compliance.tf
Terraform Modules for AWSMessaging & Streaming

Terraform AWS MSK Kafka Cluster

MSK clusters with broker configuration, encryption in transit and at rest, client authentication, logging, VPC networking, and cluster policies for streaming workloads.

Controls enforced

These compliance controls are checked at terraform plan time.

Quick start

module "msk-kafka-cluster" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/msk-kafka-cluster/aws"
  version = "1.0"

  # ... your arguments here
}
module "msk-kafka-cluster" {
  source  = "nis2.compliance.tf/terraform-aws-modules/msk-kafka-cluster/aws"
  version = "1.0"

  # ... your arguments here
}
module "msk-kafka-cluster" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/msk-kafka-cluster/aws"
  version = "1.0"

  # ... your arguments here
}
module "msk-kafka-cluster" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/msk-kafka-cluster/aws"
  version = "1.0"

  # ... your arguments here
}
module "msk-kafka-cluster" {
  source  = "soc2.compliance.tf/terraform-aws-modules/msk-kafka-cluster/aws"
  version = "1.0"

  # ... your arguments here
}

View this module on the compliance.tf registry — versions, inputs, and outputs →

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "msk-kafka-cluster" {
  source  = "terraform-aws-modules/msk-kafka-cluster/aws"
  version = "1.0"
}
module "msk-kafka-cluster" {
  source  = "soc2.compliance.tf/terraform-aws-modules/msk-kafka-cluster/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "msk-kafka-cluster" {
  source  = "terraform-aws-modules/msk-kafka-cluster/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

6 Security in network and information systems acquisition, development and maintenance

2.2.7: System components are configured and managed securely.

4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained

4.2.1.1: PAN is protected with strong cryptography during transmission.

4.2.1: PAN is protected with strong cryptography during transmission.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives

Framework coverage

Which controls from this module are active under each framework endpoint.

ControlPCI DSS v4.0SOC 2
MSK clusters should be encrypted in transit among broker nodes
MSK clusters should have public access disabled
MSK clusters should disable unauthenticated access

enforced by default · not activated by this endpoint

SSM Parameter

Previous Page

SNS

Next Page

On this page

Controls enforcedQuick startMigration from upstreamReversibilityMapped compliance frameworksFramework coverage

Ask AI about this

Help improve this page