compliance.tf
Compliance FrameworksSpecialized Frameworks

Title 21 CFR Part 11

Best for: Any organization that creates, modifies, maintains, or transmits electronic records under FDA-regulated processes: pharmaceutical manufacturers, biotech firms, medical device companies, CROs, clinical laboratories, and food producers subject to FDA oversight. No revenue or size threshold applies. If your QMS, MES, LIMS, or clinical trial platform runs under FDA jurisdiction, Part 11 applies. AWS-hosted GxP workloads fall under this requirement.

Mandatory?Mandatory for FDA-regulated industries using electronic records
Who validates?FDA inspection; no formal certification
RenewalNo fixed cycle; ongoing compliance
ScopeElectronic records and signatures in FDA-regulated industries

๐Ÿ› U.S. Food and Drug Administration (FDA), Department of Health and Human Services ยท 21 CFR Part 11 (1997, amended 2003) Official source โ†’

Get Started

module "..." {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Audit Trail Completeness: 9 controls validating CloudTrail and API Gateway logging configuration. Checks multi-region trail enablement, S3 object-level read/write event logging, CloudWatch integration, and security trail configuration. Gaps where regulated record changes would go unlogged surface as findings.
  • Encryption at Rest: 3 controls covering API Gateway cache encryption, backup recovery point encryption, and CloudTrail log encryption. Verifies that KMS customer-managed keys are in use for trail encryption rather than default AWS-managed keys.
  • Encryption in Transit: Flags deprecated SSL/TLS protocol versions and missing SSL certificates on API Gateway stages across 3 controls covering CloudFront and API Gateway TLS configuration.
  • Backup and Record Retention: 3 controls checking backup retention minimums, recovery point encryption, and deletion protection. Backup plans below the 35-day baseline and recovery points exposed to manual deletion both generate findings.
  • Access and Network Controls: 2 controls: AWS Organizations membership and public IP exposure on compute resources. Validates centralized account governance and that launch configurations do not assign public IPs by default.

What you handle

  • Audit Trail Completeness: Application-level audit trails within GxP systems (LIMS, MES, ERP) must capture old and new values and operator identity per Section 11.10(e). You also need to identify which S3 buckets hold regulated records, map them to predicate rules, and maintain documented audit trail review procedures with qualified reviewers.
  • Encryption at Rest: KMS key rotation policy, key access policy reviews, and documented rationale for key management decisions. Encryption must also extend to all data stores holding regulated records (RDS, EBS, DynamoDB) beyond the controls sampled here.
  • Encryption in Transit: Defining minimum TLS version policy at the organizational level, performing periodic cipher suite reviews, and documenting encryption-in-transit controls for system validation packages (IQ/OQ/PQ documentation).
  • Backup and Record Retention: Determining actual retention requirements based on predicate rules (e.g., 21 CFR 211.180 requires batch production records for at least 1 year past expiry). Retention periods in production GxP environments typically need to be configured well beyond 35 days. Testing restore procedures and documenting restore validation results is also on you.
  • Access and Network Controls: Implementing IAM policies, role-based access control, and unique user identification per Section 11.10(d). Establishing procedures for electronic signature management per Subpart C (Sections 11.100, 11.200, 11.300). Periodic access reviews and documentation of authority checks.

Controls by Category

Audit Trails - Section 11.10(e) (3 controls)

The most common findings under Section 11.10(e) are gaps in regional trail coverage, missing object-level S3 logging for GxP data buckets, and CloudTrail logs not forwarded to CloudWatch. The requirement is specific: secure, computer-generated, time-stamped trails that capture old and new values and the identity of the person behind each change. Assessors will also verify that trails cannot be modified or deleted by the same operators whose actions they record.

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsAPI Gateway stages should have logging enabled

Encryption at Rest - Section 11.10(c) (2 controls)

Assessors verify that backups, cached API responses, and audit trail logs are encrypted with customer-managed KMS keys, not AWS default service keys. The distinction matters under Section 11.10(c) because customer-managed keys give the organization documented control over access to regulated records. Unencrypted backup recovery points are a frequent gap, particularly when teams assume encryption is inherited from the source volume.

API Gateway stages should have cache encryption at rest enabledCloudTrail trails should have logs encrypted using a customer managed KMS key

Encryption in Transit - Section 11.10(c) (1 control)

The first thing an assessor checks is whether deprecated SSL/TLS protocols (SSLv3, TLS 1.0, TLS 1.1) are still in use. CloudFront distributions configured with legacy origin SSL protocols and API Gateway stages missing client SSL certificates for backend authentication are the two most common findings. Evidence should include TLS configuration documentation and vulnerability scan results confirming no weak cipher suites are active.

API Gateway stages should not use client SSL certificates

Record Retention and Protection - Section 11.10(b) (1 control)

Configuration showing recovery points cannot be manually deleted is the primary evidence auditors request here. Section 11.10(b) requires the ability to produce accurate, complete copies of records suitable for FDA inspection, which means those records cannot be subject to casual deletion by operators. The 35-day retention check is a floor, not a target: most GxP record types under predicate rules such as 21 CFR 211.180 require retention well beyond that, often tied to product expiry dates.

Backup plans should have minimum frequency and minimum retention configured
Additional Controls (92)

AWS CloudTrail (1)

CloudTrail trails should have log file validation enabled

AWS CodeBuild (2)

CodeBuild projects should have artifact encryption enabledCodeBuild projects should have S3 logs encrypted

AWS Database Migration Service (1)

DMS replication instances should not be publicly accessiblecompliance.tf module

AWS IAM (7)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should require at least one lowercase letterIAM password policies should require at least one numberIAM password policies should require at least one symbolIAM password policies should require at least one uppercase letterIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (2)

Lambda functions should be in a VPCcompliance.tf moduleLambda functions should restrict public URLcompliance.tf module

AWS Secrets Manager (1)

Secrets Manager secrets should be encrypted using CMKcompliance.tf module

Amazon CloudWatch (1)

CloudWatch log groups should have retention period of at least 365 dayscompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon DynamoDB (3)

DynamoDB tables should have AWS KMS encryption enabledcompliance.tf moduleDynamoDB tables should have encryption enabledcompliance.tf moduleDynamoDB tables should have point-in-time recovery enabledcompliance.tf module

Amazon EBS (2)

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS volumes should have encryption at rest enabledcompliance.tf module

Amazon EC2 (6)

EC2 instances should have EBS optimization enabledcompliance.tf moduleEC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should be in a VPCcompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf moduleEC2 instances should use IMDSv2compliance.tf moduleEC2 instances should use IAM instance roles for AWS resource accesscompliance.tf module

Amazon EFS (2)

EFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon EMR (1)

EMR cluster Kerberos should be enabledcompliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf module

Amazon Kinesis (1)

Kinesis streams should have server side encryption enabled

Amazon OpenSearch Service (5)

OpenSearch domains should have audit logging enabledcompliance.tf moduleOpenSearch domains should have encryption at rest enabledcompliance.tf moduleOpenSearch domains should use HTTPScompliance.tf moduleOpenSearch domains should have logging to CloudWatch Logs enabledcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (13)

RDS clusters should have deletion protection enabledcompliance.tf moduleRDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances backup retention period should be greater than or equal to 7compliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instances should have deletion protection enabledcompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should have multiple AZ enabledcompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (8)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift clusters should have automatic snapshots enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have enhanced VPC routing enabledcompliance.tf moduleRedshift clusters should have KMS encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (15)

S3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should not be accessible to all authenticated userscompliance.tf moduleS3 buckets should have object lock enabledcompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets with versioning enabled should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf moduleS3 public access should be blocked at bucket levelcompliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SageMaker (4)

SageMaker endpoint configuration encryption should be enabledSageMaker notebook instances should not have direct internet accessSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabled

Amazon VPC (1)

VPC subnet auto assign public IP should be disabledcompliance.tf module

Elastic Load Balancing (8)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB application load balancer deletion protection should be enabledcompliance.tf moduleELB application and network load balancers should use recommended security policiescompliance.tf moduleELB application and network load balancers should only use SSL or HTTPS listenerscompliance.tf moduleELB application and network load balancer listeners should use secure protocolscompliance.tf moduleELB classic load balancers should have cross-zone load balancing enabledcompliance.tf moduleELB network load balancers should have TLS listener security policy configuredcompliance.tf moduleELB listeners should use approved SSL/TLS protocol versionscompliance.tf module

Other (4)

ES domain encryption at rest should be enabledES domains should be in a VPCElasticsearch domain should send logs to CloudWatchElasticsearch domain node-to-node encryption should be enabled

Related Frameworks

HIPAA Omnibus Rule 2013 โ€” ๐ŸŸก Medium overlap (40%)

HIPAA and 21 CFR Part 11 share requirements around access controls, audit logging, encryption, and integrity verification. Organizations in pharma or biotech that handle both clinical trial data and protected health information often address both frameworks simultaneously. HIPAA is broader in its privacy requirements, while Part 11 is more prescriptive about audit trail content and electronic signature controls.

NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (50%)

NIST 800-53 Rev 5 provides the most comprehensive control catalog that maps to Part 11 requirements. AU (Audit and Accountability) controls align with Section 11.10(e), SC (System and Communications Protection) controls map to Section 11.10(c), and IA (Identification and Authentication) controls cover Sections 11.10(d) and 11.300. Many organizations use NIST 800-53 as the technical implementation backbone for their Part 11 compliance program.

SOC 2 โ€” ๐ŸŸก Medium overlap (35%)

SOC 2 Trust Services Criteria for Security, Availability, and Processing Integrity partially overlaps with Part 11 technical controls around access management, logging, and encryption. Cloud service providers hosting GxP workloads often present SOC 2 Type II reports as supporting evidence during FDA inspections, though a SOC 2 report alone does not demonstrate Part 11 compliance.

Frequently Asked Questions

Does 21 CFR Part 11 apply to my organization if we use cloud-hosted systems?
Yes. Part 11 follows the records, not the infrastructure. If your FDA-regulated processes produce electronic records in AWS or any other cloud platform, you are responsible for demonstrating Part 11 compliance for those records. The FDA's 2003 guidance on scope and application did not exempt cloud environments. You need to qualify your cloud service provider (typically via a shared responsibility model and SOC 2 reports) and validate the application layer yourself.
What is the difference between Part 11 and predicate rules?
Predicate rules are the underlying FDA regulations that require records to be maintained (e.g., 21 CFR 211 for drug cGMP, 21 CFR 820 for device quality systems). Part 11 specifies how those records must be managed when they are in electronic form. You cannot comply with Part 11 in isolation: first identify which predicate rules apply to your products, then determine which records under those rules are electronic, and then apply Part 11 controls to those records.
How does the FDA's enforcement discretion guidance affect what I need to implement?
Treat the September 2003 enforcement discretion guidance as prioritization, not exemption. The FDA indicated it would exercise discretion on certain requirements, including validation, audit trails, record retention, and legacy systems, but did not waive them. Recent warning letters confirm active enforcement of audit trail and access control requirements. Section 11.10(e) audit trails for predicate-rule records are still expected, regardless of the 2003 guidance.
How long does it take to achieve Part 11 compliance in an AWS environment?
It depends on the number of GxP systems and their current state. Infrastructure-level controls (encryption, logging, access management) can be configured and validated in 4 to 8 weeks using Terraform and policy-as-code. Application-level validation (IQ/OQ/PQ) for each GxP system typically takes 3 to 6 months. A full program covering infrastructure, applications, SOPs, and training for a mid-size pharma company usually runs 6 to 12 months from kickoff to inspection readiness.
Are the 50 controls in this benchmark sufficient for full Part 11 compliance?
No. These 50 controls cover infrastructure-level technical requirements: audit trails, encryption, access restrictions, and backup retention. Part 11 also requires procedural controls that infrastructure checks cannot address, including system validation documentation (Section 11.10(a)), signed agreements with electronic signature users (Section 11.10(j)), unique user identification (Section 11.10(d)), and the biometric/non-biometric signature requirements in Subpart C. This benchmark is one layer in a broader compliance program that must also include SOPs, training records, and application-level validation.

EU GMP Annex 11

Previous Page

RBI Cyber Security Framework for UCBs

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryAudit Trails - Section 11.10(e) (3)Encryption at Rest - Section 11.10(c) (2)Encryption in Transit - Section 11.10(c) (1)Record Retention and Protection - Section 11.10(b) (1)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page