AWS Public Sector Blog
How Booz Allen obtains C-ATO to accelerate service delivery in federal organizations using AWS
To improve operational efficiency, government agencies are moving to speed up service delivery. Software used in the US federal sector needs to comply with the Federal Information Security Modernization Act (FISMA) security guidelines and mandates, and agencies need to obtain an Authority to Operate (ATO) that demonstrates compliance prior to implementation. This effort can take a significant amount of time and can make tight deadlines hard to meet. Continuous Authority to Operate (C-ATO) helps federal organizations overcome this challenge by reusing already-certified infrastructure and recertifying only the components that differ, which accelerates timelines.
AWS Partner Booz Allen Hamilton (Booz Allen) uses a platform as a service model on Amazon Web Services (AWS) to enable their customers to rapidly build, test, scan, and deploy their applications. The platform accelerates the process of establishing and maintaining ATOs by providing platform users with inherited controls, enabling C-ATO and accelerating releases in the federal government from months to days.
Platform as a service model
The platform as a service model leverages Booz Allen’s Solutions Delivery Platform (SDP), a tool-agnostic, templated continuous integration and continuous delivery (CI/CD) platform built using Kubernetes, an open-source container platform, and Jenkins, an open-source automation server. SDP helps users move quickly by enabling governance and consistency without requiring individual teams to develop their own processes or container deployment workflows. Booz Allen has open-sourced SDP for community input and use, and it has been downloaded in over 100 countries.
SDP’s two main components are the Jenkins Templating Engine (JTE) and the SDP Pipeline Libraries. The JTE is a custom plugin pioneered, developed, and open-sourced by Booz Allen that enables governance through templating and hierarchical configuration files. SDP Pipeline Libraries are reusable tool integrations that contain the technical implementations of pipeline actions such as static code analysis, container image scanning, and deployments. Users can execute and change the default pipeline, as well as add new tool configurations. This provides flexibility while still enabling the organizational governance required by federal organizations. See the overall process in Figure 1.
Figure 1: Booz Allen’s Software-Delivery-Platform (SDP) process flow.
Implementation
To enable the platform as a service model for federal customers, Booz Allen implements the SDP using Federal Risk and Authorization Management Program (FedRAMP) authorized managed services from AWS. The central component of the platform is Amazon Elastic Kubernetes Service (Amazon EKS), a FedRAMP-authorized managed Kubernetes service. Amazon EKS reduces the complexity of Kubernetes administrative tasks while still allowing control of the underlying infrastructure through custom Amazon Machine Images (AMIs). Cluster upgrades are also automated through eksctl, a simple command-line interface (CLI) tool with robust Amazon EKS integrations.
Amazon EKS integrates with AWS Secrets Manager to protect passwords and other application secrets. Developers add an external secret custom resource to their Flux configuration repository; the external secrets controller reads the referenced values from Secrets Manager and materializes them as native Kubernetes Secret resources that pods can consume, as seen in Figure 2 below.
Figure 2: Using AWS Secrets Manager with external secret custom resources.
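The following manifests are an added illustration of the flow in Figure 2, not code from the Booz Allen SDP or from AWS. The page does not say which external secrets controller SDP uses, so these are written for the External Secrets Operator (external-secrets.io); the namespace, service account, IAM role ARN, account ID, region and secret path are all assumed placeholders.

```yaml
# Added example: ExternalSecret flow for AWS Secrets Manager on Amazon EKS.
# Assumes the External Secrets Operator (external-secrets.io) is installed;
# all names, the region, the account ID and the secret path are placeholders.
---
# Service account the controller authenticates with. The IRSA annotation binds
# it to an IAM role that should allow only secretsmanager:GetSecretValue and
# secretsmanager:DescribeSecret on the specific secret ARNs this team owns.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-sa
  namespace: payments            # tenant namespace (assumed)
  annotations:
    eks.amazonaws.com/role-arn: arn:aws-us-gov:iam::123456789012:role/payments-secrets-reader
---
# Namespace-scoped store: the team can only read what that IAM role permits,
# and a store in another namespace cannot be referenced from here.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: payments
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-gov-west-1
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
---
# Committed to the Flux configuration repository. The controller fetches the
# value and writes a native Kubernetes Secret; no credential is stored in Git.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: payments-db
  namespace: payments
spec:
  refreshInterval: 1h            # periodic re-sync so rotated values propagate
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: payments-db            # name of the resulting Kubernetes Secret
    creationPolicy: Owner        # removed together with the ExternalSecret
  data:
    - secretKey: DB_PASSWORD     # key inside the Kubernetes Secret
      remoteRef:
        key: prod/payments/db    # Secrets Manager secret name (placeholder)
        property: password       # JSON field inside the stored secret value
```

Only the ExternalSecret (a reference, not a value) lives in the configuration repository, so an audit of Git history never exposes a credential. Two cluster-side controls complete the picture: the IAM role named in the annotation should list the specific secret ARNs rather than `*`, and Kubernetes Secrets are only base64-encoded at rest, so Amazon EKS envelope encryption of secrets with an AWS KMS key should be enabled on the cluster.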
Another critical component is Amazon Elastic Container Registry (Amazon ECR), a FedRAMP-authorized, fully managed container registry that makes it simple to store, manage, share, and deploy container images and artifacts developed on the SDP. Other components include tools such as AWS CloudFormation, Terraform, and Ansible that help efficiently provision, patch, and upgrade infrastructure in the platform.
How the platform works
When developers commit code to an application code repository, the CI/CD pipeline is triggered. A Jenkins job builds Docker images, runs various tests, performs security and code scans, and pushes the application image to Amazon ECR. When developers are ready to deploy these images to the cluster, they commit a Kubernetes resource definition file to a Flux configuration code repository. Flux then deploys the resources, along with the images from Amazon ECR, to the Kubernetes cluster, as seen in Figure 3 below.
Figure 3: The continuous integration and continuous delivery (CI/CD) platform code deployment workflow.
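As an added example of the deployment path in Figure 3 (not SDP's own manifests), the block below shows the pieces a tenant team would keep in its Flux configuration repository, written for Flux v2 because the page does not state which Flux version SDP uses. The namespace, repository URL, key names, account ID, region and image digest are placeholders; the least-privilege service account binding is an assumption about how such a platform would isolate tenants.

```yaml
# Added example of the Figure 3 deployment path, written for Flux v2 (the
# page does not say which Flux version SDP uses). Namespace, repository URL,
# key names, account ID, region and image digest are placeholders.
---
# Identity Flux impersonates for this tenant: bound to the built-in "admin"
# ClusterRole inside the payments namespace only, so the team's manifests
# cannot create ClusterRoles, touch other namespaces, or alter Flux itself.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-deployer
  namespace: payments
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-deployer
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-deployer
    namespace: payments
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
# Source: the Flux configuration repository. Flux only needs read access to
# it; commits are verified against trusted OpenPGP public keys before use.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: payments-config
  namespace: payments
spec:
  interval: 1m
  url: ssh://git@git.example.gov/sdp/payments-config.git
  ref:
    branch: main
  secretRef:
    name: payments-git-deploy-key      # read-only deploy key (assumed)
  verify:
    mode: HEAD
    secretRef:
      name: payments-git-signing-keys  # .asc public keys of allowed committers
---
# Reconciler: applies ./clusters/prod from that repository. Anything removed
# from Git is pruned from the cluster, so Git is the complete change record.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: payments
  namespace: payments
spec:
  interval: 5m
  sourceRef:
    kind: GitRepository
    name: payments-config
  path: ./clusters/prod
  prune: true
  serviceAccountName: payments-deployer
---
# clusters/prod/deployment.yaml in the configuration repository: the resource
# definition developers commit. The image is pinned by digest so the cluster
# runs exactly the artifact the pipeline scanned and pushed to Amazon ECR.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels: {app: payments-api}
  template:
    metadata:
      labels: {app: payments-api}
    spec:
      automountServiceAccountToken: false
      containers:
        - name: api
          image: 123456789012.dkr.ecr.us-gov-west-1.amazonaws.com/payments-api@sha256:<digest-from-pipeline>
          envFrom:
            - secretRef:
                name: payments-db   # Secret materialized from Secrets Manager by the external secrets controller (assumed name)
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
```

The design point is that nothing in the CI side ever talks to the Kubernetes API: Jenkins produces an image and, at most, a commit to the configuration repository, while the only writer into the cluster is Flux, constrained by the `payments-deployer` binding. Pinning the image by digest rather than a mutable tag means the change record in Git identifies the exact artifact that was scanned and deployed.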
Throughout the infrastructure, GitOps helps with provisioning as well as the application deployment process. Coined by Weaveworks CEO Alexis Richardson, GitOps is an operating model for Kubernetes and other cloud-native technologies. It provides a set of best practices that unifies deployment, management, and monitoring for clusters and applications.
How the implementation enables C-ATO
Teams deploying their applications using the SDP platform on AWS are able to obtain C-ATO, significantly reducing the time to obtain an ATO for deployments from months to days, due to the following key features:
- Multiple teams can deploy applications simply by modifying the CI/CD configuration through code, with only read-only access to the Jenkins console.
- Flux pulls Docker images into the cluster with read-only access to Amazon ECR, so Jenkins is not granted any cluster privileges. This reduces the attack surface and eliminates significant security risks to the pipeline from common attack vectors.
- The SDP provides the same mechanism for changing infrastructure as for changing applications. This reduces manual, ad hoc changes in environments after deployment, cutting time spent on infrastructure changes by up to 85% while also reducing the risk associated with manual intervention.
- All changes to the production environment are recorded automatically, improving transparency and traceability.
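The second bullet above rests on a permission split: the CI server may only write images, and the cluster side may only read them. The AWS CloudFormation template below is an added example of that split (not part of the SDP, which the page says uses CloudFormation but whose templates are not shown). The repository name and the EC2 trust principals are assumptions; in a real deployment the pull role would typically be the EKS node role or an IRSA role.

```yaml
# Added example (CloudFormation, not part of SDP): one Amazon ECR repository
# and two IAM roles whose permissions do not overlap.
#   - JenkinsPushRole: the CI server can push images to this repository and
#     nothing else; it holds no Kubernetes credentials at all.
#   - ClusterPullRole: the identity the cluster pulls images with can only read.
# Repository name and trust principals are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Least-privilege ECR access split between CI (push) and cluster (pull)

Parameters:
  RepositoryName:
    Type: String
    Default: payments-api

Resources:
  AppRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref RepositoryName
      ImageTagMutability: IMMUTABLE      # a scanned tag cannot be silently replaced
      ImageScanningConfiguration:
        ScanOnPush: true                 # registry-side scan alongside the pipeline's

  JenkinsPushRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: {Service: ec2.amazonaws.com}   # Jenkins agents on EC2 (assumed)
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EcrPushOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: Login                 # token call is account-wide by design
                Effect: Allow
                Action: ecr:GetAuthorizationToken
                Resource: "*"
              - Sid: PushToOneRepo         # no GetDownloadUrlForLayer, no delete
                Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                  - ecr:PutImage
                Resource: !GetAtt AppRepository.Arn

  ClusterPullRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: {Service: ec2.amazonaws.com}   # EKS worker nodes (assumed)
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EcrPullOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: Login
                Effect: Allow
                Action: ecr:GetAuthorizationToken
                Resource: "*"
              - Sid: ReadOneRepo           # no PutImage, no upload actions
                Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                  - ecr:DescribeImages
                  - ecr:ListImages
                Resource: !GetAtt AppRepository.Arn

Outputs:
  RepositoryUri:
    Value: !GetAtt AppRepository.RepositoryUri
```

Using `!GetAtt AppRepository.Arn` instead of a hand-written ARN keeps the template portable across the standard and GovCloud partitions and scopes each role to a single repository, which is narrower than the account-wide AWS managed policy `AmazonEC2ContainerRegistryReadOnly` that nodes are often given. With immutable tags, a compromised CI credential cannot overwrite an already-deployed tag, and a compromised node credential cannot push at all.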
Conclusion
Government organizations operate within heightened security environments, but they need to provide cutting-edge platforms that are accessible and provide value for constituents quickly. Booz Allen’s platform as a service approach built on FedRAMP-authorized AWS services provides the accelerated service delivery agencies need to meet these requirements with a continuous authority to operate (C-ATO).
Dig deeper by visiting the Amazon EKS learning lab as an introduction to managed container platforms. Then, continue your GitOps journey with the GitOps with Weave Flux learning lab.
To take the next step with the Booz Allen Hamilton SDP, see the learning labs and discover ways to get involved with SDP.