
RBI Cyber Security Framework for UCBs

Best for: All Urban Cooperative Banks (UCBs) regulated by the Reserve Bank of India, regardless of size or asset base. The RBI circular applies uniformly to scheduled and non-scheduled UCBs. If your institution holds a UCB license from RBI and operates core banking or digital payment channels, this framework applies. Technology service providers and managed security vendors serving UCBs should also align to these requirements to support their clients' compliance obligations.

Mandatory? Mandatory for Urban Cooperative Banks regulated by RBI
Who validates? RBI supervisory examination · No self-assessment
Renewal: Annual compliance reporting
Scope: Urban Cooperative Banks; IT systems and cybersecurity controls

Reserve Bank of India (RBI), Department of Supervision · RBI Cyber Security Framework for UCBs (2018)

Get Started

module "..." {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Encryption at Rest: Runs controls checking DynamoDB table encryption (both default and KMS CMK), API Gateway cache encryption, and CloudTrail log encryption with customer-managed keys. Flags any resource using only default encryption when the framework expects KMS CMK.
    • Encryption in Transit: Validates that API Gateway stages have SSL certificates attached and checks ACM certificate expiry within 30 days. Detects endpoints without TLS enforcement.
    • Audit Trail and Logging: Checks for multi-region CloudTrail enablement, S3 data event logging (read and write), CloudWatch integration, API Gateway stage logging, and log group retention of at least 365 days. Covers 10 controls in this area.
    • Network Exposure Prevention: Detects Auto Scaling launch configs with public IPs enabled, DMS replication instances with public accessibility, and API Gateway stages missing WAF web ACL association.
    • Backup and Disaster Recovery: Verifies DynamoDB tables are included in AWS Backup plans. Flags tables without any backup configuration.
    • Governance and Account Structure: Checks whether the AWS account belongs to an AWS Organizations structure, confirming centralized governance and policy enforcement.
  • What you handle

    • Encryption at Rest: Key rotation schedules, IAM access policies on CMKs, and a key custodian register are your responsibility. RBI expects documented key management procedures, not just the technical controls.
    • Encryption in Transit: Procure and renew certificates before expiry, enforce minimum TLS version policies across all banking channels, and document SSL/TLS configurations for audit evidence.
    • Audit Trail and Logging: Log review is a function, not a configuration. Your SOC or designated monitoring team owns alerting thresholds and SIEM integration. Periodic log analysis is explicitly called out in RBI's monitoring provisions.
    • Network Exposure Prevention: Design and maintain network architecture diagrams, implement firewall rules beyond AWS-native controls, conduct periodic penetration testing, and document network segmentation rationale.
    • Backup and Disaster Recovery: Define recovery time objectives (RTO) and recovery point objectives (RPO) per RBI guidelines, conduct periodic DR drills, maintain offsite backup documentation, and test restoration procedures at least annually.
    • Governance and Account Structure: Establish an IT Steering Committee and a dedicated information security function as mandated by RBI. Document organizational reporting lines, define roles and responsibilities, and maintain board-approved cybersecurity policies.

Controls by Category

Audit Logging and Trail Management (3 controls)

Auditors verify that all API and infrastructure activity is logged across every region with no gaps. They expect evidence of centralized log aggregation via CloudWatch integration and will flag accounts where trails cover only a single region. Common finding: CloudTrail enabled but S3 data event logging missing, leaving object-level access unaudited.

Data Protection and Encryption (5 controls)

KMS customer-managed keys, not AWS default encryption, are what assessors want to see on DynamoDB tables, CloudTrail logs, and API Gateway cache. Valid SSL certificates on all external endpoints are checked as well. Expired or soon-to-expire ACM certificates are a recurring finding during assessments.

Log Retention and Evidence Preservation (1 control)

Unset retention policies on CloudWatch log groups are one of the most common findings in this category. The minimum bar is 365 days, and assessors check this directly during RBI supervisory inspections. Left unaddressed, default groups either accumulate cost indefinitely or get cleaned up, destroying the forensic record in the process.

Network Security and Access Restrictions (1 control)

RBI expects UCBs to prevent unauthorized network exposure of banking infrastructure. Auditors check that compute instances and database replication endpoints are not directly internet-accessible, and WAF association on API stages is verified to confirm protection against OWASP Top 10 threats. Legacy launch configurations that still assign public IPs are a persistent problem.
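The checks described under "What Compliance.tf automates" and in the four control categories above, expressed as an added, stand-alone Python example (this is not Compliance.tf's own code, which ships as Terraform modules). The rules run over a constructed snapshot whose field names follow the boto3 describe_* response shapes (retentionInDays, IsMultiRegionTrail, KmsKeyId, ReadWriteType, NotAfter); the resource names and values are made up for illustration.

```python
from datetime import datetime, timedelta, timezone
MIN_RETENTION_DAYS = 365  # minimum log retention the page cites
CERT_WARN_DAYS = 30       # ACM expiry window the page cites

def check_log_groups(log_groups):
    # CloudWatch log groups: unset retention (never-expire) or below 365 days is a finding
    out = []
    for g in log_groups:
        days = g.get("retentionInDays")  # key is absent when no retention policy is set
        if days is None or days < MIN_RETENTION_DAYS:
            out.append((g["logGroupName"], f"retention {days} (< {MIN_RETENTION_DAYS}d)"))
    return out

def check_trails(trails, selectors_by_trail):
    # CloudTrail: multi-region, CMK-encrypted, S3 object-level data events for read and write
    out = []
    for t in trails:
        name = t["Name"]
        if not t.get("IsMultiRegionTrail"):
            out.append((name, "single-region trail"))
        if not t.get("KmsKeyId"):
            out.append((name, "logs not encrypted with a KMS CMK"))
        s3_rw = any(sel.get("ReadWriteType") == "All" and
                    any(r.get("Type") == "AWS::S3::Object" for r in sel.get("DataResources", []))
                    for sel in selectors_by_trail.get(name, []))
        if not s3_rw:
            out.append((name, "S3 data events (read and write) not logged"))
    return out

def check_certificates(certs, now):
    # ACM certificates that expire within the warning window
    return [(c["CertificateArn"], f"expires in {(c['NotAfter'] - now).days} days")
            for c in certs if c["NotAfter"] - now <= timedelta(days=CERT_WARN_DAYS)]

def evaluate(snap, now):
    return (check_log_groups(snap["logGroups"])
            + check_trails(snap["trailList"], snap["eventSelectors"])
            + check_certificates(snap["Certificates"], now))

# Constructed sample shaped like boto3 describe_* responses; not data from any real account
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = {
    "logGroups": [{"logGroupName": "/aws/apigateway/ucb-core"},  # no retention policy
                  {"logGroupName": "/aws/lambda/payments", "retentionInDays": 400}],
    "trailList": [{"Name": "ucb-trail", "IsMultiRegionTrail": False, "KmsKeyId": None}],
    "eventSelectors": {"ucb-trail": [{"ReadWriteType": "WriteOnly",  # reads unaudited
                                      "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]},
    "Certificates": [{"CertificateArn": "arn:aws:acm:ap-south-1:111122223333:certificate/EXAMPLE",
                      "NotAfter": NOW + timedelta(days=12)}],
}
```

Running `evaluate(SAMPLE, NOW)` on the constructed sample yields five findings: the unset log retention, the single-region and unencrypted trail, the missing S3 read events, and the certificate expiring in 12 days.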

Additional Controls (69)

  • AWS IAM (2)
  • AWS KMS (1)
  • AWS Lambda (2)
  • Amazon CloudWatch Logs (1)
  • Amazon DynamoDB (1)
  • Amazon EBS (2)
  • Amazon EC2 (2)
  • Amazon EFS (2)
  • Amazon ElastiCache (1)
  • Amazon OpenSearch Service (5)
  • Amazon RDS (12)
  • Amazon Redshift (8)
  • Amazon S3 (11)
  • Amazon SNS (1)
  • Amazon SageMaker (4)
  • Amazon VPC (1)
  • Elastic Load Balancing (8)
  • Other (5)

Frequently Asked Questions

Does this framework apply to all cooperative banks or only certain categories?

It applies to all Urban Cooperative Banks (UCBs) regulated by RBI, both scheduled and non-scheduled. State cooperative banks and district central cooperative banks fall under separate NABARD guidelines, not this framework. If your banking license is from RBI and you are classified as a UCB, you must comply.

What is the compliance timeline and reporting cadence?

UCBs were expected to implement baseline controls upon issuance of the circular in December 2019. Ongoing compliance requires annual self-assessment and submission of a cyber security posture report to RBI's Regional Office. RBI supervisory inspection teams may also evaluate controls during scheduled or thematic inspections.

Is there a formal certification or just self-assessment?

RBI does not mandate third-party certification. Compliance is demonstrated through self-assessment reports submitted to RBI, internal audit findings, and evidence produced during RBI inspections. That said, many UCBs engage external IS auditors (CERT-In empaneled or CISA-certified professionals) to strengthen their assessment credibility.

How does this framework interact with RBI's broader IT governance guidelines?

This cyber security framework supplements the RBI Master Direction on Information Technology Framework for UCBs (2018). The IT Framework covers broader IT governance, IS audit, and IT service management. The cyber security circular adds specific requirements for SOC operations, incident reporting to CERT-In and RBI, vulnerability management, and advanced threat detection. Both must be addressed together.

What happens if a UCB fails to comply?

RBI can issue supervisory directions, impose monetary penalties under Section 46 of the Banking Regulation Act 1949, or restrict certain digital banking services. Repeated non-compliance may trigger enhanced supervisory scrutiny, restrictions on branch expansion, or other corrective action under RBI's Prompt Corrective Action framework for UCBs.