
SOC2 Compliance Detection

Ensure and maintain SOC2 compliance as part of your development workflow.

How It Works

Catch potential compliance issues early with our pre-configured SOC2 rules. Automated checks run:

  • On every infrastructure pull request
  • Only on changed Terraform files (.tf)

This proactive approach helps you:

  • Maintain compliance throughout development
  • Reduce audit preparation time
  • Follow infrastructure best practices consistently

Setup

  1. Navigate to your project settings
  2. Enable compliance checks in the Infrastructure section
  3. Select “SOC2” from the available compliance standards

[Screenshot: Enable SOC2 compliance checks in project settings]

Other available standards include:

  • HIPAA
  • PCI DSS
  • GDPR

What Gets Detected

Security Controls

Our pre-configured rules check for:

  • Encryption and Data Protection (CC6.1, CC6.7)

    • Storage encryption for S3, RDS, EBS volumes
    • KMS key rotation and configuration
    • Sensitive data in code
    • In-transit encryption
  • Access Management (CC6.1, CC6.3)

    • IAM policy configurations
    • Security group rules
    • Public access settings
    • Password policies
  • Monitoring and Logging (CC4.1, CC7.2)

    • CloudTrail configuration
    • VPC flow logs
    • Load balancer access logs
    • GuardDuty settings

Resource Settings

Each resource type has specific required and optional checks:

  • S3 Buckets

    • KMS encryption
    • Public access blocks
    • Versioning configuration
  • RDS Instances

    • Storage encryption
    • Backup retention
    • Multi-AZ deployment
    • Deletion protection
  • ElastiCache

    • At-rest encryption
    • Transit encryption
    • Replication group settings

Review Process

When compliance issues are detected:

  1. A compliance task is created in your Cased dashboard
  2. You can review violations directly in Cased or on GitHub
  3. Each violation can be reviewed and addressed individually
  4. Required violations must be fixed before merging

Task Details

The compliance task shows:

  • Standard: The compliance standard being checked (e.g., SOC2)
  • Pull Request: Link to the GitHub PR with review comments
  • Violation Count: Number of detected issues
  • Priority: Required or Optional for each violation
  • Description: Why this matters for SOC2
  • Fix: Suggested code changes that can be applied automatically

Example Violation

# The two blocks below show the same resource before and after the fix;
# they are alternatives, not two resources in one configuration.

# Non-compliant: Missing encryption
resource "aws_db_instance" "app_db" {
  identifier     = "production-db"
  engine         = "postgres"
  instance_class = "db.t3.micro"
  # storage_encrypted is absent and defaults to false, so the check fails
}

# Compliant: Encryption enabled
resource "aws_db_instance" "app_db" {
  identifier        = "production-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  storage_encrypted = true               # Required for SOC2 compliance
  kms_key_id        = aws_kms_key.db.arn # Customer-managed key, assumed to be defined elsewhere
}
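To show how the resource checks under What Gets Detected and the Required/Optional priority from Task Details fit together, here is a small added illustration in Python. It is not Cased's implementation and its rule table, regex-based parsing of flat resource blocks, and sample .tf content are all constructed for this example.

```python
import re
# Rule table (constructed for this illustration, not Cased's own rule set):
# resource type, attribute, expected value, priority, SOC2 control.
RULES = [
    ("aws_db_instance", "storage_encrypted", "true", "required", "CC6.1"),
    ("aws_db_instance", "deletion_protection", "true", "optional", "CC6.7"),
    ("aws_elasticache_replication_group", "at_rest_encryption_enabled", "true", "required", "CC6.1"),
    ("aws_elasticache_replication_group", "transit_encryption_enabled", "true", "required", "CC6.7"),
]

# Top-level resource blocks with flat bodies only; nested blocks are out of scope here.
RESOURCE_RE = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{([^{}]*)\}')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*([^#\n]+?)\s*(?:#.*)?$', re.M)

def parse_resources(tf_source):
    """Return {(type, name): {attribute: value}} for each flat resource block."""
    return {(rtype, rname): {k: v.strip('"') for k, v in ATTR_RE.findall(body)}
            for rtype, rname, body in RESOURCE_RE.findall(tf_source)}

def find_violations(tf_source):
    """Apply RULES to every parsed resource; a missing or wrong value is a violation."""
    violations = []
    for (rtype, rname), attrs in parse_resources(tf_source).items():
        for rule_type, attr, expected, priority, control in RULES:
            if rtype == rule_type and attrs.get(attr) != expected:
                violations.append({"resource": f"{rtype}.{rname}", "attribute": attr,
                                   "expected": expected, "actual": attrs.get(attr),
                                   "priority": priority, "control": control})
    return violations

def blocks_merge(violations):
    """Required violations must be fixed before the PR can merge; optional ones only warn."""
    return any(v["priority"] == "required" for v in violations)

# Constructed sample .tf content (not taken from any real repository).
SAMPLE_TF = """resource "aws_db_instance" "app_db" {
  identifier     = "production-db"
  engine         = "postgres"
  instance_class = "db.t3.micro"
}
resource "aws_elasticache_replication_group" "cache" {
  replication_group_id       = "app-cache"
  at_rest_encryption_enabled = true
  transit_encryption_enabled = false  # flagged: in-transit encryption is required
}
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_TF):
        print(f'{v["priority"]:8} {v["control"]} {v["resource"]}.{v["attribute"]} should be {v["expected"]}')
```

Run on the sample, it reports the missing RDS storage encryption and the disabled cache transit encryption as required, and the missing deletion protection as optional, so the pull request would be blocked until the two required items are fixed.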