Terraform AWS RDS Aurora
Aurora clusters and instances with private subnet placement, storage encryption, automated backups, reader endpoints, IAM authentication, log exports, and multi AZ high availability.
Controls Enforced
The following compliance controls are enforced by this module at terraform plan time.
- RDS Aurora clusters should have backtracking enabled low effort
- Aurora MySQL DB clusters should have audit logging enabled low effort
- Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs low effort
- RDS DB clusters should be configured to copy tags to snapshots low effort
- RDS clusters should have deletion protection enabled low effort
- RDS DB clusters should be encrypted with CMK low effort
- RDS DB clusters should be encrypted at rest low effort
- RDS DB clusters should have IAM authentication configured low effort
- RDS DB clusters should be configured for multiple Availability Zones low effort
- RDS database clusters should use a custom administrator username low effort
Quick Start
module "rds_aurora" {
source = "acscessentialeight.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "acscism2023.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "awscontroltower.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "awsgenai.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "awswellarchitected.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "cccsmedium.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "cfrpart11.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "cisv140.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "cisv500.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "cis.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "cisv80ig1.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "cisacyberessentials.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "eugmpannex11.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "fedramplow.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "fedrampmoderate.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "ffiec.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "gdpr.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "hipaa.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "iso27001.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "nis2.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "nist800171.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "nist80053.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "nistcsf.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "nydfs23.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "pcidss.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "rbicybersecurity.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "rbiitfnbfc.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
module "rds_aurora" {
source = "soc2.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "<version>"
# ... your arguments here
}
See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.
Migration from Upstream
Already using terraform-aws-modules? Change only the source URL:
module "rds_aurora" {
source = "terraform-aws-modules/rds-aurora/aws"
version = "1.0"
}
module "rds_aurora" {
source = "soc2.compliance.tf/terraform-aws-modules/rds-aurora/aws"
version = "1.0"
}
Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.
See the Migration Guide for step-by-step instructions.
Reversibility
No lock-in. Switch back by reverting the source URL to the upstream path:
module "rds_aurora" {
source = "terraform-aws-modules/rds-aurora/aws"
}
Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
Mapped compliance frameworks
ACSC-EE-ML2-7.7: Multi-factor authentication ML2
ACSC-EE-ML3-5.3: Restrict administrative privileges ML3
ACSC-EE-ML3-8.3: Regular backups ML3
11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
Your Data-4
Your Systems-3
Denial Of Service Protection (SC-5)
Denial Of Service Protection (SC-5)
A.5.13 Labelling of information
A.8.11 Data masking
A.8.14 Redundancy of information processing facilities
A.8.15 Logging
A.8.24 Use of cryptography
3 Incident handling
4 Business continuity and crisis management
11 Access control
Architecture And Provisioning For Name/Address Resolution Service (SC-22)
CA-7(4)(c)
CM-3(a)
CP-1(a)(1)(b)
CP-2(5) Continue Mission And Business Functions
CP-2(a)
CP-2(d)
CP-2(e)
SA-15(a)(4)
SC-5(2) Capacity, Bandwidth, And Redundancy
SI-13(5) Failover Capability
PR.DS-01
PR.DS-3
PR.DS-4
PR.PT-5
RC.RP-04
3.5.1: Primary account number (PAN) is secured wherever it is stored.
5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.
7.2.1: Access to system components and data is appropriately defined and assigned.
7.2.2: Access to system components and data is appropriately defined and assigned.
7.2.5: Access to system components and data is appropriately defined and assigned.
7.3.1: Access to system components and data is managed via an access control system(s).
7.3.2: Access to system components and data is managed via an access control system(s).
7.3.3: Access to system components and data is managed via an access control system(s).
8.2.7: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.
8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session
8.2.8: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.
8.3.2: Strong authentication for users and administrators is established and managed.
8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components
8.3.4: Strong authentication for users and administrators is established and managed.
10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.3.1: Audit logs are protected from destruction and unauthorized modifications.
10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.
- Aurora MySQL DB clusters should have audit logging enabled
- Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs
A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.
A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities
C1.1 The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality
PI1.3 Data is processed completely, accurately, and timely as authorized to meet the entity's processing integrity commitments and system requirements
PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements
Framework Coverage
Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint
| Control | ISO/IEC 27001:2022 | PCI DSS v4.0 | NIS2 Directive (EU 2022/2555) | SOC 2 | ACSC Essential Eight | NIST Cybersecurity Framework v2.0 | Title 21 CFR Part 11 | CIS AWS Benchmark v5.0.0 |
|---|---|---|---|---|---|---|---|---|
| RDS Aurora clusters should have backtracking enabled | ○ | ○ | ● | ○ | ● | ○ | ○ | ○ |
| Aurora MySQL DB clusters should have audit logging enabled | ○ | ● | ○ | ○ | ● | ○ | ○ | ○ |
| Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs | ● | ● | ● | ● | ○ | ○ | ○ | ○ |
| RDS DB clusters should be configured to copy tags to snapshots | ● | ○ | ● | ○ | ○ | ○ | ○ | ○ |
| RDS clusters should have deletion protection enabled | ○ | ○ | ○ | ● | ○ | ● | ● | ○ |
| RDS DB clusters should be encrypted with CMK | ● | ● | ○ | ● | ○ | ○ | ○ | ○ |
| RDS DB clusters should be encrypted at rest | ● | ● | ○ | ● | ○ | ● | ○ | ○ |
| RDS DB clusters should have IAM authentication configured | ○ | ● | ● | ○ | ● | ○ | ○ | ○ |
| RDS DB clusters should be configured for multiple Availability Zones | ● | ○ | ○ | ○ | ○ | ● | ○ | ● |
| RDS database clusters should use a custom administrator username | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
Showing top 8 frameworks by coverage. All framework endpoints →