How to Pass SOC 2 CC6 Privileged Access Controls — A Practical Guide
SOC 2 Type II readiness is a marathon. Most organizations get through the policy documentation, the vendor risk questionnaires, and the network segmentation diagrams without too much pain. Then they hit CC6 — Logical and Physical Access Controls — and the audit gets difficult.
CC6 is where auditors spend the most time and where companies most often receive exceptions. It covers who has access to your systems, how that access is controlled, how it is monitored, and how it is reviewed. If your privileged access management answer is "we use VPN plus RDP with shared admin credentials," you are not going to pass.
Here is exactly what CC6 requires, what auditors ask for, and how to produce the evidence.
CC6.1, CC6.2, CC6.3, CC6.6 — What Each Requires in Plain English
CC6.1 — Logical Access Security
The requirement: logical access to your systems, infrastructure, and data is restricted to authorized users.
In practice, this means:
- Every user who accesses a production system has a documented reason for that access
- Access is provisioned through a defined process (not ad hoc)
- Access is removed promptly when a user leaves or changes roles
- Privileged access (admin, root, DBA) is tracked separately and held to a higher standard
The evidence auditors want: a complete inventory of who has privileged access to what, how it was provisioned, and when it was last reviewed.
CC6.2 — Identification and Authentication
The requirement: users are authenticated before accessing systems, and authentication is sufficiently strong for the sensitivity of the resource.
In practice, this means:
- MFA is required on all accounts with privileged access
- Passwords meet complexity and rotation requirements
- Shared accounts (shared
Administrator, sharedroot) are eliminated or tightly controlled - Service accounts are inventoried and access is reviewed
The evidence auditors want: MFA enrollment screenshots, account inventory exports, evidence that shared admin accounts have been eliminated or have compensating controls.
CC6.3 — Access Removal
The requirement: access is removed when it is no longer needed (termination, role change, project end).
In practice, this means:
- You have a documented offboarding process that includes revoking privileged access
- Access revocation happens within a defined timeframe (24-48 hours for production access)
- You can demonstrate that terminated users no longer have active sessions or credentials
The evidence auditors want: offboarding tickets showing access revocation steps, before/after screenshots of access rights.
CC6.6 — Logical Access Restrictions
The requirement: transmission of data is encrypted, and logical access restrictions are in place to prevent unauthorized access.
In practice, this means:
- All administrative connections are encrypted in transit
- Access to sensitive systems is restricted to authorized endpoints or networks
- Session activity is monitored and logged
The evidence auditors want: network diagrams showing encrypted channels, session logs showing administrative activity.
What Auditors Actually Ask For
When a SOC 2 auditor examines CC6, they typically request the following evidence:
For CC6.1 (access inventory):
- Spreadsheet or system export showing all users with privileged access, the systems they can access, and the business justification
- Evidence that access was approved (email, ticket, approval workflow screenshot)
- Access review records showing quarterly or annual recertification
For CC6.2 (authentication):
- Screenshot of MFA enrollment for administrative accounts
- Password policy documentation and evidence it is enforced
- List of service accounts and evidence of inventory
For CC6.3 (access removal):
- Sample offboarding tickets (typically 3-5 examples from the audit period)
- Evidence that privileged access was revoked within SLA
- HR system integration or manual verification records
For CC6.6 (session monitoring):
- Session logs showing administrative activity (who logged in, when, to what system, what they did)
- Evidence that sessions are recorded
- Network diagram showing encryption in transit
The evidence must cover the full audit period (typically 12 months for a Type II audit). Auditors will sample events across that period — you cannot rely on evidence from the last two weeks before audit fieldwork.
Common CC6 Failures and How to Avoid Them
Shared admin credentials
The most common CC6 finding. "We use the shared Administrator account because some systems don't support individual accounts" is not an acceptable control. VaultPAM solves this: users connect through brokered sessions without receiving the credential. The vault holds the password; audit logs show exactly which user initiated each session.
MFA not enforced on all privileged accounts Organizations often have MFA on their corporate email but not on direct server access (RDP, SSH). Auditors check this specifically. Every privileged session must require MFA.
No access review evidence Many organizations conduct access reviews informally. Auditors want documented evidence: who reviewed, what was reviewed, when, and what actions were taken. "We did a review in Q3" without a ticket, spreadsheet, or report is not evidence.
Access not revoked promptly The gap between an employee leaving and their access being revoked is a recurring finding. If your offboarding process takes a week, and privileged access is included in that same queue, you have a CC6.3 problem.
Session logs that are incomplete or inaccessible Retaining session logs is only half the answer. Auditors want to see that you can retrieve specific events and that the logs are complete and tamper-evident. Logs in disparate silos (Windows Event Log on each server, SSH auth logs on each Linux box) without central aggregation are difficult to present as evidence.
How VaultPAM Produces Audit-Ready CC6 Evidence Automatically
VaultPAM is designed around the assumption that your auditor is reading over your shoulder. The evidence it produces maps directly to what CC6 requires:
| CC6 Control | What VaultPAM Produces |
|---|---|
| CC6.1 — access inventory | Complete report of all users, target systems, access policies, and approvals — exportable as CSV or accessible via API |
| CC6.2 — MFA enforcement | TOTP and WebAuthn enforced at session level — every privileged session requires authentication; MFA enrollment status visible in admin dashboard |
| CC6.2 — no shared credentials | Session brokering — users access targets without receiving passwords; the vault holds the credential, not the user |
| CC6.3 — access removal | Revoking a user in VaultPAM immediately terminates their ability to initiate new sessions; active sessions can be force-terminated |
| CC6.6 — session monitoring | Full session recording (video + activity log) for every RDP, SSH, VNC, and HTTP session; tamper-proof via BLAKE3 hash chain; searchable by user, target, and time range |
| CC6.6 — encryption in transit | All sessions brokered over mTLS; no direct inbound ports on target systems |
The access review process is supported by VaultPAM's audit log exports: you can produce a complete report of every privileged session in the last quarter, sorted by user and target, in minutes. Present that to your auditor alongside the access policy configuration and the MFA enrollment screenshot — that is your CC6 evidence package.
Building toward SOC 2 Type II readiness? VaultPAM produces audit-ready evidence for CC6 controls automatically — session recordings, access logs, MFA enforcement, and policy configuration are all reportable from a single dashboard.
Download our SOC 2 compliance summary for a complete mapping of VaultPAM controls to SOC 2 Trust Service Criteria.