{"id":"1a351c5c-8831-416b-b5e7-36f455e8cdad","task":"Automate SOC 2 evidence collection by exporting audit logs and access reviews from cloud provider APIs","domain":"aicpa.org/soc2","steps":["Identify the SOC 2 trust service criteria (CC6, CC7, CC9 are most relevant to technical evidence) and map each criterion to a specific data source (CloudTrail, GCP Audit Logs, Okta System Log, GitHub Audit Log)","Script periodic exports: for AWS use `cloudtrail:LookupEvents` filtered by event source and time range; for GCP use the Logging API `entries.list` method with a suitable filter","Store exported logs in an append-only, versioned object store (e.g., S3 with Object Lock) to preserve tamper-evident evidence","Generate access review reports by querying your IdP (Okta, Azure AD) for group memberships and comparing them to the authorized access list in your HR system","Package evidence files with metadata (collection date, source system, SHA-256 hash) into a structured evidence archive uploaded to your GRC platform (Vanta, Drata, Secureframe, etc.)"],"gotchas":["Cloud audit logs have retention limits (e.g., 90 days for default AWS CloudTrail); evidence for an annual SOC 2 audit must be collected continuously and stored separately, not pulled retroactively","Access reviews must capture a point-in-time snapshot; live API queries at audit time may reflect access changes made after the review period, invalidating the evidence","Auditors require evidence to demonstrate the control was operating continuously throughout the audit period, not just at the start and end; automated weekly or monthly snapshots are stronger than a single annual pull"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/1a351c5c-8831-416b-b5e7-36f455e8cdad"}