AWS Compliance Mod

Run individual configuration, compliance and security controls or full compliance benchmarks for Audit Manager Control Tower, AWS Foundational Security Best Practices, CIS, CISA Cyber Essentials, FedRAMP, FFIEC, GDPR, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, PCI DSS, RBI Cyber Security Framework and SOC 2 across all your AWS accounts.


AWS provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.

AWS Foundational Security Best Practices is a set of controls that detect when your deployed accounts and resources deviate from security best practices.

CIS AWS Benchmarks provide a predefined set of compliance and security best-practice checks for AWS accounts.

CISA Cyber Essentials provide an actionable understanding of where to start implementing organizational cybersecurity practices.

Audit Manager Control Tower provide the easiest way to set up and govern a secure, multi-account AWS environment.

FedRAMP is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.

FFIEC provides a set of security standards for the Federal Financial Institutions Examination Council (FFIEC) Cyber Security Assessment Tool domains.

GDPR provides a set of robust requirements that raise and harmonize standards for data protection, security, and compliance throughout the European Union (EU).

GxP 21 CFR Part 11 includes details for the criteria under which electronic records and signatures are considered trustworthy and equivalent to paper records and ensures the integrity of data used to make product-related safety decisions.

GxP EU Annex 11 includes a prebuilt collection of controls with descriptions and testing procedures where controls are grouped into control sets according to GxP requirements.

HIPAA Final Omnibus Security Rule 2013 implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA Security Rule 2003 establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.

NIST 800-53 provides minimum baselines of security controls for U.S. federal information systems except those related to national security.

NIST CSF provides security standards for managing and reducing cybersecurity risk.

NIST 800-171 provides minimum baselines of security controls for protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective.

PCI DSS provides security standards for the payment card industry.

RBI Cyber Security Framework provides a cyber security framework for Urban Cooperative Banks (UCB) in India.

SOC 2 provides an auditing procedure that ensures a company's data is securely managed.

Steampipe is an open source CLI to instantly query cloud APIs using SQL.

Steampipe Mods are collections of named queries, and codified controls that can be used to test current configuration of your cloud resources against a desired configuration.


Getting started


Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:

brew tap turbot/tap
brew install steampipe

Install the AWS plugin with Steampipe:

steampipe plugin install aws


git clone https://github.com/turbot/steampipe-mod-aws-compliance.git
cd steampipe-mod-aws-compliance


Before running any benchmarks, it's recommended to generate your AWS credential report:

aws iam generate-credential-report

Start your dashboard server to get started:

steampipe dashboard

By default, the dashboard interface will then be launched in a new browser window at http://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the steampipe check command:

Run all controls:

steampipe check benchmark.all_controls

Run a single benchmark:

steampipe check benchmark.cis_v150

Run a specific control:

steampipe check control.cis_v150_2_1_1

Different output formats are also available, for more information please see Output Formats.


This mod uses the credentials configured in the Steampipe AWS plugin.


No extra configuration is required.

Common and Tag Dimensions

The benchmark queries use common properties (like account_id, connection_name and region) and tags that are defined in the form of a default list of strings in the mod.sp file. These properties can be overwritten in several ways:

  • Copy and rename the steampipe.spvars.example file to steampipe.spvars, and then modify the variable values inside that file

  • Pass in a value on the command line:

    steampipe check benchmark.cis_v150 --var 'common_dimensions=["account_id", "connection_name", "region"]'
    steampipe check benchmark.cis_v150 --var 'tag_dimensions=["Environment", "Owner"]'
  • Set an environment variable:

    SP_VAR_common_dimensions='["account_id", "connection_name", "region"]' steampipe check control.cis_v150_5_1
    SP_VAR_tag_dimensions='["Environment", "Owner"]' steampipe check control.cis_v150_5_1


If you have an idea for additional controls or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing.

Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.

Want to help but not sure where to start? Pick up one of the help wanted issues: