Compliance-Ready Terraform Modules
Drop-in replacements for terraform-aws-modules with compliance controls enforced by default. Change the source URL — same interface, same arguments, same outputs.
34 modules · 300+ controls · 36 frameworks
How It Works
- Pick your framework — SOC 2, PCI DSS, CIS, HIPAA, NIST, and 30+ more
- Change the source URL — from `terraform-aws-modules/...` to `soc2.compliance.tf/...`
- Run `terraform plan` — controls are validated automatically at plan time
Storage
- EFS: Amazon EFS file systems with mount targets, access points, backup policies, lifecycle management, encryption at rest, and security group controlled NFS access.
- FSx: Amazon FSx file systems for Windows, Lustre, NetApp ONTAP, or OpenZFS with storage capacity, throughput, backups, encryption, and deployment in private subnets.
- S3 Bucket: S3 buckets with versioning, default encryption, public access blocks, bucket policies, access logging, lifecycle rules, replication, event notifications, and optional Object Lock controls.
Compute & Containers
- Autoscaling: Auto Scaling groups with launch templates, instance refresh, health checks, scaling policies, mixed instance options, IAM instance profiles, and security group based network controls.
- EC2 Instance: EC2 instances with IAM roles, EBS encryption, IMDSv2, security groups, detailed monitoring, user data, placement options, and optional Elastic IPs or attached volumes.
- ECR: ECR repositories with image scanning, immutable tags, KMS encryption, lifecycle policies, repository policies, replication, and controlled push and pull access.
- ECS: ECS clusters, services, and task definitions with IAM roles, logging, load balancer integration, service discovery, capacity providers, and Fargate or EC2 runtime settings.
- EKS: EKS clusters with managed node groups, Fargate profiles, cluster encryption, IAM and OIDC integration, VPC networking, control plane logging, security groups, and core add-ons.
- Lambda: Lambda functions with IAM execution roles, VPC configuration, log groups, reserved concurrency, dead letter handling, environment variables, code signing support, and optional KMS encryption.
Networking & Edge
- ALB: Application Load Balancers with listeners, listener rules, target groups, TLS certificates, access logs, WAF integration, and security group restricted ingress.
- CloudFront: CloudFront distributions with origins, origin access control, TLS certificates, cache behaviors, WAF association, logging, geo restrictions, and HTTPS only content delivery.
- ELB: Classic Load Balancers with listeners, health checks, SSL certificates, cross zone balancing, connection draining, access logging, and security group controlled ingress.
- Network Firewall: AWS Network Firewall rule groups, firewall policies, firewalls, logging destinations, stateless and stateful inspection rules, and subnet placement for traffic filtering.
- VPC: VPCs with public and private subnets, route tables, NAT gateways, Internet gateways, VPC endpoints, flow logs, network ACLs, and security group foundations for workload isolation.
- VPN Gateway: Site to site VPN connections with customer gateways, VPN gateways or transit gateway attachments, tunnels, routing propagation, and encrypted connectivity between on premises networks and AWS.
Databases, Caching & Analytics
- DMS: Database Migration Service replication instances, source and target endpoints, replication tasks, subnet groups, logging, and controlled network placement for data migration.
- DynamoDB Table: DynamoDB tables with server side encryption, point in time recovery, TTL, streams, autoscaling, global tables, IAM access controls, and backup oriented settings.
- Elasticache: Redis or Memcached clusters and replication groups with subnet groups, security groups, transit and at rest encryption, auth tokens, parameter groups, and automatic failover.
- EMR: EMR clusters and instance groups with security configurations, encryption in transit and at rest, Kerberos, IAM roles, bootstrap actions, logging, and deployment in private subnets.
- OpenSearch: OpenSearch domains with VPC placement, encryption at rest, node to node encryption, fine grained access control, audit logs, TLS enforcement, and snapshot configuration.
- RDS: RDS instances with subnet groups, security groups, storage encryption, automated backups, maintenance windows, performance insights, IAM authentication, and log exports.
- RDS Aurora: Aurora clusters and instances with private subnet placement, storage encryption, automated backups, reader endpoints, IAM authentication, log exports, and multi AZ high availability.
- Redshift: Redshift clusters or serverless workgroups with VPC networking, encryption, audit logging, snapshot settings, parameter groups, enhanced VPC routing, and controlled access.
Security, Keys & Configuration
- ACM: ACM certificates and validation records for public or private TLS, certificate renewal, and associations used by load balancers, CloudFront distributions, and APIs.
- KMS: KMS keys, aliases, grants, key policies, rotation, multi Region options, and tightly scoped permissions used to encrypt data across AWS services.
- Secrets Manager: Secrets, secret versions, rotation schedules, KMS encryption, resource policies, replication, and controlled retrieval of database passwords, API keys, and tokens.
- SSM Parameter: Systems Manager Parameter Store parameters with KMS encryption, parameter policies, versioning, tier selection, and controlled access to application configuration and secret values.
Messaging & Streaming
- MSK Kafka Cluster: MSK clusters with broker configuration, encryption in transit and at rest, client authentication, logging, VPC networking, and cluster policies for streaming workloads.
- SNS: SNS topics and subscriptions with KMS encryption, topic policies, delivery policies, dead letter configuration, and controlled fan out of events and notifications.
- SQS: SQS queues with server side encryption, access policies, FIFO options, visibility timeout, redrive policies, and dead letter queues for durable message processing.
API & Application Integration
- API Gateway v2: HTTP and WebSocket APIs with routes, stages, custom domains, TLS certificates, access logs, JWT or Lambda authorizers, throttling, and private or public integrations.
- AppSync: GraphQL APIs with resolvers, data sources, API keys or IAM and Cognito authentication, logging, caching, custom domains, and fine grained access patterns.
- Step Functions: State machines with IAM execution roles, logging, tracing, retries, timeouts, and workflow definitions for auditable application orchestration.