compliance.tf
Compliance FrameworksSpecialized Frameworks

FedRAMP Low Baseline Rev 4

Best for: Cloud service providers (CSPs) seeking or maintaining a FedRAMP Low authorization to operate (ATO) for systems handling low-impact federal data under FIPS 199. This applies to any CSP, regardless of size, that sells cloud services to U.S. federal agencies where loss of confidentiality, integrity, or availability would have limited adverse effects. If your agency sponsor issued your ATO under NIST 800-53 Rev 4, this baseline applied to you. New authorizations require Rev 5.

Mandatory?Mandatory for CSPs selling to U.S. federal agencies
Who validates?3PAO (Third Party Assessment Organization) ยท No self-assessment
RenewalContinuous monitoring; annual assessment
ScopeCloud service offering for federal use (low impact)

๐Ÿ› U.S. General Services Administration (GSA), FedRAMP Program Management Office (PMO) ยท FedRAMP Low Rev 4 Official source โ†’

Get Started

module "..." {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Audit Logging and Monitoring: Runs 11 controls validating CloudTrail configuration across regions, S3 data event logging, CloudWatch integration, log file validation, alarm actions, and log retention periods. Covers the technical requirements for AU-2, AU-3, AU-6, AU-9, and AU-12.
  • Encryption and Certificate Management: ACM certificate expiration windows and KMS CMK encryption on CloudTrail logs are both evaluated. Customer-managed keys satisfy SC-28; AWS-managed defaults do not, and the check distinguishes between them.
  • Boundary Protection and Network Segmentation: Three SC-7 boundary checks: Auto Scaling launch configurations must not assign public IPs, DMS replication instances must not be publicly accessible, and API Gateway stages must have WAF web ACLs attached.
  • Backup and Recovery: Validates that AWS Backup plan retention meets the 35-day minimum and that Auto Scaling groups behind load balancers use health checks to support automatic instance recovery.
  • Secure Development and Build Configuration: Two CodeBuild checks: whether projects store sensitive AWS values in plaintext environment variables, and whether source repositories authenticate via OAuth rather than personal access tokens.

What you handle

  • Audit Logging and Monitoring: Defining audit event types in your SSP, performing regular log reviews (the procedural requirement under AU-6), documenting your audit reduction and report generation process, and establishing and testing alerting thresholds for security-relevant events.
  • Encryption and Certificate Management: Documenting key management procedures, implementing rotation schedules, managing key access policies, and confirming FIPS 140-2 validated cryptographic modules are used where SC-13 requires them.
  • Boundary Protection and Network Segmentation: Documenting the full authorization boundary in your SSP, maintaining current network architecture diagrams, configuring WAF rule sets appropriate to your threat model, and managing security group rules outside the scope of these specific checks.
  • Backup and Recovery: Writing and testing your Contingency Plan (CP), conducting annual contingency plan tests per CP-4, defining recovery time and recovery point objectives, and documenting backup restoration test results.
  • Secure Development and Build Configuration: Establishing a full secure development lifecycle under SA-11, routing secrets through a dedicated secrets manager, and maintaining documented configuration baselines for all build and deployment pipelines.

Controls by Category

Audit and Accountability (AU) (6 controls)

3PAOs verify that audit logging covers the full authorization boundary with no gaps. They expect CloudTrail enabled across all regions (AU-2, AU-3, AU-12), log integrity validation confirming logs have not been tampered with (AU-9), and centralized aggregation through CloudWatch (AU-6). Trails scoped to a single region and log groups with retention periods too short to support incident investigation timelines are the most common findings in this category.

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have log file validation enabledAPI Gateway stages should have logging enabledCloudWatch alarms should have an action configuredcompliance.tf moduleCloudWatch log groups should have retention period of at least 365 dayscompliance.tf module

Contingency Planning (CP) (1 control)

CP-9 backup retention is what assessors ask for first: the 35-day minimum aligns with FedRAMP continuous monitoring requirements for data recovery. Health check configuration on Auto Scaling groups covers the CP-10 automatic recovery requirement by ensuring unhealthy instances are replaced without manual intervention. Come prepared with evidence of tested recovery procedures, not just configured backup policies.

Backup plans should have minimum frequency and minimum retention configured

System and Communications Protection (SC) (2 controls)

Assessors check encryption in transit and at rest (SC-8, SC-28) and boundary protection controls (SC-7), treating expired or near-expiry ACM certificates as direct findings rather than observations. Public IP assignment on Auto Scaling launch configurations and DMS replication instances violates SC-7, as does an API Gateway stage without a WAF web ACL attached.

CloudTrail trails should have logs encrypted using a customer managed KMS keyDMS replication instances should not be publicly accessiblecompliance.tf module
Additional Controls (65)

AWS IAM (3)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (4)

Lambda functions should have concurrent execution limit configuredcompliance.tf moduleLambda functions should be configured with a dead-letter queuecompliance.tf moduleLambda functions should be in a VPCcompliance.tf moduleLambda functions should restrict public URLcompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon DynamoDB (1)

DynamoDB tables should have point-in-time recovery enabledcompliance.tf module

Amazon EC2 (5)

EC2 instances should have detailed monitoring enabledcompliance.tf moduleEC2 instances should have EBS optimization enabledcompliance.tf moduleEC2 instances should be in a VPCcompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf moduleEC2 instances should use IMDSv2compliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf module

Amazon OpenSearch Service (2)

OpenSearch domains should have logging to CloudWatch Logs enabledcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (13)

RDS clusters should have deletion protection enabledcompliance.tf moduleRDS DB instances and clusters should have enhanced monitoring enabledcompliance.tf moduleRDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances backup retention period should be greater than or equal to 7compliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instances should have deletion protection enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should have multiple AZ enabledcompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (7)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift clusters should have automatic snapshots enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have KMS encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (12)

S3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should not be accessible to all authenticated userscompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf moduleS3 public access should be blocked at bucket levelcompliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SageMaker (4)

SageMaker endpoint configuration encryption should be enabledSageMaker notebook instances should not have direct internet accessSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabled

Amazon VPC (1)

VPC subnet auto assign public IP should be disabledcompliance.tf module

Elastic Load Balancing (6)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB application load balancer deletion protection should be enabledcompliance.tf moduleELB application load balancers should be configured to drop HTTP headerscompliance.tf moduleELB application load balancers should drop invalid HTTP headerscompliance.tf moduleELB application and network load balancer listeners should use secure protocolscompliance.tf moduleELB classic load balancers should have cross-zone load balancing enabledcompliance.tf module

Other (3)

ES domains should be in a VPCElasticsearch domain should send logs to CloudWatchElasticsearch domain node-to-node encryption should be enabled

Related Frameworks

NIST 800-53 Rev 4 โ€” ๐ŸŸข High overlap (85%)

FedRAMP Low Rev 4 is a direct subset of NIST 800-53 Rev 4, selecting 125 controls from the full catalog and adding FedRAMP-specific parameter values. If you have already mapped to the full 800-53 Rev 4 catalog, the FedRAMP Low controls are covered, though FedRAMP imposes stricter parameter settings on several of them.

FedRAMP Moderate Rev 4 โ€” ๐ŸŸข High overlap (70%)

FedRAMP Moderate Rev 4 is a superset of the Low baseline, adding approximately 200 controls. Every Low control appears in Moderate, so Low compliance is a useful foundation if you later need Moderate authorization.

NIST 800-53 Rev 5 โ€” ๐ŸŸข High overlap (65%)

NIST 800-53 Rev 5 reorganized and expanded the control catalog relative to Rev 4. Many Rev 4 controls map directly to Rev 5 equivalents, but Rev 5 introduced new control families (PT, SR) and consolidated others. The FedRAMP Rev 5 baselines draw from this updated catalog.

Frequently Asked Questions

Is FedRAMP Low Rev 4 still valid for new authorizations?
No. New authorization packages must use the Rev 5 baselines. CSPs with existing Rev 4 ATOs were required to transition during their annual assessment cycle. If you are starting a new FedRAMP effort, use the Rev 5 Low baseline.
What is the difference between FedRAMP Low and FedRAMP Moderate?
FedRAMP Low requires approximately 125 controls and applies to systems where loss of confidentiality, integrity, or availability would have limited adverse effect. FedRAMP Moderate requires roughly 325 controls and applies where that loss would have serious adverse effect. Most federal systems handling PII or sensitive operational data require Moderate. Low is typically used for publicly available information or collaboration tools that do not carry sensitive data.
How long does a FedRAMP Low authorization take?
Expect 6 to 12 months for a new authorization. The timeline depends on your organization's security maturity, documentation readiness, and whether you pursue a Joint Authorization Board (JAB) provisional ATO or an agency-specific ATO. Agency ATOs can move faster when the sponsoring agency is engaged. The 3PAO assessment itself typically runs 4 to 8 weeks, but SSP development and finding remediation consume most of the overall timeline.
Can I reuse my FedRAMP Low Rev 4 controls for the Rev 5 transition?
Partially. Many Rev 4 controls map directly to Rev 5 equivalents, so existing implementation evidence carries over. Rev 5 did introduce new controls, changed parameter requirements, and restructured some control families, so you will need a gap analysis against the Rev 5 Low baseline. The FedRAMP PMO published transition guidance with a mapping spreadsheet to help identify what needs to change.
What does compliance.tf cover versus what the 3PAO assesses?
compliance.tf automates checks for technical control implementations: whether CloudTrail is enabled, encryption is configured, public access is restricted, and similar infrastructure-level settings. A 3PAO assessment covers the full 125-control baseline, including procedural controls (personnel security, physical access, incident response plans), policy documentation, and organizational processes that infrastructure scanning cannot reach. compliance.tf covers the technical subset and generates continuous evidence between annual assessments.

AWS Generative AI Best Practices v2

Previous Page

CIS AWS Benchmark v1.2.0

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryAudit and Accountability (AU) (6)Contingency Planning (CP) (1)System and Communications Protection (SC) (2)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page