compliance.tf
Terraform Modules for AWSNetworking & Edge

Terraform AWS CloudFront

CloudFront distributions with origins, origin access control, TLS certificates, cache behaviors, WAF association, logging, geo restrictions, and HTTPS only content delivery.

Controls enforced

These compliance controls are checked at terraform plan time.

Quick start

module "cloudfront" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/cloudfront/aws"
  version = "1.0"

  # ... your arguments here
}
module "cloudfront" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/cloudfront/aws"
  version = "1.0"

  # ... your arguments here
}
module "cloudfront" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/cloudfront/aws"
  version = "1.0"

  # ... your arguments here
}
module "cloudfront" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/cloudfront/aws"
  version = "1.0"

  # ... your arguments here
}
module "cloudfront" {
  source  = "soc2.compliance.tf/terraform-aws-modules/cloudfront/aws"
  version = "1.0"

  # ... your arguments here
}
module "cloudfront" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/cloudfront/aws"
  version = "1.0"

  # ... your arguments here
}
module "cloudfront" {
  source  = "nis2.compliance.tf/terraform-aws-modules/cloudfront/aws"
  version = "1.0"

  # ... your arguments here
}
module "cloudfront" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/cloudfront/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "cloudfront" {
  source  = "terraform-aws-modules/cloudfront/aws"
  version = "1.0"
}
module "cloudfront" {
  source  = "soc2.compliance.tf/terraform-aws-modules/cloudfront/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "cloudfront" {
  source  = "terraform-aws-modules/cloudfront/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.3.1: Audit logs are protected from destruction and unauthorized modifications.

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons

2.2.7: System components are configured and managed securely.

3.5.1.1: Primary account number (PAN) is secured wherever it is stored.

3.5.1.3: Primary account number (PAN) is secured wherever it is stored.

3.6.1.2: Cryptographic keys used to protect stored account data are secured.

3.6.1.3: Cryptographic keys used to protect stored account data are secured.

3.6.1.4: Cryptographic keys used to protect stored account data are secured.

3.6.1: Cryptographic keys used to protect stored account data are secured.

3.7.1: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

3.7.2: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

3.7.4: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

3.7.6: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

3.7.7: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained

4.2.1: PAN is protected with strong cryptography during transmission.

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

6.4.1: Public-facing web applications are protected against attacks.

6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks

6.4.2: Public-facing web applications are protected against attacks.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.

A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives

PI1.2 System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements

PI1.4 System outputs are complete, accurate, distributed only to intended parties, and retained to meet the entity's processing integrity commitments and system requirements

164.308(a)(1)(ii)(D): Administrative Safeguards

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

ACSC-EE-ML2-7.7: Multi-factor authentication ML2

Framework coverage

Which controls from this module are active under each framework endpoint.

ControlPCI DSS v4.0SOC 2HIPAA Omnibus Rule 2013
CloudFront distributions should have a default root object configured
CloudFront distributions should require encryption in transit
CloudFront distributions should have field level encryption enabled
CloudFront distributions should have geo restriction enabled
CloudFront distributions should have latest TLS version
CloudFront distributions access logs should be enabled
CloudFront distributions should use SNI to serve HTTPS requests
CloudFront distributions should use custom SSL/TLS certificates
CloudFront distributions should use the recommended TLS security policy
CloudFront distributions should have AWS WAF enabled

enforced by default · not activated by this endpoint

ALB

Previous Page

ELB

Next Page

On this page

Controls enforcedQuick startMigration from upstreamReversibilityMapped compliance frameworksFramework coverage

Ask AI about this

Help improve this page