Skip to content
CrowdStrike Developer Center

cloud_compliance_framework_controls

This data source retrieves all or a subset of controls within compliance benchmarks. All non-FQL fields can accept wildcards * and query Falcon using logical AND. For advanced queries to further narrow your search, please use a Falcon Query Language (FQL) filter. For additional information on FQL filtering and usage, refer to the official CrowdStrike documentation: Falcon Query Language (FQL) Note that broader searches may result in longer response times due to the larger volume of controls being retrieved and set in the state.

API Scopes

Section titled “API Scopes”

The following API scopes are required:

  • Cloud Security Policies: READ

Example Usage

Section titled “Example Usage”
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}


provider "crowdstrike" {
  cloud = "us-2"
}


# retrieve all controls under a named benchmark
data "crowdstrike_cloud_compliance_framework_controls" "all" {
  benchmark = "CIS 1.0.0 AWS Web Architecture"
}


# retrieve a single control within a benchmark by name
data "crowdstrike_cloud_compliance_framework_controls" "by_name" {
  name      = "Ensure subnets for the Web tier are created"
  benchmark = "CIS 1.0.0 AWS Web Architecture"
}


# retrieve a single control within a benchmark by requirement
data "crowdstrike_cloud_compliance_framework_controls" "by_requirement" {
  requirement = "2.1"
  benchmark   = "CIS 1.0.0 AWS Web Architecture"
}


# query by FQL filter
data "crowdstrike_cloud_compliance_framework_controls" "fql" {
  fql = "compliance_control_name:'Ensure subnets for the Web tier are created'"
}

Schema

Section titled “Schema”

Optional

Section titled “Optional”
  • benchmark (String) Name of the compliance benchmark in the framework. Examples: AWS Foundational Security Best Practices v1.*, CIS 1.2.0 GCP, CIS 1.8.0 GKE
  • control_name (String) Name of the control. Examples: Ensure security contact phone is set, Ensure that Azure Defender*
  • fql (String) Falcon Query Language (FQL) filter for advanced control searches. FQL filter, allowed props: compliance_control_name, compliance_control_authority, compliance_control_type, compliance_control_section, compliance_control_requirement, compliance_control_benchmark_name, compliance_control_benchmark_version
  • requirement (String) Requirement of the control(s) within the framework. Examples: 2.*, 1.1
  • section (String) Section of the benchmark where the control(s) reside. Examples: Data Protection, Data*

Read-Only

Section titled “Read-Only”

Nested Schema for controls

Section titled “Nested Schema for controls”

Read-Only:

  • authority (String) The compliance authority for the framework
  • benchmark (Set of String) The compliance benchmarks within the framework.
  • code (String) The unique compliance framework rule code.
  • id (String) The id of the compliance control.
  • name (String) The name of the control.
  • requirement (String) The compliance framework requirement.
  • section (String) The section within the compliance benchmark.
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use