Overview
Kube Starter Kit is designed with security and auditability as core principles. While the kit itself doesn’t make you SOC2 compliant (that requires organizational policies, procedures, and a formal audit), it provides the technical foundation that addresses many SOC2 Trust Services Criteria. This page maps Kube Starter Kit features to specific SOC2 controls and explains how they support your compliance posture.SOC2 Trust Services Criteria Coverage
SOC2 audits evaluate controls across five Trust Services Criteria. Kube Starter Kit primarily addresses Security (Common Criteria) and Availability, with supporting capabilities for Processing Integrity and Confidentiality.Security (Common Criteria)
The Security category forms the foundation of SOC2 and is required for all audits.CC6.1 - Logical Access Security
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.
Evidence artifacts:
- Git history of
users.yamlchanges showing access reviews - AWS IAM Identity Center user/group listings
- Terraform state showing VPC and subnet configurations
CC6.2 - Access Provisioning and Deprovisioning
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users.
Evidence artifacts:
- Pull request history showing access change approvals
- Git blame on
users.yamlshowing who approved each change - Terraform plan outputs showing exact access modifications
CC6.3 - Access Removal
The entity removes access to protected information assets when appropriate.
Evidence artifacts:
- Git commits showing user removal
- Terraform destroy plans for removed users
- AWS CloudTrail logs showing SSO user deletion
CC6.6 - Protection Against Threats Outside System Boundaries
The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
Evidence artifacts:
- cert-manager Certificate resources showing valid TLS
- CVE scan reports from GitHub Actions
- VPC security group configurations
CC6.7 - Transmission Encryption
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes.
Evidence artifacts:
- Ingress resources with TLS configuration
- Certificate resources showing renewal history
CC6.8 - Malicious Software Prevention
The entity implements controls to prevent or detect and act on the introduction of unauthorized or malicious software.
Evidence artifacts:
- CVE scan reports and SBOM artifacts
- ECR image tags showing immutable versioning
- GitHub Actions workflow runs
CC8.1 - Change Management
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.
Evidence artifacts:
- Pull request history with approvals
- Git diff showing exact changes per deployment
- ArgoCD sync history showing deployments
CC8.2 - Infrastructure and Software Changes
The entity authorizes, documents, and implements changes to infrastructure and software.
Evidence artifacts:
- Terraform plan outputs in PRs
- Drift detection workflow results
- ArgoCD application sync status
A1.1, A1.2 - Availability
The entity maintains, monitors, and evaluates current processing capacity and use of system components to support availability.
Evidence artifacts:
- Karpenter provisioner logs
- SigNoz dashboards and alerts
- CloudNativePG backup records
C1.1, C1.2 - Confidentiality
The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
Evidence artifacts:
- ExternalSecret resources (not containing actual secret values)
- AWS Secrets Manager access logs
- Pod Identity association configurations
Control Matrix Summary
Other Compliance Frameworks
The same technical controls that support SOC2 also map to other compliance frameworks:HIPAA (Healthcare)
PCI-DSS (Payment Card)
ISO 27001
Preparing for Audit
While Kube Starter Kit provides the technical controls, a SOC2 audit also requires:- Policies and Procedures: Written documentation of your access control policy, change management process, incident response plan, etc.
-
Evidence Collection: Regular exports of:
- Git history for access changes
- Terraform plan outputs
- CVE scan reports
- ArgoCD sync history
-
Access Reviews: Periodic review of
users.yamlto verify access is still appropriate. - Risk Assessments: Documentation of how you triage and remediate CVE findings.
- Training Records: Evidence that team members understand security procedures.