Skip to content

FedRAMP Moderate Baseline Rev 4

The Federal Risk and Authorization Management Program (FedRAMP) Moderate Impact Baseline Revision 4 establishes security requirements for cloud services handling moderate-impact federal information. Managed by the U.S. General Services Administration (GSA), this is the most common FedRAMP baseline requiring implementation of 325 security controls derived from NIST SP 800-53. It applies to cloud service providers offering services to U.S. federal agencies for systems with moderate confidentiality, integrity, and availability requirements.

Terraform Registry Subdomain: fedrampmoderate

module "..." {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

module "..." {
  source = "https://fedrampmoderate.compliance.tf/terraform-aws-modules/<module>/aws"
}

Refer to the Terraform Registry Endpoints section for more details.

Implemented Controls

The following controls are implemented as part of this framework.

Enable/Disable Controls

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples

S3 bucket module with FedRAMP Moderate Baseline Rev 4 compliance framework controls enabled, and a couple of controls disabled

module "..." {
  source = "https://fedrampmoderate.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=apigateway_rest_api_stage_use_ssl_certificate,apigateway_stage_cache_encryption_at_rest_enabled"
}