Compliance Automation: SOC 2, PCI-DSS, and Audit Trails

Automate compliance evidence collection and continuous compliance monitoring for SOC 2, PCI-DSS, and other frameworks using policy-as-code.

published: March 25, 2026 reading time: 12 min read

Compliance audits used to mean months of document collection, spreadsheets, and fire drills. Teams would scramble before an audit, gathering evidence from dozens of systems, then forget about it until the next year. This approach is slow, error-prone, and expensive.

Policy-as-code changes this. Instead of collecting evidence manually, you define compliance requirements as code, run them continuously, and generate evidence automatically.

When to Use

InSpec vs. Cloud-Native Compliance Tools

Use InSpec when you need cross-cloud compliance checks, want to define compliance as code in a language developers understand, or need to audit both cloud and on-premises infrastructure from a single tool. InSpec works well when your compliance requirements span multiple cloud providers or include custom software running outside cloud environments.

Use cloud-native tools like AWS Security Hub, Azure Defender, or GCP Security Command Center when your entire infrastructure lives within one cloud provider and you want integrated findings alongside other security alerts. Cloud-native tools have faster setup but lock you to that provider.

For most teams: start with your cloud provider’s native compliance tools for initial coverage, then add InSpec for cross-cloud requirements and custom software audits.

SOC 2 vs. PCI-DSS vs. HIPAA

SOC 2 applies when you provide services to other businesses and want to demonstrate security controls. If you have enterprise customers, they will ask for a SOC 2 report. SOC 2 Type II audits operating effectiveness over time; Type I is a point-in-time snapshot.

PCI-DSS applies if you store, process, or transmit credit card data. Even if you use Stripe or another payment processor, you may still need PCI compliance depending on how you handle cardholder data. If you ever see raw card numbers, you are in scope.

HIPAA applies if you handle protected health information (PHI) in the US. Healthcare applications, wellness apps, and any company working with healthcare providers need HIPAA compliance.

Automating for SOC 2 covers most of PCI-DSS because both require access control, logging, encryption, and vulnerability management. HIPAA adds specific requirements around PHI handling and breach notification.

When to Automate vs. Manual Review

Automate everything that can be checked programmatically. Access controls, encryption settings, patch levels, logging enablement — these are all automatable. Manual review is appropriate for things that require human judgment: whether a developer actually needed the access they were granted, whether a risk acceptance is still valid, whether a control deficiency represents actual risk.

The exception process must be human-reviewed. Automating exception approval without human judgment defeats the purpose of compliance.

Continuous Compliance Monitoring

flowchart LR
    A[Policy-as-Code<br/>InSpec Profiles] --> B[CI/CD Pipeline<br/>Automated Scans]
    B --> C{Compliant?}
    C -->|No| D[Create Ticket<br/>Alert Team]
    C -->|Yes| E[Evidence<br/>Auto-Generated]
    E --> F[SIEM / Audit Log<br/>Archived]
    F --> G[Quarterly<br/>Access Review]
    G --> H[Findings<br/>Remediated]
    H --> A

The goal of continuous compliance is to always know your compliance posture, not just during audits. This requires running compliance checks as part of your normal operations.

Compliance Framework Overview

SOC 2 and PCI-DSS are the two most common frameworks for technology companies.

SOC 2 focuses on data security across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. It is a customer-facing audit that demonstrates you have controls in place.

PCI-DSS applies if you store, process, or transmit credit card data. It has 12 requirements covering network security, access control, and monitoring. Fines for non-compliance can be significant.

Both frameworks share common themes: access control, logging, encryption, and vulnerability management. Automating for one gets you most of the way toward the other.

Compliance Automation with InSpec

The goal of continuous compliance is to always know your compliance posture, not just during audits. This requires running compliance checks as part of your normal operations.

InSpec is a good tool for this:

# InSpec profile for SOC 2 Access Control
control 'access-control-1' do
  title 'Users are uniquely identified'
  desc 'Shared accounts are prohibited'
  impact 'high'

  describe command('aws iam list-users') do
    its('stdout') { should_not include '"UserName": "admin"' }
    its('stdout') { should_not include '"UserName": "root"' }
  end
end

control 'access-control-2' do
  title 'MFA is enabled for all users'
  impact 'critical'

  aws_iam_users.where { arn !~ /arn:aws:iam::\d+:user\/ops\// }.each do |user|
    describe user do
      it { should have_mfa_enabled }
    end
  end
end

Run InSpec against your infrastructure regularly, not just before audits:

# Run against AWS
aws profile=production inspec exec https://github.com/username/soc2-profile -t aws://

# Run in CI
docker run --rm -v ~/.aws:/root/.aws:ro \
  chef/inspec exec profile -t aws://production

Audit Log Requirements and Retention

Both SOC 2 and PCI-DSS require logging of security events. The specifics vary, but the common requirements:

Authentication attempts (success and failure)
Authorization decisions (access granted or denied)
Administrative actions (changes to users, roles, permissions)
Data access (read/write operations on sensitive data)
System events (startup, shutdown, errors)

Retention requirements: SOC 2 typically requires 12 months of logs readily available, with longer retention for historical analysis. PCI-DSS requires 12 months of audit trail history and 3 months of immediately accessible logs.

Cloud logging makes this manageable:

# AWS CloudTrail - already captures API calls across your account
aws cloudtrail create-trail \
  --name production-trail \
  --s3-bucket-name my-trail-bucket \
  --is-multi-region-trail

# Ensure encryption
aws cloudtrail update-trail \
  --name production-trail \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/abc123

Set up log aggregation to a central location with appropriate access controls. Engineers should not be able to modify or delete logs.

Policy-Based Access Certification

Access certification means periodically reviewing who has access to what and confirming that access is still appropriate. Manual certification is slow and error-prone.

Automate the collection:

# Example: quarterly access review automation
import boto3
from datetime import datetime, timedelta

def get_access_review_report():
    iam = boto3.client('iam')
    users = iam.list_users()['Users']

    report = []
    for user in users:
        # Get last activity
        last_activity = get_last_console_login(user['UserName'])
        last_mfa_used = get_last_mfa_use(user['UserName'])

        # Flag inactive users
        if last_activity and (datetime.now() - last_activity) > timedelta(days=90):
            report.append({
                'user': user['UserName'],
                'status': 'INACTIVE',
                'days_since_login': (datetime.now() - last_activity).days,
                'action': 'REMOVE_ACCESS'
            })

    return report

def get_last_console_login(username):
    # Query CloudTrail for last login
    cloudtrail = boto3.client('cloudtrail')
    events = cloudtrail.lookup_uptime(
        LookupAttributes=[{
            'AttributeKey': 'Username',
            'AttributeValue': username
        }],
        EventName='ConsoleLogin',
        MaxResults=1
    )
    # Return last login time

For PCI-DSS, access review must happen quarterly. For SOC 2, annual is typical, but quarterly is better practice.

Evidence Collection Automation

The tedious part of audits is evidence collection. Policy-as-code lets you generate evidence on demand.

#!/bin/bash
# evidence-collection.sh - Generate compliance evidence

DATE=$(date +%Y-%m-%d)

# Evidence 1: MFA is enabled for all users
echo "=== MFA Compliance Evidence ===" > evidence/${DATE}/mfa-compliance.txt
aws iam get-account-summary | jq '.SummaryMap | to_entries[] | select(.key | contains("AccountMFAEnabled"))' >> evidence/${DATE}/mfa-compliance.txt

# Evidence 2: Encryption at rest
echo "=== EBS Encryption Evidence ===" > evidence/${DATE}/ebs-encryption.txt
aws ec2 describe-volumes --filters Name=encrypted,Values=false --query 'Volumes[].VolumeId' >> evidence/${DATE}/ebs-encryption.txt

# Evidence 3: Security patches
echo "=== Patch Status ===" > evidence/${DATE}/patch-compliance.txt
aws ssm describe-instance-patch-states --query 'PatchStates[?PatchGroup==`production`]' >> evidence/${DATE}/patch-compliance.txt

This script runs weekly via EventBridge. When auditors ask for evidence, you generate a report in minutes.

Handling Compliance Violations

Violations will happen. When they do, how you respond matters as much as the violation itself.

Document the violation and your response:

## Compliance Violation Record

**Date:** 2026-03-15
**Framework:** SOC 2 CC6.1
**Description:** MFA was not enabled for a service account used in the CI pipeline
**Detected by:** Automated InSpec check
**Severity:** Medium
**Status:** Remediated

**Root Cause:** The account was created before MFA enforcement was added to our IAM policy

**Remediation:**

1. Enabled MFA on the service account
2. Updated IAM policy to require MFA for all human users
3. Added pre-commit hook to prevent creation of users without MFA

**Evidence:** [Link to screenshots, command output]

Some violations require notification to customers or regulators. Understand your obligations before you need to know them.

Production Failure Scenarios

Failure	Impact	Mitigation
InSpec check failing on legitimate configuration change	CI pipeline breaks, deployment blocked, team scrambled to understand why	Write InSpec rules with comments explaining the business reason, use exceptions for approved deviations, test rules in staging first
CloudTrail not capturing required events due to misconfigured trail	Audit evidence missing, compliance gap discovered during audit	Enable CloudTrail across all regions, use AWS Config to monitor trail configuration, alert on trail deletion or modification
Access review script false positives causing unnecessary access revocation	Developer loses production access during critical incident, services affected	Run access review scripts in report-only mode for one cycle before enforcing, have a fast re-grant process ready
Audit log retention policy causing compliance violation	Logs deleted before retention period, regulatory violation	Set retention policies to the longest requirement across all frameworks you comply with, use S3 Object Lock (WORM) for critical logs

Compliance Automation Trade-offs

Scenario	InSpec	Cloud-Native (Security Hub, Defender)
Cross-cloud support	Yes	No (single provider)
Setup effort	Higher	Lower
Custom rules	Yes (Ruby)	Limited
Native AWS integration	Via AWS profile	Native
Cost	Free (open source)	Cloud provider pricing

Scenario	Manual Evidence Collection	Automated Evidence
Audit preparation time	Weeks	Minutes
Human error risk	High	Low
Consistency	Varies by auditor	Same every time
Scalability	Poor	Scales with infrastructure
Cost	High (labor)	Low (automation)

Scenario	SOC 2 Type I	SOC 2 Type II
Audit duration	Shorter	Longer
Cost	Lower	Higher
Assurance level	Point-in-time	Over time period
Customer confidence	Basic	Higher
Best for	New organizations	Established organizations

Compliance Observability

Monitor the ratio of passing to failing controls over time. A compliance score that never moves is either a very well-run environment or a sign that your checks are not finding real problems. I have seen both.

Feed InSpec scan results into your metrics pipeline. Track failures by category (access control, encryption, logging) to find patterns. When access control failures spike after a deployment, investigate before your next audit.

For cloud-native tools, watch for sudden spikes in high-severity findings. Usually this means someone pushed a misconfigured resource. Catch it in CI, not in the audit.

Set alerts on log storage utilization. Running out of storage mid-year means you cannot keep the logs you are required to store.

Key commands:

# Run InSpec and output JSON for metrics
inspec exec profile -t aws://production --reporter json > inspec-results.json

# Count failing controls by severity
jq '[.controls[] | select(.status == "failed") | .impact] | group_by(.) | map({impact: .[0], count: length})' inspec-results.json

# Check AWS Security Hub findings by severity
aws securityhub get-findings --filters '{"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}]}'

# Verify CloudTrail is capturing events in all regions
aws cloudtrail describe-trails --query 'trailList[?IsMultiRegionTrail==`true` && !contains(Name, `aws-org`)]'

# Check log retention for CloudWatch log group
aws logs describe-log-groups --query 'logGroups[?retentionInDays!=null]'

Common Anti-Patterns

Only running compliance checks before an audit. This is the most common mistake. By the time you run checks, it is too late to fix anything meaningful. Compliance checks should run continuously in CI/CD, not as a pre-audit exercise.

No defined exception process. Every organization has controls that are technically violated for legitimate business reasons. Without a documented exception process, these violations accumulate and create the false impression of non-compliance. Define exceptions in writing, set review dates, and track when they expire.

Treating compliance as a one-time project. Compliance is ongoing. After an audit, teams often stop running the checks. Set up automated monitoring so compliance remains continuous between audits.

Using compliance as a security substitute. Passing InSpec scans does not mean your environment is secure. Compliance checks verify that specific controls are in place; they do not test whether those controls actually prevent attacks. Use compliance for audit readiness and security monitoring for actual threat detection.

Ignoring false positives. When InSpec rules fire on legitimate configurations, teams start ignoring the alerts. Fix or tune the rules so alerts remain meaningful. Alerts that fire constantly are alerts that nobody reads.

Quick Recap

Key Takeaways

Automate compliance checks and run them continuously, not just before audits
SOC 2 and PCI-DSS share common controls; automating for one covers much of the other
InSpec works cross-cloud; cloud-native tools are faster to set up but single-provider only
Exception processes must be documented and reviewed periodically
Compliance is not security: use both compliance automation and security monitoring

Compliance Automation Checklist

# 1. Install InSpec and create your first profile
gem install inspec
inspec init profile --platform aws

# 2. Map your controls to compliance framework requirements
# SOC 2 CC6.1 → InSpec control access-control-001

# 3. Add InSpec to CI/CD pipeline
# inspec exec profile -t aws://production --reporter json

# 4. Enable CloudTrail in all regions
aws cloudtrail create-trail --name production-trail --s3-bucket-name my-trail-bucket --is-multi-region-trail

# 5. Configure log retention (longest requirement across all frameworks)
aws logs put-retention-policy --log-group-name /aws/cloudtrail/* --retention-in-days 2555

# 6. Set up automated evidence collection
# evidence-collection.sh runs weekly via EventBridge

# 7. Document your exception process
# exceptions.yaml reviewed quarterly

Conclusion

Compliance automation is not about making audits easier. It is about making compliance part of your normal operations. Run checks continuously, automate evidence collection, and respond to violations systematically.

The payoff is significant: lower audit costs, faster onboarding for new customers, and perhaps most importantly, actual security improvements, not just checkbox compliance.