compliance.tf
Compliance FrameworksCommon Frameworks

AWS Well-Architected Framework v10

Best for: Any organization running workloads on AWS that needs to evaluate architectural decisions against AWS best practices. Most relevant for teams preparing for Well-Architected Reviews with a Solutions Architect, companies pursuing AWS Partner certifications, or engineering teams that need to justify infrastructure decisions to leadership. No revenue or size threshold applies. A startup with a single account benefits as much as an enterprise managing hundreds.

Mandatory?Voluntary โ€” AWS best-practice framework
Who validates?Self-assessment via AWS Well-Architected Tool; optional AWS partner review
RenewalNo fixed cycle; review at architecture changes
ScopeAll AWS workloads; six pillars including Security

๐Ÿ› Amazon Web Services (AWS) ยท AWS Well-Architected Framework v10 Official source โ†’

Get Started

module "..." {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Account Governance: Runs controls checking AWS Organizations membership, security contact registration, and account contact detail completeness. Covers account_alternate_contact_security_registered, account_maintain_current_contact_details, and account_part_of_organizations.
  • API Security and Access Control: Checks API Gateway REST and HTTP API configurations for missing authorizers, public endpoint exposure, WAF association, and SSL certificate attachment. Covers 7 API Gateway controls across both V1 and V2 APIs.
  • Certificate Lifecycle: Detects ACM certificates expiring within 30 days and verifies certificate transparency logging is enabled. Flags API Gateway stages missing SSL certificates.
  • Resilience and Multi-AZ Architecture: Validates that EC2 auto scaling groups span multiple Availability Zones per the Reliability pillar.
  • Sensitive Data Exposure: Scans EC2 auto scaling launch configuration user data fields for embedded secrets, passwords, and sensitive configuration values.
  • Session and Timeout Configuration: Evaluates AppStream fleet timeout settings (idle disconnect, session disconnect, max user duration) and internet access configuration against recommended thresholds.

What you handle

  • Account Governance: Defining and enforcing the organizational unit (OU) structure, setting up Service Control Policies (SCPs), and maintaining a process to update contacts when personnel change.
  • API Security and Access Control: Designing the authorization strategy (Cognito, Lambda authorizer, IAM), writing and maintaining authorizer logic, and configuring WAF rules appropriate to your threat model.
  • Certificate Lifecycle: Investigating why auto-renewal failed for flagged certificates, managing certificates outside ACM (such as imported certificates), and monitoring Certificate Transparency logs for unauthorized issuance.
  • Resilience and Multi-AZ Architecture: Determining the right number of AZs for your RPO/RTO targets, testing failover scenarios, and ensuring application-level state management supports AZ loss.
  • Sensitive Data Exposure: Migrating secrets to AWS Secrets Manager or Parameter Store, rotating any exposed credentials, and implementing preventive controls such as SCPs or CI/CD pipeline scanning.
  • Session and Timeout Configuration: Adjusting timeout values to match actual user workflow requirements and configuring VPC egress controls for fleets with internet access disabled.

Controls by Category

API Gateway Security (4 controls)

This is where most findings accumulate. Reviewers look for unauthenticated API methods, publicly accessible REST API endpoints that should be private, and stages missing WAF associations or access logging. A recurring gap is V2 (HTTP API) routes left with no authorization type because teams assume V1 settings carry over.

API Gateway methods should require an authorizerAPI Gateway routes should require an authorization typeAPI Gateway V2 routes should require an authorizerAPI Gateway stages should have logging enabled

AppStream Fleet Configuration (4 controls)

The two things reviewers want to see: internet access disabled on fleets (traffic should route through a VPC with controlled egress) and session timeouts configured to reduce idle exposure windows. Evidence is pulled from fleet configuration details in the AppStream console or via describe-fleets API calls.

AppStream fleets should have default internet access disabledAppStream fleets should have idle disconnect timeout set to 10 minutes or lessAppStream fleets should limit maximum user duration to 10 hours or lessAppStream fleets should have session disconnect timeout set to 5 minutes or less

Certificate and Encryption Management (2 controls)

Auditors check for expiring ACM certificates and confirm transparency logging is enabled to catch misissued certificates. For API Gateway, they want to see SSL certificates attached to custom domain stages. Expired certificates cause outages, and teams frequently miss renewals when auto-renewal fails silently due to DNS validation issues.

ACM certificates should have transparency logging enabledcompliance.tf moduleAPI Gateway stages should not use client SSL certificates
Additional Controls (113)

AWS CloudTrail (4)

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have logs encrypted using a customer managed KMS keyCloudTrail trails should have log file validation enabled

AWS IAM (9)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should require at least one lowercase letterIAM password policies should require at least one numberIAM password policies should require at least one symbolIAM password policies should require at least one uppercase letterIAM password policies should prevent password reuseIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurationsIAM password policies should expire passwords within 90 days or less

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (2)

Lambda functions CORS configuration should not allow all originscompliance.tf moduleLambda functions should restrict public URLcompliance.tf module

Amazon CloudFront (4)

CloudFront distributions should require encryption in transitcompliance.tf moduleCloudFront distributions should have field level encryption enabledcompliance.tf moduleCloudFront distributions access logs should be enabledcompliance.tf moduleCloudFront distributions should have AWS WAF enabledcompliance.tf module

Amazon CloudWatch (2)

CloudWatch alarms should have an action configuredcompliance.tf moduleCloudWatch log groups should have retention period of at least 365 dayscompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon DynamoDB (2)

DynamoDB tables should have AWS KMS encryption enabledcompliance.tf moduleDynamoDB tables should have encryption enabledcompliance.tf module

Amazon DynamoDB Accelerator (1)

DynamoDB Accelerator (DAX) clusters should be encrypted at rest

Amazon EBS (3)

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS snapshots should be encryptedEBS volumes should have encryption at rest enabledcompliance.tf module

Amazon EC2 (4)

EC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf moduleEC2 instances should use IMDSv2compliance.tf moduleEC2 instances should use IAM instance roles for AWS resource accesscompliance.tf module

Amazon ECR (1)

ECR repositories should have image scan on push enabledcompliance.tf module

Amazon EFS (2)

EFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon EKS (4)

EKS clusters should have control plane audit logging enabledcompliance.tf moduleEKS clusters endpoint public access should be restrictedcompliance.tf moduleEKS clusters endpoint should restrict public accesscompliance.tf moduleEKS clusters should be configured to have kubernetes secrets encrypted using KMScompliance.tf module

Amazon OpenSearch Service (8)

OpenSearch domains should have audit logging enabledcompliance.tf moduleOpenSearch domains should have Cognito authentication enabled for Kibanacompliance.tf moduleOpenSearch domains should have encryption at rest enabledcompliance.tf moduleOpenSearch domains should use HTTPScompliance.tf moduleOpenSearch domains should be in a VPCcompliance.tf moduleOpenSearch domains internal user database should be disabledcompliance.tf moduleOpenSearch domains should have logging to CloudWatch Logs enabledcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (10)

RDS DB clusters should have automatic minor version upgrade enabledRDS DB instance automatic minor version upgrade should be enabledcompliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (5)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift clusters should have automatic upgrades to major versions enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon Route 53 (2)

Route 53 domains should have privacy protection enabledRoute 53 domains should have transfer lock enabled

Amazon S3 (14)

S3 buckets should not use ACLs for user access controlcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should have MFA delete enabledcompliance.tf moduleS3 buckets should not be accessible to all authenticated userscompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets with versioning enabled should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SQS (2)

SQS queues should have encryption at rest enabledcompliance.tf moduleSQS queues should be encrypted with KMS CMKcompliance.tf module

Amazon SageMaker (7)

SageMaker models should be in a VPCSageMaker models should have network isolation enabledSageMaker notebook instances should not have direct internet accessSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabledSageMaker notebook instances should be in a VPCSageMaker notebook instances root access should be disabled

Amazon VPC (1)

VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888compliance.tf module

Elastic Load Balancing (10)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB load balancers should prohibit public accesscompliance.tf moduleELB application load balancers should be configured with defensive or strictest desync mitigation modecompliance.tf moduleELB application load balancers should be configured to drop HTTP headerscompliance.tf moduleELB application load balancers should drop invalid HTTP headerscompliance.tf moduleELB application and network load balancers should use recommended security policiescompliance.tf moduleELB application and network load balancer listeners should use secure protocolscompliance.tf moduleELB classic load balancers should span multiple availability zonescompliance.tf moduleELB network load balancers should have TLS listener security policy configuredcompliance.tf moduleELB listeners should use approved SSL/TLS protocol versionscompliance.tf module

Other (13)

CloudFormation stacks should have notifications enabledElasticsearch domains should have audit logging enabledElasticsearch domains should have cognito authentication enabledES domain encryption at rest should be enabledElasticsearch domains should have internal user database enabledElasticsearch domain should send logs to CloudWatchElasticsearch domain node-to-node encryption should be enabledAPI Gateway V2 stages should have access logging configuredcompliance.tf moduleGlue data catalog metadata encryption should be enabledGlue data catalog connection password encryption should be enabledGlue jobs bookmarks encryption should be enabledGlue jobs CloudWatch logs encryption should be enabledGlue jobs S3 encryption should be enabled

Related Frameworks

AWS Foundational Security Best Practices โ€” ๐ŸŸก Medium overlap (55%)

AWS Foundational Security Best Practices (FSBP) shares many of the same underlying controls, particularly around API Gateway, ACM, and auto scaling. FSBP is more prescriptive and audit-oriented, while WAF is advisory and architecture-focused.

NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (30%)

The Security pillar of WAF maps loosely to NIST 800-53 control families such as AC (Access Control), SC (System and Communications Protection), and SI (System and Information Integrity). WAF lacks the granularity of 800-53 and does not cover administrative or physical controls.

NIST CSF v1.0 โ€” โšช Low overlap (25%)

The NIST Cybersecurity Framework shares conceptual alignment with WAF's Security and Reliability pillars. CSF's Protect and Detect functions map to WAF security controls, but CSF addresses organizational governance topics that WAF does not cover.

Frequently Asked Questions

Does the Well-Architected Framework require a formal audit or certification?
No. WAF is a self-assessment framework with no certification body, no external auditor requirement, and no pass/fail outcome. You conduct reviews using the AWS Well-Architected Tool in the console, which produces a list of high-risk issues and improvement plans. AWS Solutions Architects can assist but are not auditors.
How does WAF v10 differ from earlier versions?
The "v10" label is a benchmark or package version label, not an AWS official framework version number. AWS updates Well-Architected guidance continuously across all six pillars. The most significant historical change was adding the Sustainability pillar in 2021. In the AWS Well-Architected Tool, you can update existing workload reviews to newer lens versions.
Can I use WAF review results to satisfy compliance requirements for other frameworks like SOC 2 or ISO 27001?
Not directly. WAF findings can inform remediation priorities and provide evidence of architectural review discipline, but no compliance framework accepts a WAF review as a substitute for its own assessment. Mapping WAF controls to SOC 2 or ISO 27001 controls can reduce duplicate effort, but each framework still requires its own evidence collection.
How long does a Well-Architected Review take?
A small, well-documented workload typically takes 2 to 4 hours. Complex workloads involving multiple teams can take days. The bottleneck is usually getting the right people (developers, ops, security) in the same room. Automated checks via compliance.tf can pre-populate technical findings and cut that time down.
Should every AWS workload go through a WAF review?
AWS recommends it, but in practice, prioritize production workloads handling sensitive data or business-critical functions. Development and sandbox workloads can be reviewed less frequently. A common policy is to require a WAF review before production launch and annually after that.

AWS Control Tower Guardrails

Previous Page

CISA Cyber Essentials

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryAPI Gateway Security (4)AppStream Fleet Configuration (4)Certificate and Encryption Management (2)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page