# compliance.tf

> Preventive infrastructure-as-code compliance controls for Terraform modules.
> Enforces SOC 2, HIPAA, PCI DSS, NIST 800-53, CIS, FedRAMP, ISO 27001, GDPR, NIS2, and 35+ frameworks at the module level - before terraform apply.

- 34 AWS modules based on terraform-aws-modules (same variables, same outputs)
- 35+ compliance frameworks enforced by default - no scanning, no policy authoring
- Works with Terraform, OpenTofu, Terragrunt, and Terramate
- Private registry with API token authentication
- Control exceptions with audit trail
- Operational Rules: lifecycle blocks, tagging standards, instance restrictions applied at download time
- Evidence generation via AWS Config and Audit Manager

Pricing:

- Free: $0 forever. CIS v6.0 framework with 27 controls, all 34 modules, 5 team members, 100 downloads/month; includes a 30-day trial of all frameworks.
- Full Access: $1,000/year. All 35+ frameworks, 25 team members, unlimited downloads, email support.
- Enterprise: custom pricing. Everything in Full Access plus BYOM, custom frameworks, unlimited team members, SSO/SAML, priority support.

How it works:

1. Change one line: replace your module source from registry.terraform.io to soc2.compliance.tf.
2. Run terraform init and terraform apply.
3. Every compliance control for your chosen framework is enforced automatically.

Product by [Betajob](https://www.betajob.com), created by Anton Babenko (AWS Hero, Terraform influencer).

## Links

- [Website](https://compliance.tf)
- [Documentation](https://compliance.tf/docs/)
- [Blog](https://compliance.tf/blog/)
- [Twitter/X](https://x.com/compliancetf)
- [LinkedIn](https://www.linkedin.com/company/compliance-tf/)
- [Trust Center](https://trustcenter.compliance.tf/)

## Website Pages

- [Home](https://compliance.tf/)
- [Operational Rules](https://compliance.tf/rules/)
- [Free Trial](https://compliance.tf/free-trial/)
- [Contact](https://compliance.tf/contact/)
- [Security](https://compliance.tf/security/)
- [Privacy Policy](https://compliance.tf/privacy/)
- [Terms and Conditions](https://compliance.tf/terms-and-conditions/)
- [Service Level Agreement](https://compliance.tf/sla/)
- [Data Processing Agreement](https://compliance.tf/dpa/)
- [Acceptable Use Policy](https://compliance.tf/acceptable-use/)
- [Cookie Policy](https://compliance.tf/cookie-policy/)
- [License](https://compliance.tf/license/)
- [Compare: vs Checkov/Trivy/Prowler](https://compliance.tf/docs/guides/compare/vs-checkov-trivy/)
- [Compare: vs OPA/Sentinel](https://compliance.tf/docs/guides/compare/vs-opa-sentinel/)

## Framework Landing Pages

- [SOC 2](https://compliance.tf/soc2/)
- [PCI DSS](https://compliance.tf/pci-dss/)
- [HIPAA](https://compliance.tf/hipaa/)
- [NIST 800-53](https://compliance.tf/nist/)
- [FedRAMP](https://compliance.tf/fedramp/)
- [CIS AWS](https://compliance.tf/cis/)
- [GDPR](https://compliance.tf/gdpr/)
- [ISO 27001](https://compliance.tf/iso27001/)
- [NIS2](https://compliance.tf/nis2/)

## Operational Rules

Operational Rules apply your organization's standards to Terraform modules at download time. No forks, no wrapper modules.
- [Operational Rules Overview](https://compliance.tf/rules/)
- [Prevent Destroy Data](https://compliance.tf/docs/rules/prevent_destroy_data/): Adds lifecycle { prevent_destroy = true } to S3, RDS, DynamoDB, EFS
- [Ignore Tag Changes](https://compliance.tf/docs/rules/ignore_tag_changes/): Adds lifecycle { ignore_changes = [tags, tags_all] } to AWS resources
- [Ignore Autoscaling Changes](https://compliance.tf/docs/rules/ignore_autoscaling_changes/): Adds lifecycle { ignore_changes = [read_capacity, write_capacity] } to DynamoDB
- [Ignore AMI Changes](https://compliance.tf/docs/rules/ignore_ami_changes/): Adds lifecycle { ignore_changes = [ami] } to EC2
- [Prevent Destroy Encryption](https://compliance.tf/docs/rules/prevent_destroy_encryption/): Adds lifecycle { prevent_destroy = true } to KMS, Secrets Manager
- [No Provisioners](https://compliance.tf/docs/rules/no_provisioners/): Removes provisioner blocks from modules
- [Restrict Instance Types](https://compliance.tf/docs/rules/restrict_instance_types/): Denies GPU and specialty EC2 types

## Blog

- [The compliance.tf Registry Is Now Public](https://compliance.tf/blog/compliance-tf-registry-is-now-public/): 2026-06-09
- [Debugging terraform init: 401, 403, 502, and What Your Headers Are Telling You](https://compliance.tf/blog/debugging-terraform-init-failures/): 2026-03-30
- [Stop Paying the Terraform Fork Tax](https://compliance.tf/blog/stop-paying-the-terraform-fork-tax/): 2026-03-25
- [Why Enterprises Choose Compliance.tf Over terraform-aws-modules](https://compliance.tf/blog/why-enterprises-choose-compliance-tf/): 2026-03-06
- [Verifying Compliance.tf Modules: From Guardrails to Audit Evidence](https://compliance.tf/blog/verifying-compliance-tf-modules/): 2025-11-27
- [Make Non-Compliant Terraform Impossible With Compliance.tf](https://compliance.tf/blog/make-non-compliant-terraform-impossible/): 2025-11-26

## Documentation

- [Docs](https://compliance.tf/docs/)
- [Features - Overview](https://compliance.tf/docs/features/)
- [Features - Terraform Registry Endpoints](https://compliance.tf/docs/features/endpoints/)
- [Features - Customize Modules](https://compliance.tf/docs/features/controls/)
- [Features - Compatibility with terraform-aws-modules](https://compliance.tf/docs/features/compatibility/)
- [Guides - Overview](https://compliance.tf/docs/guides/)
- [Guides - Get Started](https://compliance.tf/docs/guides/get-started/)
- [Guides - Migration Guide](https://compliance.tf/docs/guides/migration/)
- [Guides - Migration - Assessment Checklist](https://compliance.tf/docs/guides/migration/assessment-checklist/)
- [Guides - Migration - Version Compatibility](https://compliance.tf/docs/guides/migration/version-compatibility/)
- [Guides - Migration - EC2 Instance](https://compliance.tf/docs/guides/migration/ec2-instance/)
- [Guides - Migration - RDS](https://compliance.tf/docs/guides/migration/rds/)
- [Guides - Migration - S3 Bucket](https://compliance.tf/docs/guides/migration/s3-bucket/)
- [Guides - Migration - VPC](https://compliance.tf/docs/guides/migration/vpc/)
- [Guides - Compliance Starter Kits - Overview](https://compliance.tf/docs/guides/starter-kits/)
- [Guides - Compliance Starter Kits - B2B SaaS (SOC 2)](https://compliance.tf/docs/guides/starter-kits/b2b-saas/)
- [Guides - Compliance Starter Kits - Fintech (PCI DSS v4.0 + SOC 2)](https://compliance.tf/docs/guides/starter-kits/fintech/)
- [Guides - Compliance Starter Kits - HealthTech (HIPAA + SOC 2)](https://compliance.tf/docs/guides/starter-kits/healthtech/)
- [Guides - Audit Evidence](https://compliance.tf/docs/guides/audit-evidence/)
- [Guides - Make the Case](https://compliance.tf/docs/guides/make-the-case/)
- [Guides - CI/CD Integration - Overview](https://compliance.tf/docs/guides/ci-cd/)
- [Guides - CI/CD Integration - GitHub Actions](https://compliance.tf/docs/guides/ci-cd/github-actions/)
- [Guides - CI/CD Integration - GitLab CI](https://compliance.tf/docs/guides/ci-cd/gitlab-ci/)
- [Guides - CI/CD Integration - Terraform Cloud](https://compliance.tf/docs/guides/ci-cd/terraform-cloud/)
- [Guides - CI/CD Integration - Other Platforms](https://compliance.tf/docs/guides/ci-cd/other-platforms/)
- [Guides - Compare Approaches - Overview](https://compliance.tf/docs/guides/compare/)
- [Guides - Compare - vs Checkov / Trivy](https://compliance.tf/docs/guides/compare/vs-checkov-trivy/)
- [Guides - Compare - vs OPA / Sentinel](https://compliance.tf/docs/guides/compare/vs-opa-sentinel/)
- [Guides - Compare - vs Custom Wrappers](https://compliance.tf/docs/guides/compare/vs-custom-wrappers/)
- [Guides - Compare - vs AWS Control Tower](https://compliance.tf/docs/guides/compare/vs-control-tower/)
- [Guides - Getting Started with Rules](https://compliance.tf/docs/guides/operational-rules/)
- [Guides - Rules Preview](https://compliance.tf/docs/guides/rules-preview/)
- [Operational Rules - Overview](https://compliance.tf/docs/rules/)
- [Operational Rules - Rule Catalog](https://compliance.tf/docs/rules/catalog/)
- [Operational Rules - Prevent Destroy Data](https://compliance.tf/docs/rules/prevent_destroy_data/)
- [Operational Rules - Ignore Tag Changes](https://compliance.tf/docs/rules/ignore_tag_changes/)
- [Operational Rules - Ignore Autoscaling Changes](https://compliance.tf/docs/rules/ignore_autoscaling_changes/)
- [Operational Rules - Ignore AMI Changes](https://compliance.tf/docs/rules/ignore_ami_changes/)
- [Operational Rules - Prevent Destroy Encryption](https://compliance.tf/docs/rules/prevent_destroy_encryption/)
- [Operational Rules - No Provisioners](https://compliance.tf/docs/rules/no_provisioners/)
- [Operational Rules - Restrict Instance Types](https://compliance.tf/docs/rules/restrict_instance_types/)

## Supported Frameworks

- [CIS AWS Benchmark v6.0.0](https://compliance.tf/docs/frameworks/aws/cis_v600/): 97 controls
- [FFIEC Cybersecurity Assessment Tool](https://compliance.tf/docs/frameworks/aws/ffiec/): 175 controls
- [SOC 2](https://compliance.tf/docs/frameworks/aws/soc_2/): 235 controls
- [CCCS Medium Cloud Control Profile](https://compliance.tf/docs/frameworks/aws/cccs_medium/): 47 controls
- [CIS Controls v8.0 IG1](https://compliance.tf/docs/frameworks/aws/cis_v80_ig1/): 99 controls
- [PCI DSS v4.0](https://compliance.tf/docs/frameworks/aws/pci_dss_v40/): 331 controls
- [ACSC Essential Eight](https://compliance.tf/docs/frameworks/aws/acsc_essential_eight/): 150 controls
- [HIPAA Omnibus Rule 2013](https://compliance.tf/docs/frameworks/aws/hipaa_final_omnibus_2013/): 203 controls
- [NIST SP 800-171 Rev 2](https://compliance.tf/docs/frameworks/aws/nist_800_171_rev_2/): 136 controls
- [ACSC ISM March 2023](https://compliance.tf/docs/frameworks/aws/acsc_ism_2023/): 66 controls
- [AWS Control Tower Guardrails](https://compliance.tf/docs/frameworks/aws/aws_control_tower/): 34 controls
- [ISO/IEC 27001:2022](https://compliance.tf/docs/frameworks/aws/iso_27001_2022/): 340 controls
- [AWS Well-Architected Framework v10](https://compliance.tf/docs/frameworks/aws/aws_well_architected_v10/): 288 controls
- [EU GMP Annex 11](https://compliance.tf/docs/frameworks/aws/eu_gmp_annex_11/): 80 controls
- [GDPR](https://compliance.tf/docs/frameworks/aws/gdpr/): 104 controls
- [Title 21 CFR Part 11](https://compliance.tf/docs/frameworks/aws/cfr_part_11/): 188 controls
- [CISA Cyber Essentials](https://compliance.tf/docs/frameworks/aws/cisa_cyber_essentials/): 176 controls
- [NIS2 Directive (EU 2022/2555)](https://compliance.tf/docs/frameworks/aws/nis2/): 251 controls
- [NIST SP 800-53 Rev 5](https://compliance.tf/docs/frameworks/aws/nist_800_53_rev_5/): 161 controls
- [NYDFS Cybersecurity Regulation](https://compliance.tf/docs/frameworks/aws/nydfs_23/): 125 controls
- [RBI Cyber Security Framework for UCBs](https://compliance.tf/docs/frameworks/aws/rbi_cyber_security/): 138 controls
- [NIST Cybersecurity Framework v2.0](https://compliance.tf/docs/frameworks/aws/nist_csf_v2/): 366 controls
- [RBI IT Framework for NBFCs](https://compliance.tf/docs/frameworks/aws/rbi_itf_nbfc/): 118 controls
- [AWS Generative AI Best Practices v2](https://compliance.tf/docs/frameworks/aws/aws_genai_v2/): 9 controls
- [FedRAMP Moderate Baseline Rev 4](https://compliance.tf/docs/frameworks/aws/fedramp_moderate_rev_4/): 139 controls
- [FedRAMP Low Baseline Rev 4](https://compliance.tf/docs/frameworks/aws/fedramp_low_rev_4/): 161 controls
- [CIS AWS Benchmark v1.4.0](https://compliance.tf/docs/frameworks/aws/cis_v140/): 98 controls
- [CIS AWS Benchmark v5.0.0](https://compliance.tf/docs/frameworks/aws/cis_v500/): 97 controls

## Modules

- [Terraform AWS ACM](https://compliance.tf/docs/modules/terraform-aws-acm/)
- [Terraform AWS ALB](https://compliance.tf/docs/modules/terraform-aws-alb/)
- [Terraform AWS API Gateway v2](https://compliance.tf/docs/modules/terraform-aws-apigateway-v2/)
- [Terraform AWS AppSync](https://compliance.tf/docs/modules/terraform-aws-appsync/)
- [Terraform AWS Autoscaling](https://compliance.tf/docs/modules/terraform-aws-autoscaling/)
- [Terraform AWS CloudFront](https://compliance.tf/docs/modules/terraform-aws-cloudfront/)
- [Terraform AWS CloudWatch](https://compliance.tf/docs/modules/terraform-aws-cloudwatch/)
- [Terraform AWS DMS](https://compliance.tf/docs/modules/terraform-aws-dms/)
- [Terraform AWS DynamoDB Table](https://compliance.tf/docs/modules/terraform-aws-dynamodb-table/)
- [Terraform AWS EC2 Instance](https://compliance.tf/docs/modules/terraform-aws-ec2-instance/)
- [Terraform AWS ECR](https://compliance.tf/docs/modules/terraform-aws-ecr/)
- [Terraform AWS ECS](https://compliance.tf/docs/modules/terraform-aws-ecs/)
- [Terraform AWS EFS](https://compliance.tf/docs/modules/terraform-aws-efs/)
- [Terraform AWS EKS](https://compliance.tf/docs/modules/terraform-aws-eks/)
- [Terraform AWS Elasticache](https://compliance.tf/docs/modules/terraform-aws-elasticache/)
- [Terraform AWS ELB](https://compliance.tf/docs/modules/terraform-aws-elb/)
- [Terraform AWS EMR](https://compliance.tf/docs/modules/terraform-aws-emr/)
- [Terraform AWS FSx](https://compliance.tf/docs/modules/terraform-aws-fsx/)
- [Terraform AWS KMS](https://compliance.tf/docs/modules/terraform-aws-kms/)
- [Terraform AWS Lambda](https://compliance.tf/docs/modules/terraform-aws-lambda/)
- [Terraform AWS MSK Kafka Cluster](https://compliance.tf/docs/modules/terraform-aws-msk-kafka-cluster/)
- [Terraform AWS Network Firewall](https://compliance.tf/docs/modules/terraform-aws-network-firewall/)
- [Terraform AWS OpenSearch](https://compliance.tf/docs/modules/terraform-aws-opensearch/)
- [Terraform AWS RDS](https://compliance.tf/docs/modules/terraform-aws-rds/)
- [Terraform AWS RDS Aurora](https://compliance.tf/docs/modules/terraform-aws-rds-aurora/)
- [Terraform AWS Redshift](https://compliance.tf/docs/modules/terraform-aws-redshift/)
- [Terraform AWS S3 Bucket](https://compliance.tf/docs/modules/terraform-aws-s3-bucket/)
- [Terraform AWS Secrets Manager](https://compliance.tf/docs/modules/terraform-aws-secrets-manager/)
- [Terraform AWS SNS](https://compliance.tf/docs/modules/terraform-aws-sns/)
- [Terraform AWS SQS](https://compliance.tf/docs/modules/terraform-aws-sqs/)
- [Terraform AWS SSM Parameter](https://compliance.tf/docs/modules/terraform-aws-ssm-parameter/)
- [Terraform AWS Step Functions](https://compliance.tf/docs/modules/terraform-aws-step-functions/)
- [Terraform AWS VPC](https://compliance.tf/docs/modules/terraform-aws-vpc/)
- [Terraform AWS VPN Gateway](https://compliance.tf/docs/modules/terraform-aws-vpn-gateway/)

## Controls

- [ACM certificates should not use wildcard certificates](https://compliance.tf/docs/controls/aws/acm_certificate_no_wildcard_domain_name/)
- [ACM RSA certificates should use a key length of at least 2,048 bits](https://compliance.tf/docs/controls/aws/acm_certificate_rsa_key_length_2048_bits_or_greater/)
- [ACM certificates should have transparency logging enabled](https://compliance.tf/docs/controls/aws/acm_certificate_transparency_logging_enabled/)
- [API Gateway methods should require an authorizer](https://compliance.tf/docs/controls/aws/api_gateway_method_authorization_type_configured/)
- [API Gateway methods should validate request parameters](https://compliance.tf/docs/controls/aws/api_gateway_method_request_parameter_validated/)
- [API Gateway routes should require an authorization type](https://compliance.tf/docs/controls/aws/api_gatewayv2_route_authorization_type_configured/)
- [API Gateway V2 routes should require an authorizer](https://compliance.tf/docs/controls/aws/api_gatewayv2_route_authorizer_configured/)
- [API Gateway stages should not use client SSL certificates](https://compliance.tf/docs/controls/aws/apigateway_rest_api_stage_use_ssl_certificate/)
- [API Gateway REST API stages should have AWS X-Ray tracing enabled](https://compliance.tf/docs/controls/aws/apigateway_rest_api_stage_xray_tracing_enabled/)
- [API Gateway stages should have cache encryption at rest enabled](https://compliance.tf/docs/controls/aws/apigateway_stage_cache_encryption_at_rest_enabled/)
- [API Gateway stages should have logging enabled](https://compliance.tf/docs/controls/aws/apigateway_stage_logging_enabled/)
- [AppStream fleets should have default internet access disabled](https://compliance.tf/docs/controls/aws/appstream_fleet_default_internet_access_disabled/)
- [AppStream fleets should have idle disconnect timeout set to 10 minutes or less](https://compliance.tf/docs/controls/aws/appstream_fleet_idle_disconnect_timeout_600_seconds/)
- [AppStream fleets should limit maximum user duration to 10 hours or less](https://compliance.tf/docs/controls/aws/appstream_fleet_max_user_duration_36000_seconds/)
- [AppStream fleets should have session disconnect timeout set to 5 minutes or less](https://compliance.tf/docs/controls/aws/appstream_fleet_session_disconnect_timeout_300_seconds/)
- [AppSync GraphQL APIs should not use API key authentication](https://compliance.tf/docs/controls/aws/appsync_graphql_api_authentication_without_api_key/)
- [AppSync API caches should have encryption at rest enabled](https://compliance.tf/docs/controls/aws/appsync_graphql_api_cache_encryption_at_rest_enabled/)
- [AppSync API caches should have encryption in transit enabled](https://compliance.tf/docs/controls/aws/appsync_graphql_api_cache_encryption_in_transit_enabled/)
- [AppSync GraphQL APIs should have field-level logging enabled](https://compliance.tf/docs/controls/aws/appsync_graphql_api_field_level_logging_enabled/)
- [Athena workgroups should be encrypted at rest](https://compliance.tf/docs/controls/aws/athena_workgroup_encryption_at_rest_enabled/)
- [Athena workgroups should enforce configuration](https://compliance.tf/docs/controls/aws/athena_workgroup_enforce_configuration_enabled/)
- [Athena workgroups should have logging enabled](https://compliance.tf/docs/controls/aws/athena_workgroup_logging_enabled/)
- [Backup plans should have minimum frequency and minimum retention configured](https://compliance.tf/docs/controls/aws/backup_plan_min_retention_35_days/)
- [CloudFormation stacks should have notifications enabled](https://compliance.tf/docs/controls/aws/cloudformation_stack_notifications_enabled/)
- [CloudFormation stacks should have rollback enabled](https://compliance.tf/docs/controls/aws/cloudformation_stack_rollback_enabled/)
- [CloudFront distributions should have a default root object configured](https://compliance.tf/docs/controls/aws/cloudfront_distribution_default_root_object_configured/)
- [CloudFront distributions should require encryption in transit](https://compliance.tf/docs/controls/aws/cloudfront_distribution_encryption_in_transit_enabled/)
- [CloudFront distributions should have field level encryption enabled](https://compliance.tf/docs/controls/aws/cloudfront_distribution_field_level_encryption_enabled/)
- [CloudFront distributions should have geo restriction enabled](https://compliance.tf/docs/controls/aws/cloudfront_distribution_geo_restrictions_enabled/)
- [CloudFront distributions should have latest TLS version](https://compliance.tf/docs/controls/aws/cloudfront_distribution_latest_tls_version/)
- [CloudFront distributions access logs should be enabled](https://compliance.tf/docs/controls/aws/cloudfront_distribution_logging_enabled/)
- [CloudFront distributions should use SNI to serve HTTPS requests](https://compliance.tf/docs/controls/aws/cloudfront_distribution_sni_enabled/)
- [CloudFront distributions should use custom SSL/TLS certificates](https://compliance.tf/docs/controls/aws/cloudfront_distribution_use_custom_ssl_certificate/)
- [CloudFront distributions should use the recommended TLS security policy](https://compliance.tf/docs/controls/aws/cloudfront_distribution_uses_recommended_tls_security_policy/)
- [CloudFront distributions should have AWS WAF enabled](https://compliance.tf/docs/controls/aws/cloudfront_distribution_waf_enabled/)
- [CloudTrail trails should have at least one enabled trail present in a region](https://compliance.tf/docs/controls/aws/cloudtrail_trail_enabled/)
- [CloudTrail trails should be integrated with CloudWatch logs](https://compliance.tf/docs/controls/aws/cloudtrail_trail_integrated_with_logs/)
- [CloudTrail trails should have logs encrypted using a customer managed KMS key](https://compliance.tf/docs/controls/aws/cloudtrail_trail_logs_encrypted_with_kms_cmk/)
- [CloudTrail trails should have log file validation enabled](https://compliance.tf/docs/controls/aws/cloudtrail_trail_validation_enabled/)
- [CloudWatch alarms should have an action configured](https://compliance.tf/docs/controls/aws/cloudwatch_alarm_action_enabled/)
- [CloudWatch alarms should have action enabled](https://compliance.tf/docs/controls/aws/cloudwatch_alarm_action_enabled_check/)
- [CloudWatch log groups should have retention period of at least 365 days](https://compliance.tf/docs/controls/aws/cloudwatch_log_group_retention_period_365/)
- [CodeBuild projects should have artifact encryption enabled](https://compliance.tf/docs/controls/aws/codebuild_project_artifact_encryption_enabled/)
- [CodeBuild projects should have encryption at rest enabled](https://compliance.tf/docs/controls/aws/codebuild_project_encryption_at_rest_enabled/)
- [CodeBuild projects should not have privileged mode enabled](https://compliance.tf/docs/controls/aws/codebuild_project_environment_privileged_mode_disabled/)
- [CodeBuild projects should have logging enabled](https://compliance.tf/docs/controls/aws/codebuild_project_logging_enabled/)
- [CodeBuild projects should have S3 logs encrypted](https://compliance.tf/docs/controls/aws/codebuild_project_s3_logs_encryption_enabled/)
- [CodeBuild report group exports should be encrypted at rest](https://compliance.tf/docs/controls/aws/codebuild_report_group_export_encryption_at_rest_enabled/)
- [Cognito identity pools should not allow unauthenticated identities](https://compliance.tf/docs/controls/aws/cognito_identity_pools_restrict_unauthenticated_identities/)
- [DataSync tasks should have logging enabled](https://compliance.tf/docs/controls/aws/datasync_task_logging_enabled/)
- [DynamoDB Accelerator (DAX) clusters should be encrypted at rest](https://compliance.tf/docs/controls/aws/dax_cluster_encryption_at_rest_enabled/)
- [DynamoDB Accelerator clusters should be encrypted in transit](https://compliance.tf/docs/controls/aws/dax_cluster_encryption_in_transit_enabled/)
- [DMS endpoints for MongoDB should have an authentication mechanism enabled](https://compliance.tf/docs/controls/aws/dms_endpoint_mongo_db_authentication_enabled/)
- [DMS endpoints for Redis OSS should have TLS enabled](https://compliance.tf/docs/controls/aws/dms_endpoint_redis_tls_enabled/)
- [DMS endpoints should use SSL](https://compliance.tf/docs/controls/aws/dms_endpoint_ssl_configured/)
- [DMS replication instances should have automatic minor version upgrade enabled](https://compliance.tf/docs/controls/aws/dms_replication_instance_automatic_minor_version_upgrade_enabled/)
- [DMS replication instances should have encryption enabled](https://compliance.tf/docs/controls/aws/dms_replication_instance_encryption_enabled/)
- [DMS replication instances should not be publicly accessible](https://compliance.tf/docs/controls/aws/dms_replication_instance_not_publicly_accessible/)
- [DocumentDB clusters should have an adequate backup retention period](https://compliance.tf/docs/controls/aws/docdb_cluster_backup_retention_period_7_days/)
- [DocumentDB clusters should have deletion protection enabled](https://compliance.tf/docs/controls/aws/docdb_cluster_deletion_protection_enabled/)
- [DocumentDB clusters should have encryption at rest enabled](https://compliance.tf/docs/controls/aws/docdb_cluster_encryption_at_rest_enabled/)
- [DocumentDB instance logging should be enabled](https://compliance.tf/docs/controls/aws/docdb_cluster_instance_logging_enabled/)
- [DynamoDB tables should have deletion protection enabled](https://compliance.tf/docs/controls/aws/dynamodb_table_deletion_protection_enabled/)
- [DynamoDB tables should have AWS KMS encryption enabled](https://compliance.tf/docs/controls/aws/dynamodb_table_encrypted_with_kms/)
- [DynamoDB tables should have encryption enabled](https://compliance.tf/docs/controls/aws/dynamodb_table_encryption_enabled/)
- [DynamoDB tables should have point-in-time recovery enabled](https://compliance.tf/docs/controls/aws/dynamodb_table_point_in_time_recovery_enabled/)
- [Attached EBS volumes should have encryption enabled](https://compliance.tf/docs/controls/aws/ebs_attached_volume_encryption_enabled/)
- [EBS snapshots should be encrypted](https://compliance.tf/docs/controls/aws/ebs_snapshot_encryption_enabled/)
- [EBS volumes should have encryption at rest enabled](https://compliance.tf/docs/controls/aws/ebs_volume_encryption_at_rest_enabled/)
- [Classic Load Balancers should have connection draining enabled](https://compliance.tf/docs/controls/aws/ec2_classic_lb_connection_draining_enabled/)
- [EC2 Client VPN endpoints should have client connection logging enabled](https://compliance.tf/docs/controls/aws/ec2_client_vpn_endpoint_client_connection_logging_enabled/)
- [EC2 instances should have attached EBS volumes marked for deletion on termination](https://compliance.tf/docs/controls/aws/ec2_instance_attached_ebs_volume_delete_on_termination_enabled/)
- [EC2 instances should have detailed monitoring enabled](https://compliance.tf/docs/controls/aws/ec2_instance_detailed_monitoring_enabled/)
- [EC2 instances should have EBS optimization enabled](https://compliance.tf/docs/controls/aws/ec2_instance_ebs_optimized/)
- [EC2 instances should have IAM profile attached](https://compliance.tf/docs/controls/aws/ec2_instance_iam_profile_attached/)
- [EC2 instances should be in a VPC](https://compliance.tf/docs/controls/aws/ec2_instance_in_vpc/)
- [EC2 instances should not use key pairs in running state](https://compliance.tf/docs/controls/aws/ec2_instance_no_amazon_key_pair/)
- [EC2 instances should not have a public IP address](https://compliance.tf/docs/controls/aws/ec2_instance_not_publicly_accessible/)
- [EC2 instances should not use multiple ENIs](https://compliance.tf/docs/controls/aws/ec2_instance_not_use_multiple_enis/)
- [EC2 instances should have termination protection enabled](https://compliance.tf/docs/controls/aws/ec2_instance_termination_protection_enabled/)
- [EC2 instances should use IMDSv2](https://compliance.tf/docs/controls/aws/ec2_instance_uses_imdsv2/)
- [EC2 instances should use IAM instance roles for AWS resource access](https://compliance.tf/docs/controls/aws/ec2_instance_using_iam_instance_role/)
- [EC2 instances should not use paravirtual instance types](https://compliance.tf/docs/controls/aws/ec2_instance_virtualization_type_no_paravirtual/)
- [EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](https://compliance.tf/docs/controls/aws/ec2_launch_template_default_version_uses_imdsv2/)
- [EC2 launch templates should not assign public IPs to network interfaces](https://compliance.tf/docs/controls/aws/ec2_launch_template_not_publicly_accessible/)
- [EC2 network interfaces should have source/destination checking enabled](https://compliance.tf/docs/controls/aws/ec2_network_inteface_source_destination_check_enabled/)
- [EC2 transit gateways should have auto accept shared attachments disabled](https://compliance.tf/docs/controls/aws/ec2_transit_gateway_auto_cross_account_attachment_disabled/)
- [ECR repositories should have image scan on push enabled](https://compliance.tf/docs/controls/aws/ecr_repository_image_scan_on_push_enabled/)
- [ECR private repositories should have tag immutability configured](https://compliance.tf/docs/controls/aws/ecr_repository_tag_immutability_enabled/)
- [ECS clusters should have container insights enabled](https://compliance.tf/docs/controls/aws/ecs_cluster_container_insights_enabled/)
- [ECS Fargate services should run on the latest Fargate platform version](https://compliance.tf/docs/controls/aws/ecs_service_fargate_using_latest_platform_version/)
- [ECS services should not have public IP addresses assigned automatically](https://compliance.tf/docs/controls/aws/ecs_service_not_publicly_accessible/)
- [ECS task definitions should not share the host's process namespace](https://compliance.tf/docs/controls/aws/ecs_task_definition_no_host_pid_mode/)
- [EFS access points should enforce a root directory](https://compliance.tf/docs/controls/aws/efs_access_point_enforce_root_directory/)
- [EFS access points should enforce a user identity](https://compliance.tf/docs/controls/aws/efs_access_point_enforce_user_identity/)
- [EFS file systems should have encryption at rest enabled](https://compliance.tf/docs/controls/aws/efs_file_system_encrypt_data_at_rest/)
- [EFS file systems should be encrypted with CMK](https://compliance.tf/docs/controls/aws/efs_file_system_encrypted_with_cmk/)
- [EKS clusters should have control plane audit logging enabled](https://compliance.tf/docs/controls/aws/eks_cluster_control_plane_audit_logging_enabled/)
- [EKS clusters endpoint public access should be restricted](https://compliance.tf/docs/controls/aws/eks_cluster_endpoint_public_access_restricted/)
- [EKS clusters endpoint should restrict public access](https://compliance.tf/docs/controls/aws/eks_cluster_endpoint_restrict_public_access/)
- [EKS clusters should be configured to have Kubernetes secrets encrypted using KMS](https://compliance.tf/docs/controls/aws/eks_cluster_secrets_encrypted/)
- [ElastiCache clusters should not use the default subnet group](https://compliance.tf/docs/controls/aws/elasticache_cluster_no_default_subnet_group/)
- [ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greater](https://compliance.tf/docs/controls/aws/elasticache_redis_cluster_automatic_backup_retention_15_days/)
- [ElastiCache for Redis replication groups should have automatic failover enabled](https://compliance.tf/docs/controls/aws/elasticache_replication_group_auto_failover_enabled/)
- [ElastiCache for Redis replication groups should be encrypted at rest](https://compliance.tf/docs/controls/aws/elasticache_replication_group_encryption_at_rest_enabled/)
- [ElastiCache for Redis replication groups should be encrypted with CMK](https://compliance.tf/docs/controls/aws/elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk/)
- [ElastiCache for Redis replication groups should be encrypted in transit](https://compliance.tf/docs/controls/aws/elasticache_replication_group_encryption_in_transit_enabled/)
- [ElastiCache for Redis replication groups before version 6.0 should use Redis Auth](https://compliance.tf/docs/controls/aws/elasticache_replication_group_redis_auth_enabled/)
- [ELB application and classic load balancer logging should be enabled](https://compliance.tf/docs/controls/aws/elb_application_classic_lb_logging_enabled/)
- [ELB load balancers should prohibit public access](https://compliance.tf/docs/controls/aws/elb_application_classic_network_lb_prohibit_public_access/)
- [ELB application load balancer deletion protection should be enabled](https://compliance.tf/docs/controls/aws/elb_application_lb_deletion_protection_enabled/)
- [ELB application load balancers should be configured with defensive or strictest desync mitigation mode](https://compliance.tf/docs/controls/aws/elb_application_lb_desync_mitigation_mode/)
- [ELB application load balancers should be configured to drop HTTP headers](https://compliance.tf/docs/controls/aws/elb_application_lb_drop_http_headers/)
- [ELB application load balancers should drop invalid HTTP headers](https://compliance.tf/docs/controls/aws/elb_application_lb_http_drop_invalid_header_enabled/)
- [ELB application and network load balancers should use recommended security policies](https://compliance.tf/docs/controls/aws/elb_application_network_lb_https_tls_listener_recommended_security_policy/)
- [ELB application and network load balancers should only use SSL or HTTPS listeners](https://compliance.tf/docs/controls/aws/elb_application_network_lb_use_ssl_certificate/)
- [ELB application and network load balancer listeners should use secure protocols](https://compliance.tf/docs/controls/aws/elb_application_network_listener_uses_secure_protocol/)
- [ELB classic load balancers should have cross-zone load balancing enabled](https://compliance.tf/docs/controls/aws/elb_classic_lb_cross_zone_load_balancing_enabled/)
- [ELB classic load balancers should be configured with defensive or strictest desync mitigation mode](https://compliance.tf/docs/controls/aws/elb_classic_lb_desync_mitigation_mode/)
- [ELB classic load balancers should span multiple availability zones](https://compliance.tf/docs/controls/aws/elb_classic_lb_multiple_az_configured/)
- [ELB network load balancers should have TLS listener security policy configured](https://compliance.tf/docs/controls/aws/elb_network_lb_tls_listener_security_policy_configured/)
- [ELB listeners should use approved SSL/TLS protocol versions](https://compliance.tf/docs/controls/aws/elb_tls_listener_protocol_version/)
- [EMR cluster Kerberos should be enabled](https://compliance.tf/docs/controls/aws/emr_cluster_kerberos_enabled/)
- [EMR clusters should have security configuration enabled](https://compliance.tf/docs/controls/aws/emr_cluster_security_configuration_enabled/)
- [Elasticsearch domains should have audit logging enabled](https://compliance.tf/docs/controls/aws/es_domain_audit_logging_enabled/)
- [Elasticsearch domains should have Cognito authentication enabled](https://compliance.tf/docs/controls/aws/es_domain_cognito_authentication_enabled/)
- [Elasticsearch domains should have at least three data nodes](https://compliance.tf/docs/controls/aws/es_domain_data_nodes_min_3/)
- [Elasticsearch domains should be configured with at least three dedicated master nodes](https://compliance.tf/docs/controls/aws/es_domain_dedicated_master_nodes_min_3/)
- [Elasticsearch domains should require TLS 1.2 for connections](https://compliance.tf/docs/controls/aws/es_domain_encrypted_using_tls_1_2/)
- [ES domain encryption at rest should be enabled](https://compliance.tf/docs/controls/aws/es_domain_encryption_at_rest_enabled/)
- [Elasticsearch domain error logging to CloudWatch Logs should be enabled](https://compliance.tf/docs/controls/aws/es_domain_error_logging_enabled/)
- [ES domains should be in a VPC](https://compliance.tf/docs/controls/aws/es_domain_in_vpc/)
- [Elasticsearch domains should have internal user database enabled](https://compliance.tf/docs/controls/aws/es_domain_internal_user_database_enabled/)
- [Elasticsearch domain should send logs to CloudWatch](https://compliance.tf/docs/controls/aws/es_domain_logs_to_cloudwatch/)
- [Elasticsearch domain node-to-node encryption should be enabled](https://compliance.tf/docs/controls/aws/es_domain_node_to_node_encryption_enabled/)
- [FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](https://compliance.tf/docs/controls/aws/fsx_file_system_copy_tags_to_backup_and_volume_enabled/)
- [FSx for Lustre file systems should be configured to copy tags to backups](https://compliance.tf/docs/controls/aws/fsx_lustre_file_system_copy_tags_to_backup_enabled/)
- [FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](https://compliance.tf/docs/controls/aws/fsx_netapp_ontap_file_system_multi_az_deployment_enabled/)
- [FSx for OpenZFS file systems should be configured for Multi-AZ deployment](https://compliance.tf/docs/controls/aws/fsx_openzfs_file_system_multi_az_deployment_enabled/)
- [FSx for Windows File Server file systems should be configured for Multi-AZ deployment](https://compliance.tf/docs/controls/aws/fsx_windows_file_system_multi_az_deployment_enabled/)
- [API Gateway V2 stages should have access logging configured](https://compliance.tf/docs/controls/aws/gatewayv2_stage_access_logging_enabled/)
- [Glue data catalog metadata encryption should be enabled](https://compliance.tf/docs/controls/aws/glue_data_catalog_encryption_settings_metadata_encryption_enabled/)
- [Glue data catalog connection password encryption should be enabled](https://compliance.tf/docs/controls/aws/glue_data_catalog_encryption_settings_password_encryption_enabled/)
- [Glue jobs bookmarks encryption should be enabled](https://compliance.tf/docs/controls/aws/glue_job_bookmarks_encryption_enabled/)
- [Glue jobs CloudWatch logs encryption should be enabled](https://compliance.tf/docs/controls/aws/glue_job_cloudwatch_logs_encryption_enabled/)
- [Glue jobs S3 encryption should be enabled](https://compliance.tf/docs/controls/aws/glue_job_s3_encryption_enabled/)
- [Glue Spark jobs should run on supported versions of AWS
Glue](https://compliance.tf/docs/controls/aws/glue_spark_job_runs_on_version_3_or_higher/) - [IAM password policies should have minimum length set to 14 or greater](https://compliance.tf/docs/controls/aws/iam_account_password_policy_min_length_14/) - [IAM password policies should require at least one lowercase letter](https://compliance.tf/docs/controls/aws/iam_account_password_policy_one_lowercase_letter/) - [IAM password policies should require at least one number](https://compliance.tf/docs/controls/aws/iam_account_password_policy_one_number/) - [IAM password policies should require at least one symbol](https://compliance.tf/docs/controls/aws/iam_account_password_policy_one_symbol/) - [IAM password policies should require at least one uppercase letter](https://compliance.tf/docs/controls/aws/iam_account_password_policy_one_uppercase_letter/) - [IAM password policies should prevent password reuse](https://compliance.tf/docs/controls/aws/iam_account_password_policy_reuse_24/) - [IAM password policies should have strong configurations with minimum length of 8 or greater](https://compliance.tf/docs/controls/aws/iam_account_password_policy_strong_min_length_8/) - [IAM password policies should have strong configurations](https://compliance.tf/docs/controls/aws/iam_account_password_policy_strong_min_reuse_24/) - [IAM password policies should expire passwords within 90 days or less](https://compliance.tf/docs/controls/aws/iam_password_policy_expire_90/) - [Kinesis firehose delivery streams should have server side encryption enabled](https://compliance.tf/docs/controls/aws/kinesis_firehose_delivery_stream_server_side_encryption_enabled/) - [Kinesis streams should be encrypted with CMK](https://compliance.tf/docs/controls/aws/kinesis_stream_encrypted_with_kms_cmk/) - [Kinesis streams should have an adequate data retention period](https://compliance.tf/docs/controls/aws/kinesis_stream_retention_period_168_hours/) - [Kinesis streams should have server side encryption 
enabled](https://compliance.tf/docs/controls/aws/kinesis_stream_server_side_encryption_enabled/) - [KMS CMK rotation should be enabled](https://compliance.tf/docs/controls/aws/kms_cmk_rotation_enabled/) - [Lambda functions should have concurrent execution limit configured](https://compliance.tf/docs/controls/aws/lambda_function_concurrent_execution_limit_configured/) - [Lambda functions CORS configuration should not allow all origins](https://compliance.tf/docs/controls/aws/lambda_function_cors_configuration/) - [Lambda functions should be configured with a dead-letter queue](https://compliance.tf/docs/controls/aws/lambda_function_dead_letter_queue_configured/) - [Lambda functions should have encryption in transit enabled for environment variables](https://compliance.tf/docs/controls/aws/lambda_function_encryption_enabled/) - [Lambda functions should be in a VPC](https://compliance.tf/docs/controls/aws/lambda_function_in_vpc/) - [Lambda functions should have logging config enabled](https://compliance.tf/docs/controls/aws/lambda_function_logging_config_enabled/) - [Lambda functions should restrict public URL](https://compliance.tf/docs/controls/aws/lambda_function_restrict_public_url/) - [Lambda functions tracing should be enabled](https://compliance.tf/docs/controls/aws/lambda_function_tracing_enabled/) - [Lambda functions should use latest runtimes](https://compliance.tf/docs/controls/aws/lambda_function_use_latest_runtime/) - [Lightsail instances should have IPv6 networking disabled if not in use](https://compliance.tf/docs/controls/aws/lightsail_instance_ipv6_networking_disabled/) - [Log groups should have encryption at rest enabled](https://compliance.tf/docs/controls/aws/log_group_encryption_at_rest_enabled/) - [MQ brokers should have audit log streaming to CloudWatch enabled](https://compliance.tf/docs/controls/aws/mq_broker_audit_log_enabled/) - [MQ brokers should have automatic minor version upgrade 
enabled](https://compliance.tf/docs/controls/aws/mq_broker_auto_minor_version_upgrade_enabled/) - [MQ brokers should restrict public access](https://compliance.tf/docs/controls/aws/mq_broker_restrict_public_access/) - [MSK clusters should be encrypted in transit among broker nodes](https://compliance.tf/docs/controls/aws/msk_cluster_encryption_in_transit_with_tls_enabled/) - [MSK clusters should have public access disabled](https://compliance.tf/docs/controls/aws/msk_cluster_not_publicly_accessible/) - [MSK clusters should disable unauthenticated access](https://compliance.tf/docs/controls/aws/msk_cluster_unauthenticated_access_disabled/) - [MSK Connect connectors should be encrypted in transit](https://compliance.tf/docs/controls/aws/mskconnect_connector_encryption_in_transit_with_tls_enabled/) - [MSK connectors should have logging enabled](https://compliance.tf/docs/controls/aws/mskconnect_connector_logging_enabled/) - [Neptune DB clusters should publish audit logs to CloudWatch Logs](https://compliance.tf/docs/controls/aws/neptune_db_cluster_audit_logging_enabled/) - [Neptune DB clusters should have automated backups enabled](https://compliance.tf/docs/controls/aws/neptune_db_cluster_automated_backup_enabled/) - [Neptune DB clusters should be configured to copy tags to snapshots](https://compliance.tf/docs/controls/aws/neptune_db_cluster_copy_tags_to_snapshot_enabled/) - [Neptune DB clusters should have deletion protection enabled](https://compliance.tf/docs/controls/aws/neptune_db_cluster_deletion_protection_enabled/) - [Neptune DB clusters should be encrypted at rest](https://compliance.tf/docs/controls/aws/neptune_db_cluster_encryption_at_rest_enabled/) - [Neptune DB clusters should have IAM database authentication enabled](https://compliance.tf/docs/controls/aws/neptune_db_cluster_iam_authentication_enabled/) - [Network Firewall firewalls should have deletion protection 
enabled](https://compliance.tf/docs/controls/aws/networkfirewall_firewall_deletion_protection_enabled/) - [Network Firewall policies should have default stateless action set to drop or forward for fragmented packets](https://compliance.tf/docs/controls/aws/networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets/) - [Network Firewall policies should have default stateless action set to drop or forward for full packets](https://compliance.tf/docs/controls/aws/networkfirewall_firewall_policy_default_stateless_action_check_full_packets/) - [Network Firewall firewalls should have subnet change protection enabled](https://compliance.tf/docs/controls/aws/networkfirewall_firewall_subnet_change_protection_enabled/) - [OpenSearch domains should have audit logging enabled](https://compliance.tf/docs/controls/aws/opensearch_domain_audit_logging_enabled/) - [OpenSearch domains should have Cognito authentication enabled for Kibana](https://compliance.tf/docs/controls/aws/opensearch_domain_cognito_authentication_enabled_for_kibana/) - [OpenSearch domains should have at least three data nodes](https://compliance.tf/docs/controls/aws/opensearch_domain_data_node_fault_tolerance/) - [OpenSearch domains should have encryption at rest enabled](https://compliance.tf/docs/controls/aws/opensearch_domain_encryption_at_rest_enabled/) - [OpenSearch domains should have fine-grained access control enabled](https://compliance.tf/docs/controls/aws/opensearch_domain_fine_grained_access_enabled/) - [OpenSearch domains should use HTTPS](https://compliance.tf/docs/controls/aws/opensearch_domain_https_required/) - [OpenSearch domains should be in a VPC](https://compliance.tf/docs/controls/aws/opensearch_domain_in_vpc/) - [OpenSearch domains internal user database should be disabled](https://compliance.tf/docs/controls/aws/opensearch_domain_internal_user_database_disabled/) - [OpenSearch domains should have logging to CloudWatch Logs 
enabled](https://compliance.tf/docs/controls/aws/opensearch_domain_logs_to_cloudwatch/) - [OpenSearch domains node-to-node encryption should be enabled](https://compliance.tf/docs/controls/aws/opensearch_domain_node_to_node_encryption_enabled/) - [RDS Aurora clusters should have backtracking enabled](https://compliance.tf/docs/controls/aws/rds_db_cluster_aurora_backtracking_enabled/) - [Aurora MySQL DB clusters should have audit logging enabled](https://compliance.tf/docs/controls/aws/rds_db_cluster_aurora_mysql_audit_logging_enabled/) - [Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](https://compliance.tf/docs/controls/aws/rds_db_cluster_aurora_postgres_logging_enabled/) - [RDS DB clusters should have automatic minor version upgrade enabled](https://compliance.tf/docs/controls/aws/rds_db_cluster_automatic_minor_version_upgrade_enabled/) - [RDS DB clusters should be configured to copy tags to snapshots](https://compliance.tf/docs/controls/aws/rds_db_cluster_copy_tags_to_snapshot_enabled/) - [RDS clusters should have deletion protection enabled](https://compliance.tf/docs/controls/aws/rds_db_cluster_deletion_protection_enabled/) - [RDS DB clusters should be encrypted with CMK](https://compliance.tf/docs/controls/aws/rds_db_cluster_encrypted_with_cmk/) - [RDS DB clusters should be encrypted at rest](https://compliance.tf/docs/controls/aws/rds_db_cluster_encryption_at_rest_enabled/) - [RDS DB clusters should have IAM authentication configured](https://compliance.tf/docs/controls/aws/rds_db_cluster_iam_authentication_enabled/) - [RDS DB clusters should be configured for multiple Availability Zones](https://compliance.tf/docs/controls/aws/rds_db_cluster_multiple_az_enabled/) - [RDS database clusters should use a custom administrator username](https://compliance.tf/docs/controls/aws/rds_db_cluster_no_default_admin_name/) - [RDS DB instances and clusters should have enhanced monitoring 
enabled](https://compliance.tf/docs/controls/aws/rds_db_instance_and_cluster_enhanced_monitoring_enabled/) - [RDS databases and clusters should not use a database engine default port](https://compliance.tf/docs/controls/aws/rds_db_instance_and_cluster_no_default_port/) - [RDS DB instance automatic minor version upgrade should be enabled](https://compliance.tf/docs/controls/aws/rds_db_instance_automatic_minor_version_upgrade_enabled/) - [RDS DB instance backup should be enabled](https://compliance.tf/docs/controls/aws/rds_db_instance_backup_enabled/) - [RDS DB instances backup retention period should be greater than or equal to 7](https://compliance.tf/docs/controls/aws/rds_db_instance_backup_retention_period_less_than_7/) - [RDS DB instances should be integrated with CloudWatch logs](https://compliance.tf/docs/controls/aws/rds_db_instance_cloudwatch_logs_enabled/) - [RDS DB instances should be configured to copy tags to snapshots](https://compliance.tf/docs/controls/aws/rds_db_instance_copy_tags_to_snapshot_enabled/) - [RDS DB instances should have deletion protection enabled](https://compliance.tf/docs/controls/aws/rds_db_instance_deletion_protection_enabled/) - [RDS DB instance encryption at rest should be enabled](https://compliance.tf/docs/controls/aws/rds_db_instance_encryption_at_rest_enabled/) - [RDS DB instances should have iam authentication enabled](https://compliance.tf/docs/controls/aws/rds_db_instance_iam_authentication_enabled/) - [RDS instances should be deployed in a VPC](https://compliance.tf/docs/controls/aws/rds_db_instance_in_vpc/) - [RDS DB instances should have logging enabled](https://compliance.tf/docs/controls/aws/rds_db_instance_logging_enabled/) - [RDS for MariaDB DB instances should publish logs to CloudWatch Logs](https://compliance.tf/docs/controls/aws/rds_db_instance_mariadb_logging_enabled/) - [RDS DB instances should have multiple AZ enabled](https://compliance.tf/docs/controls/aws/rds_db_instance_multiple_az_enabled/) - [RDS 
database instances should use a custom administrator username](https://compliance.tf/docs/controls/aws/rds_db_instance_no_default_admin_name/) - [RDS DB instances should not use public subnet](https://compliance.tf/docs/controls/aws/rds_db_instance_no_public_subnet/) - [RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](https://compliance.tf/docs/controls/aws/rds_db_instance_postgres_logging_enabled/) - [RDS DB instances should prohibit public access](https://compliance.tf/docs/controls/aws/rds_db_instance_prohibit_public_access/) - [RDS for SQL Server DB instances should publish logs to CloudWatch Logs](https://compliance.tf/docs/controls/aws/rds_db_instance_sql_server_logging_enabled/) - [Redshift clusters should have audit logging enabled](https://compliance.tf/docs/controls/aws/redshift_cluster_audit_logging_enabled/) - [Redshift clusters should have automatic snapshots enabled](https://compliance.tf/docs/controls/aws/redshift_cluster_automatic_snapshots_min_7_days/) - [Redshift clusters should have automatic upgrades to major versions enabled](https://compliance.tf/docs/controls/aws/redshift_cluster_automatic_upgrade_major_versions_enabled/) - [Redshift clusters should be encrypted with CMK](https://compliance.tf/docs/controls/aws/redshift_cluster_encrypted_with_cmk/) - [Redshift cluster encryption in transit should be enabled](https://compliance.tf/docs/controls/aws/redshift_cluster_encryption_in_transit_enabled/) - [Redshift clusters should have audit logging and encryption enabled](https://compliance.tf/docs/controls/aws/redshift_cluster_encryption_logging_enabled/) - [Redshift clusters should have enhanced VPC routing enabled](https://compliance.tf/docs/controls/aws/redshift_cluster_enhanced_vpc_routing_enabled/) - [Redshift clusters should have KMS encryption enabled](https://compliance.tf/docs/controls/aws/redshift_cluster_kms_enabled/) - [Redshift clusters should have required maintenance 
settings](https://compliance.tf/docs/controls/aws/redshift_cluster_maintenance_settings_check/) - [Redshift clusters should have Multi-AZ deployments enabled](https://compliance.tf/docs/controls/aws/redshift_cluster_multiple_az_enabled/) - [Redshift clusters should not use the default admin username](https://compliance.tf/docs/controls/aws/redshift_cluster_no_default_admin_name/) - [Redshift clusters should not use the default database name](https://compliance.tf/docs/controls/aws/redshift_cluster_no_default_database_name/) - [Redshift clusters should prohibit public access](https://compliance.tf/docs/controls/aws/redshift_cluster_prohibit_public_access/) - [Redshift Serverless namespaces should export logs to CloudWatch Logs](https://compliance.tf/docs/controls/aws/redshiftserverless_namespace_export_connection_and_user_log_to_cloudwatch/) - [Redshift Serverless namespaces should not use the default admin username](https://compliance.tf/docs/controls/aws/redshiftserverless_namespace_no_default_admin_username/) - [Redshift Serverless namespaces should not use the default database name](https://compliance.tf/docs/controls/aws/redshiftserverless_namespace_no_default_database_username/) - [Redshift Serverless workgroups should have enhanced VPC routing enabled](https://compliance.tf/docs/controls/aws/redshiftserverless_workgroup_enhanced_vpc_routing_enabled/) - [Redshift Serverless workgroups should prohibit public access](https://compliance.tf/docs/controls/aws/redshiftserverless_workgroup_restrict_public_access/) - [Route 53 domains auto renew should be enabled](https://compliance.tf/docs/controls/aws/route53_domain_auto_renew_enabled/) - [Route 53 domains should have privacy protection enabled](https://compliance.tf/docs/controls/aws/route53_domain_privacy_protection_enabled/) - [Route 53 domains should have transfer lock enabled](https://compliance.tf/docs/controls/aws/route53_domain_transfer_lock_enabled/) - [S3 access points should have block public access 
settings enabled](https://compliance.tf/docs/controls/aws/s3_access_point_restrict_public_access/) - [S3 buckets should not use ACLs for user access control](https://compliance.tf/docs/controls/aws/s3_bucket_acls_should_prohibit_user_access/) - [S3 buckets should have cross-region replication enabled](https://compliance.tf/docs/controls/aws/s3_bucket_cross_region_replication_enabled/) - [S3 buckets should have default encryption enabled](https://compliance.tf/docs/controls/aws/s3_bucket_default_encryption_enabled/) - [S3 buckets should have default encryption enabled using KMS](https://compliance.tf/docs/controls/aws/s3_bucket_default_encryption_enabled_kms/) - [S3 buckets should have event notifications enabled](https://compliance.tf/docs/controls/aws/s3_bucket_event_notifications_enabled/) - [S3 buckets should have lifecycle policies configured](https://compliance.tf/docs/controls/aws/s3_bucket_lifecycle_policy_enabled/) - [S3 buckets should have logging enabled](https://compliance.tf/docs/controls/aws/s3_bucket_logging_enabled/) - [S3 buckets should have MFA delete enabled](https://compliance.tf/docs/controls/aws/s3_bucket_mfa_delete_enabled/) - [S3 buckets should not be accessible to all authenticated users](https://compliance.tf/docs/controls/aws/s3_bucket_not_accessible_to_all_authenticated_user/) - [S3 buckets should have object lock enabled](https://compliance.tf/docs/controls/aws/s3_bucket_object_lock_enabled/) - [S3 buckets should have object logging enabled](https://compliance.tf/docs/controls/aws/s3_bucket_object_logging_enabled/) - [S3 buckets should have policies that prohibit public access](https://compliance.tf/docs/controls/aws/s3_bucket_policy_restrict_public_access/) - [S3 buckets should restrict cross-account permissions](https://compliance.tf/docs/controls/aws/s3_bucket_policy_restricts_cross_account_permission_changes/) - [S3 buckets should prohibit public read 
access](https://compliance.tf/docs/controls/aws/s3_bucket_restrict_public_read_access/) - [S3 buckets should prohibit public write access](https://compliance.tf/docs/controls/aws/s3_bucket_restrict_public_write_access/) - [S3 buckets should have static website hosting disabled](https://compliance.tf/docs/controls/aws/s3_bucket_static_website_hosting_disabled/) - [S3 buckets with versioning enabled should have lifecycle policies configured](https://compliance.tf/docs/controls/aws/s3_bucket_versioning_and_lifecycle_policy_enabled/) - [S3 buckets should have versioning enabled](https://compliance.tf/docs/controls/aws/s3_bucket_versioning_enabled/) - [S3 Multi-Region Access Points should have block public access settings enabled](https://compliance.tf/docs/controls/aws/s3_multi_region_access_point_public_access_blocked/) - [S3 public access should be blocked at account level](https://compliance.tf/docs/controls/aws/s3_public_access_block_account/) - [S3 public access should be blocked at bucket level](https://compliance.tf/docs/controls/aws/s3_public_access_block_bucket/) - [SageMaker endpoint configuration encryption should be enabled](https://compliance.tf/docs/controls/aws/sagemaker_endpoint_configuration_encryption_at_rest_enabled/) - [SageMaker endpoint production variants should have an initial instance count greater than 1](https://compliance.tf/docs/controls/aws/sagemaker_endpoint_configuration_prod_instance_count_greater_than_one/) - [SageMaker models should be in a VPC](https://compliance.tf/docs/controls/aws/sagemaker_model_in_vpc/) - [SageMaker models should have network isolation enabled](https://compliance.tf/docs/controls/aws/sagemaker_model_network_isolation_enabled/) - [SageMaker notebook instances should not have direct internet access](https://compliance.tf/docs/controls/aws/sagemaker_notebook_instance_direct_internet_access_disabled/) - [SageMaker notebook instances should be encrypted using 
CMK](https://compliance.tf/docs/controls/aws/sagemaker_notebook_instance_encrypted_with_kms_cmk/) - [SageMaker notebook instance encryption should be enabled](https://compliance.tf/docs/controls/aws/sagemaker_notebook_instance_encryption_at_rest_enabled/) - [SageMaker notebook instances should be in a VPC](https://compliance.tf/docs/controls/aws/sagemaker_notebook_instance_in_vpc/) - [SageMaker notebook instances root access should be disabled](https://compliance.tf/docs/controls/aws/sagemaker_notebook_instance_root_access_disabled/) - [Secrets Manager secrets should be encrypted using CMK](https://compliance.tf/docs/controls/aws/secretsmanager_secret_encrypted_with_kms_cmk/) - [Step Functions state machines should have logging enabled](https://compliance.tf/docs/controls/aws/sfn_state_machine_logging_enabled/) - [SNS topics should be encrypted at rest](https://compliance.tf/docs/controls/aws/sns_topic_encrypted_at_rest/) - [SQS queues should have a dead-letter queue configured](https://compliance.tf/docs/controls/aws/sqs_queue_dead_letter_queue_configured/) - [SQS queues should have encryption at rest enabled](https://compliance.tf/docs/controls/aws/sqs_queue_encrypted_at_rest/) - [SQS queues should be encrypted with KMS CMK](https://compliance.tf/docs/controls/aws/sqs_queue_encrypted_with_kms_cmk/) - [SSM parameters encryption should be enabled](https://compliance.tf/docs/controls/aws/ssm_parameter_encryption_enabled/) - [EC2 VPC Block Public Access settings should block internet gateway traffic](https://compliance.tf/docs/controls/aws/vpc_block_public_access_restrict_internet_gateway_traffic/) - [VPC endpoint services should have acceptance required enabled](https://compliance.tf/docs/controls/aws/vpc_endpoint_service_acceptance_required_enabled/) - [VPC Security groups should only allow unrestricted incoming traffic for authorized ports](https://compliance.tf/docs/controls/aws/vpc_security_group_allows_ingress_authorized_ports/) - [VPC security groups should 
restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888](https://compliance.tf/docs/controls/aws/vpc_security_group_allows_ingress_to_cassandra_ports/) - [VPC subnet auto assign public IP should be disabled](https://compliance.tf/docs/controls/aws/vpc_subnet_auto_assign_public_ip_disabled/) - [EC2 VPN connections should have logging enabled](https://compliance.tf/docs/controls/aws/vpc_vpn_connection_logging_enabled/) - [WAFv2 rules should have CloudWatch metrics enabled](https://compliance.tf/docs/controls/aws/wafv2_rule_group_logging_enabled/)