How is this different from OPA or Sentinel?

OPA and Sentinel are policy engines where you write rules in Rego or Sentinel language. With compliance.tf, compliance controls are pre-built into the modules — no policy authoring or engine deployment needed. Many teams use both. Starting Q2 2026, compliance.tf custom rules can scan, edit, and enforce organizational policies directly in the modules.

Which Terraform modules are available today?

34 modules based on terraform-aws-modules, including S3, VPC, EKS, RDS, Lambda, ALB, DynamoDB, and more. Same variables, same outputs, same interface. Custom module support is in beta.

Does this work with OpenTofu, Terragrunt, or Terramate?

Yes. Our registry uses the standard Terraform module protocol, which OpenTofu supports natively. Run tofu login registry.compliance.tf instead of terraform login and everything else works the same way. Terragrunt and Terramate orchestrate runs without changing how modules are resolved, so they work out of the box.

What does Compliance.tf cover vs. what do I still own?

We enforce controls at the Terraform module level — encryption, logging, versioning, access blocking for 34 AWS modules. You still own IAM policies, network architecture, application security, runtime monitoring, and incident response.

What if I need to disable a control for a legitimate reason?

Disable specific controls via a query parameter in the module source. Every exception is logged with the control ID, who authorized it, and why.

Does this replace Vanta, Drata, or Sprinto?

No. We enforce controls inside Terraform modules. Your GRC platform tracks policies, collects evidence, and manages audit workflows. We feed evidence into your GRC platform, not the other way around.

How do I get started?

Sign up at compliance.tf — no AWS account or credit card required. Run terraform login registry.compliance.tf, change your module source line, and run terraform init. If you use OpenTofu, run tofu login registry.compliance.tf instead. You can also subscribe through AWS Marketplace.

What if Compliance.tf shuts down or I want to leave?

Our modules are standard Terraform. They work with Terraform, OpenTofu, Terragrunt, Terramate, and any tool that speaks the Terraform module protocol. Every module is a drop-in replacement for upstream terraform-aws-modules (same variables, same outputs). Change your module source back and run terraform init. No lock-in, no proprietary state.

CIS Compliant Terraform Modules
Enforced Before `terraform apply`

Level 1 and Level 2 Benchmark recommendations for AWS, enforced at the module level. Identity controls, logging, monitoring, and storage security in every Terraform resource.

CIS Benchmarks are a prescriptive baseline when you want concrete security recommendations without a specific industry mandate. Many teams start here and map upward to SOC 2 or NIST when audits come.

123

Controls

Recommendations

AWS Modules

Start Free Trial View All Controls

No credit card or AWS account needed to start.

From the team behind terraform-aws-modules. 2B+ provisions worldwide.

General · IAM · CloudWatch Logs · CloudTrail · VPC · RDS|SOC 2 Type II Certified|Available on AWS Marketplace

Three Steps to CIS Compliant Infrastructure

For terraform-aws-modules users, migration is a one-line change. Same workflow, same interface. Bringing your own modules? We can make those compliant too. Join the beta.

Change One Line

main.tf

module "s3" {
- source = "registry.terraform.io/..."
+ source = "cis.compliance.tf/..."
 
  bucket = "awesome-docs"
}

Run Terraform Commands

terminal

$ terraform init
Initializing modules...
- module.s3 in cis.compliance.tf/...
Terraform has been successfully initialized!
$ terraform apply
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Compliance Enforced

2.1.1 · S3 Default Encryption

2.1.2 · S3 SSL Requests Only

2.1.4 · S3 Public Access Blocked

3.1 · CloudTrail Enabled

3.4 · CloudTrail Log Validation

3.7 · CloudTrail KMS Encryption

2.2 · Security Contact Registered

2.4 · Root MFA Enabled

Every compliance requirement you define is enforced automatically. Nothing to scan, nothing to remediate.

Controls Enforced for CIS

123 controls across 62 recommendations and AWS services

Enforced (13)Detected (50)

2.1 Maintain current contact details
2.20 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments

Additional Controls

60 additional controls enforced for CIS

Enforced (0)Detected (60)

View full control documentation with implementation details

View CIS reference documentation

CIS Scope: What We Handle vs. What You Own

compliance.tf handles the infrastructure configuration layer for CIS. Here is what it covers and what stays with your team.

compliance.tf Enforces for CIS

CIS Benchmark Level 1 and Level 2 infrastructure controls
CIS AWS Foundations Benchmark v6.0 recommendation mapping
Deployment-time evidence generation via AWS-native tools
Upstream module updates (terraform-aws-modules kept in sync)
Exception management with audit trail
Control documentation and benchmark mapping matrices

See which modules are covered

View CIS reference documentation

Your Team Still Handles for CIS

Network monitoring and VPC flow log analysis
Malware defense and endpoint protection
Data recovery testing and validation procedures
Security awareness and skills training
Audit log monitoring and alerting configuration
Account and identity management policies
Penetration testing and vulnerability assessments

compliance.tf enforces the CIS Benchmark recommendations that map to AWS resource configuration. Operational recommendations around monitoring, alerting, and access review processes remain your team's responsibility.

CIS Audit Evidence, Generated Automatically

Your auditor does not need to trust compliance.tf. Evidence comes from AWS-native tools they already accept.

Evidence your auditor already trusts

Every compliance.tf module enforces controls at deploy time. When AWS Config, Security Hub, or Audit Manager evaluates your resources, they report clean findings because the controls are built into the modules, not bolted on after the fact.

AWS Config rules validate resource configuration continuously
Security Hub aggregates findings across accounts and regions
Audit Manager generates assessment reports mapped to CIS
Downloadable control mapping matrices for your auditor

evidence.json

{
    "framework": "CIS",
    "clause": "2.1.1",
    "control": "s3_bucket_default_encryption_enabled",
   "status": "COMPLIANT",
    "source": "AWS Config",
    "resource": "arn:aws:s3:::awesome-docs",
    "evaluated": "2026-03-04T10:30:00Z"
}

Prevention vs. Detection for CIS

compliance.tf prevents non-compliant deployments. Scanning tools detect them after the fact. Most mature programs use both.

Dimension	IaC Scanning Checkov / Trivy / Prowler	compliance.tf
Prevents non-compliant configs before terraform apply	No (post-plan scan)	Yes
Maps controls to framework clause IDs	Partial	Yes
Produces auditor-accepted evidence (AWS-native)	Scan reports only	Yes
Exception management with audit trail	Suppression rules	Yes
Same interface as terraform-aws-modules	N/A	Yes
Keeps pace with upstream module updates	N/A	Yes
Catches runtime drift / console changes	Yes	No
Covers non-Terraform resources	Yes	No
Internal engineering time	Medium	Low

We recommend keeping scanning tools active alongside compliance.tf for defense in depth. The scanner validates what compliance.tf already enforces.

CIS Compliance Questions

Which CIS Benchmark version is supported?

compliance.tf maps controls to CIS Amazon Web Services Foundations Benchmark v6.0, the latest version. We also maintain mappings for v5.0 and v1.4.0 for teams that reference older benchmark versions. The module registry subdomain cis.compliance.tf serves the v1.4.0 mappings by default; use cisv600.compliance.tf for v6.0-specific modules.

Does this cover Level 1 and Level 2?

Yes, compliance.tf enforces both Level 1 (essential security) and Level 2 (defense-in-depth) recommendations where they map to infrastructure configuration. Some Level 2 recommendations are operational (monitoring review processes, log analysis) and remain your team's responsibility.

How is this different from Checkov, Trivy, or Prowler?

Those tools are detective controls. They scan infrastructure after you write it and report findings you fix manually. compliance.tf is a preventive control. The modules themselves cannot produce non-compliant resources. There is nothing to scan, nothing to remediate. Most teams keep their scanners running alongside compliance.tf for defense in depth.

Can I adopt this gradually, or is it all-or-nothing?

Fully incremental. Start with one module in one environment. Your existing modules continue working untouched. If you use Terragrunt or Terramate to orchestrate your runs, nothing changes — you’re only swapping the module source line. There is no global policy agent to deploy, no wrapper binary, no sidecar. Each module source line is independent.

Will my auditor accept this as evidence?

Your auditor does not need to trust compliance.tf directly. Evidence comes from AWS-native tools they already accept: AWS Config, Security Hub, and Audit Manager. We enforce controls at deploy time so those AWS tools always report clean findings.

What if I want to switch back or compliance.tf shuts down?

Our modules are standard Terraform. They work with Terraform, OpenTofu, Terragrunt, Terramate, and any tool that speaks the Terraform module protocol. Every module is a drop-in replacement for its upstream terraform-aws-modules equivalent with the same variables and outputs. Change your module source line back, run terraform init. Your infrastructure does not change. No lock-in, no proprietary state.

Start Deploying CIS-Compliant Infrastructure

$100/year for all 34 modules, all frameworks. 30-day free trial.

Start Free Trial Contact Sales

No credit card required. Switch back at any time.

Stay Informed About New Features

Join the mailing list for releases, new modules, and roadmap updates. No spam. Unsubscribe anytime.

Not convinced yet or dying for a feature we don't have? Send us an email — we really want to hear your feedback!

CIS Compliant Terraform ModulesEnforced Before terraform apply

Three Steps to CIS Compliant Infrastructure

Change One Line

Run Terraform Commands

Compliance Enforced

Controls Enforced for CIS

2 Identity and Access Management

2.10 Do not create access keys during initial setup for IAM users with a console password

2.11 Ensure credentials unused for 45 days or more are disabled

2.12 Ensure there is only one active access key for any single IAM user

2.13 Ensure access keys are rotated every 90 days or less

2.14 Ensure IAM users receive permissions only through groups

2.15 Ensure IAM policies that allow full "*:*" administrative privileges are not attached

2.16 Ensure a support role has been created to manage incidents with AWS Support

2.17 Ensure IAM instance roles are used for AWS resource access from instances

2.18 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed

2.19 Ensure that IAM External Access Analyzer is enabled for all regions

2.2 Ensure security contact information is registered

2.21 Ensure access to AWSCloudShellFullAccess is restricted

2.3 Ensure no 'root' user account access key exists

2.4 Ensure MFA is enabled for the 'root' user account

2.5 Ensure hardware MFA is enabled for the 'root' user account

2.6 Eliminate use of the 'root' user for administrative and daily tasks

2.7 Ensure IAM password policy requires minimum length of 14 or greater

2.8 Ensure IAM password policy prevents password reuse

2.9 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

3.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests

3.1.2 Ensure MFA Delete is enabled on S3 buckets

3.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary

3.1.4 Ensure that S3 is configured with 'Block Public Access' enabled

3.2.1 Ensure that encryption-at-rest is enabled for RDS instances

3.2.2 Ensure the Auto Minor Version Upgrade feature is enabled for RDS instances

3.2.3 Ensure that RDS instances are not publicly accessible

3.2.4 Ensure Multi-AZ deployments are used for enhanced availability in Amazon RDS

3.3.1 Ensure that encryption is enabled for EFS file systems

4.1 Ensure CloudTrail is enabled in all regions

4.2 Ensure CloudTrail log file validation is enabled

4.3 Ensure AWS Config is enabled in all regions

4.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket

4.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs

4.6 Ensure rotation for customer-created symmetric CMKs is enabled

4.7 Ensure VPC flow logging is enabled in all VPCs

4.8 Ensure that object-level logging for write events is enabled for S3 buckets

4.9 Ensure that object-level logging for read events is enabled for S3 buckets

5.1 Ensure unauthorized API calls are monitored

5.10 Ensure security group changes are monitored

5.11 Ensure Network Access Control List (NACL) changes are monitored

5.12 Ensure changes to network gateways are monitored

5.13 Ensure route table changes are monitored

5.14 Ensure VPC changes are monitored

5.15 Ensure AWS Organizations changes are monitored

5.16 Ensure AWS Security Hub is enabled

5.2 Ensure management console sign-in without MFA is monitored

5.3 Ensure usage of the 'root' account is monitored

5.4 Ensure IAM policy changes are monitored

5.5 Ensure CloudTrail configuration changes are monitored

5.6 Ensure AWS Management Console authentication failures are monitored

5.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored

5.8 Ensure S3 bucket policy changes are monitored

5.9 Ensure AWS Config configuration changes are monitored

6 Networking

6.1.1 Ensure EBS volume encryption is enabled in all regions

6.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access

6.2 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

6.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports

6.4 Ensure no security groups allow ingress from ::/0 to remote server administration ports

6.5 Ensure the default security group of every VPC restricts all traffic

6.7 Ensure that the EC2 Metadata Service only allows IMDSv2