EU GMP Annex 11¶

The European Union Good Manufacturing Practice (GMP) Annex 11 provides guidance on computerized systems used in pharmaceutical manufacturing and quality control. This regulation, enforced by the European Medicines Agency (EMA), establishes requirements for validation, data integrity, and electronic record management in pharmaceutical operations. It applies to all pharmaceutical manufacturers operating within the European Union and those exporting to EU markets.

Terraform Registry Subdomain: eugmpannex11¶

module "..." {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

module "..." {
  source = "https://eugmpannex11.compliance.tf/terraform-aws-modules/<module>/aws"
}

Refer to the Terraform Registry Endpoints section for more details.

Implemented Controls¶

The following controls are implemented as part of this framework.

• API Gateway stage cache encryption at rest should be enabled
• Backup plan min frequency and min retention check
• At least one enabled trail should be present in a region
• CloudTrail trail logs should be encrypted with KMS CMK
• CloudWatch alarm should have an action configured
• CodeBuild project artifact encryption should be enabled
• CodeBuild project S3 logs should be encrypted
• DynamoDB Accelerator (DAX) clusters should be encrypted at rest
• DynamoDB table should be encrypted with AWS KMS
• DynamoDB table should have encryption enabled
• DynamoDB table point-in-time recovery should be enabled
• Attached EBS volumes should have encryption enabled
• EC2 instance should have EBS optimization enabled
• EFS file system encryption at rest should be enabled
• EKS clusters should be configured to have kubernetes secrets encrypted using KMS
• ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
• ELB application and network load balancers should only use SSL or HTTPS listeners
• ELB classic load balancers should have cross-zone load balancing enabled
• ES domain encryption at rest should be enabled
• Kinesis streams should have server side encryption enabled
• Log group encryption at rest should be enabled
• OpenSearch domains should have encryption at rest enabled
• OpenSearch domains should use HTTPS
• OpenSearch domains node-to-node encryption should be enabled
• RDS DB instance backup should be enabled
• RDS DB instance encryption at rest should be enabled
• AWS Redshift clusters should have automatic snapshots enabled
• Redshift cluster audit logging and encryption should be enabled
• S3 bucket cross-region replication should be enabled
• S3 bucket default encryption should be enabled
• S3 bucket default encryption should be enabled with KMS
• S3 buckets with versioning enabled should have lifecycle policies configured
• S3 bucket versioning should be enabled
• SageMaker endpoint configuration encryption should be enabled
• SageMaker notebook instance encryption should be enabled
• Secrets Manager secrets should be encrypted using CMK
• Step Function state machines should have logging turned on
• SNS topics should be encrypted at rest

Enable/Disable Controls¶

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples¶

S3 bucket module with EU GMP Annex 11 compliance framework controls enabled, and a couple of controls disabled¶

module "..." {
  source = "https://eugmpannex11.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=apigateway_stage_cache_encryption_at_rest_enabled,backup_plan_min_retention_35_days"
}