A B2B SaaS company that provides workflow automation tools for mid-market enterprises operates its entire platform on AWS serverless services, including AWS Lambda for compute, Amazon API Gateway for endpoints, Amazon DynamoDB for data storage, Amazon EventBridge for event routing, and AWS Step Functions for complex orchestration.
The platform handles customer PII and some financial data, placing it within the scope of SOC 2 Type 2 attestation for the Security and Confidentiality criteria.
As the company prepared for its first SOC 2 Type 2 audit, the GRC and engineering teams encountered challenges directly tied to the characteristics of serverless architectures.
Evidence for controls had to be assembled from transient function invocations, event payloads, execution traces, and configuration states rather than persistent server logs.
Maintaining an accurate inventory of hundreds of resources was complicated by frequent product changes. Infrastructure-as-code (IaC) served as the primary…
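One concrete way to produce the two kinds of evidence just described, an inventory reconciled against the IaC declaration and a point-in-time configuration-state record per function, is shown below. This is an added example, not the company's tooling: every input is constructed inline, the account id, key ARN, function names, role-naming convention and control policy are all assumptions, and in a real pipeline the deployed list would be filled from boto3 (`lambda.list_functions()` and `get_function_configuration()`) while the declared list would be parsed from the IaC template or state file.

```python
"""Reconcile deployed serverless resources against their IaC declaration and
capture configuration-state evidence for SOC 2 control testing.

Added example (hypothetical tooling, not the company's own). All inputs are
constructed inline; in practice DEPLOYED would be filled from boto3's
lambda.list_functions() / get_function_configuration() and DECLARED parsed
from the IaC template or state file.
"""
from datetime import datetime, timezone

ACCOUNT = "111122223333"                                   # constructed account id
CMK = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-CMK"   # constructed key ARN

# Constructed: the IaC-declared desired state, keyed by function name.
DECLARED = {
    "orders-api": {"Runtime": "python3.12", "TracingMode": "Active", "KMSKeyArn": CMK,
                   "Role": f"arn:aws:iam::{ACCOUNT}:role/orders-api-role"},
    "invoice-export": {"Runtime": "python3.12", "TracingMode": "Active", "KMSKeyArn": CMK,
                       "Role": f"arn:aws:iam::{ACCOUNT}:role/invoice-export-role"},
    "nightly-cleanup": {"Runtime": "python3.12", "TracingMode": "Active", "KMSKeyArn": CMK,
                        "Role": f"arn:aws:iam::{ACCOUNT}:role/nightly-cleanup-role"},
}

# Constructed: what the account actually reports (shape mirrors the fields of
# get_function_configuration output that are used here).
DEPLOYED = [
    {"FunctionName": "orders-api", "Runtime": "python3.12", "KMSKeyArn": CMK,
     "TracingConfig": {"Mode": "Active"},
     "Role": f"arn:aws:iam::{ACCOUNT}:role/orders-api-role"},
    # Drifted: runtime downgraded, tracing off, env vars on the default key.
    {"FunctionName": "invoice-export", "Runtime": "python3.9",
     "TracingConfig": {"Mode": "PassThrough"},
     "Role": f"arn:aws:iam::{ACCOUNT}:role/invoice-export-role"},
    # Not in IaC at all: created outside the deployment pipeline.
    {"FunctionName": "hotfix-debug", "Runtime": "python3.12", "KMSKeyArn": CMK,
     "TracingConfig": {"Mode": "Active"},
     "Role": f"arn:aws:iam::{ACCOUNT}:role/shared-lambda-role"},
]

# Constructed control policy the captured configuration is tested against.
POLICY = {"approved_runtimes": {"python3.12", "nodejs20.x"}, "require_cmk": True,
          "require_tracing": True, "dedicated_role_suffix": "-role"}


def flatten(fn):
    """Project a function configuration onto the attributes the IaC declares."""
    return {"Runtime": fn.get("Runtime"), "Role": fn.get("Role"),
            "TracingMode": fn.get("TracingConfig", {}).get("Mode", "PassThrough"),
            "KMSKeyArn": fn.get("KMSKeyArn")}  # absent -> AWS-managed default key


def reconcile(deployed, declared):
    """Inventory check: functions that are undeclared, missing or drifted."""
    by_name = {fn["FunctionName"]: fn for fn in deployed}
    result = {"undeclared": sorted(set(by_name) - set(declared)),
              "missing": sorted(set(declared) - set(by_name)), "drifted": {}}
    for name, expected in declared.items():
        if name not in by_name:
            continue
        actual = flatten(by_name[name])
        diffs = {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}
        if diffs:
            result["drifted"][name] = diffs
    return result


def evidence_record(fn, policy):
    """Point-in-time evidence for one function plus any control findings."""
    name, cfg = fn["FunctionName"], flatten(fn)
    findings = []
    if policy["require_cmk"] and cfg["KMSKeyArn"] is None:
        findings.append("environment variables use the default AWS-managed key, not a CMK")
    if policy["require_tracing"] and cfg["TracingMode"] != "Active":
        findings.append(f"X-Ray tracing is {cfg['TracingMode']}, expected Active")
    if cfg["Runtime"] not in policy["approved_runtimes"]:
        findings.append(f"runtime {cfg['Runtime']} is not on the approved list")
    # Constructed convention: each function has its own role named <function>-role.
    if not cfg["Role"].endswith(name + policy["dedicated_role_suffix"]):
        findings.append(f"role {cfg['Role'].rsplit('/', 1)[-1]} is not dedicated to {name}")
    return {"resource": name, "captured_at": datetime.now(timezone.utc).isoformat(),
            "configuration": cfg, "findings": findings}


def evidence_package(deployed, declared, policy):
    """One artefact an auditor can sample: inventory result plus per-resource records."""
    return {"inventory": reconcile(deployed, declared),
            "resources": [evidence_record(fn, policy) for fn in deployed]}


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_package(DEPLOYED, DECLARED, POLICY), indent=2))
```

Run on a schedule and written to immutable storage, each package is a timestamped snapshot that stands in for the persistent server logs a traditional environment would offer; the `undeclared` list is the part worth alerting on, since a function that exists outside IaC has bypassed whatever change-management control the pipeline enforces.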

