compliance.tf
Terraform Modules for AWSCompute & Containers

Terraform AWS EC2 Instance

EC2 instances with IAM roles, EBS encryption, IMDSv2, security groups, detailed monitoring, user data, placement options, and optional Elastic IPs or attached volumes.

Controls enforced

These compliance controls are checked at terraform plan time.

Quick start

module "ec2-instance" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"

  # ... your arguments here
}
module "ec2-instance" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"

  # ... your arguments here
}
module "ec2-instance" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"

  # ... your arguments here
}
module "ec2-instance" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"

  # ... your arguments here
}
module "ec2-instance" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"

  # ... your arguments here
}
module "ec2-instance" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"

  # ... your arguments here
}
module "ec2-instance" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"

  # ... your arguments here
}
module "ec2-instance" {
  source  = "soc2.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "ec2-instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "1.0"
}
module "ec2-instance" {
  source  = "soc2.compliance.tf/terraform-aws-modules/ec2-instance/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "ec2-instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)

3.1.14 Route remote access via managed access control points

3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.

3.1.3 Control the flow of CUI in accordance with approved authorizations

3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

3.5.10 Store and transmit only cryptographically-protected passwords

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.4: System components that store cardholder data are not directly accessible from untrusted networks

10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.4.1.1: Audit logs are reviewed to identify anomalies or suspicious activity.

10.4.1: Audit logs are reviewed to identify anomalies or suspicious activity.

10.4.2: Audit logs are reviewed to identify anomalies or suspicious activity.

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

10.7.1: Failures of critical security control systems are detected, reported, and responded to promptly.

10.7.2: Failures of critical security control systems are detected, reported, and responded to promptly.

11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed

3.5.1: Primary account number (PAN) is secured wherever it is stored.

7.2.1: Access to system components and data is appropriately defined and assigned.

7.2.2: Access to system components and data is appropriately defined and assigned.

7.2.5: Access to system components and data is appropriately defined and assigned.

7.3.1: Access to system components and data is managed via an access control system(s).

7.3.2: Access to system components and data is managed via an access control system(s).

7.3.3: Access to system components and data is managed via an access control system(s).

8.2.7: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session

8.2.8: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.3.11: Where authentication factors such as physical or logical security tokens, smart cards, or certificates

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

8.3.4: Strong authentication for users and administrators is established and managed.

A3.3.1: PCI DSS is incorporated into business-as-usual (BAU) activities.

A3.5.1: Suspicious events are identified and responded to.

AC-17(10) Authenticate Remote Commands

AC-17(9) Disconnect Or Disable Access

AC-3(13) Attribute-Based Access Control

AC-3(3) Mandatory Access Control

AC-3(4): Discretionary Access Control

AC-3(8) Revocation Of Access Authorizations

AC-4(21) Physical Or Logical Separation Of Infomation Flows

AC-4(28) Linear Filter Pipelines

Access Control Decisions (AC-24)

SA-8(20): Secure Metadata Management

SC-23(3) Unique System-Generated Session Identifiers

SC-7(11) Restrict Incoming communications Traffic

SC-7(16) Prevent Discovery Of System Components

SC-7(20) Prevent Discovery Of System Components

SC-7(21) Isolation Of System Components

SC-7(25) Unclassified National Security System Connections

SC-7(26) Classified National Security System Connections

SC-7(27) Unclassified Non-National Security System Connections

SC-7(28): Connections To Public Networks

SC-7(7) Split Tunneling For Remote Devices

SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

11.10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance

AC-17(1) Automated Monitoring/Control

Information Flow Enforcement (AC-4)

SI-4(2) Automated Tools For Real-Time Analysis

SI-4(4) Inbound and Outbound Communications Traffic

SI-4(5) System-Generated Alerts

164.308(a)(3)(i) Workforce security

164.312(a)(2)(ii) Emergency access procedure

164.312(c)(2) Mechanism to authenticate electronic protected health information

164.314(b)(2)(iv): Organizational Requirements

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity

CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements

Framework coverage

Which controls from this module are active under each framework endpoint.

ControlPCI DSS v4.0HIPAA Omnibus Rule 2013SOC 2
Attached EBS volumes should have encryption enabled
EBS volumes should have encryption at rest enabled
EC2 instances should have attached EBS volumes marked for deletion on termination
EC2 instances should have detailed monitoring enabled
EC2 instances should have EBS optimization enabled
EC2 instances should have IAM profile attached
EC2 instances should be in a VPC
EC2 instances should not use key pairs in running state
EC2 instances should not have a public IP address
EC2 instances should not use multiple ENIs
EC2 instances should have termination protection enabled
EC2 instances should use IMDSv2
EC2 instances should use IAM instance roles for AWS resource access
EC2 instances should not use paravirtual instance types
VPC Security groups should only allow unrestricted incoming traffic for authorized ports
VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888

enforced by default · not activated by this endpoint

Autoscaling

Previous Page

Lambda

Next Page

On this page

Controls enforcedQuick startMigration from upstreamReversibilityMapped compliance frameworksFramework coverage

Ask AI about this

Help improve this page