AWS Compliance Frameworks

Compliance.tf supports 36 AWS compliance frameworks spanning industry standards, government mandates, and security benchmarks. Each framework maps to a dedicated Terraform registry endpoint. When you source a supported terraform-aws-modules module through that endpoint, compliance.tf applies the framework's technical controls to the module configuration.

Core Frameworks

  • SOC 2 — Service Organization Control 2 (SOC 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) for evalua... (111 controls; General)
  • PCI DSS v4.0 — The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 is an information security standard for organizations that handle branded credi... (170 controls; General, Financial Services)
  • HIPAA Omnibus Rule 2013 — The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule of 2013 strengthened privacy and security protections for health in... (104 controls; General, Healthcare/Life Sciences)
  • ISO/IEC 27001:2022 — ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). The 2022 revision reorganizes Annex A controls in... (146 controls; General)
  • GDPR — The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that regulates how personal data of individuals within the European ... (52 controls; General, Regional)
  • NIS2 Directive (EU 2022/2555) — The NIS2 Directive (EU 2022/2555) is the European Union's updated cybersecurity legislation that strengthens security requirements for essential and i... (102 controls; Regional)
  • NIST SP 800-53 Rev 5 — The National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 provides a comprehensive catalog of security and priva... (97 controls; Public Sector)
  • NIST Cybersecurity Framework v2.0 — The National Institute of Standards and Technology (NIST) Cybersecurity Framework version 2.0 provides an updated policy framework of standards, guide... (133 controls; General)
  • FedRAMP Moderate Baseline Rev 4 — The Federal Risk and Authorization Management Program (FedRAMP) Moderate Impact Baseline Revision 4 establishes security requirements for cloud servic... (96 controls; Public Sector)

Common Frameworks

  • CIS AWS Benchmark v6.0.0 — The Center for Internet Security (CIS) AWS Foundations Benchmark version 6.0.0 provides prescriptive guidance for establishing a secure baseline confi... (27 controls; AWS-specific)
  • CIS Controls v8.0 IG1 — The Center for Internet Security (CIS) Controls version 8.0 is a prioritized set of actions to protect organizations from known cyber attack vectors. ... (47 controls; General)
  • NIST SP 800-171 Rev 2 — The National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 2 provides guidelines for protecting Controlled Unclass... (105 controls; Public Sector)
  • AWS Control Tower Guardrails — AWS Control Tower Guardrails are high-level rules that provide ongoing governance for AWS Control Tower environments. These guardrails help enforce po... (13 controls; AWS-specific)
  • AWS Well-Architected Framework v10 — The AWS Well-Architected Framework helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for applications and ... (123 controls; AWS-specific)
  • CISA Cyber Essentials — The Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials is a guide for leaders of small businesses and state, local, tribal, and ... (86 controls; AWS-specific)
  • NYDFS Cybersecurity Regulation — The New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies, codified as 23 NYCRR 500, establish... (74 controls; Financial Services)
  • CIS AWS Benchmark v1.4.0 — The Center for Internet Security (CIS) AWS Foundations Benchmark version 1.4.0 provides prescriptive guidance for establishing a secure baseline confi... (24 controls; AWS-specific)
  • CIS AWS Benchmark v5.0.0 — The Center for Internet Security (CIS) AWS Foundations Benchmark version 5.0.0 provides prescriptive guidance for establishing a secure baseline confi... (27 controls; AWS-specific)

Specialized Frameworks

  • FFIEC Cybersecurity Assessment Tool — The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool helps financial institutions identify cybersecurity risks... (84 controls; Financial Services)
  • CCCS Medium Cloud Control Profile — The Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile provides security control baselines for cloud services used by the Governme... (21 controls; Public Sector, Regional)
  • ACSC Essential Eight — The Australian Cyber Security Centre (ACSC) Essential Eight is a baseline cybersecurity framework designed to protect Australian organizations against... (65 controls; Regional)
  • ACSC ISM March 2023 — The Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) is a comprehensive cybersecurity framework developed by the Australian G... (27 controls; Regional)
  • EU GMP Annex 11 — The European Union Good Manufacturing Practice (GMP) Annex 11 provides guidance on computerized systems used in pharmaceutical manufacturing and quali... (47 controls; Healthcare/Life Sciences)
  • Title 21 CFR Part 11 — The Code of Federal Regulations (CFR) is the codification of the general and permanent rules published in the Federal Register by the departments and ... (99 controls; Healthcare/Life Sciences)
  • RBI Cyber Security Framework for UCBs — The Reserve Bank of India (RBI) Cyber Security Framework for Urban Cooperative Banks (UCBs) provides baseline cybersecurity standards for urban cooper... (79 controls; Financial Services, Regional)
  • RBI IT Framework for NBFCs — The Reserve Bank of India (RBI) Information Technology Framework for Non-Banking Financial Companies (NBFCs) establishes IT governance, security, and ... (60 controls; Financial Services, Regional)
  • AWS Generative AI Best Practices v2 — The AWS Generative AI Best Practices Framework version 2 provides guidance for building, deploying, and operating generative AI applications on AWS in... (5 controls; AWS-specific)
  • FedRAMP Low Baseline Rev 4 — The Federal Risk and Authorization Management Program (FedRAMP) Low Impact Baseline Revision 4 establishes security requirements for cloud services ha... (74 controls; Public Sector)

Retired Frameworks (8)

  • CIS AWS Benchmark v1.2.0 — The Center for Internet Security (CIS) AWS Foundations Benchmark version 1.2.
  • CIS AWS Benchmark v1.3.0 — The Center for Internet Security (CIS) AWS Foundations Benchmark version 1.3.
  • CIS Controls v7.1 IG1 — The Center for Internet Security (CIS) Controls version 7.1 is a prioritized set of actions to protect organizations from known cyber attack vectors.
  • HIPAA Security Rule 2003 — The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, published in February 2003, establishes national standards to protect e...
  • ISO/IEC 27001:2013 — The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27001:2013 standard specifies requirement...
  • NIST Cybersecurity Framework v1.1 — The National Institute of Standards and Technology (NIST) Cybersecurity Framework version 1.
  • NIST SP 800-53 Rev 4 — The National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 provides a catalog of security and privacy controls fo...
  • PCI DSS v3.2.1 — The Payment Card Industry Data Security Standard (PCI DSS) version 3.2.