RBI IT Framework for NBFCs¶

The Reserve Bank of India (RBI) Information Technology Framework for Non-Banking Financial Companies (NBFCs) establishes IT governance, security, and risk management requirements for non-banking financial institutions in India. This framework covers areas including IT strategy, cybersecurity, business continuity, and outsourcing arrangements for NBFCs. It applies to all deposit-taking and systemically important non-deposit taking NBFCs regulated by the Reserve Bank of India.

Terraform Registry Subdomain: rbiitfnbfc¶

module "..." {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

module "..." {
  source = "https://rbiitfnbfc.compliance.tf/terraform-aws-modules/<module>/aws"
}

Refer to the Terraform Registry Endpoints section for more details.

Implemented Controls¶

The following controls are implemented as part of this framework.

• API Gateway stage should uses SSL certificate
• API Gateway stage logging should be enabled
• Backup plan min frequency and min retention check
• At least one enabled trail should be present in a region
• CloudTrail trails should be integrated with CloudWatch logs
• Log group retention period should be at least 365 days
• CodeBuild projects should have logging enabled
• DMS replication instances should not be publicly accessible
• DynamoDB table point-in-time recovery should be enabled
• EC2 instance detailed monitoring should be enabled
• EC2 instance should have EBS optimization enabled
• EC2 instances should have IAM profile attached
• EC2 instances should be in a VPC
• EC2 instances should not have a public IP address
• ECR private repositories should have tag immutability configured
• EFS access points should enforce a root directory
• EFS access points should enforce a user identity
• ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
• ELB application and classic load balancer logging should be enabled
• ELB application load balancer deletion protection should be enabled
• ELB application load balancers should be configured to drop HTTP headers
• Application Load Balancer should be configured to drop invalid http headers
• ELB application and network load balancers should only use SSL or HTTPS listeners
• ELB classic load balancers should have cross-zone load balancing enabled
• ELB classic load balancers should span multiple availability zones
• EMR cluster Kerberos should be enabled
• ES domains should be in a VPC
• Elasticsearch domain should send logs to CloudWatch
• IAM password policies for users should have strong configurations
• KMS CMK rotation should be enabled
• Lambda functions concurrent execution limit configured
• Lambda functions should be configured with a dead-letter queue
• Lambda functions should be in a VPC
• OpenSearch domains should use HTTPS
• OpenSearch domains should be in a VPC
• OpenSearch domains logs to AWS CloudWatch Logs
• RDS DB instance and cluster enhanced monitoring should be enabled
• RDS DB instance automatic minor version upgrade should be enabled
• RDS DB instance backup should be enabled
• RDS DB instances should have deletion protection enabled
• Database logging should be enabled
• RDS DB instance multiple az should be enabled
• RDS DB instances should prohibit public access
• AWS Redshift audit logging should be enabled
• AWS Redshift clusters should have automatic snapshots enabled
• Redshift cluster encryption in transit should be enabled
• Redshift cluster audit logging and encryption should be enabled
• AWS Redshift should have required maintenance settings
• Redshift clusters should prohibit public access
• S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
• S3 bucket cross-region replication should be enabled
• S3 bucket logging should be enabled
• S3 bucket object lock should be enabled
• S3 bucket policy should prohibit public access
• S3 buckets should prohibit public read access
• S3 buckets should prohibit public write access
• S3 bucket versioning should be enabled
• S3 public access should be blocked at bucket levels
• SageMaker notebook instances should not have direct internet access
• VPC subnet auto assign public IP should be disabled

Enable/Disable Controls¶

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples¶

S3 bucket module with RBI IT Framework for NBFCs compliance framework controls enabled, and a couple of controls disabled¶

module "..." {
  source = "https://rbiitfnbfc.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=apigateway_rest_api_stage_use_ssl_certificate,apigateway_stage_logging_enabled"
}