Skip to main content

Overview

Kube Starter Kit is designed with security and auditability as core principles. While the kit itself doesn’t make you SOC2 compliant (that requires organizational policies, procedures, and a formal audit), it provides the technical foundation that addresses many SOC2 Trust Services Criteria. This page maps Kube Starter Kit features to specific SOC2 controls and explains how they support your compliance posture.

SOC2 Trust Services Criteria Coverage

SOC2 audits evaluate controls across five Trust Services Criteria. Kube Starter Kit primarily addresses Security (Common Criteria) and Availability, with supporting capabilities for Processing Integrity and Confidentiality.

Security (Common Criteria)

The Security category forms the foundation of SOC2 and is required for all audits.

CC6.1 - Logical Access Security

The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.
Control RequirementKube Starter Kit FeatureImplementation
Role-based access controlUser ManagementSingle users.yaml defines AWS SSO users, groups, and permission sets. GitHub teams mirror AWS groups for consistent RBAC.
Centralized identity managementUser ManagementAWS IAM Identity Center provides centralized authentication. No long-lived credentials; users authenticate via SSO portal.
Least privilege enforcementUser ManagementPre-configured permission sets (Admin, PowerUser, ReadOnly) with AWS-managed policies. Easy to add custom permission sets for more granular access.
Network segmentationAWS ArchitectureEKS nodes run in private subnets with no public IPs. Workloads are isolated from direct internet access.
Multi-account isolationAWS ArchitectureStaging and production in separate AWS accounts. Hard boundary prevents cross-environment access or accidental impact.
Evidence artifacts:
  • Git history of users.yaml changes showing access reviews
  • AWS IAM Identity Center user/group listings
  • Terraform state showing VPC and subnet configurations

CC6.2 - Access Provisioning and Deprovisioning

Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users.
Control RequirementKube Starter Kit FeatureImplementation
Documented access requestsUser ManagementAll access changes are pull requests. PR description documents who, what, and why.
Approval workflowUser ManagementBranch protection requires PR approval before merge. Access changes get code review.
Automated provisioningTerraform + TerramateMerging approved PRs triggers Terraform apply. No manual AWS console access needed.
Timely deprovisioningUser ManagementRemove user from users.yaml, open PR, merge. Access revoked across GitHub and AWS simultaneously.
Evidence artifacts:
  • Pull request history showing access change approvals
  • Git blame on users.yaml showing who approved each change
  • Terraform plan outputs showing exact access modifications

CC6.3 - Access Removal

The entity removes access to protected information assets when appropriate.
Control RequirementKube Starter Kit FeatureImplementation
Single source of truthUser ManagementOne file controls all access. Removing a user entry revokes GitHub org membership, team access, and AWS SSO access.
Audit trailGitOpsGit history provides immutable record of when access was removed and by whom.
No orphaned accessTerraform + TerramateTerraform manages state declaratively. Users not in users.yaml are removed on apply.
Evidence artifacts:
  • Git commits showing user removal
  • Terraform destroy plans for removed users
  • AWS CloudTrail logs showing SSO user deletion

CC6.6 - Protection Against Threats Outside System Boundaries

The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
Control RequirementKube Starter Kit FeatureImplementation
TLS encryptionKubernetes Baselinecert-manager automatically provisions and renews Let’s Encrypt certificates for all ingress endpoints.
No default credentialsKubernetes BaselineExternal Secrets pulls credentials from AWS Secrets Manager. No secrets in Git, no default passwords.
Network perimeter controlsAWS ArchitectureNLB with security groups controls inbound traffic. Private subnets prevent direct access to nodes.
Container vulnerability scanningImage ScanningDaily CVE scans against production images. SBOM generation for supply chain visibility.
Evidence artifacts:
  • cert-manager Certificate resources showing valid TLS
  • CVE scan reports from GitHub Actions
  • VPC security group configurations

CC6.7 - Transmission Encryption

The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes.
Control RequirementKube Starter Kit FeatureImplementation
Encryption in transitKubernetes BaselineAll external traffic terminates TLS at traefik. Internal cluster traffic uses Kubernetes network policies.
Automated certificate managementKubernetes Baselinecert-manager handles certificate lifecycle. No manual certificate handling or risk of expiration.
Evidence artifacts:
  • Ingress resources with TLS configuration
  • Certificate resources showing renewal history

CC6.8 - Malicious Software Prevention

The entity implements controls to prevent or detect and act on the introduction of unauthorized or malicious software.
Control RequirementKube Starter Kit FeatureImplementation
Container image scanningImage ScanningGrype scans all container images for known CVEs. Reports generated with severity breakdowns.
SBOM generationImage ScanningSyft generates Software Bill of Materials for each image. Enables tracking of vulnerable dependencies.
Immutable deploymentsCI/CD PipelineContainer images are tagged with version and commit hash. Tags are never overwritten.
Evidence artifacts:
  • CVE scan reports and SBOM artifacts
  • ECR image tags showing immutable versioning
  • GitHub Actions workflow runs

CC8.1 - Change Management

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.
Control RequirementKube Starter Kit FeatureImplementation
Change authorizationGitOpsAll changes require pull request approval. Branch protection enforces review requirements.
Change documentationGitOpsGit commits document what changed. PR descriptions explain why. Rendered manifests show exact Kubernetes changes.
Separation of environmentsAWS ArchitectureChanges deploy to staging first. Production deployment requires separate approval/promotion.
Automated testingCI/CD PipelineCI runs on every PR. Manifest validation ensures rendered output matches committed files.
Rollback capabilityGitOpsReverting a Git commit triggers ArgoCD rollback. Previous state is always recoverable.
Evidence artifacts:
  • Pull request history with approvals
  • Git diff showing exact changes per deployment
  • ArgoCD sync history showing deployments

CC8.2 - Infrastructure and Software Changes

The entity authorizes, documents, and implements changes to infrastructure and software.
Control RequirementKube Starter Kit FeatureImplementation
Infrastructure as CodeTerraform + TerramateAll AWS infrastructure defined in Terraform. Changes visible in PR diffs.
Change visibilityTerramateterraform plan output posted to PRs. Reviewers see exactly what will change before approval.
Drift detectionTerramateScheduled workflows detect infrastructure drift. Alerts when actual state differs from code.
Kubernetes changesGitOpsRendered manifests committed to Git. ArgoCD shows diff between desired and actual state.
Evidence artifacts:
  • Terraform plan outputs in PRs
  • Drift detection workflow results
  • ArgoCD application sync status

A1.1, A1.2 - Availability

The entity maintains, monitors, and evaluates current processing capacity and use of system components to support availability.
Control RequirementKube Starter Kit FeatureImplementation
Capacity managementKubernetes BaselineKarpenter auto-provisions nodes based on workload demand. Removes underutilized capacity automatically.
High availabilityAWS ArchitectureEKS spans 3 availability zones. Node failures don’t affect application availability.
ObservabilityKubernetes BaselineSigNoz provides metrics, logs, and traces. Enables monitoring of system health and performance.
Database resilienceKubernetes BaselineCloudNativePG provides automated failover for PostgreSQL. Backups to S3 enable point-in-time recovery.
Evidence artifacts:
  • Karpenter provisioner logs
  • SigNoz dashboards and alerts
  • CloudNativePG backup records

C1.1, C1.2 - Confidentiality

The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.
Control RequirementKube Starter Kit FeatureImplementation
Secrets managementKubernetes BaselineExternal Secrets syncs credentials from AWS Secrets Manager. Secrets never stored in Git.
Encryption at restAWS ArchitectureEBS volumes, S3 buckets, and Secrets Manager all encrypted with KMS by default.
Access to secretsKubernetes BaselinePod Identity provides scoped AWS credentials. Pods only access secrets they’re authorized for.
Evidence artifacts:
  • ExternalSecret resources (not containing actual secret values)
  • AWS Secrets Manager access logs
  • Pod Identity association configurations

Control Matrix Summary

SOC2 ControlPrimary FeatureEvidence Location
CC6.1 - Logical AccessUser Managementusers.yaml + Git history
CC6.2 - Access ProvisioningUser ManagementPull requests
CC6.3 - Access RemovalUser ManagementGit commits + Terraform state
CC6.6 - External ThreatsImage Scanning, TLSCVE reports, Certificates
CC6.7 - Transmission Encryptioncert-managerIngress TLS configs
CC6.8 - Malicious SoftwareImage ScanningSBOM + CVE reports
CC8.1 - Change ManagementGitOpsGit history + ArgoCD
CC8.2 - Infrastructure ChangesTerraform/TerramatePlan outputs + drift detection
A1.1/A1.2 - AvailabilityKarpenter, Multi-AZProvisioner logs, SigNoz
C1.1/C1.2 - ConfidentialityExternal SecretsSecrets Manager audit logs

Other Compliance Frameworks

The same technical controls that support SOC2 also map to other compliance frameworks:

HIPAA (Healthcare)

HIPAA RequirementKube Starter Kit Feature
Access Controls (§164.312(a)(1))User Management with RBAC
Audit Controls (§164.312(b))GitOps audit trail + CloudTrail
Transmission Security (§164.312(e)(1))TLS via cert-manager
Integrity Controls (§164.312(c)(1))Immutable container images

PCI-DSS (Payment Card)

PCI-DSS RequirementKube Starter Kit Feature
Req 1: Network SegmentationPrivate subnets, security groups
Req 2: Secure ConfigurationsInfrastructure as Code
Req 6: Secure DevelopmentCI/CD with vulnerability scanning
Req 7: Restrict AccessRBAC via User Management
Req 8: Identify UsersAWS IAM Identity Center
Req 10: Track AccessGit audit trail + CloudTrail

ISO 27001

ISO 27001 ControlKube Starter Kit Feature
A.9 Access ControlUser Management
A.12 Operations SecurityGitOps, CI/CD
A.14 System DevelopmentIaC, rendered manifests
A.16 Incident ManagementObservability (SigNoz)

Preparing for Audit

While Kube Starter Kit provides the technical controls, a SOC2 audit also requires:
  1. Policies and Procedures: Written documentation of your access control policy, change management process, incident response plan, etc.
  2. Evidence Collection: Regular exports of:
    • Git history for access changes
    • Terraform plan outputs
    • CVE scan reports
    • ArgoCD sync history
  3. Access Reviews: Periodic review of users.yaml to verify access is still appropriate.
  4. Risk Assessments: Documentation of how you triage and remediate CVE findings.
  5. Training Records: Evidence that team members understand security procedures.
Start early: Begin collecting evidence before your audit period. The Git-based workflow automatically creates an audit trail, but you’ll want to establish the rhythm of periodic reviews and documentation.