AWS Management & Governance Blog

Automate FedRAMP controls in your AWS environment using AWS Config conformance packs

AWS Config has released a new sample conformance pack template to help customers meet the operational best practices for Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a U.S. government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. Conformance packs are a collection of AWS Config rules and remediations that can be deployed across an AWS account or an organization in AWS Organizations in a single pack.

The FedRAMP conformance pack provides mapping between some of the FedRAMP Moderate controls and AWS Config managed rules. Each rule applies to a specific AWS resource and relates to one or more FedRAMP controls. Customers now can deploy the FedRAMP conformance pack in their environment, view the controls that are covered by the conformance pack, monitor the FedRAMP compliance status of their resources, and remediate any noncompliant resources.

In this blog post, I will show you how to deploy the FedRAMP conformance pack in an AWS account and set up AWS Config rules that map to FedRAMP controls. The rules will evaluate resources in your environment to check their compliance status against FedRAMP controls. I will then add a remediation action to an existing rule in the conformance pack to show how you can customize the sample pack to meet your security requirements.

Prerequisites

To complete the steps in this post, you must have permissions to use AWS Config in the account you will use to deploy the conformance pack. For more information, see Getting Started with AWS Config in the AWS Config Developer Guide.

Deploy the FedRAMP conformance pack

  1. Sign in to the AWS Config console.
  2. In the left navigation pane, choose Conformance Packs, and then choose Deploy conformance pack.
     Figure 1: Conformance packs page in the AWS Config console. The page includes a search field, an Actions menu, and a Deploy conformance pack button.
  3. On Specify template, choose Operational Best Practices for FedRAMP from the list, and then choose Next.
     Figure 2: Specify template page in the AWS Config console. The page provides a way to search for and choose conformance packs.
  4. On the Specify conformance pack details page, enter a name for your conformance pack, choose Next, and then choose Deploy conformance pack.
     You have now successfully deployed the FedRAMP conformance pack. On the Conformance packs page, you should see the FedRAMP pack.
     Figure 3: FedRAMP conformance pack. The Conformance packs page has columns for the pack name, its deployment status (in this case, completed), and its compliance status (in this case, noncompliant).
  5. To view the rules deployed in the conformance pack, choose the name of the conformance pack. You should now be able to view the compliance status of each rule in the pack.
     Figure 4: Rules tab in the AWS Config console. The Rules tab displays the rules in the conformance pack, only one of which is compliant.

The rules on the Rules tab map to FedRAMP controls described in Operational Best Practices for FedRAMP (Moderate). The rules are triggered based on configuration changes or on a periodic schedule. AWS Config will now continuously check the compliance status of these resources to ensure they align with the FedRAMP controls.

Customize the conformance pack by adding a remediation action

Next, add a remediation action to the S3BucketServerSideEncryptionRemediation rule. This rule checks if an S3 bucket has encryption enabled. The remediation action you add will turn on encryption on any noncompliant bucket. For the purpose of the demo, set up manual remediation using the AWS-EnableS3BucketEncryption managed remediation.

AWS Config rule remediations are backed by AWS Systems Manager Automation documents that define a set of actions Systems Manager will take on your resources. Automation documents require an IAM service role (also called an assumed role) with permissions to execute the remediation actions.

  1. Follow the steps in Use IAM to configure roles for Automation.
  2. Create an IAM policy that grants permission to encrypt an S3 bucket. In the IAM console, from the left navigation pane, choose Policies, and then choose Create policy.
  3. On the Visual editor tab, choose Choose a service, and then choose S3.
  4. For Actions, type and choose PutEncryptionConfiguration.
  5. For Resources, choose All resources.
  6. On the Review policy page, enter encrypt-s3, and then choose Create policy.
  7. Go back to the role you created for Automation, choose Attach policies, find the encrypt-s3 policy, and then attach it to the role.

Next, download the code for the FedRAMP conformance pack and save it locally. In the following code snippet, replace {Your-Automation-Role-ARN} with the ARN of the role you created in the previous step.

S3BucketServerSideEncryptionRemediation:
    DependsOn: S3BucketServerSideEncryptionEnabled
    Type: 'AWS::Config::RemediationConfiguration'
    Properties:
      ConfigRuleName: s3-bucket-server-side-encryption-enabled
      ResourceType: "AWS::S3::Bucket"
      TargetId: "AWS-EnableS3BucketEncryption"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - {Your-Automation-Role-ARN}
        BucketName:
          ResourceValue:
            Value: "RESOURCE_ID"

Open the FedRAMP conformance pack file and paste this snippet into the Resources section of the template. To ensure the remediation was added correctly, take a look at this final template that includes the remediation action. (The automation role ARN must still be added to it.)
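To check the edited template before you upload it, here is an added example that is not part of the original post or of the conformance pack itself. It lints the remediation resource the way a reviewer would, assuming the YAML has already been loaded into a dict (for instance with PyYAML's yaml.safe_load); the minimal sample template and the role ARN used in the test are constructed for illustration.

```python
import re
# IAM role ARN such as arn:aws:iam::123456789012:role/AutomationRole (GovCloud and China partitions too).
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-us-gov|-cn)?:iam::\d{12}:role/[\w+=,.@/-]+$")

def validate_remediation(template, remediation_id):
    """Return problems found in one RemediationConfiguration of a parsed pack; [] means it is consistent."""
    problems = []
    resources = template.get("Resources", {})
    rem = resources.get(remediation_id)
    if rem is None or rem.get("Type") != "AWS::Config::RemediationConfiguration":
        return [f"{remediation_id} is not an AWS::Config::RemediationConfiguration under Resources"]
    props = rem.get("Properties", {})
    # DependsOn must name a ConfigRule in the same template, and ConfigRuleName must
    # equal the name that rule declares; otherwise the conformance pack fails to deploy.
    rule_id = rem.get("DependsOn")
    rule = resources.get(rule_id, {})
    if rule.get("Type") != "AWS::Config::ConfigRule":
        problems.append(f"DependsOn target {rule_id!r} is not an AWS::Config::ConfigRule")
    elif props.get("ConfigRuleName") != rule.get("Properties", {}).get("ConfigRuleName"):
        problems.append("ConfigRuleName does not match the rule named in DependsOn")
    # The remediation must point at an SSM Automation document (AWS-EnableS3BucketEncryption here).
    if props.get("TargetType") != "SSM_DOCUMENT" or not props.get("TargetId"):
        problems.append("TargetType must be SSM_DOCUMENT with a TargetId")
    # {Your-Automation-Role-ARN} must have been replaced. Left in place, YAML reads the braces
    # as a flow mapping, so the value arrives here as a dict instead of a string.
    values = (props.get("Parameters", {}).get("AutomationAssumeRole", {})
              .get("StaticValue", {}).get("Values", []))
    if not values:
        problems.append("AutomationAssumeRole has no value")
    for v in values:
        if not isinstance(v, str) or not ROLE_ARN_RE.match(v):
            problems.append(f"AutomationAssumeRole value {v!r} is not an IAM role ARN")
    return problems

def sample_template(role_arn):
    """Constructed minimal pack: the encryption rule plus the remediation shown in this post."""
    return {"Resources": {
        "S3BucketServerSideEncryptionEnabled": {
            "Type": "AWS::Config::ConfigRule",
            "Properties": {"ConfigRuleName": "s3-bucket-server-side-encryption-enabled"}},
        "S3BucketServerSideEncryptionRemediation": {
            "DependsOn": "S3BucketServerSideEncryptionEnabled",
            "Type": "AWS::Config::RemediationConfiguration",
            "Properties": {
                "ConfigRuleName": "s3-bucket-server-side-encryption-enabled",
                "ResourceType": "AWS::S3::Bucket", "TargetType": "SSM_DOCUMENT",
                "TargetId": "AWS-EnableS3BucketEncryption", "TargetVersion": "1",
                "Parameters": {
                    "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
                    "BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}}}}}}}
```

Run it against the full downloaded pack by replacing sample_template with the dict returned by yaml.safe_load on the file; any non-empty result is something to fix before the update in the console.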

Next, update the FedRAMP conformance pack you deployed previously to the pack that includes the remediation action.

  1. Open the AWS Config console, and from the left navigation pane, choose Conformance Packs.
  2. Choose the FedRAMP conformance pack you created earlier.
  3. From Actions, choose Edit.
  4. On the Edit conformance pack page, under Template details, choose Template is ready.
  5. Under Specify template, choose Upload a template file, and then choose Choose file to upload the conformance pack file you saved in the previous step.
     Figure 5: Edit conformance pack page in the AWS Config console. The page includes options for using a sample template, specifying a template source such as an S3 bucket, and uploading a template file (in this case, fedramp.yaml).
  6. Scroll down and choose Save Changes to update the conformance pack.
  7. After the update is complete, go to the Rules page, search for s3-bucket-server-side-encryption-enabled, and then choose the rule.
  8. In Remediation action, you should now see the remediation you added to the rule.
     Figure 6: Remediation action section of the AWS Config console. The AWS-EnableS3BucketEncryption remediation action enables encryption on an S3 bucket, and the Remediation section displays its parameters (key, value, and description).

To test the remediation, choose a noncompliant S3 bucket. If you don’t have one, you must first create an unencrypted S3 bucket.

  1. Choose the S3 bucket, and then choose Remediate to start the remediation action.
     Figure 7: Noncompliant S3 buckets. On Resources in scope, S3 buckets are filtered to show noncompliant buckets; the awsconfigconforms-shaked bucket is selected.
  2. After you choose Remediate, you should see the status of the resource change to Action executed successfully.
     Figure 8: Status shows Action executed successfully. On Resources in scope, Action executed successfully is displayed in the Status column for the awsconfigconforms-shaked bucket.
  3. Go to the S3 bucket that was previously unencrypted to see if the remediation worked. Choose the Properties tab of the awsconfigconforms-shaked bucket to check the encryption settings.
     Figure 9: Properties tab of the awsconfigconforms-shaked bucket. The tab shows that versioning, server access logging, static website hosting, object-level logging, and default encryption are turned on.

As you can see, you have now enabled encryption on the S3 bucket using the remediation action from the conformance pack. Now, when you go back to the AWS Config console and view the rule, you will see that the S3 bucket is compliant:

Figure 10: Compliant awsconfigconforms-shaked bucket. The AWS Config resource page shows a compliant S3 bucket.

Cleanup

To delete the resources created in this blog post, delete the conformance pack.

  1. Open the AWS Config console.
  2. From the left navigation pane, choose Conformance packs, and then choose the conformance pack you created.
  3. From Actions, choose Delete, and then enter Delete.

Conclusion

In this blog post, I showed how you can deploy the FedRAMP sample conformance pack to automate FedRAMP controls in your AWS environment. I also showed how you can customize a sample conformance pack to meet the unique security and compliance requirements of your organization by adding remediations or AWS Config rules.

In addition to the FedRAMP conformance pack, there are 30 other sample conformance packs, including some for NIST 800-53, HIPAA, FFIEC, and PCI-DSS. The sample conformance packs are just a starting point. You have the flexibility to add managed and custom AWS Config rules to meet your unique requirements.

For information about how to manage conformance packs across all AWS accounts in an organization, see Managing Conformance Packs Across all Accounts in Your Organization. To get started, see Conformance Packs in the AWS Config Developer Guide.

About the author

Shaked Rotlevi is a Solutions Architect based in San Diego, CA who works with federal government customers. Shaked enjoys helping her customers implement AWS best practices with a focus on governance and compliance. In her spare time, she likes to travel and surf.