21 Essential SOC 2 Type II Evidence Artifacts (and How to Produce Them Fast)
If you’re tightening evidence trails ahead of a SOC 2 Type II audit, this guide shows exactly what artifacts pass scrutiny, how to generate them quickly (with code), and how to close gaps via disciplined two-week remediation sprints.

Evidence vs. Policy: What Auditors Actually Sample
Policies declare intent; evidence proves operating effectiveness over the Type II period. Auditors will sample tickets, logs, approvals, reports, and configurations across each relevant Trust Services Criteria (Security/Availability/Confidentiality/Processing Integrity/Privacy). Below are 21 evidence artifacts commonly requested—plus real, copy-pasteable commands/playbooks to create or export them.
Tip: Store artifacts in a versioned evidence binder with clear indices:
/evidence/YYYY-QX/<control>/<artifact>.<ext>. Add owner, date, and sampling window in the filename or front-matter.
The 21 SOC 2 Type II Evidence Artifacts Auditors Ask For (with Code)
- User & Admin Inventory with MFA Status
Baseline for CC6 (access), CC7 (monitoring).
AWS CLI (users, MFA):
```bash
aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' |
  xargs -I{} aws iam list-mfa-devices --user-name {} \
    --query 'MFADevices[].{user:UserName,serial:SerialNumber}' --output table
# One CSV covering every user, with an mfa_active column (wait a few seconds after generating):
aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 -d > iam_credential_report.csv
```
Azure AD (Admins & MFA):
```powershell
# Members of every directory role whose name contains "Admin" (Microsoft Graph PowerShell SDK)
Get-MgDirectoryRoleTemplate | ?{ $_.DisplayName -match "Admin" } | %{
  Get-MgDirectoryRole -Filter "displayName eq '$($_.DisplayName)'" |
    % { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id }
}
# Registered authentication methods for one user (shows which MFA methods exist)
Get-MgUserAuthenticationMethod -UserId <user@domain>
```
- Quarterly Access Reviews (Attestations & Revocations)
Proof that least privilege is actively governed.
Sample CSV template (import to GRC/ticketing):
```csv
user,system,role,justification,reviewer,decision,date
alice,prod-db,readonly,"BI dashboards",cto,approve,2025-10-07
bob,prod-db,admin,"break-glass",ciso,revoke,2025-10-07
```
- SSO Enforcement & Conditional Access Baselines
Google Workspace example (export SSO/OAuth apps):
```bash
gam print apps list > evidence/workspace_sso_apps_2025-10.csv
```
- Change Management Tickets for Releases
Change → Approval → Evidence trail.
Jira JQL (export sample set):
```
project=OPS AND issuetype in (Change)
AND status=Done AND resolved >= -90d ORDER BY resolved DESC
```
- CI/CD Run Logs & Required Reviews
GitHub Actions—export last 90 days of successful deploy runs:
```bash
# --created bounds the audit window (GNU date shown); --limit alone only caps the row count
gh run list --workflow deploy.yml --status success --limit 200 \
  --created ">=$(date -d '-90 days' +%F)" \
  --json databaseId,headSha,startedAt,conclusion > ci_runs.json
```
- Build Provenance (SLSA/in-toto Attestation)
Proves artifact → source → builder linkage.
Example in-toto statement (JSON; in SLSA v1 the buildType sits under buildDefinition and the builder under runDetails):
```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [{ "name": "webapp", "digest": { "sha256": "<artifact_sha256>" } }],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": { "buildType": "docker", "externalParameters": {} },
    "runDetails": { "builder": { "id": "github-actions" } }
  }
}
```
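To produce such a statement from a real artifact and later check that a stored statement actually names the artifact you shipped, here is an added Python example (not code from the original post or from in-toto/SLSA tooling); the artifact bytes are constructed and the builder id "github-actions" is the post's placeholder.

```python
"""Build and verify an in-toto v1 Statement carrying a SLSA v1 provenance predicate."""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(name: str, artifact: bytes, builder_id: str, build_type: str) -> dict:
    """Statement whose subject is the artifact digest, binding artifact -> builder for the binder."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {"buildType": build_type, "externalParameters": {}},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_subject(statement: dict, name: str, artifact: bytes) -> bool:
    """True only if this is a v1 SLSA provenance statement listing exactly this artifact digest."""
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != PROVENANCE_TYPE:
        return False
    want = sha256_hex(artifact)
    return any(
        s.get("name") == name and s.get("digest", {}).get("sha256") == want
        for s in statement.get("subject", [])
    )


# Constructed sample artifact standing in for a release tarball / image layer
ARTIFACT = b"webapp-1.2.3 release bytes (constructed sample)"
STATEMENT = build_statement("webapp", ARTIFACT, "github-actions", "docker")

if __name__ == "__main__":
    print(json.dumps(STATEMENT, indent=2))
    print("verified:", verify_subject(STATEMENT, "webapp", ARTIFACT))      # True
    print("tampered:", verify_subject(STATEMENT, "webapp", ARTIFACT + b"x"))  # False
```

Save the JSON next to the CI run export so the auditor can recompute the digest of the stored artifact and match it against the subject.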
- Code Review & Protected Branch Evidence
GitHub branch protection & required reviews:
```bash
gh api repos/:owner/:repo/branches/main/protection > branch_protection.json
```
- Vulnerability Scans + Fix Verification
Save pre-/post-fix PDFs or CSVs and the retest ticket.
Screenshot: Pentest Testing's free Website Vulnerability Scanner. Run a quick surface scan before deep testing to spot obvious exposures, seed your remediation backlog, and capture pre-fix evidence.
Screenshot: sample Website Vulnerability report showing detected categories, URLs, and severity; pair it with your change tickets and retest exports to prove closure.

- Endpoint Patch Compliance (OS/Agent Levels)
Windows (PowerShell):
```powershell
Get-HotFix | Select HotFixID,InstalledOn | Sort-Object InstalledOn -desc |
  Export-Csv evidence/patches_win_2025-11.csv -NoType
```
- Encryption at Rest (Keys & Policies)
AWS KMS (rotation & key policy export):
```bash
aws kms list-keys --query 'Keys[].KeyId' --output text | tr '\t' '\n' |
  xargs -I{} aws kms get-key-rotation-status --key-id {} --output json
aws kms get-key-policy --key-id <key-id> --policy-name default > kms_policy.json
```
- TLS in Transit (Modern Cipher Config)
NGINX example snippet (save as evidence of config):
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
# With OpenSSL, ssl_ciphers governs the TLS 1.2 suites; TLS 1.3 suites are set via "ssl_conf_command Ciphersuites ..."
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:...';
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```
- Centralized Logging Enablement
AWS CloudTrail & CloudWatch retention as IaC evidence (Terraform):
```hcl
resource "aws_cloudtrail" "org" {
  name                  = "org-trail"
  is_multi_region_trail = true
  # ...
}
resource "aws_cloudwatch_log_group" "trail" {
  name              = "/org/trail"
  retention_in_days = 365
}
```
- Log Integrity (Tamper-Evident Hash Chain)
Bash: daily chain for exported logs:
```bash
today=$(date -I)
prev=$(cat chain.tail 2>/dev/null || echo "genesis")
cur=$(sha256sum "logs/$today.json" | cut -d' ' -f1)
link=$(echo "$today,$prev,$cur" | sha256sum | cut -d' ' -f1)  # cut drops sha256sum's trailing "  -"
echo "$today,$prev,$cur,$link" >> chain.log  # append-only ledger so the chain can be re-verified later
echo "$link" > chain.tail
```
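A chain is only evidence if someone can re-walk it, so here is an added Python verifier (not from the original post). It assumes the ledger is one `date,prev,cur,link` line per day, with `link` = sha256 of the text `date,prev,cur` followed by a newline (exactly what `echo | sha256sum` hashes) and `chain.tail` holding the latest link; the sample digests are constructed.

```python
"""Re-verify the daily log hash chain: each day's prev must equal the previous link,
each link must recompute from its fields, and the last link must match chain.tail."""
import hashlib


def link_hash(date: str, prev: str, cur: str) -> str:
    # Matches: echo "$date,$prev,$cur" | sha256sum   (echo appends the newline)
    return hashlib.sha256(f"{date},{prev},{cur}\n".encode()).hexdigest()


def verify_chain(ledger: list[str], tail: str) -> tuple[bool, int]:
    """Returns (ok, index of the first bad line; -1 when intact, len(ledger) when only the tail mismatches)."""
    expected_prev, last_link = "genesis", None
    for i, line in enumerate(ledger):
        date, prev, cur, link = line.strip().split(",")
        if prev != expected_prev or link != link_hash(date, prev, cur):
            return False, i            # edited, reordered or deleted day detected here
        expected_prev = last_link = link
    ok = last_link == tail.strip()
    return ok, -1 if ok else len(ledger)   # truncated ledger: every line checks but tail disagrees


def make_ledger(daily_log_hashes: list[tuple[str, str]]) -> list[str]:
    """Build a ledger the way the nightly job would, from (date, sha256-of-export) pairs."""
    prev, lines = "genesis", []
    for date, cur in daily_log_hashes:
        link = link_hash(date, prev, cur)
        lines.append(f"{date},{prev},{cur},{link}")
        prev = link
    return lines


# Constructed sample: three days of export digests (fake sha256 values)
SAMPLE = [("2025-10-01", "a" * 64), ("2025-10-02", "b" * 64), ("2025-10-03", "c" * 64)]
LEDGER = make_ledger(SAMPLE)
TAIL = LEDGER[-1].split(",")[-1]


def tampered_ledger() -> list[str]:
    """Same ledger with day 2's export digest altered after the fact."""
    bad = LEDGER[:]
    bad[1] = bad[1].replace("b" * 64, "d" * 64)
    return bad


if __name__ == "__main__":
    print("intact:", verify_chain(LEDGER, TAIL))            # (True, -1)
    print("tampered:", verify_chain(tampered_ledger(), TAIL))  # (False, 1)
    print("truncated:", verify_chain(LEDGER[:2], TAIL))     # (False, 2)
```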
- Security Monitoring Rules (SIEM) & Alerts
Splunk SPL—admin logins outside the expected country (replace "expected" with your allow-listed country code; the same pattern extends to repeated MFA failures):
```
index=auth action=login role=admin NOT src_country="expected"
| stats count by user, src_ip, src_country
```
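The same rule run as Python over an exported JSON-lines sample, plus the companion MFA-failure count the heading mentions, as an added example (not from the original post); the log lines, field names, allow-listed countries and threshold are constructed assumptions to map onto your own schema.

```python
"""Detection logic over exported auth events: admin logins from outside the allow-listed
countries, and users whose failed MFA prompts reach a threshold."""
import json
from collections import Counter

ALLOWED_COUNTRIES = {"US", "DE"}   # assumption: where your admins legitimately sign in from
MFA_FAIL_THRESHOLD = 3             # assumption: alert at 3+ failed MFA prompts per user

# Constructed sample export (JSON lines), standing in for index=auth
SAMPLE_LOG = """
{"action":"login","role":"admin","user":"alice","src_ip":"203.0.113.5","src_country":"US","mfa":"success"}
{"action":"login","role":"admin","user":"bob","src_ip":"198.51.100.9","src_country":"BR","mfa":"success"}
{"action":"login","role":"user","user":"carol","src_ip":"198.51.100.2","src_country":"BR","mfa":"success"}
{"action":"mfa","role":"admin","user":"dave","src_ip":"192.0.2.7","src_country":"DE","mfa":"fail"}
{"action":"mfa","role":"admin","user":"dave","src_ip":"192.0.2.7","src_country":"DE","mfa":"fail"}
{"action":"mfa","role":"admin","user":"dave","src_ip":"192.0.2.7","src_country":"DE","mfa":"fail"}
{"action":"login","role":"admin","user":"bob","src_ip":"198.51.100.9","src_country":"BR","mfa":"success"}
""".strip()


def parse_events(raw: str) -> list[dict]:
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def admin_logins_outside(events: list[dict], allowed: set[str]) -> dict[tuple, int]:
    """Equivalent of: action=login role=admin NOT src_country in allowed | stats count by user, src_ip, src_country."""
    hits: Counter = Counter()
    for e in events:
        if e.get("action") == "login" and e.get("role") == "admin" and e.get("src_country") not in allowed:
            hits[(e["user"], e["src_ip"], e["src_country"])] += 1
    return dict(hits)


def mfa_failure_bursts(events: list[dict], threshold: int) -> dict[str, int]:
    """Users whose failed MFA prompts reach the threshold (repeated-prompt / bypass attempts)."""
    fails = Counter(e["user"] for e in events if e.get("action") == "mfa" and e.get("mfa") == "fail")
    return {user: n for user, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(admin_logins_outside(evs, ALLOWED_COUNTRIES))   # {('bob', '198.51.100.9', 'BR'): 2}
    print(mfa_failure_bursts(evs, MFA_FAIL_THRESHOLD))     # {'dave': 3}
```

Schedule it against the daily export and save the output alongside the SIEM report so the saved search and the re-run agree.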
- Incident Response (IR) Exercises & Lessons Learned
Store tabletop agenda, attendees, time-stamped notes, action items, and created tickets with owners/dates.
- Backups & Restore Tests
AWS RDS automated restore validation (snippet):
```bash
# Newest snapshot of the prod instance (sorted by creation time rather than list order)
snap=$(aws rds describe-db-snapshots --db-instance-identifier prod \
  | jq -r '.DBSnapshots | sort_by(.SnapshotCreateTime) | last | .DBSnapshotIdentifier')
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier restore-check --db-snapshot-identifier "$snap"
# Restore is asynchronous: wait until the instance is available before testing it
aws rds wait db-instance-available --db-instance-identifier restore-check
# run smoke tests, save their output as evidence, then clean up:
aws rds delete-db-instance --db-instance-identifier restore-check --skip-final-snapshot
```
- Business Continuity/DR (RTO/RPO Evidence)
Save documented RTO/RPO targets and actuals from a scheduled failover test with timestamps and pass/fail criteria.
- Vendor Risk (Due Diligence & Monitoring)
Template CSV:
```csv
vendor,service,criticality,due_diligence,review_date,decision
Acme SSO,Identity,High,"SOC2 Type II 2025, SIG Lite OK",2025-09-14,Approved
```
- Risk Register with Treatment & Owners
Fields: risk_id, description, inherent score, control refs (CCx.x), owner, due, treatment, evidence path.
(See our related post on building a unified, multi-framework risk register.)
- Awareness/Training Completion & Phishing Results
Export LMS completion CSVs and quarterly phishing metrics with user counts, click rates, and remedial training tickets.
- Policy Suite with Versioning & Sign-Off
Include control IDs, version, approval date, and mapped TSC references. Store as signed PDFs or in a doc system with immutable version history.
Mapping Gaps to 2-Week Remediation Sprints (Owner • Artifact • Proof)
Use small, outcome-driven sprints that end with evidence in hand. Here’s a practical starter mapping:
| Gap (example) | Owner | Artifact to Produce | Proof to Save |
|---|---|---|---|
| Admin MFA gaps | IT/IAM Lead | MFA enrollment report (users, methods) | CSV export + ticket IDs closing gaps |
| Unlogged prod API | SRE | CloudTrail/ALB/WAF logging IaC | Terraform plan/apply + console screenshot |
| Unreviewed access | CISO delegate | Quarterly access review pack | Attestations + revocation tickets |
| No build provenance | Dev Lead | SLSA in-toto attestation | JSON attestation + CI run URL export |
| No DR test | Ops | Documented restore test | CLI output + test plan + checklist PDF |
Automation tip (nightly evidence job via GitHub Actions):
```yaml
name: evidence-export
on:
  schedule: [{cron: "0 2 * * *"}]
jobs:
  export:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}        # gh needs a token to call the API
      GH_REPO: ${{ github.repository }}    # gives gh its repo context without a checkout
    steps:
      - run: mkdir -p evidence
      - name: Export GH branch protection
        run: gh api repos/$GH_REPO/branches/main/protection > evidence/branch_protection.json
      - name: Export CI runs
        run: gh run list --workflow deploy.yml --limit 100 --json databaseId,headSha,startedAt,conclusion > evidence/ci_runs.json
      - name: Upload artifact (retain 400 days)
        uses: actions/upload-artifact@v4
        with: {name: evidence-bundle, path: evidence, retention-days: 400}
```
Automating Repeatable Evidence (SIEM, Ticketing, Build Provenance)
- SIEM Saved Searches: Convert your best ad-hoc queries (e.g., admin logins, failed MFA, excessive 5xxs) into scheduled reports that email PDFs weekly into /evidence/monitoring/.
- Ticketing Hooks: Auto-create remediation tickets from scanner exports (CSV → API) and tag them with SOC2 and CC7.2.
- Build Provenance: Generate attestations on each release and push to an immutable bucket with write-once lifecycle rules.
- Immutable Log Storage: Set retention ≥ 365 days and document it (screenshots + IaC).
Common Pitfalls (and Quick Fixes)
- Backdated evidence: Auditors will notice; schedule exports and keep raw export timestamps.
- Control drift: Policy says X, config shows Y. Fix with IaC baselines and a weekly drift report.
- One-off proofs: Create recurring jobs; don’t rely on a single screenshot.
- Unscoped sprints: Tie every sprint item to a control ID and exit criteria (what file proves it?).
- No retest: Always attach a post-fix log, config, or scan proving the change.
Where We Fit in Your SOC 2 Journey
- Need help scoping controls and building an audit-ready plan? Explore our Risk Assessment Services.
- Already have findings and a deadline? Our Remediation Services and dedicated SOC 2 Remediation Services close gaps and assemble the evidence binder your auditor expects.
Related Reading (recent posts)
- 7 Proven Steps to a Unified Risk Register (30 Days) — turn multi-framework chaos into one prioritized register.
- NIST CSF 2.0: 14-Day Exclusive Plan for Board-Ready Metrics — practical metrics that map well to SOC 2 governance.
- NIST SP 800-53 5.2: 7 Proven Patch/Update Integrity Fixes — patterns you can reuse for SOC 2 change/patch evidence.
Browse more on our Blog.
Add These to Your Evidence Binder Today (Copy/Paste Snippets)
Elastic Query (HTTP 5xx surge, 15 min):
```json
{
  "size": 0,
  "query": { "bool": { "filter": [
    { "range": { "@timestamp": { "gte": "now-15m" } } },
    { "range": { "status": { "gte": 500, "lt": 600 } } } ] } },
  "aggs": { "by_service": { "terms": { "field": "service.keyword" },
    "aggs": { "per_minute": { "date_histogram": { "field": "@timestamp", "fixed_interval": "1m" } } } } }
}
```
The `doc_count` of each per-minute bucket is the 5xx rate for that service; the original `rate` aggregation is only valid inside a `date_histogram`, and summing the `status` field would not count errors.
Cross-check Change Tickets vs Deploys (SQL):
```sql
-- Every deploy in the last 30 days with its approved change ticket; a NULL ticket means the
-- deploy had no approved change (keeping the status test in ON preserves the LEFT JOIN)
SELECT d.sha, d.deployed_at, c.ticket, c.status
FROM deploys d
LEFT JOIN changes c ON d.change_id = c.ticket AND c.status = 'Approved'
WHERE d.deployed_at >= CURRENT_DATE - INTERVAL '30 days'
ORDER BY d.deployed_at DESC;
```
GitHub Required Reviewers (export):
```bash
gh api repos/$OWNER/$REPO/branches/main/protection/required_pull_request_reviews \
  > required_reviews.json
```
GCP Audit Logs sink retention (gcloud):
```bash
gcloud logging sinks describe org-sink --format=json > gcp_logs_sink.json
# Retention (retentionDays) is a property of the destination log bucket, not of the sink:
gcloud logging buckets describe _Default --location=global --format=json > gcp_log_bucket.json
```
Ready to Move Fast?
- Start with a scoped Risk Assessment to baseline gaps and a prioritized backlog.
- Engage our Remediation Services to implement fixes and produce an auditor-ready evidence binder.
- Keep learning on our Blog, or head back to Home.
🔐 Frequently Asked Questions (FAQs)
Find answers to commonly asked questions about SOC 2 Type II Evidence Artifacts.