Identify the SOC 2 trust services criteria your technical evidence supports (CC6 logical and physical access, CC7 system operations, and CC8 change management are where audit logs matter most; CC9 covers risk mitigation and vendor management) and map each criterion to a specific data source (CloudTrail, GCP Audit Logs, Okta System Log, GitHub Audit Log), noting which fields in that source prove the control
Script periodic exports. For AWS, `cloudtrail:LookupEvents` accepts a LookupAttributes filter (EventSource, EventName, Username and a few others) plus a StartTime/EndTime window, but it only reads the 90-day Event history of management events, so a trail that delivers to S3 is the durable source; for GCP, use the Logging API `entries.list` with a filter on `logName`, resource type and `timestamp`, or route audit logs to a Cloud Storage log sink. Paginate with NextToken / nextPageToken until the window is exhausted
Store exported logs in an append-only, versioned object store (e.g., S3 with versioning and Object Lock in compliance mode, with a retention period that outlasts the audit period plus the auditor's review) so the evidence is tamper-evident and cannot be shortened by an administrator
Generate access review reports by querying your IdP (Okta, Microsoft Entra ID, formerly Azure AD) for group memberships and comparing them to the authorized access list exported from your HR system; record the reviewer, the review date and the disposition of every discrepancy alongside the raw comparison
Package each evidence file with metadata (collection timestamp, source system, period covered, SHA-256 hash of the file exactly as stored) in a manifest inside a structured evidence archive, and upload the archive to your GRC platform (Vanta, Drata, Secureframe, etc.); re-hash on upload so a mismatch is caught before the auditor sees it
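As an added example (not part of the original route, and not any vendor's code), the following Python implements the access-review comparison and evidence-packaging steps above on constructed sample data: it takes records already exported from CloudTrail and an IdP (the live API pulls are left out so this runs offline), freezes a point-in-time access review, wraps each export in a manifest with a SHA-256 hash, zips the set into an archive and verifies it. Record layouts, group names and the function names are assumptions for illustration.

```python
"""Added example: package SOC 2 evidence with tamper-evident metadata.
Sample records below are constructed, not real exports."""
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone

# Constructed sample: records shaped like CloudTrail LookupEvents output (subset of fields)
SAMPLE_CLOUDTRAIL_EVENTS = [
    {"EventId": "evt-0001", "EventName": "ConsoleLogin", "EventSource": "signin.amazonaws.com",
     "EventTime": "2024-03-01T08:15:00Z", "Username": "alice"},
    {"EventId": "evt-0002", "EventName": "CreateUser", "EventSource": "iam.amazonaws.com",
     "EventTime": "2024-03-02T11:02:00Z", "Username": "bob"},
]
# Constructed sample: IdP group membership vs. the HR-authorized list (group names assumed)
SAMPLE_IDP_GROUPS = {"prod-admins": {"alice", "bob", "carol"}, "db-readonly": {"dave"}}
SAMPLE_HR_AUTHORIZED = {"prod-admins": {"alice", "bob"}, "db-readonly": {"dave", "erin"}}
SNAPSHOT_TIME = datetime(2024, 3, 31, tzinfo=timezone.utc)  # end of the review period


def canonical_json(obj) -> bytes:
    """Deterministic encoding so the stored hash is reproducible on re-verification."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_artifact(source_system: str, records, collected_at=None) -> dict:
    """Wrap an export in the metadata an auditor needs: when and where it was
    collected, how many records, and a SHA-256 over the exact bytes stored."""
    collected_at = collected_at or datetime.now(timezone.utc)
    content = canonical_json(records)
    return {
        "metadata": {
            "source_system": source_system,
            "collection_date": collected_at.isoformat(),
            "record_count": len(records),
            "sha256": sha256_hex(content),
        },
        "content": content.decode("utf-8"),
    }


def verify_artifact(artifact: dict) -> bool:
    """Recompute the digest over the stored content; False means tampering or corruption."""
    return sha256_hex(artifact["content"].encode("utf-8")) == artifact["metadata"]["sha256"]


def access_review_snapshot(idp_groups: dict, hr_authorized: dict, reviewed_at: datetime) -> dict:
    """Point-in-time comparison of IdP membership against the HR-authorized list.
    The timestamp is frozen into the record so later access changes cannot alter it."""
    findings = {}
    for group in sorted(set(idp_groups) | set(hr_authorized)):
        actual = set(idp_groups.get(group, ()))
        expected = set(hr_authorized.get(group, ()))
        findings[group] = {
            "members": sorted(actual),
            "unauthorized": sorted(actual - expected),  # has access, HR says should not
            "missing": sorted(expected - actual),       # HR says should have access, does not
        }
    return {"reviewed_at": reviewed_at.isoformat(), "groups": findings}


def package_archive(artifacts: list) -> bytes:
    """Zip each artifact's content plus a manifest of its metadata; the returned
    bytes are what gets written to the Object Lock bucket and the GRC platform."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest = []
        for i, art in enumerate(artifacts):
            name = f"{i:03d}-{art['metadata']['source_system']}.json"
            zf.writestr(name, art["content"])
            manifest.append({"file": name, **art["metadata"]})
        zf.writestr("manifest.json", canonical_json(manifest).decode("utf-8"))
    return buf.getvalue()


def verify_archive(blob: bytes) -> bool:
    """Re-hash every file in the archive against its manifest entry (run this on upload)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        return all(sha256_hex(zf.read(m["file"])) == m["sha256"] for m in manifest)


def run_demo() -> dict:
    review = access_review_snapshot(SAMPLE_IDP_GROUPS, SAMPLE_HR_AUTHORIZED, SNAPSHOT_TIME)
    artifacts = [build_artifact("aws-cloudtrail", SAMPLE_CLOUDTRAIL_EVENTS, SNAPSHOT_TIME),
                 build_artifact("okta-access-review", review, SNAPSHOT_TIME)]
    blob = package_archive(artifacts)
    return {"review": review, "artifacts": artifacts, "archive_ok": verify_archive(blob)}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["review"]["groups"], indent=2))
    print("archive ok:", result["archive_ok"])
```

In practice the `SAMPLE_*` constants are replaced by the paginated output of `lookup_events` (or the S3 trail objects) and the IdP and HR exports; everything downstream stays the same. The review finding for `prod-admins` shows `carol` as unauthorized and `db-readonly` shows `erin` as missing, and because `reviewed_at` is part of the hashed content, a later group change cannot silently rewrite the snapshot.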
Known gotchas
Cloud audit logs have retention limits (CloudTrail Event history, which LookupEvents reads, keeps 90 days; GCP's _Default log bucket keeps 30 days, and only the _Required bucket holds Admin Activity logs for 400 days; the Okta System Log keeps 90 days); evidence for an annual SOC 2 audit must therefore be collected continuously and stored separately, not pulled retroactively at audit time
Access reviews must capture a point-in-time snapshot with the review date recorded in the evidence; a live API query at audit time reflects access changes made after the review period and cannot prove what was reviewed, which invalidates the evidence
Auditors require evidence that the control operated throughout the audit period, not just at its start and end; automated weekly or monthly snapshots, each hashed and retained, are far stronger than a single annual pull