Terraform AWS Lambda
Lambda functions with IAM execution roles, VPC configuration, log groups, reserved concurrency, dead letter handling, environment variables, code signing support, and optional KMS encryption.

Controls enforced
These compliance controls are checked at terraform plan time.
Quick start
One module block per framework endpoint; only the source URL differs.

FedRAMP Low Baseline Rev 4
module "lambda" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
  # ... your arguments here
}

FedRAMP Moderate Baseline Rev 4
module "lambda" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
  # ... your arguments here
}

HIPAA Omnibus Rule 2013
module "lambda" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
  # ... your arguments here
}

NIST SP 800-171 Rev 2
module "lambda" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
  # ... your arguments here
}

NIST SP 800-53 Rev 5
module "lambda" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
  # ... your arguments here
}

FFIEC Cybersecurity Assessment Tool
module "lambda" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
  # ... your arguments here
}

ISO/IEC 27001:2022
module "lambda" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
  # ... your arguments here
}

SOC 2
module "lambda" {
  source  = "soc2.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.
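As an added example (not code from the compliance.tf page or from the upstream project), the following module call exercises the features listed at the top of this page: execution role, VPC placement, log group retention and encryption, reserved concurrency, a dead letter queue, encrypted environment variables and code signing. The argument names are those of the upstream terraform-aws-modules/lambda/aws module, which this page states the compliance.tf module shares; every ARN, subnet id, security group id and runtime value below is a placeholder you must replace.

```hcl
# Added example, not from the compliance.tf page. Argument names follow the
# upstream terraform-aws-modules/lambda/aws module (stated to be identical here);
# all ARNs, subnet/security group ids and the runtime are placeholders.
module "lambda" {
  source  = "soc2.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"

  function_name = "orders-processor"
  handler       = "index.handler"
  runtime       = "python3.12"
  source_path   = "${path.module}/src"

  # VPC placement: private subnets plus an explicit security group.
  # attach_network_policy grants the execution role the ENI permissions it needs.
  vpc_subnet_ids         = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
  vpc_security_group_ids = ["sg-PLACEHOLDER"]
  attach_network_policy  = true

  # Log group: bounded retention and KMS encryption of the log data.
  cloudwatch_logs_retention_in_days = 365
  cloudwatch_logs_kms_key_id        = "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"

  # Reserved concurrency caps how many instances may run at once.
  reserved_concurrent_executions = 10

  # Dead letter handling: failed async invocations land in a queue instead of
  # being dropped; attach_dead_letter_policy grants the role sqs:SendMessage.
  dead_letter_target_arn    = "arn:aws:sqs:REGION:ACCOUNT:orders-dlq"
  attach_dead_letter_policy = true

  # Environment variables are encrypted at rest with a customer-managed key.
  environment_variables = { TABLE_NAME = "orders" }
  kms_key_arn           = "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"

  # Code signing: only deployment packages signed by a trusted profile run.
  code_signing_config_arn = "arn:aws:lambda:REGION:ACCOUNT:code-signing-config:PLACEHOLDER"

  # Least-privilege execution role: grant only what the handler actually calls.
  attach_policy_statements = true
  policy_statements = {
    orders_table = {
      effect    = "Allow"
      actions   = ["dynamodb:GetItem", "dynamodb:PutItem"]
      resources = ["arn:aws:dynamodb:REGION:ACCOUNT:table/orders"]
    }
  }
}
```

Run terraform plan against this block to see which of the frameworks' controls the chosen endpoint evaluates; the plan, not the apply, is where the checks fire.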
Migration from upstream
Already using terraform-aws-modules? Change only the source URL:

Before:
module "lambda" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "1.0"
}

After:
module "lambda" {
  source  = "soc2.compliance.tf/terraform-aws-modules/lambda/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.
Reversibility
No lock-in. Switch back by reverting the source URL:

module "lambda" {
  source = "terraform-aws-modules/lambda/aws"
}

Run terraform init -upgrade. Terraform state is unchanged: same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
Mapped compliance frameworks
FedRAMP Low Baseline Rev 4 · FedRAMP Moderate Baseline Rev 4 · HIPAA Omnibus Rule 2013 · NIST SP 800-171 Rev 2 · NIST SP 800-53 Rev 5 · FFIEC Cybersecurity Assessment Tool · ISO/IEC 27001:2022 · SOC 2

FedRAMP Low Baseline Rev 4
Account Management (AC-3)
Audit Record Retention (AU-11)
Baseline Configuration (CM-2)
Boundary Protection (SC-7)
Continuous Monitoring (CA-7)
Protection of Audit Information (AU-9)

FedRAMP Moderate Baseline Rev 4
AC-17(1) Automated Monitoring/Control
Access Enforcement (AC-3)
Audit Record Retention (AU-11)
Baseline Configuration (CM-2)
Boundary Protection (SC-7)
Information Flow Enforcement (AC-4)
Information Handling and Retention (SI-12)
Information In Shared Resources (SC-4)
Protection of Audit Information (AU-9)
Protection of Information at Rest (SC-28)

HIPAA Omnibus Rule 2013
164.308(a)(1)(ii)(B) Risk Management
164.308(a)(3)(i) Workforce security
164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
164.312(a)(1) Access control
164.312(a)(2)(iv) Encryption and decryption
164.312(b) Audit controls
164.312(e)(1) Transmission security
164.312(e)(2)(ii) Encryption

NIST SP 800-171 Rev 2
3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute
3.1.3 Control the flow of CUI in accordance with approved authorizations
3.1.14 Route remote access via managed access control points
3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity
3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion
3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities
3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities
3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI
3.13.16 Protect the confidentiality of CUI at rest

NIST SP 800-53 Rev 5
AC-2(6) Dynamic Privilege Management
Access Enforcement (AC-3)
AC-3(7) Role-Based Access Control
AC-4(21) Physical Or Logical Separation Of Information Flows
AC-17(1) Monitoring And Control
AC-17(9) Disconnect Or Disable Access
AC-17(10) Authenticate Remote Commands
AU-6(3) Correlate Audit Record Repositories
AU-6(4) Central Review And Analysis
AU-6(6) Correlation With Physical Monitoring
AU-6(9) Correlation With Information From Nontechnical Sources
AU-9(3) Cryptographic Protection
Audit Record Retention (AU-11)
AU-11(1) Long-Term Retrieval Capability
AU-12(1) System-Wide And Time-Correlated Audit Trail
AU-12(2) Standardized Formats
AU-12(3) Changes By Authorized Individuals
Continuous Monitoring Strategy (PM-31)
SC-7(7) Split Tunneling For Remote Devices
SC-7(11) Restrict Incoming Communications Traffic
SC-7(12) Host-Based Protection
SC-7(16) Prevent Discovery Of System Components
SC-7(20) Prevent Discovery Of System Components
SC-7(21) Isolation Of System Components
SC-7(25) Unclassified National Security System Connections
SC-7(26) Classified National Security System Connections
SC-7(27) Unclassified Non-National Security System Connections
SC-7(28) Connections To Public Networks
SC-8(3) Cryptographic Protection For Message Externals
SC-8(4) Conceal Or Randomize Communications
SC-28(1) Cryptographic Protection
SI-4(17) Integrated Situational Awareness
Information Management and Retention (SI-12)
SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

ISO/IEC 27001:2022
A.8.1 User endpoint devices
A.8.16 Monitoring activities
A.8.21 Security of network services
A.8.22 Segregation of networks
A.8.24 Use of cryptography

SOC 2
C1.2 The entity disposes of confidential information to meet the entity's objectives related to confidentiality
CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries
CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events
CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures
CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate
PI1.4 System outputs are complete, accurate, distributed only to intended parties, and retained to meet the entity's processing integrity commitments and system requirements
Framework coverage
Which controls from this module are active under each framework endpoint.
● enforced by default · ○ not activated by this endpoint