
Terraform AWS EC2 Instance

EC2 instances with IAM roles, EBS encryption, IMDSv2, security groups, detailed monitoring, user data, placement options, and optional Elastic IPs or attached volumes.

16 controls enforced, 26 frameworks

Controls Enforced

The compliance controls this module enforces at terraform plan time are listed under Framework Coverage below; each framework endpoint activates the subset that maps to that framework.

Quick Start

module "ec2_instance" {
  source  = "<framework>.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "<version>"

  # ... your arguments here
}

Replace <framework> with the endpoint for the framework you need. Every endpoint serves the same module; only the set of activated controls differs:

  acscessentialeight.compliance.tf
  acscism2023.compliance.tf
  awscontroltower.compliance.tf
  awsgenai.compliance.tf
  awswellarchitected.compliance.tf
  cccsmedium.compliance.tf
  cfrpart11.compliance.tf
  cisv140.compliance.tf
  cisv500.compliance.tf
  cis.compliance.tf
  cisv80ig1.compliance.tf
  cisacyberessentials.compliance.tf
  eugmpannex11.compliance.tf
  fedramplow.compliance.tf
  fedrampmoderate.compliance.tf
  ffiec.compliance.tf
  gdpr.compliance.tf
  hipaa.compliance.tf
  iso27001.compliance.tf
  nis2.compliance.tf
  nist800171.compliance.tf
  nist80053.compliance.tf
  nistcsf.compliance.tf
  nydfs23.compliance.tf
  pcidss.compliance.tf
  rbicybersecurity.compliance.tf
  rbiitfnbfc.compliance.tf
  soc2.compliance.tf

Pin version to an exact release rather than a range, so that terraform init cannot resolve to a module build other than the one you reviewed.

See the Get Started guide for setup, and the Features section for details on customizing the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL, then re-run terraform init so Terraform fetches the module from the new source.

Before (upstream):

module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "1.0"
}

After (compliance.tf; the SOC 2 endpoint is shown, every framework endpoint works the same way):

module "ec2_instance" {
  source  = "soc2.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, the plan fails with a validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC Essential Eight

ACSC-EE-ML3-7.10: Multi-factor authentication ML3
ACSC-EE-ML3-8.7: Regular backups ML3

AWS Control Tower

1.0.1: Disallow launch of EC2 instance types that are not EBS-optimized
1.0.3: Enable encryption for EBS volumes attached to EC2 instances

Title 21 CFR Part 11

11.10(d): Limiting system access to authorized individuals
11.10(e): Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
11.10(g): Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
11.10(k): Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance
11.30: Controls for open systems

HIPAA Security Rule (45 CFR Part 164)

164.308(a)(1)(ii)(B): Risk management
164.308(a)(3)(i): Workforce security
164.308(a)(4)(ii)(A): Isolating health care clearinghouse functions
164.312(a)(1): Access control
164.312(a)(2)(ii): Emergency access procedure
164.312(a)(2)(iv): Encryption and decryption
164.312(b): Audit controls
164.312(c)(1): Integrity
164.312(c)(2): Mechanism to authenticate electronic protected health information
164.312(e)(1): Transmission security
164.312(e)(2)(ii): Encryption
164.314(b)(2)(iv): Organizational requirements

ISO/IEC 27001:2022 Annex A

A.8.1: User endpoint devices
A.8.2: Privileged access rights
A.8.11: Data masking
A.8.20: Network security
A.8.21: Security of network services
A.8.22: Segregation of networks
A.8.24: Use of cryptography

NIST SP 800-171 Rev 2

3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute
3.1.3: Control the flow of CUI in accordance with approved authorizations
3.1.14: Route remote access via managed access control points
3.5.10: Store and transmit only cryptographically-protected passwords
3.12.4: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems
3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
3.13.2: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
3.13.5: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
3.13.16: Protect the confidentiality of CUI at rest

NIST SP 800-53 Rev 5

AC-2(6): Dynamic Privilege Management
AC-3: Access Enforcement
AC-3(3): Mandatory Access Control
AC-3(3)(a)
AC-3(3)(b)(1)
AC-3(3)(c)
AC-3(4): Discretionary Access Control
AC-3(4)(a)
AC-3(4)(b)
AC-3(4)(c)
AC-3(4)(d)
AC-3(4)(e)
AC-3(7): Role-Based Access Control
AC-3(8): Revocation of Access Authorizations
AC-3(12)(a)
AC-3(13): Attribute-Based Access Control
AC-3(15)(a)
AC-3(15)(b)
AC-4(21): Physical or Logical Separation of Information Flows
AC-4(28): Linear Filter Pipelines
AC-6: Least Privilege
AC-17(b)
AC-17(1): Monitoring and Control
AC-17(4)(a)
AC-17(9): Disconnect or Disable Access
AC-17(10): Authenticate Remote Commands
AC-24: Access Control Decisions
AU-9(3): Cryptographic Protection
CM-5(1)(a)
CM-6(a)
CM-9(b)
CP-9(d)
IA-9: Service Identification and Authentication
MP-2: Media Access
SA-8(20): Secure Metadata Management
SC-7: Boundary Protection
SC-7(a)
SC-7(b)
SC-7(c)
SC-7(2): Public Access
SC-7(3): Access Points
SC-7(7): Split Tunneling for Remote Devices
SC-7(9)(a)
SC-7(11): Restrict Incoming Communications Traffic
SC-7(12): Host-Based Protection
SC-7(16): Prevent Discovery of System Components
SC-7(20): Dynamic Isolation and Segregation
SC-7(21): Isolation of System Components
SC-7(24)(b)
SC-7(25): Unclassified National Security System Connections
SC-7(26): Classified National Security System Connections
SC-7(27): Unclassified Non-National Security System Connections
SC-7(28): Connections to Public Networks
SC-8(3): Cryptographic Protection for Message Externals
SC-8(4): Conceal or Randomize Communications
SC-13(a)
SC-23(3): Unique System-Generated Session Identifiers
SC-25: Thin Nodes
SC-28(1): Cryptographic Protection
SI-19(4): Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers

PCI DSS v4.0

1.3.2: Network access to and from the cardholder data environment is restricted
1.4.4: System components that store cardholder data are not directly accessible from untrusted networks
3.5.1: Primary account number (PAN) is secured wherever it is stored
7.2.1: Access to system components and data is appropriately defined and assigned
7.2.2: Access to system components and data is appropriately defined and assigned
7.2.5: Access to system components and data is appropriately defined and assigned
7.3.1: Access to system components and data is managed via an access control system(s)
7.3.2: Access to system components and data is managed via an access control system(s)
7.3.3: Access to system components and data is managed via an access control system(s)
8.2.7: User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle
8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session
8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components
8.3.4: Strong authentication for users and administrators is established and managed
8.3.11: Where authentication factors such as physical or logical security tokens, smart cards, or certificates
10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events
10.4.1: Audit logs are reviewed to identify anomalies or suspicious activity
10.4.1.1: Audit logs are reviewed to identify anomalies or suspicious activity
10.4.2: Audit logs are reviewed to identify anomalies or suspicious activity
10.6.3: Time-synchronization mechanisms support consistent time settings across all systems
10.7.1: Failures of critical security control systems are detected, reported, and responded to promptly
10.7.2: Failures of critical security control systems are detected, reported, and responded to promptly
11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed
A3.3.1: PCI DSS is incorporated into business-as-usual (BAU) activities
A3.5.1: Suspicious events are identified and responded to

SOC 2 (Trust Services Criteria)

A1.2: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives
CC6.2: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity
CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries
CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events
PI1.5: Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

Control | NIST SP 800-171 Rev 2 | PCI DSS v4.0 | ISO/IEC 27001:2022 | NIST SP 800-53 Rev 5 | Title 21 CFR Part 11 | FedRAMP Moderate Baseline Rev 4 | HIPAA Omnibus Rule 2013 | SOC 2

Attached EBS volumes should have encryption enabled
EBS volumes should have encryption at rest enabled
EC2 instances should have attached EBS volumes marked for deletion on termination
EC2 instances should have detailed monitoring enabled
EC2 instances should have EBS optimization enabled
EC2 instances should have an IAM instance profile attached
EC2 instances should be in a VPC
EC2 instances should not use key pairs in the running state
EC2 instances should not have a public IP address
EC2 instances should not use multiple ENIs
EC2 instances should have termination protection enabled
EC2 instances should use IMDSv2
EC2 instances should use IAM instance roles for AWS resource access
EC2 instances should not use paravirtual instance types
VPC security groups should only allow unrestricted incoming traffic for authorized ports
VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to Cassandra ports 7199, 9160 or 8888

Showing top 8 frameworks by coverage.
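The controls in the table above map to concrete attributes of the planned aws_instance and security-group rule resources, and the Migration section's claim that they are enforced at terraform plan time can be verified independently of the module. The script below is an added example, not code from this page or from compliance.tf: it reads the JSON that terraform show -json emits for a saved plan and reports, per resource, which of the listed controls the planned attributes violate. It uses the hashicorp/aws provider's attribute names for aws_instance (metadata_options.http_tokens, root_block_device, ebs_block_device, associate_public_ip_address, monitoring, ebs_optimized, iam_instance_profile, disable_api_termination, key_name, subnet_id) and aws_vpc_security_group_ingress_rule (cidr_ipv4, cidr_ipv6, ip_protocol, from_port, to_port); inline ingress blocks on aws_security_group and the ENI-count and paravirtual controls are not covered. The embedded SAMPLE_PLAN is constructed, not real Terraform output, and the set of ports allowed to be open to the world (80 and 443) is an assumption you should replace with your own allowlist. Attributes that only become known at apply time (present in after_unknown) are skipped rather than flagged.

```python
"""Audit `terraform show -json` output for the EC2 controls listed on this page.
Usage: terraform plan -out tfplan && terraform show -json tfplan > plan.json && python check_plan.py plan.json
With no argument it runs against the constructed SAMPLE_PLAN below."""
import json
import sys

AUTHORIZED_PUBLIC_PORTS = {80, 443}   # assumption: only HTTP/HTTPS may be open to the world
CASSANDRA_PORTS = {7199, 9160, 8888}  # ports named by the Cassandra security-group control


def first_block(after: dict, name: str) -> dict:
    """Nested blocks are rendered as lists in plan JSON; return the first one or {}."""
    blocks = after.get(name) or []
    return blocks[0] if blocks else {}


def check_instance(after: dict, unknown: dict) -> list[str]:
    """Violations for one planned aws_instance. Attributes in after_unknown are computed
    at apply time (e.g. a profile created in the same plan) and are skipped, not flagged."""
    findings = []
    if first_block(after, "metadata_options").get("http_tokens") != "required":
        findings.append("IMDSv2 not enforced: metadata_options.http_tokens must be 'required'")
    root = first_block(after, "root_block_device")
    if root.get("encrypted") is not True:
        findings.append("root_block_device.encrypted must be true")
    if root.get("delete_on_termination") is False:
        findings.append("root_block_device.delete_on_termination must be true")
    for vol in after.get("ebs_block_device") or []:
        if vol.get("encrypted") is not True:
            findings.append(f"ebs_block_device {vol.get('device_name')} must be encrypted")
    if after.get("associate_public_ip_address") is True:
        findings.append("associate_public_ip_address must be false")
    if after.get("monitoring") is not True:
        findings.append("monitoring (detailed monitoring) must be true")
    if after.get("ebs_optimized") is not True:
        findings.append("ebs_optimized must be true")
    if not after.get("iam_instance_profile") and "iam_instance_profile" not in unknown:
        findings.append("iam_instance_profile must be set: use an instance role, not static keys")
    if after.get("disable_api_termination") is not True:
        findings.append("disable_api_termination (termination protection) must be true")
    if after.get("key_name"):
        findings.append("key_name is set: prefer SSM Session Manager over SSH key pairs")
    if not after.get("subnet_id") and "subnet_id" not in unknown:
        findings.append("subnet_id must be set so the instance is placed in a VPC")
    return findings


def check_ingress_rule(after: dict) -> list[str]:
    """Violations for one aws_vpc_security_group_ingress_rule that is open to 0.0.0.0/0 or ::/0."""
    if after.get("cidr_ipv4") != "0.0.0.0/0" and after.get("cidr_ipv6") != "::/0":
        return []  # not world-reachable; the unrestricted-ingress controls do not apply
    if after.get("ip_protocol") == "-1":
        return ["all protocols open to the world"]
    lo, hi = int(after.get("from_port") or 0), int(after.get("to_port") or 0)
    ports = set(range(lo, hi + 1))
    findings = []
    if ports & CASSANDRA_PORTS:
        findings.append(f"Cassandra port(s) {sorted(ports & CASSANDRA_PORTS)} open to the world")
    if ports - AUTHORIZED_PUBLIC_PORTS:
        findings.append(f"port range {lo}-{hi} open to the world outside the authorized set")
    return findings


def check_plan(plan: dict) -> dict[str, list[str]]:
    """Map each planned resource address to its violations (an empty list means compliant)."""
    results = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # resources being destroyed are not evaluated
        after, unknown = change.get("after") or {}, change.get("after_unknown") or {}
        if rc.get("type") == "aws_instance":
            results[rc["address"]] = check_instance(after, unknown)
        elif rc.get("type") == "aws_vpc_security_group_ingress_rule":
            results[rc["address"]] = check_ingress_rule(after)
    return results


# Constructed sample (not real Terraform output): one non-compliant and one compliant
# instance, plus one SSH-to-the-world rule and one authorized HTTPS rule.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.web.aws_instance.this[0]", "type": "aws_instance", "change": {
        "actions": ["create"], "after_unknown": {"id": True}, "after": {
            "associate_public_ip_address": True, "monitoring": False, "ebs_optimized": True,
            "key_name": "ops-key", "iam_instance_profile": "", "disable_api_termination": False,
            "subnet_id": "subnet-0a1b2c3d", "metadata_options": [{"http_tokens": "optional"}],
            "root_block_device": [{"encrypted": False, "delete_on_termination": True}]}}},
    {"address": "module.api.aws_instance.this[0]", "type": "aws_instance", "change": {
        "actions": ["create"], "after_unknown": {"id": True, "iam_instance_profile": True}, "after": {
            "associate_public_ip_address": False, "monitoring": True, "ebs_optimized": True,
            "key_name": None, "disable_api_termination": True, "subnet_id": "subnet-0a1b2c3d",
            "metadata_options": [{"http_tokens": "required", "http_put_response_hop_limit": 1}],
            "root_block_device": [{"encrypted": True, "delete_on_termination": True}],
            "ebs_block_device": [{"device_name": "/dev/sdf", "encrypted": True}]}}},
    {"address": "aws_vpc_security_group_ingress_rule.ssh", "type": "aws_vpc_security_group_ingress_rule",
     "change": {"actions": ["create"], "after": {"cidr_ipv4": "0.0.0.0/0", "ip_protocol": "tcp",
                                                  "from_port": 22, "to_port": 22}}},
    {"address": "aws_vpc_security_group_ingress_rule.https", "type": "aws_vpc_security_group_ingress_rule",
     "change": {"actions": ["create"], "after": {"cidr_ipv4": "0.0.0.0/0", "ip_protocol": "tcp",
                                                  "from_port": 443, "to_port": 443}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = [f"{addr}: {f}" for addr, fs in check_plan(plan).items() for f in fs]
    print("\n".join(found) or "no violations")
    sys.exit(1 if found else 0)
```

Run it in CI after terraform plan and before terraform apply; a non-zero exit blocks the apply. Because it reads the plan rather than the module source, it gives the same answer whether the instance came from the compliance.tf endpoint, the upstream module, or a hand-written resource, which makes it a useful cross-check when you revert the source URL as described under Reversibility.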