compliance.tf

Terraform AWS S3 Bucket

S3 buckets with versioning, default encryption, public access blocks, bucket policies, access logging, lifecycle rules, replication, event notifications, and optional object lock controls.

Controls enforced

These compliance controls are checked at terraform plan time.

Quick start

module "s3-bucket" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"

  # ... your arguments here
}
module "s3-bucket" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"

  # ... your arguments here
}
module "s3-bucket" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"

  # ... your arguments here
}
module "s3-bucket" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"

  # ... your arguments here
}
module "s3-bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"

  # ... your arguments here
}
module "s3-bucket" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"

  # ... your arguments here
}
module "s3-bucket" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"

  # ... your arguments here
}
module "s3-bucket" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.
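The quick-start blocks above leave the module arguments to you. The block below is an added example, not code from the compliance.tf page or from the upstream terraform-aws-modules project: it fills in one invocation that turns on the controls the page's summary lists (versioning, default encryption, public access blocks, a TLS-only bucket policy, access logging and a lifecycle rule). The endpoint and version are taken from the page; the argument names are assumed to follow the upstream terraform-aws-modules/s3-bucket interface; the bucket names and the KMS key ARN are constructed placeholders.

```hcl
# Added example (not from the compliance.tf page or the upstream module's docs).
# Assumptions: the soc2.compliance.tf endpoint and version "1.0" come from the page;
# argument names follow the upstream terraform-aws-modules/s3-bucket interface as
# assumed here; bucket names and the KMS key ARN are constructed placeholders.

module "s3-bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"

  bucket = "example-records-bucket" # constructed placeholder name

  # Public access block: all four settings on, so neither an ACL nor a bucket
  # policy can expose objects publicly.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Disable ACLs entirely; the bucket owner owns every object written to it.
  control_object_ownership = true
  object_ownership         = "BucketOwnerEnforced"

  # Versioning keeps prior object versions, so overwrites and deletes are recoverable.
  versioning = {
    enabled = true
  }

  # Default encryption at rest with a customer-managed KMS key (assumed argument shape).
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID" # constructed placeholder
      }
      bucket_key_enabled = true
    }
  }

  # Attach a bucket policy that denies any request not made over TLS.
  attach_deny_insecure_transport_policy = true

  # Server access logging to a separate, already-existing log bucket.
  logging = {
    target_bucket = "example-s3-access-logs" # constructed placeholder
    target_prefix = "records-bucket/"
  }

  # Lifecycle: expire noncurrent versions after 90 days and abort stale multipart uploads,
  # so versioning does not grow storage without bound.
  lifecycle_rule = [
    {
      id      = "expire-noncurrent"
      enabled = true
      noncurrent_version_expiration = {
        days = 90
      }
      abort_incomplete_multipart_upload_days = 7
    }
  ]
}
```

Two points to check before applying: with `BucketOwnerEnforced` ownership, the log bucket cannot grant the S3 logging service access through an ACL, so it is assumed here to already carry a bucket policy that permits log delivery; and object lock (which the page lists as optional) is omitted because it can only be enabled when the bucket is created, so it is a decision to make up front rather than a setting to add later.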

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "s3-bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "1.0"
}
module "s3-bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "s3-bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.3.1: Audit logs are protected from destruction and unauthorized modifications.

10.3.3: Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.

10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed

11.5.2: Network intrusions and unexpected file changes are detected and responded to.

11.6.1: Unauthorized changes on payment pages are detected and responded to.

12.10.5: Suspected and confirmed security incidents that could impact the CDE are responded to immediately.

12.10.5: The security incident response plan includes monitoring and responding to alerts from security monitoring systems

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

7.2.1: Access to system components and data is appropriately defined and assigned.

7.2.2: Access to system components and data is appropriately defined and assigned.

7.2.5: Access to system components and data is appropriately defined and assigned.

7.2.6: Access to system components and data is appropriately defined and assigned.

7.3.1: Access to system components and data is managed via an access control system(s).

7.3.2: Access to system components and data is managed via an access control system(s).

7.3.3: Access to system components and data is managed via an access control system(s).

8.2.7: User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle.

8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.

8.2.8: User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

8.4.1: Multi-factor authentication (MFA) is implemented to secure access into the CDE.

8.4.2: Multi-factor authentication (MFA) is implemented to secure access into the CDE.

8.4.3: MFA is implemented for all remote access originating from outside the entity's network that could access or impact the CDE.

8.4.3: Multi-factor authentication (MFA) is implemented to secure access into the CDE.

A3.3.1: PCI DSS is incorporated into business-as-usual (BAU) activities.

A3.5.1: Suspicious events are identified and responded to.

11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

AC-2(4) Automated Audit Actions

AU-9(2) Audit Backup On Separate Physical Systems / Components

Content of Audit Records (AU-3)

Denial Of Service Protection (SC-5)

Information Handling and Retention (SI-12)

Information System Recovery And Reconstitution (CP-10)

Protection of Information at Rest (SC-28)

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

C1.1 The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality

C1.2 The entity disposes of confidential information to meet the entity's objectives related to confidentiality

CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity

CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures

CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate

PI1.4 System outputs are complete, accurate, distributed only to intended parties, and retained to meet the entity's processing integrity commitments and system requirements

PI1.5 Stored data is maintained complete, accurate, and protected from unauthorized modification to meet the entity's processing integrity commitments and system requirements

3.1.12: Monitor and control remote access sessions.

3.1.14 Route remote access via managed access control points

3.1.20: Verify and control/limit connections to and use of external systems.

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

3.13.16: Protect the confidentiality of CUI at rest.

3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems

3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks

3.14.7: Identify unauthorized use of organizational systems.

3.3.1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity

3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions

3.3.3 Review and update logged events

3.5.10 Store and transmit only cryptographically-protected passwords

3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities

3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization

AC-2(4) Automated Audit Actions

AC-3(1) Restricted Access To Privileged Functions

AC-3(10) Audited Override Of Access Control Mechanisms

AC-3(4): Discretionary Access Control

AC-4(26) Audit Filtering Actions

AU-12(1) System-Wide And Time-Correlated Audit Trail

AU-12(2) Standardized Formats

AU-12(3) Changes By Authorized Individuals

AU-12(4) Query Parameter Audits Of Personally Identifiable Information

AU-14(3) Remote Viewing And Listening

AU-6(3) Correlate Audit Record Repositories

AU-6(4) Central Review And Analysis

AU-6(6) Correlation With Physical Monitoring

AU-6(9) Correlation With Information From Nontechnical Sources

CP-10(2): Transaction Recovery

CP-2(5) Continue Mission And Business Functions

CP-6(1) Separation From Primary Site

CP-6(2) Recovery Time And Recovery Point Objectives

CP-9(8): Cryptographic Protection

Continuous Monitoring Strategy (PM-31)

SC-5(2) Capacity, Bandwidth, And Redundancy

SC-8(3) Cryptographic Protection For Message Externals

SC-8(4) Conceal Or Randomize Communications

SI-13(5) Failover Capability

SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

SI-4(17) Integrated Situational Awareness

SI-4(2) Automated Tools For Real-Time Analysis

SI-7(8) Auditing Capability For Significant Events

System Recovery And Reconstitution (CP-10)

Framework coverage

Which controls from this module are active under each framework endpoint.

enforced by default · not activated by this endpoint
