Compliance
Granting access this way actively helps your compliance posture. Here is how it maps to the frameworks your auditors care about.
SOC 2
CC6 - Logical and Physical Access Controls
| Criteria | Requirement | How this satisfies it |
|---|---|---|
| CC6.1 | Logical access security measures | Roles are scoped by least privilege. Each CE role grants only what is needed. |
| CC6.2 | Prior to issuing credentials | No credentials are issued. Access is federated from CE's IdP with MFA enforced. |
| CC6.3 | Role-based access | CE-ReadOnly, CE-SRE, CE-DevOps, CE-Admin are distinct roles with defined scopes. |
| CC6.6 | Logical access restricted to authorized users | Trust policy requires ExternalId and MFA age check. Both are technical controls, not policies. |
| CC6.8 | Controls to prevent unauthorized access | Short-lived tokens (2-4h). No standing access. Delete the stack to revoke instantly. |
CC7 - System Operations
| Criteria | Requirement | How this satisfies it |
|---|---|---|
| CC7.2 | Monitor system components | Every API call appears in CloudTrail with the engineer's identity. |
| CC7.3 | Evaluate security events | CE-Admin assumption triggers an email alert to your security team in real time. |
CC9 - Risk Mitigation
| Criteria | Requirement | How this satisfies it |
|---|---|---|
| CC9.2 | Vendor and business partner risk | Access is scoped, auditable, time-limited, and revocable by deleting one CloudFormation stack. |
Evidence for auditors: The CloudFormation template, role trust policies, and CloudTrail logs together constitute evidence of CC6 and CC9.2 compliance. Export the stack template and 90 days of CloudTrail as your evidence package.
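The CC7.2 and CC7.3 rows above, and the evidence package this paragraph describes, rest on CloudTrail recording every AssumeRole into a CE-* role under the engineer's own identity. The script below is an added example of how to turn a CloudTrail log file into that evidence; it is not code from the original page or from continuous.engineering. It assumes the log-file layout CloudTrail writes to S3 (a top-level `Records` array) and that the stack's roles are all named `CE-*`; the records, account IDs, names, IP addresses and ExternalId inside `SAMPLE_TRAIL` are constructed placeholders, not real log data.

```python
import json

# Constructed CloudTrail records in the log-file format CloudTrail delivers to S3.
# All values (account IDs, identities, IPs, ExternalId) are made-up placeholders.
SAMPLE_TRAIL = {"Records": [
    {   # CE engineer assumes CE-SRE with MFA and the ExternalId: the expected path.
        "eventTime": "2024-05-01T09:12:04Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::999999999999:assumed-role/CE-SSO-Engineer/alice",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
        },
        "requestParameters": {
            "roleArn": "arn:aws:iam::111122223333:role/CE-SRE",
            "roleSessionName": "alice", "externalId": "EXAMPLE-EXTERNAL-ID",
            "durationSeconds": 7200,
        },
    },
    {   # CE-Admin attempt from a session without MFA: the trust policy denies it,
        # so CloudTrail records the attempt with an errorCode and no session issued.
        "eventTime": "2024-05-01T10:03:41Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "sourceIPAddress": "198.51.100.11", "errorCode": "AccessDenied",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::999999999999:assumed-role/CE-SSO-Engineer/bob",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        },
        "requestParameters": {
            "roleArn": "arn:aws:iam::111122223333:role/CE-Admin",
            "roleSessionName": "bob", "externalId": "EXAMPLE-EXTERNAL-ID",
            "durationSeconds": 3600,
        },
    },
    {   # One of your own roles, not a CE role: the filter must leave it out.
        "eventTime": "2024-05-01T11:00:00Z",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/CI/build"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/InternalDeploy",
                              "roleSessionName": "build", "durationSeconds": 3600},
    },
]}

CE_ROLE_PREFIX = ":role/CE-"      # the stack's roles are all named CE-* (assumption)
MAX_SESSION_SECONDS = 4 * 3600    # tokens expire in 2-4 hours, as the page states


def load_trail(path):
    """Read one CloudTrail log file (gunzip the .json.gz from S3 first)."""
    with open(path) as fh:
        return json.load(fh)


def ce_assumptions(trail):
    """Every AssumeRole call that targeted a CE-* role, whether it succeeded or was denied."""
    rows = []
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        params = rec.get("requestParameters") or {}
        role_arn = params.get("roleArn", "")
        if CE_ROLE_PREFIX not in role_arn:
            continue
        ident = rec.get("userIdentity") or {}
        attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
        rows.append({
            "time": rec.get("eventTime"),
            "role": role_arn.rsplit("/", 1)[-1],
            "engineer": ident.get("arn"),       # the individual ARN, not a shared identity
            "source_ip": rec.get("sourceIPAddress"),
            "mfa": attrs.get("mfaAuthenticated") == "true",
            "external_id": bool(params.get("externalId")),
            "duration_s": params.get("durationSeconds"),
            "denied": rec.get("errorCode") is not None,
        })
    return rows


def findings(rows):
    """Granted CE sessions that contradict the stated controls; expected to be empty."""
    out = []
    for r in rows:
        if r["denied"]:
            continue  # a denied attempt is the control working, not a finding
        if not r["mfa"]:
            out.append(f"{r['time']} {r['role']} assumed by {r['engineer']} without MFA")
        if not r["external_id"]:
            out.append(f"{r['time']} {r['role']} assumed by {r['engineer']} without ExternalId")
        if r["duration_s"] and r["duration_s"] > MAX_SESSION_SECONDS:
            out.append(f"{r['time']} {r['role']} session of {r['duration_s']}s exceeds 4h")
    return out


def summarize(rows):
    """The counts an auditor asks for: sessions granted, attempts denied, distinct identities."""
    granted = [r for r in rows if not r["denied"]]
    return {"granted": len(granted),
            "denied": sum(1 for r in rows if r["denied"]),
            "engineers": len({r["engineer"] for r in granted})}


if __name__ == "__main__":
    rows = ce_assumptions(SAMPLE_TRAIL)   # or ce_assumptions(load_trail("trail.json"))
    for r in rows:
        print(r)
    print(summarize(rows))
    print("findings:", findings(rows) or "none")
```

Run it over each decompressed log file for the 90-day window and keep the per-session rows as the CC7.2 evidence; the denied CE-Admin attempt in the sample is what the trust policy's MFA condition looks like from the log side, so leave such rows in the package rather than filtering them out.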
ISO 27001:2022
A.8 - Technological Controls
| Control | Requirement | How this satisfies it |
|---|---|---|
| A.8.2 | Privileged access rights | CE-Admin requires MFA within 1 hour and triggers an alert on every assumption. |
| A.8.5 | Secure authentication | MFA enforced at trust policy level. Technical control, not a policy. |
| A.8.15 | Logging | CloudTrail provides immutable logs of all API calls made by CE engineers. |
| A.8.18 | Use of privileged utility programs | SSM replaces SSH. No SSH daemon needs to be exposed. |
A.5 - Organizational Controls
| Control | Requirement | How this satisfies it |
|---|---|---|
| A.5.19 | Information security in supplier relationships | Access is scoped, auditable, and revocable. CE cannot access resources outside defined roles. |
| A.5.20 | Addressing security within supplier agreements | The role trust policy is the technical enforcement of the supplier agreement. |
HIPAA
For environments handling PHI (45 CFR Part 164):
Technical Safeguards (164.312)
| Safeguard | Requirement | How this satisfies it |
|---|---|---|
| 164.312(a)(2)(i) | Unique user identification | Every CE engineer has a unique SSO identity. CloudTrail logs show their individual ARN, not a shared identity. |
| 164.312(a)(2)(iii) | Automatic logoff | Session tokens expire automatically in 2-4 hours with no extension. |
| 164.312(b) | Audit controls | CloudTrail provides hardware, software, and procedural mechanisms to record activity. |
| 164.312(d) | Person or entity authentication | MFA enforced via trust policy. AWS rejects sessions without it. |
BAA
If CE engineers may encounter PHI during the engagement, ensure a Business Associate Agreement is in place with continuous.engineering before granting access. Contact hello@continuous.engineering.
PCI DSS v4.0
Requirement 7 - Restrict Access
| Requirement | How this satisfies it |
|---|---|
| 7.2 - Access control system | IAM roles are the access control system. Deny-by-default. |
| 7.2.4 - Review of user accounts | CE roles are reviewed by deleting and redeploying the stack. No dormant accounts accumulate. |
Requirement 8 - Authenticate Access
| Requirement | How this satisfies it |
|---|---|
| 8.2 - Unique IDs | Every CE engineer has a unique SSO identity. No shared accounts. |
| 8.3 - Strong authentication | MFA enforced at trust policy level. CE-Admin requires MFA within the last hour. |
Requirement 10 - Log and Monitor
| Requirement | How this satisfies it |
|---|---|
| 10.2 - Audit log implementation | CloudTrail captures all API activity including role assumptions, with timestamps and source IP. |
| 10.3 - Audit log protection | CloudTrail logs are written to S3. CE roles have no ability to delete log files. |
ISO 42001 (AI Management)
If CE is engaged for AI or ML work:
| Control | How this satisfies it |
|---|---|
| 6.1 - Risk assessment | Access to AI training data is scoped via CE-Data to explicitly tagged instances only. |
| 8.4 - Data governance | CE engineers can only access data resources you have explicitly tagged and granted. |
| 9.1 - Monitoring | CloudTrail provides a full audit record of all data access during the engagement. |
Evidence package for auditors
| Evidence | Where to find it |
|---|---|
| What roles were created and what they can do | CloudFormation stack template (this repo) |
| Every action taken by CE engineers | CloudTrail in your account |
| MFA and ExternalId enforcement | IAM role trust policies (view in IAM console) |
| Access revocation | CloudFormation stack deletion record |
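The "MFA and ExternalId enforcement" row points auditors at the role trust policies, and the SOC 2 CC6.6, ISO A.8.2 and PCI 8.3 rows above all depend on those conditions still being present. The checker below is an added example of how to verify that from the role definitions themselves rather than by eye; it is not code from the page or from continuous.engineering. It assumes the `Role` object shape that `aws iam get-role` prints (`RoleName`, `AssumeRolePolicyDocument`, `MaxSessionDuration`); `CE_ACCOUNT_ID` and `EXPECTED_EXTERNAL_ID` are placeholders you replace with your own values, and both sample roles are constructed, one with the controls the page describes and one with them weakened, to show what the check reports.

```python
import json
import urllib.parse

# Placeholders, not values from the page: CE's account ID and the ExternalId you
# chose when deploying the stack. Substitute your own before running against real roles.
CE_ACCOUNT_ID = "999999999999"
EXPECTED_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"
MFA_MAX_AGE_SECONDS = 3600              # CE-Admin: MFA within the last hour
SESSION_BOUNDS = (2 * 3600, 4 * 3600)   # session tokens live 2-4 hours


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition(stmt, operator, key):
    return ((stmt.get("Condition") or {}).get(operator) or {}).get(key)


def check_trust_policy(role_name, policy, max_session_seconds):
    """Return every way this role's trust policy falls short of the stated controls."""
    problems = []
    allow = [s for s in _as_list(policy.get("Statement"))
             if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allow:
        problems.append("no Allow statement for sts:AssumeRole")
    for stmt in allow:
        principal = stmt.get("Principal")
        principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        for p in principals:
            if p == "*" or CE_ACCOUNT_ID not in p:
                problems.append(f"principal {p!r} is not limited to the CE account")
        ext = _as_list(_condition(stmt, "StringEquals", "sts:ExternalId"))
        if not ext:
            problems.append("missing sts:ExternalId condition")
        elif EXPECTED_EXTERNAL_ID not in ext:
            problems.append("sts:ExternalId does not match the value you configured")
        mfa = _as_list(_condition(stmt, "Bool", "aws:MultiFactorAuthPresent"))
        if [str(v).lower() for v in mfa] != ["true"]:
            problems.append("MFA is not required (aws:MultiFactorAuthPresent)")
        if role_name == "CE-Admin":
            age = _condition(stmt, "NumericLessThan", "aws:MultiFactorAuthAge")
            if age is None or int(age) > MFA_MAX_AGE_SECONDS:
                problems.append("CE-Admin does not require MFA within the last hour")
    lo, hi = SESSION_BOUNDS
    if not lo <= max_session_seconds <= hi:
        problems.append(f"MaxSessionDuration {max_session_seconds}s is outside 2-4h")
    return problems


def check_role(role):
    """Accepts the 'Role' object as printed by `aws iam get-role` (or the raw API form)."""
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):   # the raw API returns it URL-encoded; the CLI decodes it
        doc = json.loads(urllib.parse.unquote(doc))
    return check_trust_policy(role["RoleName"], doc, role.get("MaxSessionDuration", 3600))


# Constructed CE-Admin role carrying every control the page describes.
HARDENED_ADMIN = {
    "RoleName": "CE-Admin", "MaxSessionDuration": 14400,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CE_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"},
            },
        }],
    },
}

# The same role after a hand edit: ExternalId and MFA-age conditions dropped and the
# session stretched to 12 hours. The checker must report all three.
WEAKENED_ADMIN = {
    "RoleName": "CE-Admin", "MaxSessionDuration": 43200,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CE_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
}

if __name__ == "__main__":
    for role in (HARDENED_ADMIN, WEAKENED_ADMIN):
        print(role["RoleName"], check_role(role) or "OK")
```

Feed it the output of `aws iam get-role --role-name CE-Admin` (and the other CE-* roles) after each stack deployment and whenever the stack drifts; an empty list for every role, kept alongside the exported template, is the trust-policy half of the evidence package.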
All of this lives in your AWS account. You own it. We cannot modify or delete it.