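# =============================================================================
# SOC2 Type II Compliance Controls Mapping
# =============================================================================
# Maps platform components to SOC2 trust service criteria.
#
# Schema (per control ID under `controls`):
#   description    - short label for the criterion as this platform reads it
#   implemented_by - repository paths of the components that satisfy it
#   evidence       - artifacts that can be produced for an auditor
#
# NOTE(review): the CC numbering below does not line up with the 2017 AICPA
# TSC in every case (there, CC7 is "System Operations" and the availability
# criteria are the A1.x series; CC9 is "Risk Mitigation", with confidentiality
# under C1.x). Confirm the IDs against the TSC version in scope for the audit
# before this file drives evidence collection.
---
controls:
  # --- CC6: Security ---
  CC6.1:
    description: "Logical and physical access controls"
    implemented_by:
      - terraform/modules/iam  # IAM roles with MFA requirement
      - terraform/modules/vpc  # VPC isolation, flow logs
      - k8s/base/rbac  # Kubernetes RBAC
      - k8s/base/network-policies  # Network segmentation
    evidence:
      - IAM access logs (CloudTrail)
      - VPC flow logs (S3)
      - RBAC audit logs (EKS)

  CC6.2:
    description: "Authentication and authorization"
    implemented_by:
      - k8s/manifests/external-secrets  # OIDC-based secret access
      - terraform/modules/iam  # MFA enforcement
    evidence:
      - OIDC token audit logs
      - MFA configuration records

  CC6.3:
    description: "Encryption of data at rest"
    implemented_by:
      - terraform/modules/kms  # KMS key rotation
      - terraform/modules/rds  # RDS encryption
      - terraform/modules/s3  # S3 SSE-KMS
      # NOTE(review): envelope encryption of Kubernetes Secrets is a
      # cluster-level KMS setting rather than something external-secrets
      # provides; this entry may belong with the eks/kms modules - confirm.
      - k8s/manifests/external-secrets  # EKS secret encryption
    evidence:
      - KMS key rotation logs
      - RDS encryption config
      - S3 bucket policies

  CC6.6:
    description: "Encryption of data in transit"
    implemented_by:
      - k8s/manifests/istio  # mTLS enforcement
      - k8s/manifests/cert-manager  # TLS cert automation
    evidence:
      - mTLS policy (PeerAuthentication)
      - Certificate issuance logs

  CC6.8:
    description: "Vulnerability management"
    implemented_by:
      - k8s/manifests/trivy-operator  # Continuous scanning
      - security/trivy  # Image scanning
      - ci-cd/github-actions  # Pipeline scanning
    evidence:
      - Trivy scan reports
      # Presumes remediation SLAs per severity are defined somewhere citable.
      - CVE remediation SLA tracking

  # --- CC7: Availability ---
  CC7.1:
    description: "System availability monitoring"
    implemented_by:
      - monitoring/prometheus  # Alerting rules
      - monitoring/grafana  # Dashboards
      - monitoring/otel  # Distributed tracing
    evidence:
      - Uptime SLO reports
      - Incident post-mortems

  CC7.2:
    description: "Disaster recovery"
    implemented_by:
      - terraform/modules/rds  # Multi-AZ RDS
      - terraform/modules/eks  # Multi-AZ EKS
    evidence:
      - DR test results (quarterly)
      - RTO/RPO measurements

  # --- CC8: Processing Integrity ---
  CC8.1:
    description: "Change management"
    implemented_by:
      - k8s/manifests/argo-cd  # GitOps deployments
      - ci-cd/github-actions  # CI/CD pipeline
    evidence:
      - PR approval records
      - Deployment audit trail

  # --- CC9: Confidentiality ---
  CC9.1:
    description: "Data classification and handling"
    implemented_by:
      - k8s/manifests/external-secrets  # Secrets management
      - k8s/manifests/kyverno  # Policy enforcement
    evidence:
      - Data classification policy
      - Secret rotation logs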