compliance.tf
Terraform Modules for AWS / Databases, Caching & Analytics

Terraform AWS RDS

RDS instances with subnet groups, security groups, storage encryption, automated backups, maintenance windows, performance insights, IAM authentication, and log exports.

Controls enforced

These compliance controls are checked at terraform plan time.

Quick start

Each block below is the same module call pointed at a different framework endpoint; pick the one for the framework you are targeting.

module "rds" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"

  # ... your arguments here
}

module "rds" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"

  # ... your arguments here
}

module "rds" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"

  # ... your arguments here
}

module "rds" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"

  # ... your arguments here
}

module "rds" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"

  # ... your arguments here
}

module "rds" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"

  # ... your arguments here
}

module "rds" {
  source  = "soc2.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"

  # ... your arguments here
}

module "rds" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.
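As an added example (not code from the compliance.tf page or from the upstream terraform-aws-modules project), here is one way to fill in the "your arguments here" placeholder so the module exercises the features the page lists: subnet group, security group, storage encryption, automated backups, maintenance window, Performance Insights, IAM authentication and log exports. The argument names are those of the upstream terraform-aws-modules/rds/aws module; the `aws_kms_key.rds`, `module.vpc.database_subnets` and `aws_security_group.rds` references, the identifier and the engine settings are assumptions standing in for resources and values you already have.

```hcl
# Added example, not part of the page: a complete call against one
# compliance.tf endpoint. Resource references below are assumed to exist.
module "rds" {
  source  = "soc2.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"

  identifier = "orders-db"   # assumed instance name

  engine               = "postgres"
  engine_version       = "16"
  family               = "postgres16"   # DB parameter group family
  major_engine_version = "16"           # DB option group major version
  instance_class       = "db.t4g.medium"

  allocated_storage     = 50
  max_allocated_storage = 200   # storage autoscaling ceiling (GiB)

  db_name  = "orders"
  username = "orders_app"
  port     = 5432

  # Master credential: generated and rotated by RDS in Secrets Manager,
  # so no password literal lives in Terraform code or state.
  manage_master_user_password = true

  # Encryption at rest with a customer-managed KMS key (assumed to exist).
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn

  # Network placement: dedicated subnet group on private subnets,
  # one security group for the database tier, never publicly reachable.
  create_db_subnet_group = true
  subnet_ids             = module.vpc.database_subnets   # assumed VPC module output
  vpc_security_group_ids = [aws_security_group.rds.id]   # assumed SG for the DB tier
  publicly_accessible    = false

  # IAM database authentication: short-lived tokens for application roles
  # instead of long-lived database passwords.
  iam_database_authentication_enabled = true

  # Automated backups, maintenance window and safeguards against loss.
  backup_retention_period = 14
  backup_window           = "03:00-04:00"
  maintenance_window      = "Sun:04:00-Sun:05:00"
  multi_az                = true
  deletion_protection     = true
  skip_final_snapshot     = false

  # Observability: Performance Insights plus engine logs shipped to CloudWatch.
  performance_insights_enabled          = true
  performance_insights_retention_period = 7
  enabled_cloudwatch_logs_exports       = ["postgresql", "upgrade"]
  create_cloudwatch_log_group           = true
}
```

Run `terraform init` followed by `terraform plan`; as the page states, the endpoint's compliance controls are evaluated at plan time, so a misconfiguration such as a publicly reachable or unencrypted instance surfaces before anything is applied.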

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

Before:

module "rds" {
  source  = "terraform-aws-modules/rds/aws"
  version = "1.0"
}

After:

module "rds" {
  source  = "soc2.compliance.tf/terraform-aws-modules/rds/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "rds" {
  source  = "terraform-aws-modules/rds/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

164.308(a)(4)(i) Information access management

164.312(a)(2)(iv) Encryption and decryption

164.312(e)(1) Transmission security

164.314(b)(2)(iv) Organizational requirements

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)

3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute

3.1.3 Control the flow of CUI in accordance with approved authorizations

3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

3.13.16 Protect the confidentiality of CUI at rest

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

SC-22 Architecture and Provisioning for Name/Address Resolution Service

CP-2(6) Alternate Processing and Storage Sites

SC-36 Distributed Processing and Storage

SC-7(27) Unclassified Non-National Security System Connections

SC-8(3) Cryptographic Protection for Message Externals

SC-8(4) Conceal or Randomize Communications

SI-19(4) Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers

SC-28 Protection of Information at Rest

C1.1 The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality

CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity

CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries

CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures

CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate

CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents

PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements

11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records

11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

Framework coverage

Which controls from this module are active under each framework endpoint.

