FFIEC Cybersecurity Assessment Tool¶

The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool helps financial institutions identify cybersecurity risks and determine their cybersecurity preparedness. Developed by U.S. financial regulatory agencies including the Federal Reserve, FDIC, and OCC, this framework provides a repeatable and measurable process for assessing inherent risk and cybersecurity maturity. It applies to all U.S. financial institutions including banks, credit unions, and savings associations.

Terraform Registry Subdomain: ffiec¶

module "..." {
  source  = "ffiec.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

module "..." {
  source = "https://ffiec.compliance.tf/terraform-aws-modules/<module>/aws"
}

Refer to the Terraform Registry Endpoints section for more details.

Implemented Controls¶

The following controls are implemented as part of this framework.

• API Gateway stage should uses SSL certificate
• API Gateway stage logging should be enabled
• Backup plan min frequency and min retention check
• At least one enabled trail should be present in a region
• CloudTrail trails should be integrated with CloudWatch logs
• CloudWatch alarm should have an action configured
• Log group retention period should be at least 365 days
• DMS replication instances should not be publicly accessible
• DynamoDB table point-in-time recovery should be enabled
• Attached EBS volumes should have encryption enabled
• EC2 instances should have IAM profile attached
• EC2 instances should be in a VPC
• EC2 instances should not have a public IP address
• EFS file system encryption at rest should be enabled
• ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
• ELB application and classic load balancer logging should be enabled
• ELB application load balancer deletion protection should be enabled
• ELB application and network load balancers should only use SSL or HTTPS listeners
• ELB classic load balancers should have cross-zone load balancing enabled
• EMR cluster Kerberos should be enabled
• ES domain encryption at rest should be enabled
• ES domains should be in a VPC
• Elasticsearch domain should send logs to CloudWatch
• Elasticsearch domain node-to-node encryption should be enabled
• IAM password policies for users should have strong configurations
• Lambda functions concurrent execution limit configured
• Lambda functions should be configured with a dead-letter queue
• Lambda functions should be in a VPC
• RDS DB instance and cluster enhanced monitoring should be enabled
• RDS DB instance automatic minor version upgrade should be enabled
• RDS DB instance backup should be enabled
• RDS DB instances should have deletion protection enabled
• RDS DB instance encryption at rest should be enabled
• Database logging should be enabled
• RDS DB instance multiple az should be enabled
• RDS DB instances should prohibit public access
• AWS Redshift clusters should have automatic snapshots enabled
• Redshift cluster encryption in transit should be enabled
• Redshift cluster audit logging and encryption should be enabled
• AWS Redshift enhanced VPC routing should be enabled
• AWS Redshift clusters should be encrypted with KMS
• AWS Redshift should have required maintenance settings
• Redshift clusters should prohibit public access
• S3 bucket cross-region replication should be enabled
• S3 bucket default encryption should be enabled with KMS
• S3 bucket logging should be enabled
• S3 bucket object lock should be enabled
• S3 buckets should prohibit public read access
• S3 buckets should prohibit public write access
• S3 bucket versioning should be enabled
• S3 public access should be blocked at account level
• SageMaker notebook instances should not have direct internet access
• VPC subnet auto assign public IP should be disabled

Enable/Disable Controls¶

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples¶

S3 bucket module with FFIEC Cybersecurity Assessment Tool compliance framework controls enabled, and a couple of controls disabled¶

module "..." {
  source = "https://ffiec.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=apigateway_rest_api_stage_use_ssl_certificate,apigateway_stage_logging_enabled"
}