readtheplan
static mapper

SOC 2 cloud control mapper

Map Terraform change categories to SOC 2 evidence.

Use this static mapper to plan review notes for common AWS resource changes. It is high-level by design: raw Terraform plans stay local, and readtheplan can generate control-mapped evidence from your CI or workstation.

Static reference · No plan upload · No accounts · No billing

The mapping below is useful for triage and auditor conversations. Treat it as a starting point, then verify exact control IDs against your control matrix and the generated readtheplan evidence envelope.

Request pilot setup

Placeholder inbox: pilot-contact@example.com. Replace the configured pilot handoff address before production use.

AWS / Terraform categories

SOC 2 control family map

Each entry lists the resource category, the typical Terraform signal, and the SOC 2 evidence angle.

AWS IAM policies, roles, and trust
  Typical Terraform signal: policy document update, trust relationship change, permission boundary removal
  SOC 2 evidence angle: CC6 logical access, CC8 change management, least privilege review

S3 buckets and data stores
  Typical Terraform signal: public access block, encryption, versioning, lifecycle, delete action
  SOC 2 evidence angle: CC6 access controls, C1 confidentiality, A1 availability and recovery

Security groups, routes, load balancers
  Typical Terraform signal: ingress broadened to 0.0.0.0/0, listener exposure, route change
  SOC 2 evidence angle: CC6.6 boundary protection, CC7 monitoring, CC8 change review

CloudWatch logs, alarms, and trails
  Typical Terraform signal: retention decrease, alarm removal, delivery destination change
  SOC 2 evidence angle: CC7 system monitoring, CC8 change management, audit evidence completeness

KMS keys and encrypted services
  Typical Terraform signal: key replacement, deletion window change, alias movement
  SOC 2 evidence angle: CC6 access boundary, CC6.7 asset movement, C1 confidentiality
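The mapping above can be applied mechanically to a `terraform show -json` plan: categorize each entry in `resource_changes` by resource type, look for the listed signals in its before/after attributes, and attach the control families from the table. The script below is an added illustration of that triage step, not readtheplan's own code; the resource-type prefixes, attribute names checked, and the constructed sample plan (including the placeholder account ID) are assumptions chosen for the example, and the control IDs are copied from the table.

```python
import json

# Control families per category, taken from the mapping table on this page.
CONTROL_MAP = {
    "iam": ["CC6", "CC8"],
    "s3": ["CC6", "C1", "A1"],
    "network": ["CC6.6", "CC7", "CC8"],
    "logging": ["CC7", "CC8"],
    "kms": ["CC6", "CC6.7", "C1"],
}

# Terraform resource-type prefixes assigned to each category (assumption for this example).
TYPE_PREFIXES = [
    ("aws_iam_", "iam"),
    ("aws_s3_", "s3"),
    ("aws_security_group", "network"),
    ("aws_route_table", "network"),
    ("aws_lb", "network"),           # also catches aws_lb_listener (listener exposure)
    ("aws_cloudwatch_", "logging"),
    ("aws_cloudtrail", "logging"),
    ("aws_kms_", "kms"),
]
EXACT_TYPES = {"aws_route": "network"}  # exact match so aws_route53_* is not swept in


def categorize(resource_type):
    """Return the mapper category for a Terraform resource type, or None if unmapped."""
    if resource_type in EXACT_TYPES:
        return EXACT_TYPES[resource_type]
    for prefix, category in TYPE_PREFIXES:
        if resource_type.startswith(prefix):
            return category
    return None


def detect_signals(category, change):
    """Collect the table's 'typical Terraform signal' strings from one change object."""
    actions = change["actions"]
    before = change.get("before") or {}   # None on create
    after = change.get("after") or {}     # None on delete
    signals = []
    if "delete" in actions:
        signals.append("delete action")
    if category == "network":
        wide_open = {"0.0.0.0/0", "::/0"}
        if after.get("type") == "ingress" and wide_open & set(after.get("cidr_blocks") or []):
            signals.append("ingress broadened to 0.0.0.0/0")
    elif category == "logging":
        old, new = before.get("retention_in_days"), after.get("retention_in_days")
        if old is not None and new is not None and new < old:
            signals.append("retention decrease %d->%d" % (old, new))
    elif category == "s3":
        if before.get("block_public_acls") is True and after.get("block_public_acls") is False:
            signals.append("public access block weakened")
    elif category == "iam":
        if before.get("permissions_boundary") and not after.get("permissions_boundary"):
            signals.append("permission boundary removal")
    elif category == "kms":
        old, new = before.get("deletion_window_in_days"), after.get("deletion_window_in_days")
        if old is not None and new is not None and new != old:
            signals.append("deletion window change %d->%d" % (old, new))
    return signals


def map_plan(plan):
    """Turn a plan JSON document into review notes: address, category, signals, controls."""
    notes = []
    for rc in plan.get("resource_changes", []):
        if rc["change"]["actions"] == ["no-op"]:
            continue
        category = categorize(rc["type"])
        if category is None:
            continue  # not in the mapper's scope; leave for ordinary code review
        notes.append({
            "address": rc["address"],
            "category": category,
            "signals": detect_signals(category, rc["change"]),
            "controls": CONTROL_MAP[category],
        })
    return notes


# Constructed sample plan, trimmed to the fields used above; not real Terraform output.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_security_group_rule.web_in", "type": "aws_security_group_rule",
         "change": {"actions": ["update"],
                    "before": {"type": "ingress", "cidr_blocks": ["10.0.0.0/8"]},
                    "after": {"type": "ingress", "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_cloudwatch_log_group.app", "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["update"],
                    "before": {"retention_in_days": 365},
                    "after": {"retention_in_days": 30}}},
        {"address": "aws_iam_role.deploy", "type": "aws_iam_role",
         "change": {"actions": ["update"],
                    # placeholder account ID, not a real ARN
                    "before": {"permissions_boundary": "arn:aws:iam::111111111111:policy/boundary"},
                    "after": {"permissions_boundary": None}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["update"], "before": {}, "after": {}}},
    ]
}

if __name__ == "__main__":
    print(json.dumps(map_plan(SAMPLE_PLAN), indent=2))
```

Run against a real plan with `terraform show -json plan.out > plan.json` and `json.load` the file in place of `SAMPLE_PLAN`; a resource that is mapped but produces no signals still gets its control families attached, so the reviewer sees the evidence angle even when nothing in the diff looks alarming.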

FAQ

Mapper questions

Can this replace a SOC 2 control matrix?

No. It gives a useful high-level map for cloud changes. Your auditor, control owner, and internal control matrix remain authoritative.

How does readtheplan help with evidence?

readtheplan runs locally or in CI against Terraform JSON and can produce risk tiers, reviewer context, control IDs, and signed evidence.

Next step

Wire it into one repo.

Start with one private production repo, confirm the plan JSON artifact path, and route SOC 2 review notes to the pilot setup flow.
