Skip to content

Terraform AWS ALB

Application Load Balancers with listeners, listener rules, target groups, TLS certificates, access logs, WAF integration, and security group restricted ingress.

11 controls enforced23 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "alb" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "cisv140.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "cis.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "nis2.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

module "alb" {
  source  = "soc2.compliance.tf/terraform-aws-modules/alb/aws"
  version = "<version>"

  # ... your arguments here
}

See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "1.0"
}

module "alb" {
  source  = "soc2.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "alb" {
  source  = "terraform-aws-modules/alb/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC-EE-ML2-7.7: Multi-factor authentication ML2

ISM-0260: Using web proxies

Data protection

Detection

Identity and access management

Infrastructure protection

SC-8: Transmission Confidentiality and Integrity

11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

11.30 Controls for open systems

8.2 Collect Audit Logs

Your Data-2

Your Data-4

Your Surroundings-3

Your Systems-3

7.1 Data Storage - Damage Protection

Audit Events (AU-2)

Baseline Configuration (CM-2)

Boundary Protection (SC-7)

Denial Of Service Protection (SC-5)

Information System Recovery And Reconstitution (CP-10)

Remote Access (AC-17)

AC-17(2) Protection Of Confidentiality/Integrity Using Encryption

AU-2(a)(d)

AU-6(1)(3)

AU-12(a)(c)

Boundary Protection (SC-7)

Content of Audit Records (AU-3)

Denial Of Service Protection (SC-5)

Information System Recovery And Reconstitution (CP-10)

SC-8(1) Cryptographic Or Alternate Physical Protection

Session Authenticity (SC-23)

Transmission Integrity (SC-8)

D2.MA.Ma.B.1

D2.MA.Ma.B.2

D3.DC.An.B.3

D3.DC.An.B.4

D3.DC.Ev.B.1

D3.PC.Am.B.13

D3.PC.Im.B.3

D5.DR.De.B.3

D5.IR.Pl.B.6

Article 30 Records of processing activities

Article 32 Security of processing

164.308(a)(1)(ii)(B) Risk Management

164.308(a)(1)(ii)(D): Administrative Safeguards

164.308(a)(3)(ii)(A) Authorization and/or supervision

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

164.308(a)(6)(ii) Response and reporting

164.308(a)(7)(ii)(C) Emergency mode operation plan

164.312(b) Audit controls

164.312(e)(1) Transmission security

164.312(e)(2)(i) Integrity controls

164.312(e)(2)(ii) Encryption

A.8.1 User endpoint devices

A.8.15 Logging

3 Incident handling

6 Security in network and information systems acquisition, development and maintenance

3.1.12: Monitor and control remote access sessions.

3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions

3.3.1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity

3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles

3.5.10 Store and transmit only cryptographically-protected passwords

3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

3.13.15 Protect the authenticity of communications sessions

3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks

3.14.7: Identify unauthorized use of organizational systems.

AC-4(22) Access Only

AC-4(26) Audit Filtering Actions

AC-17(2) Protection Of Confidentiality And Integrity Using Encryption

AC-24(1)

Architecture And Provisioning For Name/Address Resolution Service (SC-22)

AU-2(b)

AU-3(a)

AU-3(b)

AU-3(c)

AU-3(d)

AU-3(e)

AU-3(f)

AU-6(3) Correlate Audit Record Repositories

AU-6(4) Central Review And Analysis

AU-6(6) Correletion With Physical Monitoring

AU-6(9) Correletion With From Nontechnical Sources

AU-8(b)

AU-9(3) Cryptographic Protection

AU-12(1) System-Wide And Time-Correlated Audit Trial

AU-12(2) Standardized Formats

AU-12(3) Changes By Authorized Individuals

AU-12(4) Query Parameter Audits Of Personally Identifiable Information

AU-12(a)

AU-12(c)

AU-14(3) Remote Viewing And Listening

AU-14(a)

AU-14(b)

CA-7(4)(c)

CA-7(b)

CA-9(b)

CM-2(2) Automation Support For Accuracy And Currency

CM-2(a)

CM-3(a)

CM-5(1)(b)

CM-8(6) Assessed Configurations And Approved Deviations

Continuous Monitoring Strategy (PM-31)

CP-1(a)(1)(b)

CP-2(5) Continue Mission And Business Functions

CP-2(a)

CP-2(d)

CP-2(e)

IA-3(3)(b)

IA-5(1)(c)

Information Flow Enforcement (AC-4)

MA-4(1)(a)

Non-Repudiation (AU-10)

PM-14(a)(1)

PM-14(b)

PM-17(b)

SA-15(a)(4)

SC-5(2) Capacity, Bandwidth, And Redundancy

SC-7(4)(b)

SC-7(4)(g)

SC-7(5) Deny By Default -- Allow By Exception

SC-7(9)(b)

SC-8(1): Cryptographic Protection

SC-8(2) Pre- And Post-Transmission Handling

SC-8(3) Cryptographic Protection For Message Externals

SC-8(4) Conceal Or Ramdomize Communications

SC-8(5) Protected Distribution System

SC-13(a)

SC-23(5) Allowed Certificate Authorities

Session Authenticity (SC-23)

SI-1(a)(2)

SI-4(17) Integrated Situational Awareness

SI-7(8) Auditing Capability For Significant Events

Transmission Confidentiality And Integrity (SC-8)

DE.CM-01

ID.AM-08

PR.DS-02

PR.DS-3

500.02(a)

500.14(a)

500.15(a)

1.2.5: Network security controls (NSCs) are configured and maintained.

1.2.8: Network security controls (NSCs) are configured and maintained.

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

2.2.5: System components are configured and managed securely.

2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons

2.2.7: System components are configured and managed securely.

3.5.1.1: Primary account number (PAN) is secured wherever it is stored.

3.5.1.3: Primary account number (PAN) is secured wherever it is stored.

3.6.1: Cryptographic keys used to protect stored account data are secured.

3.6.1.2: Cryptographic keys used to protect stored account data are secured.

3.6.1.3: Cryptographic keys used to protect stored account data are secured.

3.6.1.4: Cryptographic keys used to protect stored account data are secured.

3.7.1: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

3.7.2: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

3.7.4: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

3.7.6: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

3.7.7: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

4.2.1: PAN is protected with strong cryptography during transmission.

4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained

4.2.1.1: PAN is protected with strong cryptography during transmission.

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.3.1: Audit logs are protected from destruction and unauthorized modifications.

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.

A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities

Annex I (1.3)

Annex I (7.4)

3.1.a Identification and Classification of Information Assets

8.1 IT Systems

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives

CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures

PI1.2 System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

ControlAWS Well-Architected Framework v10NIST SP 800-171 Rev 2RBI Cyber Security Framework for UCBsTitle 21 CFR Part 11FedRAMP Moderate Baseline Rev 4FFIEC Cybersecurity Assessment ToolNIST SP 800-53 Rev 5HIPAA Omnibus Rule 2013
ELB application and classic load balancer logging should be enabled
ELB load balancers should prohibit public access
ELB application load balancer deletion protection should be enabled
ELB application load balancers should be configured with defensive or strictest desync mitigation mode
ELB application load balancers should be configured to drop HTTP headers
ELB application load balancers should drop invalid HTTP headers
ELB application and network load balancers should use recommended security policies
ELB application and network load balancers should only use SSL or HTTPS listeners
ELB application and network load balancer listeners should use secure protocols
ELB network load balancers should have TLS listener security policy configured
ELB listeners should use approved SSL/TLS protocol versions

Showing top 8 frameworks by coverage. All framework endpoints →