AWS Cloud Operations Blog
Operational Best Practices for FedRAMP Compliance in AWS GovCloud with AWS Config
AWS Config is a fully managed service that provides customers with resource inventory, configuration monitoring, and configuration change notifications to support security, governance, and compliance for workloads in AWS. An AWS Config rule represents desired configurations for a resource and evaluates changes in near real-time and records the compliance history in AWS Config. Using AWS Config rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance with a rule. A conformance pack is a collection of AWS Config rules and remediation actions built using a common framework and packaging model on AWS Config.
In August 2024, we introduced new AWS Config conformance packs for Federal Risk and Authorization Management Program (FedRAMP) High. These new conformance packs (Part 1 and Part 2) are tailored for AWS GovCloud and automate the assessment of security controls for stringent FedRAMP High workloads. These conformance packs group managed rule sets within AWS Config to perform continuous evaluation of resources within a customer’s AWS environment that are aligned to the FedRAMP High baseline. In this blog we will demonstrate how to deploy these conformance packs within a customer’s AWS environment for a single account or for multi-account AWS Organizations workloads. We will also discuss how customers can integrate with AWS Security Hub to simplify reporting for FedRAMP authorization and continuous monitoring activities.
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is important because it increases:
- Consistency and confidence in the security of cloud solutions using National Institutes of Standards & Technology (NIST) and FISMA defined standards
- Transparency between US government and cloud providers
- Automation and near real time continuous monitoring
- Adoption of secure cloud solutions through reuse of assessments and authorizations
FedRAMP High is the highest security baseline that is designed for cloud systems that handle the government’s most sensitive unclassified data. FedRAMP High systems must adhere to 421 security controls across 17 different control families. AWS GovCloud Regions meet the FedRAMP High baseline and support workloads up to Department of Defense Security Requirements Guide – Impact Level 5.
Operational Best Practices for FedRAMP High in GovCloud
These new conformance packs aligned to FedRAMP High workloads in AWS GovCloud help customers get a near real-time view of how resources are configured in their AWS GovCloud environment, using AWS Config rule checks that are mapped to FedRAMP High controls. The conformance packs consist of two parts. The first, Operational Best Practices for FedRAMP (High Part 1), expands on our existing FedRAMP Moderate conformance pack with updated parameters to accommodate additional FedRAMP High requirements. Operational Best Practices for FedRAMP (High Part 2) evaluates your AWS resources against controls that are exclusive to FedRAMP High.
Important note: Conformance packs are a powerful tool that simplifies compliance reporting and provides the capability to automate remediations for compliance violations. However, achieving FedRAMP High authorization requires a comprehensive approach beyond conformance packs alone. For more information see the AWS Shared Responsibility Model. Organizations must ensure they meet all FedRAMP High controls and continuously monitor their compliance status.
AWS Security Hub Integration
Security officers are also able to streamline their authorization and continuous monitoring reporting using AWS Security Hub’s integration with the AWS Config configuration recorder. AWS Config configuration recorders store the configuration history of resources within your AWS account and deliver this history to your own Amazon S3 bucket. These configuration findings can also be sent to Security Hub for a consolidated view of security findings across all of your AWS accounts. Security Hub also has integrations with third-party ticketing, governance, and security tooling. To configure AWS Config for integration with Security Hub, customers can follow our AWS Security Hub User Guide for integrating AWS Config with AWS Security Hub.
Deploying AWS Config conformance packs in AWS GovCloud
Prerequisites
For this walkthrough, you should have the following prerequisites:
- Single AWS GovCloud account
- (Optional) An AWS Organization with multiple AWS GovCloud accounts managed by AWS Organizations, if deploying Organization conformance packs
- (Optional) Delegated Administrator account configured within the AWS Organization
Deploy to a single AWS Account
This section will demonstrate the steps necessary to deploy the conformance pack in a single account in AWS GovCloud.
Using the AWS Console
- Log into a GovCloud account. Be sure to double check the current AWS Region to make sure you are in the correct GovCloud Region.
- Navigate to the AWS Config console.
- Once on the AWS Config page, click on “Conformance packs” on the left side bar. Then click “Deploy conformance pack” that is highlighted in orange.
- Click “Use sample template” and select “Operational Best Practices for FedRAMP HighPart1”.
- Choose a name for the template. In this blog post, we used ‘FedRAMP-High-CPack-Part1’ as the conformance pack name.
- Review the details and then click “Deploy conformance pack”.
- Now you should see the conformance pack with an “In progress” deployment status. After a few minutes, the deployment status should say “Completed.” Once the conformance pack finishes reviewing the environment, there will be a “Compliance score”. This is shown as a percentage based on the number of compliant Config rules (as shown in Figure 4). This score will vary across environments depending on how many AWS Config rules are initially compliant.
- Repeat steps 3-6 for the “Operational Best Practices for FedRAMP High (Part 2)” conformance pack.
- After a few minutes, you should see part 2 of the conformance pack with a “Completed” deployment status. With each part of the conformance pack, you’ll be given a compliance score. In the image below, conformance pack part one has a compliance score of 35% and part two has a score of 17%. When you first deploy the conformance packs, your scores may be different. As a best practice, the score should be higher than what is shown here. By clicking “View” next to the compliance score, you’ll be able to review why the conformance pack was given its compliance score.
- This dashboard will show the specific AWS Config rules that are compliant and noncompliant. The compliance score will go up as more AWS Config rules become compliant.
- Congratulations, you have successfully deployed the FedRAMP High conformance packs for a single AWS account.
Using AWS CLI
The conformance pack template files are publicly available in the AWS Config Rules repository. To deploy the conformance packs via the AWS CLI, first download the following files:
- Operational-Best-Practices-for-FedRAMP-HighPart1.yaml
- Operational-Best-Practices-for-FedRAMP-HighPart2.yaml
Once the template files are downloaded, copy or move the files to your current working directory.
- Configure temporary GovCloud credentials in your AWS CLI environment by running:
aws configure
- Deploy the conformance pack by running:
aws configservice put-conformance-pack --conformance-pack-name FedRAMP-CPack-Part1 --region=us-gov-west-1 --template-body=file://Operational-Best-Practices-for-FedRAMP-HighPart1.yaml
A successful deployment will display an output similar to what is shown below:
{ "ConformancePackArn": "arn:aws-us-gov:config:us-gov-west-1:xxxxxxxxx:conformance-pack/FedRAMP-CPack-Part1/conformance-pack-abcd0123" }
Note: When running the command to deploy the conformance pack within your own AWS account you will see your AWS account ID in place of “xxxxxxxxx”.
Repeat step 2 for the “Operational Best Practices for FedRAMP HighPart2” conformance pack.
After a few minutes, confirm the successful deployment status of each conformance pack by running:
aws configservice describe-conformance-pack-status --conformance-pack-name FedRAMP-CPack-Part1 --region=us-gov-west-1
The output should show a "ConformanceState" of "CREATE_COMPLETE":
{ "ConformancePackStatusDetails": [ { "ConformancePackName": "FedRAMP-CPack-Part1", "ConformancePackId": "conformance-pack-abcd0123", "ConformancePackArn": "arn:aws-us-gov:config:us-gov-west-1:xxxxxxxxx:conformance-pack/FedRAMP-CPack-Part1/conformance-pack-abcd0123", "ConformanceState": "CREATE_COMPLETE", ... } ] }
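The single-account CLI steps above, scripted end to end, as an added example that is not part of the original post: it deploys both packs and then polls describe-conformance-pack-status until AWS Config reports CREATE_COMPLETE for each. The pack names, the RUN_DEPLOY switch, the 30-second poll interval and the mapping of conformance states to outcomes are choices made for this example; it assumes the AWS CLI already holds GovCloud credentials and that the two template files are in the working directory.

```shell
#!/bin/sh
# Added example (not from the original post): deploy the two FedRAMP High
# conformance packs to a single GovCloud account and wait for CREATE_COMPLETE.
# Assumes the AWS CLI is configured with GovCloud credentials and that both
# template files sit in the current directory.
set -eu

REGION="${REGION:-us-gov-west-1}"

# Pull the ConformanceState value out of describe-conformance-pack-status JSON
# read from stdin. Plain sed, so it can be exercised without calling AWS.
conformance_state() {
  sed -n 's/.*"ConformanceState"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p' | head -n 1
}

# Map a conformance state to an outcome word for the poll loop. States other
# than the two listed (CREATE_FAILED, DELETE_*, or an unparsed/empty value)
# are treated as failures so the script never waits on a broken deployment.
state_outcome() {
  case "$1" in
    CREATE_COMPLETE)    echo done ;;
    CREATE_IN_PROGRESS) echo wait ;;
    *)                  echo failed ;;
  esac
}

deploy_pack() {  # $1 = conformance pack name, $2 = template file
  aws configservice put-conformance-pack \
    --conformance-pack-name "$1" \
    --region "$REGION" \
    --template-body "file://$2"
}

wait_for_pack() {  # $1 = conformance pack name; polls every 30 s, up to 20 times
  i=0
  while [ "$i" -lt 20 ]; do
    state=$(aws configservice describe-conformance-pack-status \
      --conformance-pack-name "$1" --region "$REGION" | conformance_state)
    case "$(state_outcome "$state")" in
      done)   echo "$1: $state"; return 0 ;;
      failed) echo "$1: deployment failed (state: '$state')" >&2; return 1 ;;
    esac
    i=$((i + 1))
    sleep 30
  done
  echo "$1: timed out waiting for deployment" >&2
  return 1
}

# The deployment only runs when explicitly requested, so the helper functions
# above can be sourced and tested without touching an AWS account.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy_pack FedRAMP-CPack-Part1 Operational-Best-Practices-for-FedRAMP-HighPart1.yaml
  deploy_pack FedRAMP-CPack-Part2 Operational-Best-Practices-for-FedRAMP-HighPart2.yaml
  wait_for_pack FedRAMP-CPack-Part1
  wait_for_pack FedRAMP-CPack-Part2
fi
```

Run it with RUN_DEPLOY=1 from a shell that already has GovCloud credentials; a non-zero exit means one of the packs did not reach CREATE_COMPLETE, which is the condition worth alerting on in a pipeline rather than just printing the status.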
Deploy across a group of accounts in an AWS Organization
AWS Organizations on GovCloud is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. The goal is to deploy the FedRAMP High conformance pack across multiple accounts in an AWS Organization. To do this, one AWS account is designated as a delegated administrator within the organization and is in charge of receiving the Config findings. In this sample organization there are two accounts and one organizational unit. Production environments will vary according to the best practices each organization requires.
Using AWS CLI
To deploy the conformance packs using the AWS CLI we will use the same template files that were downloaded previously.
- Configure temporary GovCloud credentials in your AWS CLI environment by running:
aws configure
- Deploy the conformance pack using the following command:
aws configservice put-organization-conformance-pack --organization-conformance-pack-name Org-FedRAMP-CPack-Part1 --region=us-gov-west-1 --template-body=file://Operational-Best-Practices-for-FedRAMP-HighPart1.yaml
A successful deployment will display an output similar to what is shown below:
{ "OrganizationConformancePackArn": "arn:aws-us-gov:config:us-gov-west-1:xxxxxxxxx:organization-conformance-pack/Org-FedRAMP-CPack-Part1-abcd0123" }
- Repeat step 2 for the “Operational Best Practices for FedRAMP High Part 2” conformance pack.
- After a few minutes, confirm the successful deployment status of each conformance pack using the following AWS CLI command:
aws configservice describe-organization-conformance-pack-statuses --region=us-gov-west-1
Creating a conformance pack aggregator
Next, an AWS Config aggregator will be used to create a consolidated view of AWS Config findings across all accounts and Regions within the AWS Organization. An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple AWS accounts and Regions into a single account and Region, giving you a centralized view of your resource inventory and compliance.
- Within the AWS GovCloud Organization, navigate to the AWS Config console in the root account. Note: If using a delegated administrator account for AWS Config within your AWS Organization, log in to the delegated administrator account to complete these steps.
- Find and select “Aggregators” on the left panel. Once in the Aggregators console, select “Create aggregator”.
- Configure the aggregator as shown in Figure 7.
- Select all Regions to gather resource configuration data from. To include future Regions where AWS Config is enabled, select the checkbox next to “Include future AWS regions”.
- Next select “Create aggregator” to create the aggregator.
- Authorization refers to the permissions you grant to an aggregator account and Region to collect your AWS Config configuration and compliance data. Set up the authorization for the account where the AWS Config aggregator will reside by supplying the aggregator account ID and the AWS GovCloud Region where configuration and compliance data will reside. Once added, give it a few moments to populate.
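The organization deployment from the "Using AWS CLI" steps above and the aggregator setup just described, combined into one CLI script as an added example that is not part of the original post. The pack and aggregator names, the RUN_DEPLOY switch, the placeholder account ID 111111111111 and the role name AWSConfigAggregatorRole are choices made for this example; it assumes the AWS CLI holds GovCloud credentials for the delegated administrator account, that AWS Config is enabled in the member accounts, and that AGGREGATOR_ROLE_ARN points at an IAM role AWS Config can assume to read the organization's membership. The authorization function is the step the text describes in the console; AWS Config requires it when an aggregator collects from individually listed accounts rather than from the organization.

```shell
#!/bin/sh
# Added example (not from the original post): deploy the FedRAMP High packs as
# organization conformance packs, then create and authorize an organization-wide
# AWS Config aggregator in the same (delegated administrator) account.
# Account ID and role name below are placeholders for this example.
set -eu

REGION="${REGION:-us-gov-west-1}"
ADMIN_ACCOUNT_ID="${ADMIN_ACCOUNT_ID:-111111111111}"
AGGREGATOR_ROLE_ARN="${AGGREGATOR_ROLE_ARN:-arn:aws-us-gov:iam::${ADMIN_ACCOUNT_ID}:role/AWSConfigAggregatorRole}"

# An AWS account ID is exactly 12 decimal digits; reject anything else before
# it is handed to put-aggregation-authorization.
valid_account_id() {
  case "$1" in
    *[!0-9]*|"") return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Build the shorthand value for --organization-aggregation-source. With no
# Region list the aggregator follows every Region, including future ones
# (the console's "Include future AWS regions"); otherwise only those listed.
aggregation_source_arg() {  # $1 = role ARN, $2.. = optional Regions
  role="$1"; shift
  if [ "$#" -eq 0 ]; then
    printf 'RoleArn=%s,AllAwsRegions=true' "$role"
  else
    regions=$(printf '%s,' "$@")
    regions="${regions%,}"
    printf 'RoleArn=%s,AwsRegions=%s' "$role" "$regions"
  fi
}

deploy_org_pack() {  # $1 = organization conformance pack name, $2 = template file
  aws configservice put-organization-conformance-pack \
    --organization-conformance-pack-name "$1" \
    --region "$REGION" \
    --template-body "file://$2"
}

create_org_aggregator() {  # $1 = aggregator name
  aws configservice put-configuration-aggregator \
    --configuration-aggregator-name "$1" \
    --region "$REGION" \
    --organization-aggregation-source "$(aggregation_source_arg "$AGGREGATOR_ROLE_ARN")"
}

# Grants the aggregator account/Region permission to read this account's
# configuration and compliance data (the "Authorization" step in the text).
authorize_aggregator() {  # $1 = aggregator account ID
  valid_account_id "$1" || { echo "invalid account id: $1" >&2; return 1; }
  aws configservice put-aggregation-authorization \
    --authorized-account-id "$1" \
    --authorized-aws-region "$REGION" \
    --region "$REGION"
}

# Only touches AWS when explicitly requested; the helpers above are pure shell.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy_org_pack Org-FedRAMP-CPack-Part1 Operational-Best-Practices-for-FedRAMP-HighPart1.yaml
  deploy_org_pack Org-FedRAMP-CPack-Part2 Operational-Best-Practices-for-FedRAMP-HighPart2.yaml
  aws configservice describe-organization-conformance-pack-statuses --region "$REGION"
  create_org_aggregator FedRAMP-High-Org-Aggregator
  authorize_aggregator "$ADMIN_ACCOUNT_ID"
fi
```

Keeping the aggregation source builder separate makes the "all Regions versus a fixed list" decision explicit and reviewable: an aggregator limited to a Region list silently misses any Region where AWS Config is later enabled, which is exactly the gap the console's "Include future AWS regions" option closes.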
The completed aggregator provides a Compliance Dashboard view of all resources within your AWS environment. The dashboard shows compliance metrics for any AWS Config conformance packs. With the AWS Config configuration recorder, you can review changes to individual rules over time, which can provide insight for root cause analysis of configuration or compliance violations. The AWS Config configuration recorder can be set to record changes continuously or periodically.
Figures 10 and 11 below show the completed aggregator and the aggregator compliance dashboard.
After setting up an AWS Config Aggregator to collect configuration and compliance data from multiple accounts and Regions, you can view a centralized compliance dashboard to assess the overall compliance posture of your organization. The compliance dashboard provides essential insights such as a summary of compliant vs noncompliant resources, the top resource types and accounts with the most noncompliant resources, and the conformance packs with the highest number of noncompliant rules. By using the compliance dashboard, you can quickly identify areas that need attention and make informed decisions to address compliance issues across your AWS environment.
Congratulations, you have successfully deployed an Aggregator and authorization for the Operational Best Practices for FedRAMP High in GovCloud conformance pack findings.
Simplifying Compliance Reporting using AWS Security Hub
AWS Security Hub provides a consolidated view of security findings across a customer’s AWS accounts and helps visualize the security posture of AWS-based workloads. Leveraging the robust integration with AWS Config, customers can do the following:
1. Review findings from Operational Best Practices for FedRAMP High conformance packs
2. Automate and orchestrate remediations to fix misconfigured resources
3. Enrich and export findings to help with ATO or continuous monitoring assessments
When using AWS Config integration with AWS Security Hub it is recommended to follow best practices to reduce costs. Review our AWS Security Blog: Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture for tips on how to optimize AWS Config for use with Security Hub.
Using AWS Config conformance packs in AWS Landing Zone Accelerator Environments: Customers can use Landing Zone Accelerator to centrally manage AWS Config throughout their Organization and report findings to AWS Security Hub. Findings identified by the FedRAMP High conformance pack may overlap with controls or frameworks that have already been deployed through AWS Control Tower in an LZA environment.
Clean Up
It’s a best practice to clean up any resources that you do not plan to continue using. This avoids any unexpected charges.
- Delete any aggregators that were configured within your AWS account(s) (See more in AWS Config Developer Guide).
- Delete any AWS Config conformance packs deployed within your AWS account. Note: For Conformance packs deployed to AWS Organizations first identify the name of the Organization Conformance pack to be deleted:
aws configservice describe-organization-conformance-packs
- Delete the Conformance packs using the AWS CLI using the following command replacing CONFORMANCE-PACK-NAME with the name identified in the previous step:
aws configservice delete-organization-conformance-pack --organization-conformance-pack-name "CONFORMANCE-PACK-NAME"
Conclusion
FedRAMP High compliance is a critical requirement for cloud service providers serving the U.S. federal government. By leveraging AWS Config conformance packs tailored specifically for the FedRAMP High baseline in AWS GovCloud, organizations can reduce the operational overhead associated with manual assessments and audits.
The Operational Best Practices for FedRAMP High conformance packs provide a comprehensive set of managed rules that continuously monitor resource configurations against the stringent FedRAMP High security controls. These conformance packs are able to monitor resources across a single account or across an entire AWS Organization. Additionally, Config rule evaluations can be automatically imported into AWS Security Hub to provide a rollup view of Security Findings across your AWS environment. These findings can be exported and shared with assessors, authorizing officials, or internal audit teams to streamline compliance reporting for FedRAMP.
While AWS Config conformance packs are a powerful tool, it’s important to note that they are just one component of a comprehensive FedRAMP compliance strategy. Organizations must adopt a holistic approach that encompasses people, processes, and technology. The AWS Shared Responsibility Model and the AWS Well-Architected Framework Security Pillar are great resources that outline a set of best practices and considerations when approaching security and compliance in the cloud.