Compliance Controls

Architecture

Enforce compliance requirements through policy-based controls:

  • Data Access Policies restricting who can read sensitive data
  • Administrative Boundaries limiting infrastructure changes
  • Audit Protection Policies preventing log tampering

When to Use

This pattern is ideal when you need:

  • To meet regulatory requirements (HIPAA, PCI-DSS, SOC 2, GDPR)
  • Documented and auditable access control policies
  • Separation of duties between teams
  • Evidence of security controls for auditors

Implementation

SOC 2 Controls

module "soc2_controls" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "soc2-developer-boundary"
  policy_type = "boundary"

  allowed_services = ["ec2", "s3", "lambda", "dynamodb"]

  denied_actions = [
    # Prevent audit log tampering
    "cloudtrail:DeleteTrail",
    "cloudtrail:StopLogging",
    "logs:DeleteLogGroup",
    # Prevent security config changes
    "config:DeleteConfigRule",
    "guardduty:DeleteDetector"
  ]
}

Considerations

  • Map compliance requirements to specific denied actions
  • Use SCPs for organization-wide compliance enforcement
  • Maintain documentation linking policies to control objectives
  • Implement regular access reviews
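
As an added example (not the registry module's or this page's own code) tying the module call under Implementation to the first two Considerations bullets: the Python below renders a permissions-boundary document from the page's allowed_services and denied_actions values, keeps each denied action mapped to the control objective it serves, derives the deny-only SCP counterpart for organization-wide enforcement, and runs a simplified local evaluation to show that an explicit Deny wins over a service-level Allow. The shape of the policy the module actually renders is an assumption; the CONTROL_OBJECTIVES mapping and the sample actions are constructed for illustration.

```python
import fnmatch
import json

# Constructed to mirror the module call on this page.
ALLOWED_SERVICES = ["ec2", "s3", "lambda", "dynamodb"]

# Control objective -> denied actions, so every deny traces to a requirement
# (the "documentation linking policies to control objectives" an auditor asks for).
CONTROL_OBJECTIVES = {
    "Audit log integrity": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "logs:DeleteLogGroup",
    ],
    "Security configuration protection": [
        "config:DeleteConfigRule",
        "guardduty:DeleteDetector",
    ],
}


def build_boundary_policy(allowed_services, control_objectives):
    """Render a permissions-boundary document: Allow the listed services,
    explicitly Deny every action mapped to a control objective.
    Assumption: this is the shape the module renders from its inputs."""
    denied = sorted(a for actions in control_objectives.values() for a in actions)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowListedServices", "Effect": "Allow",
             "Action": [f"{s}:*" for s in allowed_services], "Resource": "*"},
            {"Sid": "DenyAuditAndSecurityTampering", "Effect": "Deny",
             "Action": denied, "Resource": "*"},
        ],
    }


def deny_only_scp(policy):
    """SCP counterpart: keep only the Deny statements. Organization-wide
    enforcement is normally a deny list layered on the default FullAWSAccess SCP."""
    return {"Version": "2012-10-17",
            "Statement": [s for s in policy["Statement"] if s["Effect"] == "Deny"]}


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Simplified IAM logic for a single action: an explicit Deny always wins,
    a matching Allow otherwise grants, and no match is an implicit deny.
    (Resources and conditions are ignored in this local check.)"""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(_matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def objective_for(action, control_objectives):
    """Return the control objective a denied action traces to, or None."""
    for objective, actions in control_objectives.items():
        if any(_matches(p, action) for p in actions):
            return objective
    return None


if __name__ == "__main__":
    boundary = build_boundary_policy(ALLOWED_SERVICES, CONTROL_OBJECTIVES)
    print(json.dumps(boundary, indent=2))
    print(json.dumps(deny_only_scp(boundary), indent=2))
    # Constructed sample actions: one allowed, one explicitly denied, one outside the boundary.
    for action in ["s3:GetObject", "cloudtrail:StopLogging", "iam:CreateUser"]:
        print(action, evaluate(boundary, action), objective_for(action, CONTROL_OBJECTIVES))
```

A permissions boundary only caps what an identity policy can grant, so an action must be allowed by both to succeed; the local evaluate() checks the boundary half of that intersection. Keeping the deny list in one mapping means the boundary, the SCP and the audit evidence are generated from the same source rather than maintained separately.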