NIST Cybersecurity Framework v2.0¶

The National Institute of Standards and Technology (NIST) Cybersecurity Framework version 2.0 provides an updated policy framework of standards, guidelines, and best practices to manage cybersecurity-related risk. Published in February 2024 by the U.S. Department of Commerce, this version adds a sixth core function (Govern) and expands guidance on supply chain risk management and cybersecurity measurement. It is applicable to organizations of all sizes across all sectors globally.

Terraform Registry Subdomain: nistcsf¶

module "..." {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

module "..." {
  source = "https://nistcsf.compliance.tf/terraform-aws-modules/<module>/aws"
}

Refer to the Terraform Registry Endpoints section for more details.

Implemented Controls¶

The following controls are implemented as part of this framework.

• RSA certificates managed by ACM should use a key length of at least 2,048 bits
• ACM certificates should have transparency logging enabled
• API Gateway stage logging should be enabled
• AppSync graphql API logging should be enabled
• Athena workgroups should be encrypted at rest
• Backup plan min frequency and min retention check
• CloudFormation stacks should have notifications enabled
• CloudFront distributions access logs should be enabled
• CloudFront distributions should use custom SSL/TLS certificates
• At least one enabled trail should be present in a region
• CloudTrail trails should be integrated with CloudWatch logs
• CloudTrail trail logs should be encrypted with KMS CMK
• CloudTrail trail log file validation should be enabled
• CloudWatch alarm should have an action configured
• CloudWatch alarm action should be enabled
• Log group retention period should be at least 365 days
• CodeBuild projects should have logging enabled
• CodeBuild project S3 logs should be encrypted
• DynamoDB table point-in-time recovery should be enabled
• Attached EBS volumes should have encryption enabled
• EBS snapshots should be encrypted
• EBS volume encryption at rest should be enabled
• EC2 instance detailed monitoring should be enabled
• EC2 transit gateways should have auto accept shared attachments disabled
• ECR repositories should have image scan on push enabled
• ECR private repositories should have tag immutability configured
• ECS task definitions should not share the host's process namespace
• EFS file system encryption at rest should be enabled
• EFS file systems should be encrypted with CMK
• ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
• ELB application and classic load balancer logging should be enabled
• ELB application load balancer deletion protection should be enabled
• ELB application and network load balancers should only use SSL or HTTPS listeners
• ELB network load balancers should have TLS listener security policy configured
• ELB listeners SSL/TLS protocol version should be checked
• Elasticsearch domains should have audit logging enabled
• Connections to Elasticsearch domains should be encrypted using TLS 1.2
• Elasticsearch domain error logging to CloudWatch Logs should be enabled
• Elasticsearch domain should send logs to CloudWatch
• IAM password policies for users should have strong configurations
• KMS CMK rotation should be enabled
• Log group encryption at rest should be enabled
• MSK clusters should be encrypted in transit among broker nodes
• Neptune DB clusters should publish audit logs to CloudWatch Logs
• Neptune DB clusters should have automated backups enabled
• Neptune DB clusters should be configured to copy tags to snapshots
• Neptune DB clusters should have deletion protection enabled
• Neptune DB clusters should be encrypted at rest
• The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
• The default stateless action for Network Firewall policies should be drop or forward for full packets
• OpenSearch domains node-to-node encryption should be enabled
• RDS clusters should have deletion protection enabled
• RDS DB clusters should be encrypted at rest
• RDS DB clusters should be configured for multiple Availability Zones
• RDS DB instance and cluster enhanced monitoring should be enabled
• RDS DB instance backup should be enabled
• RDS DB instances should have deletion protection enabled
• RDS DB instance encryption at rest should be enabled
• RDS DB instance multiple az should be enabled
• AWS Redshift clusters should have automatic snapshots enabled
• AWS Redshift should have automatic upgrades to major versions enabled
• Redshift cluster encryption in transit should be enabled
• Redshift cluster audit logging and encryption should be enabled
• AWS Redshift enhanced VPC routing should be enabled
• AWS Redshift should have required maintenance settings
• S3 access points should have block public access settings enabled
• S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
• S3 bucket cross-region replication should be enabled
• S3 bucket default encryption should be enabled
• S3 bucket default encryption should be enabled with KMS
• S3 buckets should have event notifications enabled
• S3 buckets should have lifecycle policies configured
• S3 bucket logging should be enabled
• S3 bucket object lock should be enabled
• S3 buckets object logging should be enabled
• S3 bucket policy should prohibit public access
• S3 bucket cross-account permissions should be restricted
• S3 buckets should prohibit public read access
• S3 buckets should prohibit public write access
• S3 buckets with versioning enabled should have lifecycle policies configured
• S3 bucket versioning should be enabled
• S3 public access should be blocked at account level
• S3 public access should be blocked at bucket levels
• SNS topics should be encrypted at rest
• AWS SQS queues should be encrypted at rest
• SQS queues should be encrypted with KMS CMK
• SSM parameters encryption should be enabled

Enable/Disable Controls¶

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples¶

S3 bucket module with NIST Cybersecurity Framework v2.0 compliance framework controls enabled, and a couple of controls disabled¶

module "..." {
  source = "https://nistcsf.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=acm_certificate_rsa_key_length_2048_bits_or_greater,acm_certificate_transparency_logging_enabled"
}