A Terraform module that builds five NIST 800-53 controls directly into every AWS S3 bucket it provisions. After apply, `terraform show -json` produces machine-readable compliance evidence an auditor can traverse without a console login.
Every auditor eventually asks: "Show me that your S3 buckets are encrypted, access-controlled, and logging." The typical answer is a console screenshot taken that morning — a point-in-time artifact with no chain of custody and no way to prove the configuration was in place before the audit started.
This primitive inverts that. The Terraform state is the evidence. Because the controls are defined in code and applied through a plan-and-apply cycle, the configuration is version-controlled, repeatable, and machine-readable.
The core insight is that Terraform both enforces the control and generates the audit artifact in a single step. There is no gap between what was deployed and what the evidence says.
| Control ID | Control Name | How It's Enforced |
|---|---|---|
| SC-28 | Protection of Information at Rest | AES-256 encryption via KMS with customer-managed key — fixed resource attribute |
| AC-3 | Access Enforcement | All four S3 public access block settings enforced — not parameterized |
| CM-6 | Configuration Settings | Object versioning enabled, bucket ownership enforced, ACLs disabled |
| AU-3 | Content of Audit Records | Server access logging enabled and directed to a dedicated log bucket |
| AU-6 | Audit Review and Analysis | Log bucket created and managed by the module — consumers cannot disable logging |
Running `terraform show -json` after apply produces structured, machine-readable output that maps directly to each control. An auditor reading the state can verify SC-28 via the `server_side_encryption_configuration` block, AC-3 via the `public_access_block` resource, and AU-3 via the `logging` block.
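An added example of the auditor-side check, not code from the module described here: a Python script that walks a parsed `terraform show -json` state and maps each control ID to a pass/fail verdict for one bucket. It assumes the AWS provider v4+ layout in which encryption, public access block, versioning, ownership controls and logging are separate resource types, and it runs against a constructed sample state rather than real module output.

```python
# Constructed sample of `terraform show -json` output (AWS provider v4+ split resources);
# not output from the module described on this page.
SAMPLE_STATE = {"format_version": "1.0", "values": {"root_module": {"resources": [],
  "child_modules": [{"address": "module.compliant_bucket", "resources": [
    {"type": "aws_s3_bucket", "values": {"bucket": "data-access-logs"}},
    {"type": "aws_s3_bucket_server_side_encryption_configuration", "values": {"bucket": "data",
     "rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms",
     "kms_master_key_id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]}]}},
    {"type": "aws_s3_bucket_public_access_block", "values": {"bucket": "data",
     "block_public_acls": True, "block_public_policy": True,
     "ignore_public_acls": True, "restrict_public_buckets": True}},
    {"type": "aws_s3_bucket_versioning", "values": {"bucket": "data",
     "versioning_configuration": [{"status": "Enabled"}]}},
    {"type": "aws_s3_bucket_ownership_controls", "values": {"bucket": "data",
     "rule": [{"object_ownership": "BucketOwnerEnforced"}]}},
    {"type": "aws_s3_bucket_logging", "values": {"bucket": "data",
     "target_bucket": "data-access-logs", "target_prefix": "data/"}}]}]}}}


def resources(module):
    """Yield every resource in the module tree, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from resources(child)


def evaluate_bucket(state, bucket):
    """Map each control ID to True/False using only the state values for one bucket."""
    allres = list(resources(state["values"]["root_module"]))
    by_type = {r["type"]: r["values"] for r in allres if r.get("values", {}).get("bucket") == bucket}
    rule = (by_type.get("aws_s3_bucket_server_side_encryption_configuration", {}).get("rule")
            or [{}])[0].get("apply_server_side_encryption_by_default") or [{}]
    pab = by_type.get("aws_s3_bucket_public_access_block", {})
    ver = by_type.get("aws_s3_bucket_versioning", {}).get("versioning_configuration") or [{}]
    own = by_type.get("aws_s3_bucket_ownership_controls", {}).get("rule") or [{}]
    target = by_type.get("aws_s3_bucket_logging", {}).get("target_bucket")
    return {
        "SC-28": rule[0].get("sse_algorithm") == "aws:kms" and bool(rule[0].get("kms_master_key_id")),
        "AC-3": all(pab.get(k) is True for k in ("block_public_acls", "block_public_policy",
                                                  "ignore_public_acls", "restrict_public_buckets")),
        "CM-6": ver[0].get("status") == "Enabled" and own[0].get("object_ownership") == "BucketOwnerEnforced",
        "AU-3": bool(target),
        # AU-6: the log bucket itself must be a resource in this state, i.e. module-managed.
        "AU-6": bool(target) and any(r["type"] == "aws_s3_bucket" and r["values"].get("bucket") == target
                                     for r in allres),
    }
```

Pass the real file through `json.load` and call `evaluate_bucket` once per bucket name; a bucket absent from the state fails every control rather than silently passing.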