Terraform AWS ACM

Controls enforced

These compliance controls are checked at terraform plan time.

• ACM certificates should not use wildcard certificates(medium effort)
• ACM RSA certificates should use a key length of at least 2,048 bits(low effort)
• ACM certificates should have transparency logging enabled(low effort)

Quick start

module "acm" {
  source  = "nis2.compliance.tf/terraform-aws-modules/acm/aws"
  version = "1.0"

  # ... your arguments here
}

module "acm" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/acm/aws"
  version = "1.0"

  # ... your arguments here
}

module "acm" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/acm/aws"
  version = "1.0"

  # ... your arguments here
}

module "acm" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/acm/aws"
  version = "1.0"

  # ... your arguments here
}

module "acm" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/acm/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "1.0"
}

module "acm" {
  source  = "soc2.compliance.tf/terraform-aws-modules/acm/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

Framework coverage

Which controls from this module are active under each framework endpoint.

● enforced by default · ○ not activated by this endpoint