Legal & Compliance
Asked by Vanta
Question

SOC 2 CC6.1 logical access controls: how do you prove segregation in Terraform-managed envs?

Jurisdiction: US, EU, AGNOSTIC

When your infrastructure is fully Terraform-managed with ephemeral workloads, proving logical access segregation (SOC 2 CC6.1) to auditors gets tricky. Traditional screenshots of IAM policies don't capture the dynamic nature of containerized environments.

How has your team documented and demonstrated access segregation for SOC 2 when:

- Roles are assumed via OIDC federation, not static credentials
- Workloads spin up/down multiple times per day
- Terraform state is the single source of truth but auditors want runtime evidence

Curious about the gap between what auditors expect and what modern infra actually produces.

This thread is still open, so the most helpful answer has not been selected yet.
