LoxeAI · Pre-Audit Checklist
SOC 2 Type I
for AWS-Native Teams
For lean, 1–30 person AWS-Native teams getting their first SOC 2. Everything you need to know & more about getting ready for SOC 2 compliance.
The short version: SOC 2 Type I is a point-in-time snapshot. Prepare evidence, assign owners, and verify before contacting an auditor.
Read these first
SOC 2: AICPA framework assessing how companies handle customer data.
Type I vs Type II: Type I is a snapshot; Type II is evidence over time.
01 Scope it before you build anything
- Confirm you actually need a SOC 2: ask your buyer. SOC 2 is often overkill.
- Confirm Security is your only Trust Services Criterion: add others only if necessary.
02 Know your AWS infrastructure's actual state
Controls in this section map directly to AWS APIs, IAM, CloudTrail, S3, VPC, GuardDuty, SecurityHub, Config.
What's automatable: Many checks map to AWS APIs and are scannable; evidence is API responses and config exports.
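One way to act on "evidence is API responses and config exports", as an added example that is not LoxeAI's or AWS's code: a small evaluator that scores four exported responses against Security-criterion checks and wraps them in a timestamped, owner-assigned evidence record. The response shapes are those returned by the named AWS CLI calls; the sample data, the check names and the owner value are constructed.

```python
# Added example, not LoxeAI's tooling: score exported AWS API responses against
# four SOC 2 Security checks and wrap them in a timestamped evidence record.
# Inputs are the JSON bodies of `aws cloudtrail describe-trails`, `aws s3control
# get-public-access-block`, `aws iam get-account-summary`, `aws guardduty list-detectors`.
import hashlib, json
from datetime import datetime, timezone

def check_cloudtrail(resp):
    # Pass when some multi-region trail also has log-file integrity validation.
    for t in resp.get("trailList", []):
        if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled"):
            return True, f"multi-region trail {t['Name']} with log validation"
    return False, "no multi-region trail with log file validation"

def check_s3_public_access(resp):
    # All four account-level Block Public Access settings must be on.
    cfg = resp.get("PublicAccessBlockConfiguration", {})
    off = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets") if not cfg.get(k)]
    return not off, "all four settings on" if not off else f"settings off: {off}"

def check_root_mfa(resp):
    on = resp.get("SummaryMap", {}).get("AccountMFAEnabled") == 1
    return on, "root MFA enabled" if on else "root MFA not enabled"

def check_guardduty(resp):
    n = len(resp.get("DetectorIds", []))
    return n > 0, f"{n} GuardDuty detector(s) in this region"

CHECKS = {"cloudtrail": check_cloudtrail, "s3_public_access": check_s3_public_access,
          "root_mfa": check_root_mfa, "guardduty": check_guardduty}

def build_evidence(exports, owner):
    # UTC timestamp, control owner, pass/fail per check, and a hash of each raw
    # export so the auditor can tie the finding to the file you keep on record.
    record = {"collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "owner": owner, "findings": {}}
    for name, resp in exports.items():
        ok, detail = CHECKS[name](resp)
        digest = hashlib.sha256(json.dumps(resp, sort_keys=True).encode()).hexdigest()
        record["findings"][name] = {"pass": ok, "detail": detail, "export_sha256": digest}
    return record

SAMPLE = {  # constructed sample exports; shapes follow the AWS API responses named above
    "cloudtrail": {"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                                  "LogFileValidationEnabled": True}]},
    "s3_public_access": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
        "IgnorePublicAcls": True, "BlockPublicPolicy": False, "RestrictPublicBuckets": True}},
    "root_mfa": {"SummaryMap": {"AccountMFAEnabled": 1}},
    "guardduty": {"DetectorIds": []}}

if __name__ == "__main__":
    print(json.dumps(build_evidence(SAMPLE, "platform-lead"), indent=2))
```

Feed it the real exports saved from the CLI commands and keep both the raw files and the record; the SHA-256 in each finding lets an auditor match one to the other.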
The six-step version
- Scope it: Security only, define boundary, assign owners.
- Know your AWS state: Find gaps in IAM, CloudTrail, GuardDuty, S3, VPC.
- Write policies: Eight core documents. AI-drafted is fine.
- Collect evidence: Timestamped, API-native where possible.
- Pick an auditor: Startup-friendly CPA firm. Readiness assessment first.
- Know the limits: Type I is a photograph, not continuous assurance.