Terraform Modules for AWS Databases, Caching & Analytics Terraform AWS DynamoDB Table DynamoDB tables with server side encryption, point in time recovery, TTL, streams, autoscaling, global tables, IAM access controls, and backup oriented settings.
Controls enforced These compliance controls are checked at terraform plan time.
Quick start NIST Cybersecurity Framework v2.0 Title 21 CFR Part 11 CISA Cyber Essentials EU GMP Annex 11 HIPAA Omnibus Rule 2013 NIST SP 800-171 Rev 2 NIST SP 800-53 Rev 5 PCI DSS v4.0
module "dynamodb-table" { source = "nistcsf.compliance.tf/terraform-aws-modules/dynamodb-table/aws" version = "1.0" # ... your arguments here } module "dynamodb-table" { source = "cfrpart11.compliance.tf/terraform-aws-modules/dynamodb-table/aws" version = "1.0" # ... your arguments here } module "dynamodb-table" { source = "cisacyberessentials.compliance.tf/terraform-aws-modules/dynamodb-table/aws" version = "1.0" # ... your arguments here } module "dynamodb-table" { source = "eugmpannex11.compliance.tf/terraform-aws-modules/dynamodb-table/aws" version = "1.0" # ... your arguments here } module "dynamodb-table" { source = "hipaa.compliance.tf/terraform-aws-modules/dynamodb-table/aws" version = "1.0" # ... your arguments here } module "dynamodb-table" { source = "nist800171.compliance.tf/terraform-aws-modules/dynamodb-table/aws" version = "1.0" # ... your arguments here } module "dynamodb-table" { source = "nist80053.compliance.tf/terraform-aws-modules/dynamodb-table/aws" version = "1.0" # ... your arguments here } module "dynamodb-table" { source = "pcidss.compliance.tf/terraform-aws-modules/dynamodb-table/aws" version = "1.0" # ... your arguments here } See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.
Migration from upstream Already using terraform-aws-modules? Change only the source URL:
Before After
module "dynamodb-table" { source = "terraform-aws-modules/dynamodb-table/aws" version = "1.0" } module "dynamodb-table" { source = "soc2.compliance.tf/terraform-aws-modules/dynamodb-table/aws" version = "1.0" } Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.
Reversibility No lock-in. Switch back by reverting the source URL:
module "dynamodb-table" { source = "terraform-aws-modules/dynamodb-table/aws" } Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
Mapped compliance frameworks NIST Cybersecurity Framework v2.0 Title 21 CFR Part 11 CISA Cyber Essentials EU GMP Annex 11 HIPAA Omnibus Rule 2013 NIST SP 800-171 Rev 2 NIST SP 800-53 Rev 5 PCI DSS v4.0
11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
11.30 Controls for open systems
Booting Up: Things to Do First-1
4.8 Validation - Data Transfer
7.1 Data Storage - Damage Protection
7.2 Data Storage - Backups
164.308(a)(1)(ii)(B) Risk Management
164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
164.308(a)(7)(i) Contingency plan
164.308(a)(7)(ii)(A) Data backup plan
164.308(a)(7)(ii)(B) Disaster recovery plan
164.308(a)(7)(ii)(C) Emergency mode operation plan
164.312(a)(2)(ii) Emergency access procedure
164.312(a)(2)(iv) Encryption and decryption
164.312(e)(2)(ii) Encryption
164.314(b)(2)(iv): Organizational Requirements
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
3.13.16: Protect the confidentiality of CUI at rest.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
AU-9(3) Cryptographic Protection
CP-10(2): Transaction Recovery
CP-2(5) Continue Mission And Business Functions
CP-6(2) Recovery Time And Recovery Point Objectives
SC-28(1): Cryptographic Protection
SC-5(2) Capacity, Bandwidth, And Redundancy
SC-8(3) Cryptographic Protection For Message Externals
SC-8(4) Conceal Or Ramdomize Communications
SI-13(5) Failover Capability
SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers
System Recovery And Reconstitution (CP-10)
10.3.3: Audit log files, including those for externalfacing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify
10.3.3: Audit logs are protected from destruction and unauthorized modifications.
10.5.1: Audit log history is retained and available for analysis.
10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis
3.2.1: Storage of account data is kept to a minimum.
3.3.1.1: Sensitive authentication data (SAD) is not stored after authorization.
3.3.1.3: Sensitive authentication data (SAD) is not stored after authorization.
3.3.2: Sensitive authentication data (SAD) is not stored after authorization.
3.3.3: Sensitive authentication data (SAD) is not stored after authorization.
3.5.1: Primary account number (PAN) is secured wherever it is stored.
8.3.2: Strong authentication for users and administrators is established and managed.
8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components
Framework coverage Which controls from this module are active under each framework endpoint.
● enforced by default · ○ not activated by this endpoint
