
Terraform AWS RDS

RDS instances with subnet groups, security groups, storage encryption, automated backups, maintenance windows, performance insights, IAM authentication, and log exports.

19 controls enforced · 27 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "rds" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/rds/aws"
  version = "<version>"

  # ... your arguments here
}

The hostname prefix of the source selects the framework endpoint; the block is otherwise identical for every endpoint. Replace acscessentialeight.compliance.tf with one of:

acscism2023.compliance.tf
awscontroltower.compliance.tf
awsgenai.compliance.tf
awswellarchitected.compliance.tf
cccsmedium.compliance.tf
cfrpart11.compliance.tf
cisv140.compliance.tf
cisv500.compliance.tf
cis.compliance.tf
cisv80ig1.compliance.tf
cisacyberessentials.compliance.tf
eugmpannex11.compliance.tf
fedramplow.compliance.tf
fedrampmoderate.compliance.tf
ffiec.compliance.tf
gdpr.compliance.tf
hipaa.compliance.tf
iso27001.compliance.tf
nis2.compliance.tf
nist800171.compliance.tf
nist80053.compliance.tf
nistcsf.compliance.tf
nydfs23.compliance.tf
pcidss.compliance.tf
rbicybersecurity.compliance.tf
rbiitfnbfc.compliance.tf
soc2.compliance.tf

See the Get Started guide for initial setup, and the Features section for details on customizing the module to your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

Before:

module "rds" {
  source  = "terraform-aws-modules/rds/aws"
  version = "1.0"
}

After (the soc2 endpoint is shown; any framework endpoint works the same way):

module "rds" {
  source  = "soc2.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "rds" {
  source  = "terraform-aws-modules/rds/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC Essential Eight

ACSC-EE-ML2-7.7: Multi-factor authentication ML2

ACSC-EE-ML3-5.3: Restrict administrative privileges ML3

ACSC-EE-ML3-6.8: Patch operating systems ML3

ACSC-EE-ML3-8.3: Regular backups ML3

ACSC-EE-ML3-8.8: Regular backups ML3

ACSC ISM 2023

ISM-0955: Application control

ISM-1580: Availability planning and monitoring for online services

ISM-1751: When to patch security vulnerabilities

AWS Control Tower

4.0.1 - Disallow public access to RDS database instances

4.1.1 - Disallow public read access to S3 buckets

5.0.1 - Disallow RDS database instances that are not storage encrypted

CCCS Medium

CP-6(1): Separation from Primary Site

Title 21 CFR Part 11

11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records

11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period

11.10(d) Limiting system access to authorized individuals

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

11.10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance

11.30 Controls for open systems

CIS Controls v8 IG1

3.3 Configure Data Access Control Lists

8.2 Collect Audit Logs

11.3 Protect Recovery Data

11.4 Establish and Maintain an Isolated Instance of Recovery Data

CISA Cyber Essentials

Booting Up: Things to Do First-1

Booting Up: Things to Do First-3

Your Data-1

Your Data-2

Your Data-4

Your Systems-2

Your Systems-3

FedRAMP Low Baseline

Account Management (AC-2)

Account Management (AC-3)

Audit Events (AU-2)

Baseline Configuration (CM-2)

Boundary Protection (SC-7)

Continuous Monitoring (CA-7)

Denial Of Service Protection (SC-5)

Information System Backup (CP-9)

Information System Recovery And Reconstitution (CP-10)

Remote Access (AC-17)

FedRAMP Moderate Baseline

AC-2(4) Automated Audit Actions

AC-2(g)

AC-17(1) Automated Monitoring/Control

AC-21(b)

Access Enforcement (AC-3)

AU-2(a)(d)

AU-6(1)(3)

AU-12(a)(c)

Baseline Configuration (CM-2)

Boundary Protection (SC-7)

CA-7(a)(b)

Content of Audit Records (AU-3)

CP-9(b)

Denial Of Service Protection (SC-5)

Information Flow Enforcement (AC-4)

Information Handling and Retention (SI-12)

Information In Shared Resources (SC-4)

Information System Recovery And Reconstitution (CP-10)

Least Privilege (AC-6)

Protection of Information at Rest (SC-28)

SC-7(3) Access Points

FFIEC Cybersecurity Assessment Tool

D1.RM.Rm.B.1

D2.MA.Ma.B.1

D3.CC.PM.B.1

D3.CC.PM.B.3

D3.DC.An.B.3

D3.DC.An.B.4

D3.PC.Am.B.12

D3.PC.Im.B.1

D5.DR.De.B.3

D5.IR.Pl.B.6

HIPAA

164.308(a)(1)(ii)(B) Risk Management

164.308(a)(3)(i) Workforce security

164.308(a)(4)(i) Information access management

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

164.308(a)(7)(i) Contingency plan

164.308(a)(7)(ii)(A) Data backup plan

164.308(a)(7)(ii)(B) Disaster recovery plan

164.308(a)(7)(ii)(C) Emergency mode operation plan

164.312(a)(1) Access control

164.312(a)(2)(ii) Emergency access procedure

164.312(a)(2)(iv) Encryption and decryption

164.312(b) Audit controls

164.312(e)(1) Transmission security

164.312(e)(2)(ii) Encryption

164.314(b)(2)(iv): Organizational Requirements

NIST SP 800-171

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)

3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.

3.1.3 Control the flow of CUI in accordance with approved authorizations

3.1.12: Monitor and control remote access sessions.

3.1.14 Route remote access via managed access control points

3.3.1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity

3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions

3.3.3 Review and update logged events

3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities

3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization

3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems

3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

3.13.16: Protect the confidentiality of CUI at rest.

3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks

3.14.7: Identify unauthorized use of organizational systems.

NIST SP 800-53

AC-2(4) Automated Audit Actions

AC-2(6) Dynamic Privilege Management

AC-3(1) Restricted Access To Privileged Functions

AC-3(7): Role-Based Access Control

AC-3(10) Audited Override Of Access Control Mechanisms

AC-4(21) Physical Or Logical Separation Of Information Flows

AC-4(26) Audit Filtering Actions

AC-6: Least Privilege

AC-6(9)

AC-17(1) Monitoring And Control

AC-17(4)(a)

AC-17(9) Disconnect Or Disable Access

AC-17(10) Authenticate Remote Commands

AC-17(b)

Access Enforcement (AC-3)

Architecture And Provisioning For Name/Address Resolution Service (SC-22)

AU-2(b)

AU-3(a)

AU-3(b)

AU-3(c)

AU-3(d)

AU-3(e)

AU-3(f)

AU-6(3) Correlate Audit Record Repositories

AU-6(4) Central Review And Analysis

AU-6(6) Correlation With Physical Monitoring

AU-6(9) Correlation With Information From Nontechnical Sources

AU-8(b)

AU-9(3) Cryptographic Protection

AU-12(1) System-Wide And Time-Correlated Audit Trail

AU-12(2) Standardized Formats

AU-12(3) Changes By Authorized Individuals

AU-12(4) Query Parameter Audits Of Personally Identifiable Information

AU-12(a)

AU-12(c)

AU-14(3) Remote Viewing And Listening

AU-14(a)

AU-14(b)

CA-2(2) Specialized Assessments

CA-7(4)(c)

CA-7(b)

CM-3(a)

CM-5(1)(b)

Continuous Monitoring (CA-7)

Continuous Monitoring Strategy (PM-31)

CP-1(2)

CP-1(a)(1)(b)

CP-2(5) Continue Mission And Business Functions

CP-2(6) Alternate Processing And Storage Sites

CP-2(a)

CP-2(d)

CP-2(e)

CP-6(1) Separation From Primary Site

CP-6(2) Recovery Time And Recovery Point Objectives

CP-6(a)

CP-9(8): Cryptographic Protection

CP-9(a)

CP-9(b)

CP-9(c)

CP-9(d)

CP-10(2): Transaction Recovery

Distributed Processing And Storage (SC-36)

IA-3(3)(b)

MA-2(2): Automated Maintenance Activities

MA-4(1)(a)

Media Access (MP-2)

Non-Repudiation (AU-10)

PM-14(a)(1)

PM-14(b)

Resource Availability (SC-6)

SA-15(a)(4)

SC-5(2) Capacity, Bandwidth, And Redundancy

SC-7(2) Public Access

SC-7(3) Access Points

SC-7(7) Split Tunneling For Remote Devices

SC-7(9)(a)

SC-7(9)(b)

SC-7(11) Restrict Incoming Communications Traffic

SC-7(12) Host-Based Protection

SC-7(16) Prevent Discovery Of System Components

SC-7(20) Prevent Discovery Of System Components

SC-7(21) Isolation Of System Components

SC-7(24)(b)

SC-7(25) Unclassified National Security System Connections

SC-7(26) Classified National Security System Connections

SC-7(27) Unclassified Non-National Security System Connections

SC-7(28): Connections To Public Networks

SC-7(a)

SC-7(b)

SC-7(c)

SC-8(3) Cryptographic Protection For Message Externals

SC-8(4) Conceal Or Randomize Communications

SC-13(a)

SC-28(1): Cryptographic Protection

SC-36(1)(a)

SI-1(1)(c)

SI-2(a)

SI-3(8)(b)

SI-4(2) Automated Tools For Real-Time Analysis

SI-4(17) Integrated Situational Awareness

SI-4(20) Privileged Users

SI-7(8) Auditing Capability For Significant Events

SI-10(1)(c)

SI-13(5) Failover Capability

SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

System Recovery And Reconstitution (CP-10)

Thin Nodes (SC-25)

PCI DSS

1.2.8: Network security controls (NSCs) are configured and maintained.

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

3.5.1: Primary account number (PAN) is secured wherever it is stored.

3.5.1.3: Primary account number (PAN) is secured wherever it is stored.

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates

6.3.3: Security vulnerabilities are identified and addressed.

7.2.1: Access to system components and data is appropriately defined and assigned.

7.2.2: Access to system components and data is appropriately defined and assigned.

7.2.5: Access to system components and data is appropriately defined and assigned.

7.3.1: Access to system components and data is managed via an access control system(s).

7.3.2: Access to system components and data is managed via an access control system(s).

7.3.3: Access to system components and data is managed via an access control system(s).

8.2.7: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session

8.2.8: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

8.3.4: Strong authentication for users and administrators is established and managed.

10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.3.1: Audit logs are protected from destruction and unauthorized modifications.

10.3.2: Audit logs are protected from destruction and unauthorized modifications.

10.3.3: Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify

10.3.3: Audit logs are protected from destruction and unauthorized modifications.

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.

A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities

A3.4.1: Logical access to the cardholder data environment is controlled and managed.

SOC 2

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

C1.1 The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality

CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity

CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures

CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate

CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents

PI1.3 Data is processed completely, accurately, and timely as authorized to meet the entity's processing integrity commitments and system requirements

PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

Control | CISA Cyber Essentials | FFIEC Cybersecurity Assessment Tool | HIPAA Omnibus Rule 2013 | NIST SP 800-171 Rev 2 | NIST SP 800-53 Rev 5 | FedRAMP Moderate Baseline Rev 4 | SOC 2 | Title 21 CFR Part 11
RDS DB instances and clusters should have enhanced monitoring enabled
RDS databases and clusters should not use a database engine default port
RDS DB instance automatic minor version upgrade should be enabled
RDS DB instance backup should be enabled
RDS DB instances backup retention period should be greater than or equal to 7
RDS DB instances should be integrated with CloudWatch logs
RDS DB instances should be configured to copy tags to snapshots
RDS DB instances should have deletion protection enabled
RDS DB instance encryption at rest should be enabled
RDS DB instances should have IAM authentication enabled
RDS instances should be deployed in a VPC
RDS DB instances should have logging enabled
RDS for MariaDB DB instances should publish logs to CloudWatch Logs
RDS DB instances should have multiple AZ enabled
RDS database instances should use a custom administrator username
RDS DB instances should not use public subnet
RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs
RDS DB instances should prohibit public access
RDS for SQL Server DB instances should publish logs to CloudWatch Logs

Showing top 8 frameworks by coverage.
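The controls in the table above map onto attributes of the planned aws_db_instance resource, so they can be checked against a plan before apply. The script below is an added example, not the compliance.tf module's own validation code: it walks the planned_values of `terraform show -json plan.out` and reports, per instance, which of the listed controls it fails. The engine default-port and default-username tables, the constructed sample plan, and the collapsing of the four logging controls into one check are assumptions; the public-subnet control is skipped because it needs the subnet route tables, which are not in this resource's values.

```python
"""Plan-time check of planned aws_db_instance resources against the RDS controls
listed above. Added example, not the compliance.tf module's own validation code.
Input is the planned_values tree of `terraform show -json plan.out`."""
# Engine default ports and default master usernames (assumption: these families).
DEFAULT_PORT = {"mysql": 3306, "mariadb": 3306, "postgres": 5432,
                "sqlserver": 1433, "oracle": 1521}
DEFAULT_ADMIN = {"mysql": "admin", "mariadb": "admin", "postgres": "postgres",
                 "sqlserver": "admin", "oracle": "admin"}

def engine_family(engine):
    """Map an engine string such as 'sqlserver-ee' to its family ('sqlserver')."""
    e = (engine or "").lower()
    return next((f for f in DEFAULT_PORT if e.startswith(f)), e)

def check_db_instance(v):
    """Return the listed controls these planned values fail. 'Not in a public
    subnet' needs the subnet route tables, outside this resource, so it is skipped."""
    fam = engine_family(v.get("engine", ""))
    retention = v.get("backup_retention_period") or 0
    rules = [
        ("encryption at rest", bool(v.get("storage_encrypted"))),
        ("prohibit public access", not v.get("publicly_accessible")),
        ("deployed in a VPC", bool(v.get("db_subnet_group_name"))),
        ("backup enabled", retention >= 1),
        ("backup retention >= 7 days", retention >= 7),
        ("deletion protection", bool(v.get("deletion_protection"))),
        ("IAM authentication", bool(v.get("iam_database_authentication_enabled"))),
        ("multi-AZ", bool(v.get("multi_az"))),
        ("automatic minor version upgrade", bool(v.get("auto_minor_version_upgrade"))),
        ("copy tags to snapshots", bool(v.get("copy_tags_to_snapshot"))),
        ("enhanced monitoring", (v.get("monitoring_interval") or 0) > 0),
        ("non-default port", v.get("port") not in (None, DEFAULT_PORT.get(fam))),
        ("custom administrator username",
         v.get("username") not in (None, DEFAULT_ADMIN.get(fam))),
        ("logs published to CloudWatch Logs", bool(v.get("enabled_cloudwatch_logs_exports"))),
    ]
    return [name for name, ok in rules if not ok]

def check_plan(plan):
    """Map every planned aws_db_instance address (root and child modules) to the
    list of controls it fails; an empty list means the instance passes."""
    results = {}
    def walk(mod):
        for r in mod.get("resources", []):
            if r.get("type") == "aws_db_instance":
                results[r["address"]] = check_db_instance(r.get("values") or {})
        for child in mod.get("child_modules", []):
            walk(child)
    walk(plan.get("planned_values", {}).get("root_module", {}))
    return results

# Constructed plan fragment (not real Terraform output): a hardened instance
# inside module.rds and a legacy instance in the root module.
HARDENED = dict(engine="postgres", port=5433, username="dbowner", storage_encrypted=True,
                publicly_accessible=False, db_subnet_group_name="app-db", multi_az=True,
                backup_retention_period=14, deletion_protection=True, monitoring_interval=60,
                iam_database_authentication_enabled=True, auto_minor_version_upgrade=True,
                copy_tags_to_snapshot=True, enabled_cloudwatch_logs_exports=["postgresql"])
LEGACY = dict(HARDENED, engine="mysql", port=3306, username="admin", storage_encrypted=False,
              publicly_accessible=True, backup_retention_period=3, deletion_protection=False,
              iam_database_authentication_enabled=False, multi_az=False, monitoring_interval=0,
              copy_tags_to_snapshot=False, enabled_cloudwatch_logs_exports=[])
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [{"address": "aws_db_instance.legacy", "type": "aws_db_instance", "values": LEGACY}],
    "child_modules": [{"address": "module.rds", "resources": [{"address":
        "module.rds.aws_db_instance.this[0]", "type": "aws_db_instance", "values": HARDENED}]}]}}}
```

Running `check_plan(SAMPLE_PLAN)` returns an empty list for the hardened instance and eleven failing controls for the legacy one; in a CI pipeline a non-empty result is the point to stop before apply.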