Compliance Enforcement

Architecture

Enforce compliance requirements through tagging policies:

  • DataClassification tag for data sensitivity levels
  • Compliance tag for regulatory framework mapping
  • AWS Organizations tag policies for enforcement
  • AWS Config rules for compliance monitoring

When to Use

This pattern is ideal when you need:

  • SOC2, HIPAA, PCI-DSS, or GDPR compliance
  • Data classification enforcement
  • Audit trail requirements
  • Security control documentation
  • Regulatory reporting

Implementation

module "compliance_tags" {
  source  = "registry.patterneddesigns.ca/standardnat/tagging-policy/aws"
  version = "1.1.0"

  required_tags = [
    "DataClassification",
    "Compliance",
    "Owner",
    "Environment"
  ]

  tag_values = {
    DataClassification = [
      "public",
      "internal",
      "confidential",
      "restricted"
    ]
    Compliance = [
      "soc2",
      "hipaa",
      "pci-dss",
      "gdpr",
      "none"
    ]
  }

  default_tags = {
    ManagedBy  = "terraform"
    Auditable  = "true"
  }

  enforce_lowercase = true
}

# Export validation rules for AWS Organizations
output "tag_policy_rules" {
  value = module.compliance_tags.validation_rules
}
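To show what the policy above means in practice, here is an added Python example (not the module's own code) that checks constructed resource tags against the same required keys, allowed values and lowercase rule, and renders the required tags as an AWS Organizations tag policy document. It assumes that enforce_lowercase applies to tag values and that the policy should be enforced for ec2:instance and s3:bucket resources.

```python
"""Added example: tag compliance check and Organizations tag policy render."""
import json

# Rules copied from the module configuration above
REQUIRED_TAGS = ["DataClassification", "Compliance", "Owner", "Environment"]
TAG_VALUES = {
    "DataClassification": ["public", "internal", "confidential", "restricted"],
    "Compliance": ["soc2", "hipaa", "pci-dss", "gdpr", "none"],
}
ENFORCE_LOWERCASE = True  # assumed to apply to tag values


def validate_tags(tags):
    """Return the violations for one resource's tag map (empty list = compliant)."""
    problems = []
    for key in REQUIRED_TAGS:
        if key not in tags:
            problems.append(f"missing required tag {key}")
    for key, value in tags.items():
        if ENFORCE_LOWERCASE and value != value.lower():
            problems.append(f"{key}={value!r} is not lowercase")
        allowed = TAG_VALUES.get(key)
        if allowed and value.lower() not in allowed:
            problems.append(f"{key}={value!r} not in {allowed}")
    return problems


def org_tag_policy(enforced_for=("ec2:instance", "s3:bucket")):
    """Render the rules as an Organizations tag policy (tag_key / tag_value /
    enforced_for with @@assign is the documented tag policy syntax; the
    resource types are an assumption for this example)."""
    policy = {"tags": {}}
    for key in REQUIRED_TAGS:
        entry = {"tag_key": {"@@assign": key}}
        if key in TAG_VALUES:
            entry["tag_value"] = {"@@assign": TAG_VALUES[key]}
        entry["enforced_for"] = {"@@assign": list(enforced_for)}
        policy["tags"][key] = entry
    return policy


# Constructed sample inventory (not real resources)
SAMPLE_RESOURCES = {
    "arn:aws:s3:::example-reports": {
        "DataClassification": "confidential", "Compliance": "hipaa",
        "Owner": "data-team", "Environment": "prod",
        "ManagedBy": "terraform", "Auditable": "true"},
    "arn:aws:s3:::example-scratch": {
        "DataClassification": "Secret", "Owner": "alice", "Environment": "Dev"},
}


def audit(resources=SAMPLE_RESOURCES):
    """Map each non-compliant resource to its violations, as a Config rule would."""
    return {arn: validate_tags(t) for arn, t in resources.items() if validate_tags(t)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
    print(json.dumps(org_tag_policy(), indent=2))
```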

Considerations

  • Coordinate tag definitions with compliance and security teams
  • Document what each tag value means
  • Implement AWS Config rules to monitor tag compliance
  • Run regular compliance audits using tag-based queries
  • Consider automating remediation of missing or invalid tags