Terraform AWS Lambda
Lambda functions with IAM execution roles, VPC configuration, log groups, reserved concurrency, dead letter handling, environment variables, code signing support, and optional KMS encryption.
Controls Enforced
The following compliance controls are enforced by this module at terraform plan time.
- CloudWatch log groups should have retention period of at least 365 days (low effort)
- Lambda functions should have concurrent execution limit configured (low effort)
- Lambda functions CORS configuration should not allow all origins (low effort)
- Lambda functions should be configured with a dead-letter queue (low effort)
- Lambda functions should have encryption in transit enabled for environment variables (low effort)
- Lambda functions should be in a VPC (medium effort)
- Lambda functions should have logging config enabled (low effort)
- Lambda functions should restrict public URL (low effort)
- Lambda functions tracing should be enabled (low effort)
- Lambda functions should use latest runtimes (low effort)
- Log groups should have encryption at rest enabled (low effort)
Quick Start
Pick the endpoint for the framework you need and use it as the module source. Only the endpoint prefix differs between frameworks; the module path, version pin and arguments are the same for all of them, and the endpoint determines which controls are activated (see Framework Coverage below).

```hcl
module "lambda" {
  source  = "<endpoint>.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "<version>"
  # ... your arguments here
}
```

Available endpoints:

- acscessentialeight.compliance.tf
- acscism2023.compliance.tf
- awscontroltower.compliance.tf
- awsgenai.compliance.tf
- awswellarchitected.compliance.tf
- cccsmedium.compliance.tf
- cfrpart11.compliance.tf
- cisv140.compliance.tf
- cisv500.compliance.tf
- cis.compliance.tf
- cisv80ig1.compliance.tf
- cisacyberessentials.compliance.tf
- eugmpannex11.compliance.tf
- fedramplow.compliance.tf
- fedrampmoderate.compliance.tf
- ffiec.compliance.tf
- gdpr.compliance.tf
- hipaa.compliance.tf
- iso27001.compliance.tf
- nis2.compliance.tf
- nist800171.compliance.tf
- nist80053.compliance.tf
- nistcsf.compliance.tf
- nydfs23.compliance.tf
- pcidss.compliance.tf
- rbicybersecurity.compliance.tf
- rbiitfnbfc.compliance.tf
- soc2.compliance.tf
See the Get Started guide for initial setup, and the Features section for details on customizing the module for your requirements.
Migration from Upstream
Already using terraform-aws-modules? Change only the source URL:

```hcl
# Before: upstream module
module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "1.0"
}

# After: the same module through a compliance.tf endpoint
module "lambda" {
  source  = "soc2.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
}
```
Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.
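The following is an added example, not code from compliance.tf or from the upstream terraform-aws-modules project: one call to the SOC 2 endpoint with the arguments that satisfy the controls listed under Controls Enforced, so that the validation described above passes on the first plan. The argument names are the upstream module's own; the function name, runtime, subnets, security group, SQS queue and KMS keys are placeholder values assumed for the example and must exist elsewhere in your configuration. The control "encryption in transit enabled for environment variables" has no counterpart here because the page does not say which argument the endpoint inspects for it.

```hcl
# Added example (not from the compliance.tf or terraform-aws-modules docs): a SOC 2
# endpoint call that satisfies every control under "Controls Enforced". Argument
# names are upstream terraform-aws-modules/lambda/aws names; every referenced
# resource (subnets, security group, SQS queue, KMS keys) is a placeholder.
module "lambda" {
  source  = "soc2.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "<version>"

  function_name = "orders-processor"
  handler       = "app.handler"
  source_path   = "${path.module}/src"

  # Latest runtimes: pin a currently supported runtime, not a deprecated one
  runtime = "python3.12"

  # Concurrent execution limit: a positive cap replaces the unlimited default (-1)
  reserved_concurrent_executions = 10

  # Dead-letter queue for asynchronous invocations that exhaust their retries
  dead_letter_target_arn    = aws_sqs_queue.lambda_dlq.arn
  attach_dead_letter_policy = true

  # In a VPC: private subnets plus a security group; the module attaches the
  # ENI management policy to the execution role when asked to
  vpc_subnet_ids         = var.private_subnet_ids
  vpc_security_group_ids = [aws_security_group.lambda.id]
  attach_network_policy  = true

  # Log group: retention of at least 365 days and a customer managed key,
  # so the log group is encrypted at rest
  cloudwatch_logs_retention_in_days = 365
  cloudwatch_logs_kms_key_id        = aws_kms_key.logs.arn

  # Logging config: structured JSON logs with explicit log levels
  logging_log_format            = "JSON"
  logging_application_log_level = "INFO"
  logging_system_log_level      = "WARN"

  # Tracing: X-Ray active tracing plus the policy that lets the role write segments
  tracing_mode          = "Active"
  attach_tracing_policy = true

  # Environment variables encrypted at rest with a customer managed key
  kms_key_arn = aws_kms_key.lambda_env.arn
  environment_variables = {
    ORDERS_TABLE = "orders"
  }

  # Function URL, if you need one: IAM authorization instead of a public URL,
  # and an explicit CORS origin list instead of "*"
  create_lambda_function_url = true
  authorization_type         = "AWS_IAM"
  cors = {
    allow_origins = ["https://app.example.com"]
    allow_methods = ["POST"]
  }
}
```

If you do not need a function URL, drop the last block entirely; leaving `create_lambda_function_url` at its default of false also satisfies the public URL and CORS controls. The two KMS keys can be the same key, but a separate key for logs keeps log decryption rights independent of the function's own key policy.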
See the Migration Guide for step-by-step instructions.
Reversibility
No lock-in. Switch back by reverting the source URL to the upstream path:

```hcl
module "lambda" {
  source = "terraform-aws-modules/lambda/aws"
}
```

Run terraform init -upgrade. Terraform state is unchanged: the resource addresses and provider are the same, and no compliance.tf-specific resources were ever created. Settings you already applied to satisfy the controls stay in AWS, but subsequent plans no longer validate them.
Mapped compliance frameworks
ACSC Essential Eight
- ACSC-EE-ML3-6.8 Patch operating systems ML3
- ACSC-EE-ML3-7.9 Multi-factor authentication ML3

AWS Well-Architected Framework (Security pillar)
- Data protection
- Identity and access management

21 CFR Part 11
- 11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period
- 11.10(d) Limiting system access to authorized individuals
- 11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
- 11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
- 11.30 Controls for open systems

CIS Controls v8
- 3.3 Configure Data Access Control Lists
- 8.1 Establish and Maintain an Audit Log Management Process

CISA Cyber Essentials
- Your Data-2
- Your Systems-3

EU GMP Annex 11
- 7.1 Data Storage - Damage Protection

FedRAMP Low Baseline Rev 4
- Account Management (AC-3)
- Audit Record Retention (AU-11)
- Baseline Configuration (CM-2)
- Boundary Protection (SC-7)
- Continuous Monitoring (CA-7)
  - Lambda functions should have concurrent execution limit configured
  - Lambda functions should be configured with a dead-letter queue
- Protection of Audit Information (AU-9)
- Remote Access (AC-17)

FedRAMP Moderate Baseline Rev 4
- AC-17(1) Automated Monitoring/Control
- AC-21(b)
- Access Enforcement (AC-3)
- AU-6(1)(3)
- Audit Record Retention (AU-11)
- Baseline Configuration (CM-2)
- Boundary Protection (SC-7)
- Information Flow Enforcement (AC-4)
- Information Handling and Retention (SI-12)
- Information in Shared Resources (SC-4)
- Least Privilege (AC-6)
- Protection of Audit Information (AU-9)
- Protection of Information at Rest (SC-28)
- SC-7(3) Access Points

FFIEC Cybersecurity Assessment Tool
- D2.MA.Ma.B.1
- D3.PC.Im.B.1
- D5.DR.De.B.2
- D5.IR.Pl.B.6

GDPR
- Article 32 Security of processing

HIPAA Omnibus Rule 2013
- 164.308(a)(1)(ii)(B) Risk Management
- 164.308(a)(3)(i) Workforce security
- 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
- 164.312(a)(1) Access control
- 164.312(a)(2)(iv) Encryption and decryption
- 164.312(b) Audit controls
  - CloudWatch log groups should have retention period of at least 365 days
  - Lambda functions should have concurrent execution limit configured
  - Lambda functions should be configured with a dead-letter queue
- 164.312(e)(1) Transmission security
- 164.312(e)(2)(ii) Encryption

ISO/IEC 27001:2022
- A.8.1 User endpoint devices
  - Lambda functions CORS configuration should not allow all origins
  - Lambda functions should restrict public URL
- A.8.11 Data masking
- A.8.15 Logging
  - CloudWatch log groups should have retention period of at least 365 days
  - Log groups should have encryption at rest enabled
- A.8.16 Monitoring activities
  - CloudWatch log groups should have retention period of at least 365 days
  - Log groups should have encryption at rest enabled
- A.8.20 Network security
- A.8.21 Security of network services
- A.8.22 Segregation of networks
- A.8.24 Use of cryptography

NIS2
- 1 Policy on the security of network and information systems
- 3 Incident handling
- 4 Business continuity and crisis management

NIST SP 800-171 Rev 2
- 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
- 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute
- 3.1.3 Control the flow of CUI in accordance with approved authorizations
- 3.1.14 Route remote access via managed access control points
- 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity
- 3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion
- 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities
- 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities
- 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization
- 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
- 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
- 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
- 3.13.16 Protect the confidentiality of CUI at rest

NIST SP 800-53 Rev 5
- AC-2(6) Dynamic Privilege Management
- AC-3(7) Role-Based Access Control
- AC-4(21) Physical or Logical Separation of Information Flows
- AC-6 Least Privilege
- AC-16(b)
- AC-17(1) Monitoring and Control
- AC-17(4)(a)
- AC-17(9) Disconnect or Disable Access
- AC-17(10) Authenticate Remote Commands
- AC-17(b)
- Access Enforcement (AC-3)
- AU-6(3) Correlate Audit Record Repositories
- AU-6(4) Central Review and Analysis
- AU-6(6) Correlation with Physical Monitoring
- AU-6(9) Correlation with Information from Nontechnical Sources
- AU-9(3) Cryptographic Protection
- AU-11(1) Long-Term Retrieval Capability
- AU-12(1) System-Wide and Time-Correlated Audit Trail
- AU-12(2) Standardized Formats
- AU-12(3) Changes by Authorized Individuals
- AU-14(a)
- AU-14(b)
- Audit Record Retention (AU-11)
- CA-7(b)
- Continuous Monitoring Strategy (PM-31)
- CP-9(d)
- Information Management and Retention (SI-12)
- Media Access (MP-2)
- Non-Repudiation (AU-10)
- PM-14(a)(1)
- PM-14(b)
- PM-21(b)
- SC-7(2) Public Access
- SC-7(3) Access Points
- SC-7(7) Split Tunneling for Remote Devices
- SC-7(9)(a)
- SC-7(11) Restrict Incoming Communications Traffic
- SC-7(12) Host-Based Protection
- SC-7(16) Prevent Discovery of System Components
- SC-7(20) Dynamic Isolation and Segregation
- SC-7(21) Isolation of System Components
- SC-7(24)(b)
- SC-7(25) Unclassified National Security System Connections
- SC-7(26) Classified National Security System Connections
- SC-7(27) Unclassified Non-National Security System Connections
- SC-7(28) Connections to Public Networks
- SC-7(a)
- SC-7(b)
- SC-7(c)
- SC-8(3) Cryptographic Protection for Message Externals
- SC-8(4) Conceal or Randomize Communications
- SC-13(a)
- SC-28(1) Cryptographic Protection
- SC-28(2) Offline Storage
- SI-4(17) Integrated Situational Awareness
- SI-19(4) Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
- Thin Nodes (SC-25)

NIST CSF
- PR.AC-7
- PR.DS-1
- PR.DS-5
- PR.PS-04
- RC.RP-06

NYDFS 23 NYCRR 500
- 500.07 Access Privileges and Management
- 500.14(a)
- 500.15(a)

PCI DSS
- 1.2.8: Network security controls (NSCs) are configured and maintained.
- 1.3.1: Network access to and from the cardholder data environment is restricted.
- 1.3.2: Network access to and from the cardholder data environment is restricted.
- 1.4.2: Network connections between trusted and untrusted networks are controlled.
- 1.5.1: Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks
- 1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
- 3.2.1: Storage of account data is kept to a minimum.
- 3.3.1.1: Sensitive authentication data (SAD) is not stored after authorization.
- 3.3.1.3: Sensitive authentication data (SAD) is not stored after authorization.
- 3.3.2: Sensitive authentication data (SAD) is not stored after authorization.
- 3.3.3: Sensitive authentication data (SAD) is not stored after authorization.
- 3.5.1: Primary account number (PAN) is secured wherever it is stored.
- 5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.
- 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates.
- 8.3.2: Strong authentication for users and administrators is established and managed.
- 8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.
- 10.3.2: Audit logs are protected from destruction and unauthorized modifications.
- 10.3.3: Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.
- 10.3.3: Audit logs are protected from destruction and unauthorized modifications.
- 10.3.4: Audit logs are protected from destruction and unauthorized modifications.
- 10.3.4: File integrity monitoring or change-detection mechanisms are used on audit logs to ensure that existing log data cannot be changed without generating alerts.
- 10.5.1: Audit log history is retained and available for analysis.
- 10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.
- A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.
- A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.
- A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.
- A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities.

RBI Cyber Security Framework
- Annex I (1.3)
  - Lambda functions should be in a VPC
  - Lambda functions should restrict public URL
  - Log groups should have encryption at rest enabled
- Annex I (7.4)

RBI IT Framework for NBFCs
- 3.1.a Identification and Classification of Information Assets
- 4.4.h Capacity and performance analysis
- 8.1 IT Systems
- 8.I Basic Security Aspects

SOC 2
- C1.2: The entity disposes of confidential information to meet the entity's objectives related to confidentiality.
- CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.
- CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.
  - CloudWatch log groups should have retention period of at least 365 days
  - Lambda functions should have concurrent execution limit configured
- CC7.3: The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.
  - CloudWatch log groups should have retention period of at least 365 days
  - Log groups should have encryption at rest enabled
- CC7.4: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.
- PI1.4: System outputs are complete, accurate, distributed only to intended parties, and retained to meet the entity's processing integrity commitments and system requirements.
Framework Coverage
Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint
| Control | FedRAMP Low Baseline Rev 4 | FedRAMP Moderate Baseline Rev 4 | HIPAA Omnibus Rule 2013 | NIST SP 800-171 Rev 2 | NIST SP 800-53 Rev 5 | FFIEC Cybersecurity Assessment Tool | ISO/IEC 27001:2022 | SOC 2 |
|---|---|---|---|---|---|---|---|---|
| CloudWatch log groups should have retention period of at least 365 days | ● | ● | ● | ● | ● | ● | ● | ● |
| Lambda functions should have concurrent execution limit configured | ● | ● | ● | ● | ● | ● | ○ | ● |
| Lambda functions CORS configuration should not allow all origins | ○ | ○ | ○ | ○ | ○ | ○ | ● | ○ |
| Lambda functions should be configured with a dead-letter queue | ● | ● | ● | ● | ● | ● | ○ | ● |
| Lambda functions should have encryption in transit enabled for environment variables | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| Lambda functions should be in a VPC | ● | ● | ● | ● | ● | ● | ● | ● |
| Lambda functions should have logging config enabled | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| Lambda functions should restrict public URL | ● | ● | ● | ● | ● | ● | ● | ○ |
| Lambda functions tracing should be enabled | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| Lambda functions should use latest runtimes | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| Log groups should have encryption at rest enabled | ● | ● | ● | ● | ● | ○ | ● | ● |
Showing the 8 framework endpoints with the highest coverage; the Quick Start section above lists every available endpoint.