u/False-Character-1635

▲ 7 r/grc

I built a small prototype to reduce the manual overhead of access reviews.

What it does:

  • Pulls admin-level access from AWS IAM and GitHub
  • Generates a one-click review interface for control owners
  • Produces an evidence package (CSV + signed summary + audit trail)

Goal: eliminate screenshots, spreadsheets, and manual chasing.

This is not a product - just something I built to explore whether this can work in a real audit setting.

For those who’ve been through SOC 2 audits (especially CC6.1):

  • Would this kind of evidence be accepted?
  • Where would an auditor push back immediately?
  • What’s the minimum requirement I’m missing for this to be audit-ready? (immutability? reviewer identity? logging depth? etc.)
u/False-Character-1635 — 23 days ago
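Added example, not the poster's prototype and not code from any product: a stand-alone sketch of the evidence-package piece (CSV + signed summary + audit trail) that addresses the three points raised at the end of the post, reviewer identity, immutability and logging depth. It uses stdlib only. The entitlement rows and reviewer decisions are constructed sample data standing in for what an AWS IAM or GitHub collector would return; HMAC-SHA256 with a constructed key stands in for whatever signing scheme would back the "signed summary" (in practice the key belongs in a KMS/HSM the review tool can use but not read, so the tool cannot forge its own evidence). The audit trail is hash-chained so that editing, reordering or dropping any entry is detectable by anyone holding the signed head hash.

```python
import csv
import hashlib
import hmac
import io
import json
from copy import deepcopy

# Constructed sample: admin-level entitlements as a collector might return them.
# (A real collector would call AWS IAM and the GitHub API; none of that is here.)
ENTITLEMENTS = [
    {"source": "aws_iam", "principal": "alice", "entitlement": "AdministratorAccess", "scope": "account/111111111111"},
    {"source": "aws_iam", "principal": "ci-deploy", "entitlement": "AdministratorAccess", "scope": "account/111111111111"},
    {"source": "github", "principal": "bob", "entitlement": "org_admin", "scope": "org/example-org"},
]

# Constructed reviewer decisions: (principal, reviewer identity, decision, timestamp).
# Fixed timestamps keep the example deterministic.
DECISIONS = [
    ("alice", "carol@example.com", "approve", "2024-03-01T10:00:00Z"),
    ("ci-deploy", "carol@example.com", "revoke", "2024-03-01T10:02:00Z"),
    ("bob", "dave@example.com", "approve", "2024-03-01T11:15:00Z"),
]

# Constructed HMAC key standing in for a real signing key held in a KMS/HSM.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

CSV_FIELDS = ["source", "principal", "entitlement", "scope", "decision", "reviewer", "decided_at"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic JSON so the same content always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


GENESIS = sha256_hex(b"access-review-genesis")


def append_entry(entries, event, actor, payload, ts):
    """Append one hash-chained entry. Each entry commits to the previous hash,
    so editing, reordering or dropping any earlier entry breaks the chain."""
    prev = entries[-1]["hash"] if entries else GENESIS
    entry = {"seq": len(entries), "ts": ts, "event": event, "actor": actor,
             "payload": payload, "prev": prev}
    entry["hash"] = sha256_hex(canonical(entry))  # hash covers every field above
    entries.append(entry)
    return entry


def verify_chain(entries) -> bool:
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev"] != prev or sha256_hex(canonical(body)) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def build_package(entitlements, decisions):
    """Run the review over the sample data and return the evidence package:
    CSV bytes, a summary, an HMAC over the summary, and the audit trail."""
    trail = []
    # First entry pins a digest of the collected snapshot, so "the data looked
    # different at collection time" is a checkable claim rather than a debate.
    append_entry(trail, "collect", "collector",
                 {"count": len(entitlements), "snapshot_sha256": sha256_hex(canonical(entitlements))},
                 "2024-03-01T09:00:00Z")
    by_principal = {e["principal"]: dict(e) for e in entitlements}
    for principal, reviewer, decision, ts in decisions:
        by_principal[principal].update({"decision": decision, "reviewer": reviewer, "decided_at": ts})
        # Reviewer identity is recorded per decision, not just on the package.
        append_entry(trail, "decision", reviewer, {"principal": principal, "decision": decision}, ts)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(by_principal.values())
    csv_bytes = buf.getvalue().encode()
    counts = {}
    for _, _, decision, _ in decisions:
        counts[decision] = counts.get(decision, 0) + 1
    summary = {"csv_sha256": sha256_hex(csv_bytes), "trail_head": trail[-1]["hash"],
               "trail_length": len(trail), "counts": counts,
               "reviewers": sorted({d[1] for d in decisions})}
    signature = hmac.new(SIGNING_KEY, canonical(summary), hashlib.sha256).hexdigest()
    return {"csv": csv_bytes, "summary": summary, "signature": signature, "trail": trail}


def verify_package(pkg) -> bool:
    """What an auditor's script would check: signature over the summary, CSV
    digest matches the summary, trail intact and ending at the signed head."""
    expected = hmac.new(SIGNING_KEY, canonical(pkg["summary"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pkg["signature"]):
        return False
    if sha256_hex(pkg["csv"]) != pkg["summary"]["csv_sha256"]:
        return False
    trail = pkg["trail"]
    return (verify_chain(trail) and len(trail) == pkg["summary"]["trail_length"]
            and trail[-1]["hash"] == pkg["summary"]["trail_head"])


def tampered(pkg, mutate):
    """Return a copy of pkg with `mutate` applied, to show tampering is detected."""
    copy = deepcopy(pkg)
    mutate(copy)
    return copy


if __name__ == "__main__":
    pkg = build_package(ENTITLEMENTS, DECISIONS)
    print("intact:", verify_package(pkg))
    print("csv edited:", verify_package(tampered(pkg, lambda p: p.update(csv=p["csv"].replace(b"revoke", b"approve")))))
    print("trail actor edited:", verify_package(tampered(pkg, lambda p: p["trail"][2].update(actor="mallory"))))
```

The part this sketch does not solve is the one an auditor will ask about first: the tool that writes the trail also holds the signing key, so it proves integrity after signing, not honesty at signing time. Moving the key to a KMS, shipping the trail head to a write-once store (or a third party) as each review closes, and having reviewers authenticate through the IdP rather than typing a name, are the usual answers.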