compliance.tf

Terraform AWS ALB

Application Load Balancers with listeners, listener rules, target groups, TLS certificates, access logs, WAF integration, and security group restricted ingress.

Controls enforced

These compliance controls are checked at terraform plan time.

Quick start

Each framework has its own registry endpoint. Use one of the following as the module source:

module "alb" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"

  # ... your arguments here
}

module "alb" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"

  # ... your arguments here
}

module "alb" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"

  # ... your arguments here
}

module "alb" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"

  # ... your arguments here
}

module "alb" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"

  # ... your arguments here
}

module "alb" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"

  # ... your arguments here
}

module "alb" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"

  # ... your arguments here
}

module "alb" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

# Before: upstream module
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "1.0"
}

# After: compliance.tf endpoint (soc2 shown)
module "alb" {
  source  = "soc2.compliance.tf/terraform-aws-modules/alb/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "alb" {
  source  = "terraform-aws-modules/alb/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
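One way to check the "same resource addresses" claim, made above for both migration and reversal, before applying a source change: an added example (not compliance.tf's own tooling) that reads the JSON form of a saved plan, produced with terraform plan -out=tfplan followed by terraform show -json tfplan. The sample plan, its resource addresses, and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json tfplan` output
# (only the fields used here); addresses and actions are illustrative.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module.alb.aws_lb.this[0]", "type": "aws_lb",
         "change": {"actions": ["update"]}},
        {"address": "module.alb.aws_lb_listener.this[\"https\"]",
         "type": "aws_lb_listener", "change": {"actions": ["no-op"]}},
        {"address": "module.alb.aws_security_group.this[0]",
         "type": "aws_security_group",
         "change": {"actions": ["delete", "create"]}},
    ],
})


def classify_plan(plan_json: str, module_prefix: str = "module.alb.") -> dict:
    """Group planned changes under one module by what they do to state."""
    result = {"unchanged": [], "updated_in_place": [], "address_churn": []}
    plan = json.loads(plan_json)
    for rc in plan.get("resource_changes", []):
        address = rc["address"]
        if not address.startswith(module_prefix):
            continue
        actions = set(rc["change"]["actions"])
        if actions & {"create", "delete"}:
            # create, delete, or replace: a resource would be destroyed and/or created
            result["address_churn"].append(address)
        elif "update" in actions:
            # same address, attributes change in place
            result["updated_in_place"].append(address)
        else:  # "no-op" or "read"
            result["unchanged"].append(address)
    return result


def source_swap_is_safe(plan_json: str, module_prefix: str = "module.alb.") -> bool:
    """True when the swap creates, destroys, or replaces nothing in the module."""
    return not classify_plan(plan_json, module_prefix)["address_churn"]


if __name__ == "__main__":
    for bucket, addresses in classify_plan(SAMPLE_PLAN).items():
        print(f"{bucket}: {addresses}")
    print("safe to apply:", source_swap_is_safe(SAMPLE_PLAN))
```

An empty address_churn list matches the behaviour described above; entries under updated_in_place are attribute changes on existing resources and should be reviewed before apply.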

Mapped compliance frameworks

3.1.12: Monitor and control remote access sessions.

3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

3.13.15: Protect the authenticity of communications sessions.

3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

3.13.2: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

3.13.5: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

3.14.6: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

3.14.7: Identify unauthorized use of organizational systems.

3.3.1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

3.4.1: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

11.10(a): Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

11.10(e): Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

AC-17(2) Protection Of Confidentiality/Integrity Using Encryption

CP-10 Information System Recovery And Reconstitution

AC-17(2) Protection Of Confidentiality And Integrity Using Encryption

AU-12(1) System-Wide And Time-Correlated Audit Trail

AU-12(4) Query Parameter Audits Of Personally Identifiable Information

AU-6(9) Correlation With Information From Nontechnical Sources

SC-22 Architecture And Provisioning For Name/Address Resolution Service

CM-2(2) Automation Support For Accuracy And Currency

CM-8(6) Assessed Configurations And Approved Deviations

CP-2(5) Continue Mission And Business Functions

SC-8(3) Cryptographic Protection For Message Externals

SI-7(8) Auditing Capability For Significant Events

Framework coverage

Which controls from this module are active under each framework endpoint.
