AWS Cloud Operations Blog

Operational Best Practices for FedRAMP Compliance in AWS GovCloud with AWS Config

AWS Config is a fully managed service that provides customers with resource inventory, configuration monitoring, and configuration change notifications to support security, governance, and compliance for workloads in AWS. An AWS Config rule represents desired configurations for a resource and evaluates changes in near real-time and records the compliance history in AWS Config. Using AWS Config rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance with a rule. A conformance pack is a collection of AWS Config rules and remediation actions built using a common framework and packaging model on AWS Config.

In August 2024, we introduced new AWS Config conformance packs for Federal Risk and Authorization Management Program (FedRAMP) High. These new conformance packs (Part 1 and Part 2) are tailored for AWS GovCloud and automate the assessment of security controls for stringent FedRAMP High workloads. They group managed rule sets within AWS Config to perform continuous evaluation of resources within a customer’s AWS environment against the FedRAMP High baseline. In this blog we will demonstrate how to deploy these conformance packs within a customer’s AWS environment, for a single account or for multi-account AWS Organizations workloads. We will also discuss how customers can integrate with AWS Security Hub to simplify the reporting processes for FedRAMP authorization and continuous monitoring activities.

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is important because it increases:

  • Consistency and confidence in the security of cloud solutions using standards defined by the National Institute of Standards and Technology (NIST) and FISMA
  • Transparency between US government and cloud providers
  • Automation and near real time continuous monitoring
  • Adoption of secure cloud solutions through reuse of assessments and authorizations

FedRAMP High is the highest security baseline that is designed for cloud systems that handle the government’s most sensitive unclassified data. FedRAMP High systems must adhere to 421 security controls across 17 different control families. AWS GovCloud Regions meet the FedRAMP High baseline and support workloads up to Department of Defense Security Requirements Guide – Impact Level 5.

Operational Best Practices for FedRAMP High in GovCloud

These new conformance packs, aligned to FedRAMP High workloads in AWS GovCloud, help customers get a near real-time view of how resources are configured in their AWS GovCloud environment, using AWS Config rule checks that are mapped to FedRAMP High controls. The conformance packs consist of two parts. The first, Operational Best Practices for FedRAMP (High Part 1), expands on our existing FedRAMP Moderate conformance pack with updated parameters to accommodate additional FedRAMP High requirements. Operational Best Practices for FedRAMP (High Part 2) evaluates your AWS resources against controls that are exclusive to FedRAMP High.

Important note: Conformance packs are a powerful tool that simplify compliance reporting and provide the capability to automate remediations for compliance violations. However, achieving FedRAMP High authorization requires a comprehensive approach beyond conformance packs alone. For more information see the AWS Shared Responsibility Model. Organizations must ensure they meet all FedRAMP High controls and continuously monitor their compliance status.

AWS Security Hub Integration

Security officers are also able to streamline their authorization and continuous monitoring reporting using AWS Security Hub’s integration with the AWS Config configuration recorder. AWS Config configuration recorders store the configuration history of resources within your AWS account and store this history in your own Amazon S3 bucket. These configuration findings can also be sent to Security Hub for a consolidated view of security findings across all of your AWS accounts. Security Hub also has integrations with third-party ticketing, governance, and security tooling. To configure AWS Config for integration with Security Hub, customers can follow our AWS Security Hub User Guide for integrating AWS Config with AWS Security Hub.

Deploying AWS Config conformance packs in AWS GovCloud

Prerequisites

For this walkthrough, you should have the following prerequisites:

  • Single AWS GovCloud account
  • (Optional) AWS Organization with multiple AWS GovCloud accounts managed by AWS Organizations, if deploying Organization conformance packs
  • (Optional) Delegated Administrator account configured within the AWS Organization

Deploy to a single AWS Account

This section will demonstrate the steps necessary to deploy the conformance pack in a single account in AWS GovCloud.

Using the AWS Console

      1. Log into a GovCloud account. Double check the current AWS Region to make sure you are in the correct GovCloud Region.
      2. Navigate to the AWS Config console.
      3. Once on the AWS Config page, click “Conformance packs” in the left sidebar. Then click the orange “Deploy conformance pack” button.

    Figure 1: Deploy conformance pack

      4. Click “Use sample template” and select “Operational Best Practices for FedRAMP HighPart1”.

    Figure 2: Specify template

      5. Choose a name for the conformance pack. In this blog post, we used ‘FedRAMP-High-CPack-Part1’ as the conformance pack name.
      6. Review the details and then click “Deploy conformance pack”.

    Figure 3: Review and Deploy conformance pack

      7. You should now see the conformance pack with an “In progress” deployment status. After a few minutes, the deployment status should say “Completed.” Once the conformance pack finishes reviewing the environment, there will be a “Compliance score”. This is shown as a percentage based on the number of compliant Config rules (as shown in Figure 4). This score will vary across environments depending on how many AWS Config rules are initially compliant.

    Figure 4: Conformance pack Deployment completed

      8. Repeat steps 3-6 for the “Operational Best Practices for FedRAMP High (Part 2)” conformance pack.
      9. After a few minutes, you should see part 2 of the conformance pack with a “Completed” deployment status. Each part of the conformance pack is given its own compliance score. In the image below, conformance pack part one has a compliance score of 35% and part two has a score of 17%. When you first deploy the conformance packs, your scores may be different. As a best practice, the score should be higher than what is shown here. By clicking “View” next to the compliance score, you’ll be able to review why the conformance pack was given its compliance score.

    Figure 5: Both conformance packs deployed

      10. This dashboard shows the specific AWS Config rules that are compliant and noncompliant. The compliance score will go up as more AWS Config rules become compliant.

    Figure 6: Compliant and non-compliant resources

      11. Congratulations, you have successfully deployed the FedRAMP High conformance packs for a single AWS account.

Using AWS CLI

The conformance pack template files are publicly available in the AWS Config Rules repository. To deploy the conformance packs via the AWS CLI, first download the Part 1 and Part 2 template files (the Part 1 file is Operational-Best-Practices-for-FedRAMP-HighPart1.yaml).

Once the template files are downloaded, copy or move them to your current working directory.

      1. Configure temporary GovCloud credentials in your AWS CLI environment by running aws configure.
      2. Deploy the conformance pack by running:

    aws configservice put-conformance-pack --conformance-pack-name FedRAMP-CPack-Part1 --region=us-gov-west-1 --template-body=file://Operational-Best-Practices-for-FedRAMP-HighPart1.yaml

    A successful deployment will display output similar to what is shown below:

    {
        "ConformancePackArn": "arn:aws-us-gov:config:us-gov-west-1:xxxxxxxxx:conformance-pack/FedRAMP-CPack-Part1/conformance-pack-abcd0123"
    }

    Note: When you run the command within your own AWS account, you will see your AWS account ID in place of “xxxxxxxxx”.

      3. Repeat step 2 for the “Operational Best Practices for FedRAMP HighPart2” conformance pack.
      4. After a few minutes, confirm the successful deployment status of each conformance pack by running:

    aws configservice describe-conformance-pack-status --conformance-pack-names FedRAMP-CPack-Part1 --region=us-gov-west-1

    {
        "ConformancePackStatusDetails": [
            {
                "ConformancePackName": "FedRAMP-CPack-Part1",
                "ConformancePackId": "conformance-pack-abcd0123",
                "ConformancePackArn": "arn:aws-us-gov:config:us-gov-west-1:xxxxxxxxx:conformance-pack/FedRAMP-CPack-Part1/conformance-pack-abcd0123",
                "ConformanceState": "CREATE_COMPLETE",
                ...
            }
        ]
    }
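The single-account CLI steps above can be scripted so that both packs are deployed, polled until they reach CREATE_COMPLETE, and then scored. The script below is an added example, not code from the post or from the aws-config-rules repository. It assumes GovCloud credentials are already configured with aws configure, that the Part 1 template is in the current directory, and that the Part 2 template file follows the same naming pattern (that file name is an assumption, not taken from the post). The score it prints is the rule-level ratio the post describes (compliant rules divided by evaluated rules), which may differ from the score shown in the console.

```shell
#!/usr/bin/env bash
# Added example (not from the post): deploy both FedRAMP High conformance packs
# into one GovCloud account, wait for each to finish, then print a rule-level
# compliance score. Region, credentials and template names are assumptions.
set -eu

REGION="${REGION:-us-gov-west-1}"
PART1_TEMPLATE="Operational-Best-Practices-for-FedRAMP-HighPart1.yaml"
PART2_TEMPLATE="Operational-Best-Practices-for-FedRAMP-HighPart2.yaml"   # assumed file name

# Map a ConformanceState value to a return code: 0 ready, 1 still working, 2 failed.
pack_ready() {
  case "$1" in
    CREATE_COMPLETE)             return 0 ;;
    CREATE_FAILED|DELETE_FAILED) return 2 ;;
    *)                           return 1 ;;
  esac
}

# Percentage of rules whose ComplianceType is COMPLIANT, one state per argument.
compliance_score() {
  total=0; ok=0
  for state in "$@"; do
    total=$((total + 1))
    if [ "$state" = "COMPLIANT" ]; then ok=$((ok + 1)); fi
  done
  [ "$total" -gt 0 ] || { echo 0; return 0; }
  echo $((ok * 100 / total))
}

# Poll describe-conformance-pack-status until the pack is deployed (non-zero on failure).
wait_for_pack() {
  name=$1
  while :; do
    state=$(aws configservice describe-conformance-pack-status \
      --conformance-pack-names "$name" --region "$REGION" \
      --query 'ConformancePackStatusDetails[0].ConformanceState' --output text)
    rc=0; pack_ready "$state" || rc=$?
    case "$rc" in
      0) echo "$name: $state"; return 0 ;;
      2) echo "$name: $state" >&2; return 1 ;;
    esac
    echo "$name: $state, waiting..."; sleep 15
  done
}

# Rule-level score for a deployed pack; the CLI paginates this call automatically.
pack_score() {
  states=$(aws configservice describe-conformance-pack-compliance \
    --conformance-pack-name "$1" --region "$REGION" \
    --query 'ConformancePackRuleComplianceList[].ComplianceType' --output text)
  # $states is left unquoted on purpose so the tab-separated list splits into words.
  compliance_score $states
}

deploy_pack() {
  aws configservice put-conformance-pack --conformance-pack-name "$1" \
    --region "$REGION" --template-body "file://$2"
}

main() {
  deploy_pack FedRAMP-CPack-Part1 "$PART1_TEMPLATE"
  deploy_pack FedRAMP-CPack-Part2 "$PART2_TEMPLATE"
  for name in FedRAMP-CPack-Part1 FedRAMP-CPack-Part2; do
    wait_for_pack "$name"
    echo "$name: $(pack_score "$name")% of rules compliant"
  done
}

# Only deploy when explicitly asked, so the file can also be sourced for its helpers.
case "${1:-}" in
  deploy) main ;;
  *) echo "usage: $0 deploy" ;;
esac
```

Run it as `bash deploy-fedramp-packs.sh deploy`. Immediately after a pack reaches CREATE_COMPLETE many rules still report INSUFFICIENT_DATA because their first evaluation has not finished, so the score printed right after deployment is a floor; rerun pack_score later for a settled value.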

Deploy across a group of accounts in an AWS Organization

AWS Organizations in GovCloud is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. The goal is to deploy the FedRAMP High conformance packs across multiple accounts in an AWS Organization. To do this, one AWS account within the organization is designated as a delegated administrator and receives the AWS Config findings. In this sample organization there are two accounts and one organizational unit. The best practices required will vary by organization and production environment.

Using AWS CLI

To deploy the conformance packs using the AWS CLI, we use the same template files that were downloaded previously.

      1. Configure temporary GovCloud credentials in your AWS CLI environment by running aws configure.
      2. Deploy the conformance pack using the following command:

    aws configservice put-organization-conformance-pack --organization-conformance-pack-name Org-FedRAMP-CPack-Part1 --region=us-gov-west-1 --template-body=file://Operational-Best-Practices-for-FedRAMP-HighPart1.yaml

    A successful deployment will display output similar to what is shown below:

    {
        "OrganizationConformancePackArn": "arn:aws-us-gov:config:us-gov-west-1:xxxxxxxxx:organization-conformance-pack/Org-FedRAMP-CPack-Part1-abcd0123"
    }

      3. Repeat step 2 for the “Operational Best Practices for FedRAMP High Part 2” conformance pack.
      4. After a few minutes, confirm the successful deployment status of each conformance pack using the following AWS CLI command:

    aws configservice describe-organization-conformance-pack-statuses --region=us-gov-west-1

Creating a conformance pack aggregator

Next, an AWS Config aggregator will be used to create a consolidated view of AWS Config findings across all accounts and Regions within the AWS Organization. An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple AWS accounts and Regions into a single account and Region, giving you a centralized view of your resource inventory and compliance.

      1. Within the AWS GovCloud Organization, navigate to the AWS Config console in the root account. Note: If you use a delegated administrator account for AWS Config within your AWS Organization, log in to the delegated administrator account to complete these steps.
      2. Find and select “Aggregators” in the left panel. Once in the Aggregators console, select “Create aggregator”.
      3. Configure the aggregator as shown in Figure 7.

    Figure 7: Aggregator Organization configuration

      4. Select all Regions to gather resource configuration data from. To include future Regions where AWS Config is enabled, select the checkbox next to “Include future AWS regions”.

    Figure 8: Aggregator Region selection

      5. Next, select “Create aggregator” to create the aggregator.
      6. Authorization refers to the permissions you grant to an aggregator account and Region to collect your AWS Config configuration and compliance data. Set up the authorization for the account where the AWS Config aggregator will reside by supplying the aggregator account ID and the AWS GovCloud Region where configuration and compliance data will reside. Once added, give it a few moments to populate.

    Figure 9: Adding AWS Config Authorization
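The aggregator steps above have CLI equivalents, which are useful when the delegated administrator account is managed as code. The script below is an added example and is not from the post. It assumes an organization-source aggregator (the Figure 7 configuration) with all current and future Regions (the Figure 8 checkbox), a service role named ConfigOrgAggregatorRole carrying the AWSConfigRoleForOrganizations managed policy so the aggregator can list the organization's accounts, an aggregator name of FedRAMP-Org-Aggregator, and GovCloud ARNs; all of those names are assumptions. The authorize subcommand is the per-account counterpart of step 6 and is run in a source account. After creation it lists any source account or Region the aggregator could not collect from, and prints a per-account, per-Region compliant-rule percentage for each organization conformance pack.

```shell
#!/usr/bin/env bash
# Added example (not from the post): create an organization-wide AWS Config
# aggregator from the delegated administrator account and report on it.
# Role name, aggregator name and managed policy ARN are assumptions.
set -eu

REGION="${REGION:-us-gov-west-1}"
AGGREGATOR="${AGGREGATOR:-FedRAMP-Org-Aggregator}"
ROLE_NAME="${ROLE_NAME:-ConfigOrgAggregatorRole}"

# Service role the aggregator assumes to enumerate organization accounts.
# Fails if the role already exists, which is acceptable for a one-off setup.
create_aggregator_role() {
  account_id=$(aws sts get-caller-identity --query Account --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"config.amazonaws.com"},"Action":"sts:AssumeRole"}]}' >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws-us-gov:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
  sleep 10   # give the new role a moment to propagate before AWS Config uses it
  echo "arn:aws-us-gov:iam::${account_id}:role/${ROLE_NAME}"
}

# Organization source covering every Region now and in the future.
create_aggregator() {
  aws configservice put-configuration-aggregator --region "$REGION" \
    --configuration-aggregator-name "$AGGREGATOR" \
    --organization-aggregation-source "RoleArn=$1,AllAwsRegions=true"
}

# Step 6 equivalent: run in a source account to authorize the aggregator account/Region.
authorize_aggregator() {
  aws configservice put-aggregation-authorization --region "$REGION" \
    --authorized-account-id "$1" --authorized-aws-region "$REGION"
}

# Pure helper: reads "sourceId region status" rows, prints the rows not SUCCEEDED.
failed_sources() {
  while read -r id region status; do
    [ "$status" = "SUCCEEDED" ] || echo "$id $region $status"
  done
}

# Pure helper: reads "account region pack compliantRules totalRules" rows and
# prints the compliant-rule percentage; non-numeric or zero totals (nothing
# evaluated yet, shown as None in text output) score 0.
pack_report() {
  while read -r account region pack compliant total; do
    case "$total" in
      ''|*[!0-9]*|0) pct=0 ;;
      *) pct=$((compliant * 100 / total)) ;;
    esac
    echo "$account $region $pack ${pct}%"
  done
}

main() {
  role_arn=$(create_aggregator_role)
  create_aggregator "$role_arn"
  echo "Waiting for the aggregator to collect data..."; sleep 60
  echo "Sources that are not SUCCEEDED:"
  aws configservice describe-configuration-aggregator-sources-status --region "$REGION" \
    --configuration-aggregator-name "$AGGREGATOR" \
    --query 'AggregatedSourceStatusList[].[SourceId,AwsRegion,LastUpdateStatus]' \
    --output text | failed_sources
  echo "Compliant rules per account, Region and organization conformance pack:"
  aws configservice describe-aggregate-compliance-by-conformance-packs --region "$REGION" \
    --configuration-aggregator-name "$AGGREGATOR" \
    --query 'AggregateComplianceByConformancePacks[].[AccountId,AwsRegion,ConformancePackName,Compliance.CompliantRuleCount,Compliance.TotalRuleCount]' \
    --output text | pack_report
}

case "${1:-}" in
  create)    main ;;
  authorize) authorize_aggregator "${2:?aggregator account id}" ;;
  *) echo "usage: $0 create | authorize <aggregator-account-id>" ;;
esac
```

A source listed by failed_sources as FAILED or OUTDATED usually means AWS Config is not enabled in that account and Region, or the organization role cannot be assumed; describe-configuration-aggregator-sources-status also returns LastErrorCode and LastErrorMessage for each source, which is the first place to look.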

The completed aggregator provides a Compliance Dashboard view of all resources within your AWS environment. The dashboard shows compliance metrics for any AWS Config conformance packs. With the AWS Config configuration recorder, you can review changes to individual rules over time, which can provide insight for root cause analysis of configuration or compliance violations. The configuration recorder can be set to record changes continuously or periodically.

Figures 10 and 11 below show the completed aggregator and the aggregator compliance dashboard.

Figure 10: Aggregator after successful configuration.

After setting up an AWS Config aggregator to collect configuration and compliance data from multiple accounts and Regions, you can view a centralized compliance dashboard to assess the overall compliance posture of your organization. The compliance dashboard provides essential insights such as a summary of compliant vs noncompliant resources, the top resource types and accounts with the most noncompliant resources, and the conformance packs with the highest number of noncompliant rules. By using the compliance dashboard, you can quickly identify areas that need attention and make informed decisions to address compliance issues across your AWS environment.

Figure 11: Compliance Dashboard

Congratulations, you have successfully deployed an aggregator and authorization for the Operational Best Practices for FedRAMP High in GovCloud conformance pack findings.

Simplifying Compliance Reporting using AWS Security Hub

AWS Security Hub provides a consolidated view of security findings across a customer’s AWS account(s) and helps visualize the security posture of AWS-based workloads. Leveraging the robust integration with AWS Config, customers can do the following:

1. Review findings from the Operational Best Practices for FedRAMP High conformance packs

2. Automate and orchestrate remediations to fix misconfigured resources

3. Enrich and export findings to help with ATO or continuous monitoring assessments

When using the AWS Config integration with AWS Security Hub, it is recommended to follow best practices to reduce costs. Review our AWS Security Blog post, Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture, for tips on how to optimize AWS Config for use with Security Hub.

Using AWS Config conformance packs in AWS Landing Zone Accelerator environments: Customers can use Landing Zone Accelerator (LZA) to centrally manage AWS Config throughout their Organization and report findings to AWS Security Hub. Findings identified by the FedRAMP High conformance packs may overlap with controls or frameworks that have already been deployed through AWS Control Tower in an LZA environment.

Clean Up

It’s a best practice to clean up any resources that you do not plan to continue using, to avoid unexpected charges.

  • Delete any aggregators that were configured within your AWS account(s) (see the AWS Config Developer Guide).
  • Delete any AWS Config conformance packs deployed within your AWS account. Note: For conformance packs deployed to AWS Organizations, first identify the name of the organization conformance pack to be deleted:

    aws configservice describe-organization-conformance-packs

  • Delete the conformance packs using the AWS CLI with the following command, replacing CONFORMANCE-PACK-NAME with the name identified in the previous step:

    aws configservice delete-organization-conformance-pack --organization-conformance-pack-name "CONFORMANCE-PACK-NAME"
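The clean-up commands above can be combined into one script that only deletes organization conformance packs whose names start with a chosen prefix, so that packs deployed for other purposes in the same organization are left alone. This is an added example, not code from the post; the single-account pack names are the ones used in this walkthrough and the aggregator name is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the post): remove the resources this walkthrough created.
# Pack names follow the post; the aggregator name is an assumption.
set -eu

REGION="${REGION:-us-gov-west-1}"
AGGREGATOR="${AGGREGATOR:-FedRAMP-Org-Aggregator}"

# Pure helper: keep only the names (one per line on stdin) that start with $1.
select_packs() {
  prefix=$1
  while read -r name; do
    case "$name" in
      "$prefix"*) echo "$name" ;;
    esac
  done
}

# Delete the organization conformance packs matching a prefix, one at a time.
delete_org_packs() {
  aws configservice describe-organization-conformance-packs --region "$REGION" \
    --query 'OrganizationConformancePacks[].OrganizationConformancePackName' --output text \
    | tr '\t' '\n' | select_packs "$1" | while read -r name; do
      echo "Deleting organization conformance pack $name"
      aws configservice delete-organization-conformance-pack --region "$REGION" \
        --organization-conformance-pack-name "$name"
    done
}

# Delete the two single-account packs deployed earlier in the post.
delete_account_packs() {
  for name in FedRAMP-CPack-Part1 FedRAMP-CPack-Part2; do
    echo "Deleting conformance pack $name"
    aws configservice delete-conformance-pack --region "$REGION" --conformance-pack-name "$name"
  done
}

delete_aggregator() {
  aws configservice delete-configuration-aggregator --region "$REGION" \
    --configuration-aggregator-name "$AGGREGATOR"
}

case "${1:-}" in
  org)        delete_org_packs "${2:-Org-FedRAMP-CPack-}" ;;
  account)    delete_account_packs ;;
  aggregator) delete_aggregator ;;
  *) echo "usage: $0 org [name-prefix] | account | aggregator" ;;
esac
```

Run the org subcommand from the delegated administrator account and the account subcommand in each account where the single-account packs were deployed; deletion of an organization pack takes a few minutes and can be followed with describe-organization-conformance-pack-statuses.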

Conclusion

FedRAMP High compliance is a critical requirement for cloud service providers serving the U.S. federal government. By leveraging AWS Config conformance packs tailored specifically for the FedRAMP High baseline in AWS GovCloud, organizations can reduce the operational overhead associated with manual assessments and audits.

The Operational Best Practices for FedRAMP High conformance packs provide a comprehensive set of managed rules that continuously monitor resource configurations against the stringent FedRAMP High security controls. These conformance packs are able to monitor resources across a single account or across an entire AWS Organization. Additionally, Config rule evaluations can be automatically imported into AWS Security Hub to provide a rollup view of security findings across your AWS environment. These findings can be exported and shared with assessors, authorizing officials, or internal audit teams to streamline compliance reporting for FedRAMP.

While AWS Config conformance packs are a powerful tool, it’s important to note that they are just one component of a comprehensive FedRAMP compliance strategy. Organizations must adopt a holistic approach that encompasses people, processes, and technology. The AWS Shared Responsibility Model and AWS Well-Architected: Security Pillar are great resources that outline a set of best practices and considerations when approaching security and compliance in the cloud.

About the authors:

Dylan McAllister

Dylan McAllister is a Partner Solutions Architect in AWS Worldwide Public Sector. Dylan helps design and optimize solutions for organizations supporting US federal government agency missions. Dylan has a background in security and compliance and specializes in Serverless technologies on AWS.

Snehal Nahar

Snehal Nahar is a Principal Technical Account Manager (Security Specialist) at AWS. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and watching TV.

Andrew Istfan

Andrew Istfan is a Solutions Architect at AWS and supports public sector customers, primarily in aerospace and defense. He holds eight AWS certifications and has a passion for networking and infrastructure as code. Outside of work, Andrew is often found playing video games, watching captivating space videos, or skiing down mountain slopes.

Andres Mejia

Andres Mejia is a Federal Civilian Solutions Architect. He specializes in Cloud Operations. Andres has been a Solutions Architect for the last 2 years and enjoys being a trusted advisor for his federal customers. Outside of work, he spends time playing sports, cooking, and spending time with family.

Darius Thomas

Darius Thomas is a Solutions Architect at AWS. Darius supports customers in the Worldwide Public Sector, specifically in state and local government. Darius is passionate about security and appreciates the opportunity of helping customers with their business needs. Outside of work, Darius enjoys spending time with friends and family, working out, and watching thought-provoking movies.