RBI Cyber Security Framework for UCBs
Best for: All Urban Cooperative Banks (UCBs) regulated by the Reserve Bank of India, regardless of size or asset base. The RBI circular applies uniformly to scheduled and non-scheduled UCBs. If your institution holds a UCB license from RBI and operates core banking or digital payment channels, this framework applies. Technology service providers and managed security vendors serving UCBs should also align to these requirements to support their clients' compliance obligations.
| Attribute | Detail |
| --- | --- |
| Mandatory? | Mandatory for Urban Cooperative Banks regulated by RBI |
| Who validates? | RBI supervisory examination · No self-assessment |
| Renewal | Annual compliance reporting |
| Scope | Urban Cooperative Banks; IT systems and cybersecurity controls |
Reserve Bank of India (RBI), Department of Supervision · RBI Cyber Security Framework for UCBs (2018). Official source.
Get Started
```hcl
# Replace <module> with the Compliance.tf module you are adopting and pin <version>.
module "..." {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Encryption at Rest: Runs controls checking DynamoDB table encryption (both default and KMS CMK), API Gateway cache encryption, and CloudTrail log encryption with customer-managed keys. Flags any resource using only default encryption when the framework expects KMS CMK.
- Encryption in Transit: Validates that API Gateway stages have SSL certificates attached and checks ACM certificate expiry within 30 days. Detects endpoints without TLS enforcement.
- Audit Trail and Logging: Checks for multi-region CloudTrail enablement, S3 data event logging (read and write), CloudWatch integration, API Gateway stage logging, and log group retention of at least 365 days. Covers 10 controls in this area.
- Network Exposure Prevention: Detects Auto Scaling launch configs with public IPs enabled, DMS replication instances with public accessibility, and API Gateway stages missing WAF web ACL association.
- Backup and Disaster Recovery: Verifies DynamoDB tables are included in AWS Backup plans. Flags tables without any backup configuration.
- Governance and Account Structure: Checks whether the AWS account belongs to an AWS Organizations structure, confirming centralized governance and policy enforcement.
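The list above describes checks in prose; the following is an added example (not Compliance.tf code, and not a Terraform module) that models the encryption, logging and certificate checks offline in Python. Each function takes dictionaries shaped like the AWS API responses a scanner would actually fetch (CloudTrail DescribeTrails and GetEventSelectors, CloudWatch Logs DescribeLogGroups, DynamoDB DescribeTable together with KMS DescribeKey, ACM DescribeCertificate) and returns findings. The 365-day and 30-day thresholds are the page's; the `key_manager_by_arn` dictionary is a stand-in for the KMS DescribeKey lookup, and every resource in `evaluate_sample_account()` is constructed, not captured from a real account. The point worth seeing in code is the DynamoDB case: "encryption enabled" and "KMS" are both true for the AWS-managed key, so a check that stops at `SSEType == "KMS"` cannot distinguish it from a customer-managed CMK.

```python
"""Offline model of the checks listed above (added example, not Compliance.tf code).

Each function takes dicts shaped like the AWS API responses a scanner would
fetch (CloudTrail DescribeTrails/GetEventSelectors, CloudWatch Logs
DescribeLogGroups, DynamoDB DescribeTable plus KMS DescribeKey, ACM
DescribeCertificate) and returns a list of finding strings.  Thresholds are
the page's; the inputs in evaluate_sample_account() are constructed."""
from datetime import datetime, timedelta, timezone

MIN_RETENTION_DAYS = 365   # page: minimum log group retention
CERT_WARNING_DAYS = 30     # page: flag ACM certificates expiring within 30 days


def check_cloudtrail(trail: dict, event_selectors: list) -> list:
    """Multi-region, CloudWatch delivery, KMS CMK, and S3 data events for read+write.
    Only classic event selectors are modelled here; advanced selectors are not."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail covers a single region")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("trail not delivered to CloudWatch Logs")
    if not trail.get("KmsKeyId"):
        findings.append("trail log files not encrypted with a KMS CMK")
    s3_read_write = any(
        sel.get("ReadWriteType") == "All"
        and any(dr.get("Type") == "AWS::S3::Object" for dr in sel.get("DataResources", []))
        for sel in event_selectors)
    if not s3_read_write:
        findings.append("S3 object-level data events not logged for both read and write")
    return findings


def check_log_group(group: dict) -> list:
    """DescribeLogGroups omits retentionInDays when the group never expires; the page
    treats that as a finding (no documented policy, one manual delete destroys the record)."""
    days = group.get("retentionInDays")
    if days is None:
        return ["no explicit retention policy (default: never expire)"]
    if days < MIN_RETENTION_DAYS:
        return [f"retention {days}d is below the {MIN_RETENTION_DAYS}d minimum"]
    return []


def check_dynamodb_encryption(table: dict, key_manager_by_arn: dict) -> list:
    """DescribeTable reports no SSEDescription for the AWS-owned key and SSEType 'KMS'
    for both the AWS-managed key (alias aws/dynamodb) and a customer-managed key; KMS
    DescribeKey's KeyManager ('AWS' vs 'CUSTOMER') tells those apart.  key_manager_by_arn
    stands in for that lookup so the example runs offline (assumption of this example)."""
    sse = table.get("SSEDescription") or {}
    if sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS":
        return ["table encrypted with the AWS-owned key only (no KMS)"]
    if key_manager_by_arn.get(sse.get("KMSMasterKeyArn", "")) != "CUSTOMER":
        return ["table uses the AWS-managed KMS key, not a customer-managed CMK"]
    return []


def check_certificate(cert: dict, now: datetime) -> list:
    """ACM DescribeCertificate returns NotAfter as a timezone-aware datetime."""
    remaining = cert["NotAfter"] - now
    if remaining <= timedelta(0):
        return ["certificate has expired"]
    if remaining <= timedelta(days=CERT_WARNING_DAYS):
        return [f"certificate expires in {remaining.days} days"]
    return []


def evaluate_sample_account(now=None) -> dict:
    """Run every check over constructed resources; returns {resource: [findings]}."""
    now = now or datetime(2024, 6, 1, tzinfo=timezone.utc)
    prefix = "arn:aws:kms:ap-south-1:111122223333:key/"          # constructed account
    cmk = prefix + "11111111-1111-1111-1111-111111111111"
    aws_managed = prefix + "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
    key_manager = {cmk: "CUSTOMER", aws_managed: "AWS"}          # stand-in for DescribeKey
    good_trail = {"Name": "org-trail", "IsMultiRegionTrail": True, "KmsKeyId": cmk,
                  "CloudWatchLogsLogGroupArn": "arn:aws:logs:ap-south-1:111122223333:log-group:cloudtrail:*"}
    s3_all = [{"ReadWriteType": "All",
               "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]

    def sse(key_arn):
        return {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": key_arn}

    return {
        "trail/mgmt-trail": check_cloudtrail({"Name": "mgmt-trail", "IsMultiRegionTrail": False}, []),
        "trail/org-trail": check_cloudtrail(good_trail, s3_all),
        "loggroup/default": check_log_group({"logGroupName": "/aws/lambda/payments"}),
        "loggroup/cloudtrail": check_log_group({"logGroupName": "cloudtrail", "retentionInDays": 400}),
        "dynamodb/accounts": check_dynamodb_encryption(
            {"TableName": "accounts", "SSEDescription": sse(aws_managed)}, key_manager),
        "dynamodb/ledger": check_dynamodb_encryption(
            {"TableName": "ledger", "SSEDescription": sse(cmk)}, key_manager),
        "acm/api-cert": check_certificate({"NotAfter": now + timedelta(days=12)}, now),
        "acm/renewed-cert": check_certificate({"NotAfter": now + timedelta(days=200)}, now),
    }


if __name__ == "__main__":
    for resource, findings in evaluate_sample_account().items():
        print(f"{resource}: {'PASS' if not findings else '; '.join(findings)}")
```

Running the module prints one line per constructed resource; the single-region trail with no event selectors produces all four CloudTrail findings, while `org-trail` passes. To turn this into a live scanner you would replace the constructed dictionaries with boto3 calls that return the same shapes, and replace `key_manager_by_arn` with a real `kms.describe_key()` call per table key.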
What you handle
- Encryption at Rest: Key rotation schedules, IAM access policies on CMKs, and a key custodian register are your responsibility. RBI expects documented key management procedures, not just the technical controls.
- Encryption in Transit: Procure and renew certificates before expiry, enforce minimum TLS version policies across all banking channels, and document SSL/TLS configurations for audit evidence.
- Audit Trail and Logging: Log review is a function, not a configuration. Your SOC or designated monitoring team owns alerting thresholds and SIEM integration. Periodic log analysis is explicitly called out in RBI's monitoring provisions.
- Network Exposure Prevention: Design and maintain network architecture diagrams, implement firewall rules beyond AWS-native controls, conduct periodic penetration testing, and document network segmentation rationale.
- Backup and Disaster Recovery: Define recovery time objectives (RTO) and recovery point objectives (RPO) per RBI guidelines, conduct periodic DR drills, maintain offsite backup documentation, and test restoration procedures at least annually.
- Governance and Account Structure: Establish an IT Steering Committee and a dedicated information security function as mandated by RBI. Document organizational reporting lines, define roles and responsibilities, and maintain board-approved cybersecurity policies.
Controls by Category
Audit Logging and Trail Management (3 controls)
Auditors verify that all API and infrastructure activity is logged across every region with no gaps. They expect evidence of centralized log aggregation via CloudWatch integration and will flag accounts where trails cover only a single region. Common finding: CloudTrail enabled but S3 data event logging missing, leaving object-level access unaudited.
Data Protection and Encryption (5 controls)
KMS customer-managed keys, not AWS default encryption, are what assessors want to see on DynamoDB tables, CloudTrail logs, and API Gateway cache. Valid SSL certificates on all external endpoints are checked as well. Expired or soon-to-expire ACM certificates are a recurring finding during assessments.
Log Retention and Evidence Preservation (1 control)
Unset retention policies on CloudWatch log groups are one of the most common findings in this category. The minimum bar is 365 days, and assessors check this directly during RBI supervisory inspections. A log group with no retention setting keeps everything forever, so storage cost grows unbounded until someone deletes the group by hand, and that manual cleanup destroys the forensic record along with the cost.
Network Security and Access Restrictions (1 control)
RBI expects UCBs to prevent unauthorized network exposure of banking infrastructure. Auditors check that compute instances and DMS replication instances are not directly internet-accessible, and that API Gateway stages have a WAF web ACL associated. Be clear about what that last check proves: association confirms a web ACL sits in the request path, but protection against OWASP Top 10 classes depends on the rule groups inside that ACL (for example the AWS Managed Rules core rule set) and on those rules running in block rather than count mode, neither of which the association check establishes. Legacy launch configurations that still assign public IPs are a persistent problem.
Additional Controls (69)
AWS IAM (2)
AWS Lambda (2)
Amazon CloudWatch Logs (1)
Amazon EBS (2)
Amazon EC2 (2)
Amazon EFS (2)
Amazon ElastiCache (1)
Amazon OpenSearch Service (5)
Amazon RDS (12)
Amazon Redshift (8)
Amazon S3 (11)
Amazon SageMaker (4)
Elastic Load Balancing (8)
Related Frameworks
NIST 800-53 Rev 5: Medium overlap (45%)
RBI's cyber security framework draws heavily from NIST 800-53 concepts, particularly in the access control (AC), audit and accountability (AU), and system and communications protection (SC) families. NIST provides more granular control specifications, while RBI focuses on banking-specific implementation guidance.
PCI DSS v3.2.1: Medium overlap (35%)
Both frameworks address encryption, logging, and network segmentation for payment infrastructure. PCI DSS is more prescriptive about cardholder data environments specifically, while RBI covers broader banking operations including core banking and SWIFT. Note that PCI DSS v3.2.1 was retired on 31 March 2024; current assessments are against v4.0.1, so map the overlap to the version your assessor will use.
SOC 2: Medium overlap (30%)
SOC 2 trust service criteria for security and availability partially overlap with RBI's requirements on access control, monitoring, and business continuity. SOC 2 is attestation-based with broader applicability, whereas RBI is a regulatory mandate specific to Indian UCBs.