Skip to content

Title 21 CFR Part 11

Best for: Any organization that creates, modifies, maintains, or transmits electronic records under FDA-regulated processes: pharmaceutical manufacturers, biotech firms, medical device companies, CROs, clinical laboratories, and food producers subject to FDA oversight. No revenue or size threshold applies. If your QMS, MES, LIMS, or clinical trial platform runs under FDA jurisdiction, Part 11 applies. AWS-hosted GxP workloads fall under this requirement.

Mandatory?Mandatory for FDA-regulated industries using electronic records
Who validates?FDA inspection; no formal certification
RenewalNo fixed cycle; ongoing compliance
ScopeElectronic records and signatures in FDA-regulated industries

๐Ÿ› U.S. Food and Drug Administration (FDA), Department of Health and Human Services ยท 21 CFR Part 11 (1997, amended 2003) Official source โ†’

Get Started

module "..." {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Audit Trail Completeness: 9 controls validating CloudTrail and API Gateway logging configuration. Checks multi-region trail enablement, S3 object-level read/write event logging, CloudWatch integration, and security trail configuration. Gaps where regulated record changes would go unlogged surface as findings.
    • Encryption at Rest: 3 controls covering API Gateway cache encryption, backup recovery point encryption, and CloudTrail log encryption. Verifies that KMS customer-managed keys are in use for trail encryption rather than default AWS-managed keys.
    • Encryption in Transit: Flags deprecated SSL/TLS protocol versions and missing SSL certificates on API Gateway stages across 3 controls covering CloudFront and API Gateway TLS configuration.
    • Backup and Record Retention: 3 controls checking backup retention minimums, recovery point encryption, and deletion protection. Backup plans below the 35-day baseline and recovery points exposed to manual deletion both generate findings.
    • Access and Network Controls: 2 controls: AWS Organizations membership and public IP exposure on compute resources. Validates centralized account governance and that launch configurations do not assign public IPs by default.

  • What you handle

    • Audit Trail Completeness: Application-level audit trails within GxP systems (LIMS, MES, ERP) must capture old and new values and operator identity per Section 11.10(e). You also need to identify which S3 buckets hold regulated records, map them to predicate rules, and maintain documented audit trail review procedures with qualified reviewers.
    • Encryption at Rest: KMS key rotation policy, key access policy reviews, and documented rationale for key management decisions. Encryption must also extend to all data stores holding regulated records (RDS, EBS, DynamoDB) beyond the controls sampled here.
    • Encryption in Transit: Defining minimum TLS version policy at the organizational level, performing periodic cipher suite reviews, and documenting encryption-in-transit controls for system validation packages (IQ/OQ/PQ documentation).
    • Backup and Record Retention: Determining actual retention requirements based on predicate rules (e.g., 21 CFR 211.180 requires batch production records for at least 1 year past expiry). Retention periods in production GxP environments typically need to be configured well beyond 35 days. Testing restore procedures and documenting restore validation results is also on you.
    • Access and Network Controls: Implementing IAM policies, role-based access control, and unique user identification per Section 11.10(d). Establishing procedures for electronic signature management per Subpart C (Sections 11.100, 11.200, 11.300). Periodic access reviews and documentation of authority checks.

Controls by Category

Audit Trails - Section 11.10(e) (3 controls)

The most common findings under Section 11.10(e) are gaps in regional trail coverage, missing object-level S3 logging for GxP data buckets, and CloudTrail logs not forwarded to CloudWatch. The requirement is specific: secure, computer-generated, time-stamped trails that capture old and new values and the identity of the person behind each change. Assessors will also verify that trails cannot be modified or deleted by the same operators whose actions they record.

At least one enabled trail should be present in a region CloudTrail trails should be integrated with CloudWatch logs API Gateway stage logging should be enabled

Encryption at Rest - Section 11.10(c) (2 controls)

Assessors verify that backups, cached API responses, and audit trail logs are encrypted with customer-managed KMS keys, not AWS default service keys. The distinction matters under Section 11.10(c) because customer-managed keys give the organization documented control over access to regulated records. Unencrypted backup recovery points are a frequent gap, particularly when teams assume encryption is inherited from the source volume.

API Gateway stage cache encryption at rest should be enabled CloudTrail trail logs should be encrypted with KMS CMK

Encryption in Transit - Section 11.10(c) (1 control)

The first thing an assessor checks is whether deprecated SSL/TLS protocols (SSLv3, TLS 1.0, TLS 1.1) are still in use. CloudFront distributions configured with legacy origin SSL protocols and API Gateway stages missing client SSL certificates for backend authentication are the two most common findings. Evidence should include TLS configuration documentation and vulnerability scan results confirming no weak cipher suites are active.

API Gateway stage should uses SSL certificate

Record Retention and Protection - Section 11.10(b) (1 control)

Configuration showing recovery points cannot be manually deleted is the primary evidence auditors request here. Section 11.10(b) requires the ability to produce accurate, complete copies of records suitable for FDA inspection, which means those records cannot be subject to casual deletion by operators. The 35-day retention check is a floor, not a target: most GxP record types under predicate rules such as 21 CFR 211.180 require retention well beyond that, often tied to product expiry dates.

Backup plan min frequency and min retention check
Additional Controls (92)

AWS CloudTrail (1)

CloudTrail trail log file validation should be enabled

AWS CodeBuild (2)

CodeBuild project artifact encryption should be enabled CodeBuild project S3 logs should be encrypted

AWS Database Migration Service (1)

DMS replication instances should not be publicly accessible compliance.tf module

AWS IAM (7)

Ensure IAM password policy requires a minimum length of 14 or greater Ensure IAM password policy requires at least one lowercase letter Ensure IAM password policy requires at least one number Ensure IAM password policy requires at least one symbol Ensure IAM password policy requires at least one uppercase letter Password policies for IAM users should have strong configurations with minimum length of 8 or greater IAM password policies for users should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabled compliance.tf module

AWS Lambda (2)

Lambda functions should be in a VPC compliance.tf module Lambda functions should restrict public URL compliance.tf module

AWS Secrets Manager (1)

Secrets Manager secrets should be encrypted using CMK compliance.tf module

Amazon CloudWatch (1)

Log group retention period should be at least 365 days compliance.tf module

Amazon CloudWatch Logs (1)

Log group encryption at rest should be enabled compliance.tf module

Amazon DynamoDB (3)

DynamoDB table should be encrypted with AWS KMS compliance.tf module DynamoDB table should have encryption enabled compliance.tf module DynamoDB table point-in-time recovery should be enabled compliance.tf module

Amazon EBS (2)

Attached EBS volumes should have encryption enabled compliance.tf module EBS volume encryption at rest should be enabled compliance.tf module

Amazon EC2 (6)

EC2 instance should have EBS optimization enabled compliance.tf module EC2 instances should have IAM profile attached compliance.tf module EC2 instances should be in a VPC compliance.tf module EC2 instances should not have a public IP address compliance.tf module EC2 instances should use IMDSv2 compliance.tf module Ensure IAM instance roles are used for AWS resource access from instances compliance.tf module

Amazon EFS (2)

EFS file system encryption at rest should be enabled compliance.tf module EFS file systems should be encrypted with CMK compliance.tf module

Amazon EMR (1)

EMR cluster Kerberos should be enabled compliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater compliance.tf module

Amazon Kinesis (1)

Kinesis streams should have server side encryption enabled

Amazon OpenSearch Service (5)

OpenSearch domains should have audit logging enabled. compliance.tf module OpenSearch domains should have encryption at rest enabled compliance.tf module OpenSearch domains should use HTTPS compliance.tf module OpenSearch domains logs to AWS CloudWatch Logs compliance.tf module OpenSearch domains node-to-node encryption should be enabled compliance.tf module

Amazon RDS (13)

RDS clusters should have deletion protection enabled compliance.tf module RDS DB instance backup should be enabled compliance.tf module RDS DB instances backup retention period should be greater than or equal to 7 compliance.tf module RDS DB instances should be integrated with CloudWatch logs compliance.tf module RDS DB instances should have deletion protection enabled compliance.tf module RDS DB instance encryption at rest should be enabled compliance.tf module Database logging should be enabled compliance.tf module RDS for MariaDB DB instances should publish logs to CloudWatch Logs compliance.tf module RDS DB instance multiple az should be enabled compliance.tf module RDS DB instances should not use public subnet compliance.tf module RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs compliance.tf module RDS DB instances should prohibit public access compliance.tf module RDS for SQL Server DB instances should publish logs to CloudWatch Logs compliance.tf module

Amazon Redshift (8)

AWS Redshift audit logging should be enabled compliance.tf module AWS Redshift clusters should have automatic snapshots enabled compliance.tf module Redshift cluster encryption in transit should be enabled compliance.tf module Redshift cluster audit logging and encryption should be enabled compliance.tf module AWS Redshift enhanced VPC routing should be enabled compliance.tf module AWS Redshift clusters should be encrypted with KMS compliance.tf module AWS Redshift should have required maintenance settings compliance.tf module Redshift clusters should prohibit public access compliance.tf module

Amazon S3 (15)

S3 bucket cross-region replication should be enabled compliance.tf module S3 bucket default encryption should be enabled compliance.tf module S3 bucket default encryption should be enabled with KMS compliance.tf module S3 buckets should have lifecycle policies configured compliance.tf module S3 bucket logging should be enabled compliance.tf module S3 bucket ACLs should not be accessible to all authenticated user compliance.tf module S3 bucket object lock should be enabled compliance.tf module S3 buckets object logging should be enabled S3 bucket policy should prohibit public access compliance.tf module S3 buckets should prohibit public read access compliance.tf module S3 buckets should prohibit public write access compliance.tf module S3 buckets with versioning enabled should have lifecycle policies configured compliance.tf module S3 bucket versioning should be enabled compliance.tf module S3 public access should be blocked at account level compliance.tf module S3 public access should be blocked at bucket levels compliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at rest compliance.tf module

Amazon SageMaker (4)

SageMaker endpoint configuration encryption should be enabled SageMaker notebook instances should not have direct internet access SageMaker notebook instances should be encrypted using CMK SageMaker notebook instance encryption should be enabled

Amazon VPC (1)

VPC subnet auto assign public IP should be disabled compliance.tf module

Elastic Load Balancing (8)

ELB application and classic load balancer logging should be enabled compliance.tf module ELB application load balancer deletion protection should be enabled compliance.tf module Application and Network Load Balancers with listeners should use recommended security policies compliance.tf module ELB application and network load balancers should only use SSL or HTTPS listeners compliance.tf module Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit compliance.tf module ELB classic load balancers should have cross-zone load balancing enabled compliance.tf module ELB network load balancers should have TLS listener security policy configured compliance.tf module ELB listeners SSL/TLS protocol version should be checked compliance.tf module

Other (4)

ES domain encryption at rest should be enabled ES domains should be in a VPC Elasticsearch domain should send logs to CloudWatch Elasticsearch domain node-to-node encryption should be enabled

  • HIPAA Omnibus Rule 2013 โ€” ๐ŸŸก Medium overlap (40%)

    HIPAA and 21 CFR Part 11 share requirements around access controls, audit logging, encryption, and integrity verification. Organizations in pharma or biotech that handle both clinical trial data and protected health information often address both frameworks simultaneously. HIPAA is broader in its privacy requirements, while Part 11 is more prescriptive about audit trail content and electronic signature controls.

  • NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (50%)

    NIST 800-53 Rev 5 provides the most comprehensive control catalog that maps to Part 11 requirements. AU (Audit and Accountability) controls align with Section 11.10(e), SC (System and Communications Protection) controls map to Section 11.10(c), and IA (Identification and Authentication) controls cover Sections 11.10(d) and 11.300. Many organizations use NIST 800-53 as the technical implementation backbone for their Part 11 compliance program.

  • SOC 2 โ€” ๐ŸŸก Medium overlap (35%)

    SOC 2 Trust Services Criteria for Security, Availability, and Processing Integrity partially overlaps with Part 11 technical controls around access management, logging, and encryption. Cloud service providers hosting GxP workloads often present SOC 2 Type II reports as supporting evidence during FDA inspections, though a SOC 2 report alone does not demonstrate Part 11 compliance.

Frequently Asked Questions

Does 21 CFR Part 11 apply to my organization if we use cloud-hosted systems?

Yes. Part 11 follows the records, not the infrastructure. If your FDA-regulated processes produce electronic records in AWS or any other cloud platform, you are responsible for demonstrating Part 11 compliance for those records. The FDA's 2003 guidance on scope and application did not exempt cloud environments. You need to qualify your cloud service provider (typically via a shared responsibility model and SOC 2 reports) and validate the application layer yourself.

What is the difference between Part 11 and predicate rules?

Predicate rules are the underlying FDA regulations that require records to be maintained (e.g., 21 CFR 211 for drug cGMP, 21 CFR 820 for device quality systems). Part 11 specifies how those records must be managed when they are in electronic form. You cannot comply with Part 11 in isolation: first identify which predicate rules apply to your products, then determine which records under those rules are electronic, and then apply Part 11 controls to those records.

How does the FDA's enforcement discretion guidance affect what I need to implement?

Treat the September 2003 enforcement discretion guidance as prioritization, not exemption. The FDA indicated it would exercise discretion on certain requirements, including validation, audit trails, record retention, and legacy systems, but did not waive them. Recent warning letters confirm active enforcement of audit trail and access control requirements. Section 11.10(e) audit trails for predicate-rule records are still expected, regardless of the 2003 guidance.

How long does it take to achieve Part 11 compliance in an AWS environment?

It depends on the number of GxP systems and their current state. Infrastructure-level controls (encryption, logging, access management) can be configured and validated in 4 to 8 weeks using Terraform and policy-as-code. Application-level validation (IQ/OQ/PQ) for each GxP system typically takes 3 to 6 months. A full program covering infrastructure, applications, SOPs, and training for a mid-size pharma company usually runs 6 to 12 months from kickoff to inspection readiness.

Are the 50 controls in this benchmark sufficient for full Part 11 compliance?

No. These 50 controls cover infrastructure-level technical requirements: audit trails, encryption, access restrictions, and backup retention. Part 11 also requires procedural controls that infrastructure checks cannot address, including system validation documentation (Section 11.10(a)), signed agreements with electronic signature users (Section 11.10(j)), unique user identification (Section 11.10(d)), and the biometric/non-biometric signature requirements in Subpart C. This benchmark is one layer in a broader compliance program that must also include SOPs, training records, and application-level validation.