SOC 2 · PCI DSS · HIPAA · NIST 800-53 · CIS · FedRAMP · ISO 27001 · GDPR

Terraform Modules That Cannot Produce Non-Compliant Infrastructure

Make it impossible to deploy non-compliant resources. Preventive infrastructure-as-code controls, enforced at the module level, before terraform apply.

No credit card or AWS account needed to start.

From the team behind terraform-aws-modules — 2B+ provisions worldwide

If we were building governance from scratch today, your model is likely the direction we’d take.

VP of Engineering, Fortune 500 food & beverage company

Companies want to pay for a compliance accelerator.

Cloud Security Architect, enterprise consultancy

We spent 6 months building custom wrappers around terraform-aws-modules. compliance.tf does what we built, maintained by someone else.

Platform Engineering Lead, Series B fintech

Three Steps to Compliant Infrastructure

For terraform-aws-modules users, migration is a one-line change. Same workflow, same interface. Bringing your own modules? We can make those compliant too. Join the beta.

1. Change One Line

main.tf
module "s3" {
- source = "registry.terraform.io/..."
+ source = "soc2.compliance.tf/..."

  bucket = "awesome-docs"
}

2. Run Terraform Commands

terminal
$ terraform init
Initializing modules...
- module.s3 in soc2.compliance.tf/...
Terraform has been successfully initialized!
$ terraform apply
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

3. Compliance Enforced

CC6.1 · Versioning Enabled
CC6.1 · Default Encryption
CC6.1 · Public Access Blocked
CC6.1 · Object Lock Enabled
CC6.6 · SSL Requests Only
CC7.2 · Logging Enabled
CC7.2 · Event Notifications
CC7.2 · Lifecycle Policy

Every control the selected framework maps to the module is enforced by the module itself. Nothing to scan, nothing to remediate.

See Compliance.tf in Action

A quick walkthrough of how compliance.tf streamlines secure infrastructure delivery.

For Engineering, Platform, and SRE Teams

Same modules, same workflow. Compliance is already there.

34 AWS Modules, Ready to Use

Based on terraform-aws-modules — the same interface and variables you already use, with 30+ compliance frameworks enforced by default. Custom module support coming soon.

Zero Workflow Changes

Change one line in your module source. Run terraform init. That's it. No new CLI tools, no policy agents, no sidecars.

Controls You Can Override — With an Audit Trail

Need to disable object lock for a dev environment? Authorize the exception via query parameter. Every override is logged.

Runs in Any CI Pipeline

GitHub Actions, GitLab CI, Atlantis, Terraform Cloud — if it runs terraform init, it works. API tokens scoped per team and framework.

For CISOs, Compliance Leads, and GRC Teams

Controls that prevent non-compliance. Evidence your auditor already accepts.

One Subscription, 30+ Frameworks, Every Team

SOC 2, PCI DSS, HIPAA, NIST, CIS, FedRAMP, ISO 27001, GDPR, and more. Enforced by the module, not by a policy engine you maintain.

A Preventive Control, Not a Scanner

Unencrypted storage, public buckets, missing logging: the configuration failures that generate audit findings never reach production through a compliance.tf module. For the controls a module enforces, your CSPM has nothing to report on the resources it deployed.

SOC 2 Type II Certified

We have a valid SOC 2 Type II report, audited by Atom Assurance Services. Request access through our Trust Center.

Audit Evidence From Every Deployment

Each terraform apply generates control evidence through AWS Config and Audit Manager, the AWS-native tools your auditor already trusts. Evidence maps directly to framework clauses (SOC 2 CC6.1, PCI DSS 3.4.1, HIPAA §164.312). No war room. No evidence collection sprint.

Where Compliance.tf Fits in Your Compliance Stack

Compliance.tf handles the infrastructure configuration layer. Here is what it covers and what stays with your team.

Compliance.tf Handles

  • Module-level control enforcement (encryption, logging, access, versioning)
  • Framework-to-control mapping (SOC 2, PCI DSS, HIPAA, NIST, CIS, FedRAMP, ISO 27001, GDPR)
  • Deployment-time evidence generation via AWS-native tools
  • Upstream module updates (terraform-aws-modules kept in sync)
  • Exception management with audit trail
  • Control documentation and compliance mapping matrices

See which modules are covered

Your Team Still Owns

  • IAM policies and identity management
  • Network architecture and segmentation
  • Application-layer security
  • Runtime monitoring (GuardDuty, CloudTrail, SIEM)
  • Incident response procedures
  • Organizational policies, training, vendor management
  • Resources outside compliance.tf module coverage

Most teams pair compliance.tf with a GRC platform (Vanta, Drata, Sprinto) for organizational controls and a CSPM tool (Wiz, Prowler) for runtime monitoring. Compliance.tf is the infrastructure configuration layer in that stack.

We eliminate the infrastructure controls portion of SOC 2 preparation, typically 30–40% of audit findings. Your team focuses on organizational controls while compliance.tf handles the infrastructure layer.

Prevention vs. Detection: A Different Approach

Compliance.tf prevents non-compliant deployments. Scanning tools detect them after the fact. Most mature programs use both.

Dimension | IaC Scanning | Compliance.tf
--- | --- | ---
Prevents non-compliant configs before terraform apply | No (post-plan scan) | Yes
Keeps pace with upstream module updates | N/A | Yes
Maps controls to framework clause IDs | Partial | Yes
Produces auditor-accepted evidence (AWS-native) | Scan reports only | Yes
Exception management with audit trail | Suppression rules | Yes
Catches runtime drift / console changes | Yes | No
Covers non-Terraform resources | Yes | No
Internal engineering time | Medium | Low
Custom rule authoring | Scan-time checks only | Yes (scan, edit, enforce; Q2 2026)

We recommend keeping scanning tools active alongside compliance.tf for defense in depth. The scanner validates what compliance.tf already enforces.

Choose Your Plan

Start free. Lock in early access pricing before prices increase. Enterprise benefits included as they launch.

Free Trial

Get started with compliance automation

$0 / 30 days
  • All compliance frameworks
  • 1 AWS account
  • Compliant S3 bucket module
  • Email support
Pro (Most Popular)

Early access pricing — introductory rate for early adopters.

$100 / year
  • All compliance frameworks
  • Up to 5 AWS accounts
  • All Terraform AWS modules
  • Priority email support
  • Influence roadmap priorities
Buy with AWS

Custom

For organizations with advanced needs

Custom / contact sales
  • All compliance frameworks
  • Unlimited AWS accounts
  • All Terraform AWS modules
  • Priority email & Slack support
  • Custom module development
Contact Sales

Early access pricing locks in at $100/year. Standard pricing will increase soon.

Common Questions From Platform and Security Teams

How is this different from Checkov, Trivy, or Prowler?

Those tools are detective controls — they scan infrastructure after you write it and report findings you fix manually. compliance.tf is a preventive control. The modules themselves cannot produce non-compliant resources — there is nothing to scan, nothing to remediate.

Think of it this way: a scanner is a smoke detector. Compliance.tf is fireproof construction.

Most teams keep their scanners running alongside compliance.tf for defense in depth.

How is this different from OPA or Sentinel?

OPA and Sentinel are policy engines: you write rules in Rego or the Sentinel language, run the engine against every plan, and maintain those policies as your infrastructure changes. With compliance.tf, the controls are built into the modules themselves, so there is no policy to write and no engine to run. Many teams use both. compliance.tf handles framework-specific infrastructure controls (encryption, logging, access blocking, versioning) at the module level. OPA or Sentinel can check organizational policies (naming conventions, tagging standards, allowed regions) across the broader stack, but a policy engine can only reject a plan that violates a rule; it does not produce a compliant configuration. Starting Q2 2026, compliance.tf custom rules will scan, edit, and enforce those same policies directly in the modules.

Which Terraform modules are available today?

34 modules based on terraform-aws-modules, including S3, VPC, EKS, RDS, Lambda, ALB, DynamoDB, and more. Same variables, same outputs, same interface. See the full list with controls per framework.

Module versions track upstream terraform-aws-modules releases and publish within minutes. Pin versions with Terraform's standard version argument in the module block; ranges like ~> 4.0 work the same way as for any other module. Because new upstream releases publish automatically, a range constraint picks up upstream changes at the next terraform init, so pin an exact version where you need change control, and keep in mind that .terraform.lock.hcl records provider versions, not module versions.

If you need a module we do not support yet, contact us — custom module support is in beta.

Can I adopt this gradually, or is it all-or-nothing?

Fully incremental. Start with one module in one environment. Your existing modules continue working untouched. There is no global policy agent to deploy, no wrapper binary, no sidecar. Each module source line is independent.

Does changing the module source replace my existing resources?

No. Terraform tracks resources by their address in state (module path plus resource type and name), not by the module's source URL. Changing the source only changes where Terraform downloads the module code, so as long as the resource addresses inside the module match upstream, the same state entries keep applying. Run terraform plan after switching and read it before applying: resources that do not yet meet the controls (unversioned buckets, unencrypted storage) will show as in-place updates or new companion resources, and anything marked for replacement deserves a closer look before you proceed.
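As an added example (not compliance.tf tooling and not from the terraform-aws-modules project), the following script automates the plan review described above and, at the same time, checks the planned values for three of the S3 controls listed under "Compliance Enforced" (versioning, default encryption, public access block). It reads the JSON emitted by `terraform show -json`; SAMPLE_PLAN is a constructed, trimmed plan containing only the fields the script uses, with one module switched cleanly and one whose bucket is planned for replacement and still lacks controls. The module names, bucket names and the `check_plan.py` file name are assumptions for illustration.

```python
"""Post-switch plan review for S3 modules (added example, not compliance.tf's code).

Usage against a real plan (module/bucket names in SAMPLE_PLAN are made up):
    terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    python check_plan.py plan.json
"""
import json
import sys

PAB_KEYS = ("block_public_acls", "block_public_policy",
            "ignore_public_acls", "restrict_public_buckets")


def _rc(module, rtype, name, actions, after):
    """Build one resource_changes entry in the shape `terraform show -json` emits."""
    return {
        "address": f"{module}.{rtype}.{name}",
        "module_address": module,
        "type": rtype,
        "change": {"actions": actions, "after": after},
    }


# Constructed sample plan: "module.s3" was switched cleanly; "module.legacy"
# has a bucket planned for replacement and an open public access block.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        _rc("module.s3", "aws_s3_bucket", "this[0]", ["no-op"], {"bucket": "awesome-docs"}),
        _rc("module.s3", "aws_s3_bucket_versioning", "this[0]", ["create"],
            {"versioning_configuration": [{"status": "Enabled"}]}),
        _rc("module.s3", "aws_s3_bucket_server_side_encryption_configuration", "this[0]",
            ["create"], {"rule": [{"apply_server_side_encryption_by_default":
                                   [{"sse_algorithm": "aws:kms"}]}]}),
        _rc("module.s3", "aws_s3_bucket_public_access_block", "this[0]", ["update"],
            {k: True for k in PAB_KEYS}),
        # ["delete", "create"] is how a forced replacement appears in the plan.
        _rc("module.legacy", "aws_s3_bucket", "this[0]", ["delete", "create"],
            {"bucket": "legacy-docs"}),
        _rc("module.legacy", "aws_s3_bucket_public_access_block", "this[0]", ["no-op"],
            {k: False for k in PAB_KEYS}),
    ],
}


def replacements(plan):
    """Addresses the plan destroys or replaces. Any 'delete' in the action list
    means the existing object goes away, which for a bucket means data loss."""
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if "delete" in rc["change"]["actions"]]


def _after(rc):
    # 'after' is null for a pure delete; treat it as an empty configuration.
    return rc["change"].get("after") or {}


def _versioning_enabled(rc):
    cfg = _after(rc).get("versioning_configuration") or []
    return bool(cfg) and cfg[0].get("status") == "Enabled"


def _encryption_configured(rc):
    return bool(_after(rc).get("rule"))


def _public_access_blocked(rc):
    after = _after(rc)
    return all(after.get(k) is True for k in PAB_KEYS)


# control name -> (resource type that carries it, predicate over planned values)
CHECKS = {
    "versioning": ("aws_s3_bucket_versioning", _versioning_enabled),
    "encryption": ("aws_s3_bucket_server_side_encryption_configuration", _encryption_configured),
    "public_access_block": ("aws_s3_bucket_public_access_block", _public_access_blocked),
}


def bucket_gaps(plan):
    """For every module that still ends up with an aws_s3_bucket, list the
    controls not satisfied by any companion resource in that same module."""
    changes = plan.get("resource_changes", [])
    modules = sorted({rc.get("module_address", "") for rc in changes
                      if rc["type"] == "aws_s3_bucket"
                      and rc["change"]["actions"] != ["delete"]})
    gaps = {}
    for mod in modules:
        in_mod = [rc for rc in changes if rc.get("module_address", "") == mod]
        missing = [name for name, (rtype, ok) in CHECKS.items()
                   if not any(rc["type"] == rtype and ok(rc) for rc in in_mod)]
        if missing:
            gaps[mod] = missing
    return gaps


def main(argv):
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    for addr in replacements(plan):
        print(f"REPLACE/DESTROY: {addr}")
    for mod, missing in bucket_gaps(plan).items():
        print(f"GAP {mod or '(root)'}: {', '.join(missing)}")
    # Non-zero exit so a CI job fails when either question has a bad answer.
    return 1 if replacements(plan) or bucket_gaps(plan) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample: it reports the legacy bucket as a replacement and lists all three controls as gaps for module.legacy, while module.s3 produces no output. In a real pipeline the first check belongs in a job that blocks apply, since a replacement after a source switch usually means the module's internal resource addresses differ from what is in state.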

What does Compliance.tf cover vs. what do I still own?

We enforce controls at the Terraform module level — encryption, logging, versioning, access blocking for 34 AWS modules. You still own IAM policies, network architecture, application security, runtime monitoring, and incident response. We are transparent about this because compliance is a stack, not a single tool. We handle the infrastructure configuration layer.

What if I need to disable a control for a legitimate reason?

Disable specific controls via a query parameter in the module source. Every exception is logged with the control ID, who authorized it, and why. Your audit trail shows exactly which controls were overridden — the exact documentation auditors need during exception reviews.

Does this replace Vanta, Drata, or Sprinto?

No. We enforce controls inside Terraform modules. Your GRC platform tracks policies, collects evidence, and manages audit workflows. We feed evidence into your GRC platform, not the other way around.

Will my auditor accept this as evidence?

Your auditor does not need to trust compliance.tf directly. Evidence comes from AWS-native tools they already accept: AWS Config, Security Hub, and Audit Manager. We enforce controls at deploy time so those AWS tools report no findings for the controls a module enforces. We can also help you prepare downloadable control mapping matrices for your environments, the exact artifact auditors request.

How do I get started?

Click Start Free Trial and sign in — no AWS account or credit card required. Run terraform login compliance.tf, change your module source line, and run terraform init. 34 modules with compliance controls are available today. You can also subscribe directly through AWS Marketplace.

What if Compliance.tf shuts down or I want to leave?

Our modules are standard Terraform. Every module is a drop-in replacement for its upstream terraform-aws-modules equivalent (same variables, same outputs). To revert, change your module source line back to the upstream registry and run terraform init. Your infrastructure does not change. No lock-in, no proprietary state.

Stay Informed About New Features

Join the mailing list for releases, new modules, and roadmap updates. No spam. Unsubscribe anytime.

Not convinced yet or dying for a feature we don't have? Send us an email — we really want to hear your feedback!