Terraform AWS KMS
KMS keys, aliases, grants, key policies, rotation, multi Region options, and tightly scoped permissions used to encrypt data across AWS services.
Controls enforced
These compliance controls are checked at terraform plan time.
- KMS CMK rotation should be enabled(low effort)
Quick start
See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.
Migration from upstream
Already using terraform-aws-modules? Change only the source URL:
module "kms" {
source = "terraform-aws-modules/kms/aws"
version = "1.0"
}module "kms" {
source = "soc2.compliance.tf/terraform-aws-modules/kms/aws"
version = "1.0"
}Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.
Reversibility
No lock-in. Switch back by reverting the source URL:
module "kms" {
source = "terraform-aws-modules/kms/aws"
}Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
Mapped compliance frameworks
Framework coverage
Which controls from this module are active under each framework endpoint.
| Control | Well-Architected Framework v10 | AWS Benchmark v1.4.0 | AWS Benchmark v5.0.0 | AWS Benchmark v6.0.0 | Controls v8.0 IG1 | CISA Cyber Essentials | CCCS Medium Cloud Control Profile | Title 21 CFR Part 11 |
|---|---|---|---|---|---|---|---|---|
| KMS CMK rotation should be enabled | ● | ● | ● | ● | ● | ● | ● | ● |
● enforced by default · ○ not activated by this endpoint