compliance.tf
Terraform Modules for AWSDatabases, Caching & Analytics

Terraform AWS OpenSearch

OpenSearch domains with VPC placement, encryption at rest, node to node encryption, fine grained access control, audit logs, TLS enforcement, and snapshot configuration.

Controls enforced

These compliance controls are checked at terraform plan time.

Quick start

module "opensearch" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"

  # ... your arguments here
}
module "opensearch" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"

  # ... your arguments here
}
module "opensearch" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"

  # ... your arguments here
}
module "opensearch" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"

  # ... your arguments here
}
module "opensearch" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"

  # ... your arguments here
}
module "opensearch" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"

  # ... your arguments here
}
module "opensearch" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"

  # ... your arguments here
}
module "opensearch" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "opensearch" {
  source  = "terraform-aws-modules/opensearch/aws"
  version = "1.0"
}
module "opensearch" {
  source  = "soc2.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "opensearch" {
  source  = "terraform-aws-modules/opensearch/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

Infrastructure protection

A.8.1 User endpoint devices

A.8.14 Redundancy of information processing facilities

1.2.5: Network security controls (NSCs) are configured and maintained.

1.2.8: Network security controls (NSCs) are configured and maintained.

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons

3.5.1: Primary account number (PAN) is secured wherever it is stored.

4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained

4.2.1.1: PAN is protected with strong cryptography during transmission.

4.2.1: PAN is protected with strong cryptography during transmission.

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

7.2.1: Access to system components and data is appropriately defined and assigned.

7.2.2: Access to system components and data is appropriately defined and assigned.

7.2.5: Access to system components and data is appropriately defined and assigned.

7.2.6: Access to system components and data is appropriately defined and assigned.

7.3.1: Access to system components and data is managed via an access control system(s).

7.3.2: Access to system components and data is managed via an access control system(s).

7.3.3: Access to system components and data is managed via an access control system(s).

8.2.7: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session

8.2.8: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

8.3.4: Strong authentication for users and administrators is established and managed.

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

500.07 Access Privileges and Management

164.312(a)(1) Access control

164.312(a)(2)(iv) Encryption and decryption

Framework coverage

Which controls from this module are active under each framework endpoint.

ControlPCI DSS v4.0HIPAA Omnibus Rule 2013
Elasticsearch domain error logging to CloudWatch Logs should be enabled
OpenSearch domains should have audit logging enabled
OpenSearch domains should have Cognito authentication enabled for Kibana
OpenSearch domains should have at least three data nodes
OpenSearch domains should have encryption at rest enabled
OpenSearch domains should have fine-grained access control enabled
OpenSearch domains should use HTTPS
OpenSearch domains should be in a VPC
OpenSearch domains internal user database should be disabled
OpenSearch domains should have logging to CloudWatch Logs enabled
OpenSearch domains node-to-node encryption should be enabled

enforced by default · not activated by this endpoint

Elasticache

Previous Page

RDS

Next Page

On this page

Controls enforcedQuick startMigration from upstreamReversibilityMapped compliance frameworksFramework coverage

Ask AI about this

Help improve this page