security software) and the ability to enforce policies remotely

Faster internet speeds on company devices

The ability to read employee emails

The VPN is down

Their personal laptop is not MDM-enrolled, so the IdP blocks access because the device is not compliant

Their password expired

The cloud app is experiencing an outage

Making the network faster

Limiting the blast radius of a compromise — if one segment is breached, the attacker cannot move laterally to other segments

Saving money on bandwidth

Making it easier for employees to find resources

Yes, SSH is encrypted so it is safe

No — 0.0.0.0/0 means the entire internet can attempt SSH connections to this resource

Yes, if the instance has a strong password

It depends on the time of day

A policy says what should happen. A control is the mechanism that enforces it.

They are the same thing

A policy is technical, a control is non-technical

A control is written by management, a policy is written by engineers

A screenshot of the current S3 settings

AWS Config rule evaluation history showing s3-bucket-server-side-encryption-enabled was compliant for all 12 months

An email from the CTO saying buckets are encrypted

The AWS documentation page about S3 encryption

It is an antivirus program

It evaluates policies written in Rego against structured data — used for Terraform plan validation, Kubernetes admission control, and API authorization

It manages SSL certificates

It is a log aggregation tool

They are added together to get the risk score

Likelihood measures how often a risk materializes, impact measures the damage when it does — they are multiplied to prioritize

Impact is always more important than likelihood

They are the same measurement on different scales

To list every vulnerability scan finding

To document identified risks, their likelihood, impact, and mitigation plans — connecting business objectives to security controls

To track employee performance reviews

To store backup encryption keys

24 hours

60 days

1 year

There is no deadline

Delete the compromised server immediately

Contain the threat and preserve evidence — isolate the affected system without destroying forensic data

Send an email to all employees about the breach

Change all passwords company-wide

Type I covers more controls than Type II

Type I evaluates control design at a point in time. Type II evaluates operating effectiveness over a period (typically 6-12 months).

Type II is only for healthcare companies

There is no difference — they are interchangeable