compliance.tf
Terraform Modules for AWSNetworking & Edge

Terraform AWS Network Firewall

AWS Network Firewall rule groups, firewall policies, firewalls, logging destinations, stateless and stateful inspection rules, and subnet placement for traffic filtering.

Controls enforced

These compliance controls are checked at terraform plan time.

Quick start

module "network-firewall" {
  source  = "nis2.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "1.0"

  # ... your arguments here
}
module "network-firewall" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "1.0"

  # ... your arguments here
}
module "network-firewall" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "network-firewall" {
  source  = "terraform-aws-modules/network-firewall/aws"
  version = "1.0"
}
module "network-firewall" {
  source  = "soc2.compliance.tf/terraform-aws-modules/network-firewall/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "network-firewall" {
  source  = "terraform-aws-modules/network-firewall/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

Framework coverage

Which controls from this module are active under each framework endpoint.

ControlPCI DSS v4.0
Network Firewall firewalls should have deletion protection enabled
Network Firewall policies should have default stateless action set to drop or forward for fragmented packets
Network Firewall policies should have default stateless action set to drop or forward for full packets
Network Firewall firewalls should have subnet change protection enabled

enforced by default · not activated by this endpoint

ELB

Previous Page

VPC

Next Page

On this page

Controls enforcedQuick startMigration from upstreamReversibilityMapped compliance frameworksFramework coverage

Ask AI about this

Help improve this page