Skip to content

Terraform AWS DynamoDB Table

DynamoDB tables with server side encryption, point in time recovery, TTL, streams, autoscaling, global tables, IAM access controls, and backup oriented settings.

4 controls enforced20 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "dynamodb_table" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "cisv140.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "cis.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "nis2.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

module "dynamodb_table" {
  source  = "soc2.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "<version>"

  # ... your arguments here
}

See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

module "dynamodb_table" {
  source  = "terraform-aws-modules/dynamodb-table/aws"
  version = "1.0"
}

module "dynamodb_table" {
  source  = "soc2.compliance.tf/terraform-aws-modules/dynamodb-table/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "dynamodb_table" {
  source  = "terraform-aws-modules/dynamodb-table/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC-EE-ML3-8.3: Regular backups ML3

Data protection

11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

11.30 Controls for open systems

11.4 Establish and Maintain an Isolated Instance of Recovery Data

Booting Up: Things to Do First-1

Your Data-1

Your Data-2

Your Data-4

Your Systems-3

4.8 Validation - Data Transfer

5 Data

7.1 Data Storage - Damage Protection

7.2 Data Storage - Backups

16 Business Continuity

17 Archiving

Denial Of Service Protection (SC-5)

Information System Backup (CP-9)

Information System Recovery And Reconstitution (CP-10)

CP-9(b))

Denial Of Service Protection (SC-5)

Information Handling and Retention (SI-12)

Information System Recovery And Reconstitution (CP-10)

D5.IR.Pl.B.6

Article 32 Security of processing

164.308(a)(1)(ii)(B) Risk Management

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

164.308(a)(7)(i) Contingency plan

164.308(a)(7)(ii)(A) Data backup plan

164.308(a)(7)(ii)(B) Disaster recovery plan

164.308(a)(7)(ii)(C) Emergency mode operation plan

164.312(a)(2)(ii) Emergency access procedure

164.312(a)(2)(iv) Encryption and decryption

164.312(e)(2)(ii) Encryption

164.314(b)(2)(iv): Organizational Requirements

A.8.5 Secure authentication

A.8.11 Data masking

A.8.24 Use of cryptography

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

3.13.16: Protect the confidentiality of CUI at rest.

AU-9(3) Cryptographic Protection

CP-1(2)

CP-2(5) Continue Mission And Business Functions

CP-6(2) Recovery Time And Recovery Point Objectives

CP-9(a)

CP-9(b)

CP-9(c)

CP-10(2): Transaction Recovery

SC-5(2) Capacity, Bandwidth, And Redundancy

SC-8(3) Cryptographic Protection For Message Externals

SC-8(4) Conceal Or Ramdomize Communications

SC-13(a)

SC-28(1): Cryptographic Protection

SI-13(5) Failover Capability

SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

System Recovery And Reconstitution (CP-10)

PR.DS-1

PR.DS-3

PR.DS-4

PR.PT-5

RC.RP-05

500.02(b)(5)

500.15(a)

3.2.1: Storage of account data is kept to a minimum.

3.3.1.1: Sensitive authentication data (SAD) is not stored after authorization.

3.3.1.3: Sensitive authentication data (SAD) is not stored after authorization.

3.3.2: Sensitive authentication data (SAD) is not stored after authorization.

3.3.3: Sensitive authentication data (SAD) is not stored after authorization.

3.5.1: Primary account number (PAN) is secured wherever it is stored.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

10.3.3: Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify

10.3.3: Audit logs are protected from destruction and unauthorized modifications.

10.5.1: Audit log history is retained and available for analysis.

10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis

Annex I (1.3)

Annex I (12)

8.IX Backup and Recovery

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate

PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

ControlNIST Cybersecurity Framework v2.0Title 21 CFR Part 11CISA Cyber EssentialsEU GMP Annex 11HIPAA Omnibus Rule 2013NIST SP 800-171 Rev 2NIST SP 800-53 Rev 5PCI DSS v4.0
DynamoDB tables should have deletion protection enabled
DynamoDB tables should have AWS KMS encryption enabled
DynamoDB tables should have encryption enabled
DynamoDB tables should have point-in-time recovery enabled

Showing top 8 frameworks by coverage. All framework endpoints →