Terraform AWS SSM Parameter
Systems Manager Parameter Store parameters with KMS encryption, parameter policies, versioning, tier selection, and controlled access to application configuration and secret values.
Controls enforced
These compliance controls are checked at terraform plan time.
- SSM parameters encryption should be enabled(low effort)
Quick start
module "ssm-parameter" {
source = "nistcsf.compliance.tf/terraform-aws-modules/ssm-parameter/aws"
version = "1.0"
# ... your arguments here
}See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.
Migration from upstream
Already using terraform-aws-modules? Change only the source URL:
module "ssm-parameter" {
source = "terraform-aws-modules/ssm-parameter/aws"
version = "1.0"
}module "ssm-parameter" {
source = "soc2.compliance.tf/terraform-aws-modules/ssm-parameter/aws"
version = "1.0"
}Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.
Reversibility
No lock-in. Switch back by reverting the source URL:
module "ssm-parameter" {
source = "terraform-aws-modules/ssm-parameter/aws"
}Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
Mapped compliance frameworks
Framework coverage
Which controls from this module are active under each framework endpoint.
| Control | Cybersecurity Framework v2.0 |
|---|---|
| SSM parameters encryption should be enabled | ● |
● enforced by default · ○ not activated by this endpoint