How to accelerate CMMC compliance with the new AWS Compliant Framework
In our recent post, Building your Cybersecurity Maturity Model Certification (CMMC) strategy using cloud technologies, we reviewed how the defense industrial base (DIB) community can leverage the AWS Cloud to reduce the time, effort, complexity, and risk for deploying CMMC compliant environments. DIB customers want the ability to quickly deploy secure, scalable, multi-account environments based on AWS best practices, including the AWS Well-Architected Framework. The new Amazon Web Services (AWS) Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) solution was purpose built to help customers accelerate the deployment of their AWS Cloud-based CMMC compliant architecture.
The AWS Compliant Framework is an automated solution designed to help customers reduce the time to setup an environment for running secure and scalable workloads while implementing an initial security baseline that meets US federal government standards. The solution was designed to address the requirements for deploying DoD CMMC and DoD Cloud Computing Security Requirements Guide (CC SRG) compliant environments. The solution provides a baseline environment which includes a multi-account architecture, tenant account creation and management, identity and access management, governance, data security, network design, and logging, as illustrated in Figure 1.
Figure 1. The AWS Compliant Framework accounts structure.
The AWS Compliant Framework provides the following to help customers address CMMC requirements:
1. Fully automated infrastructure as code including account structure and networking
The AWS Compliant Framework utilizes infrastructure as code solutions such as AWS CloudFormation and the AWS Cloud Development Kit (AWS CDK) to deploy a best practices based environment that will help meet CMMC requirements. This includes the fully automated creation of AWS accounts, configuration of security services, and deployment of networking infrastructure.
The solution deploys an account structure that meets the CMMC requirements by separating mission activities from the overall environment management activities. The CMMC Access Control (AC) domain requires least privilege enforcement and separation of duties enforcement (see CMMC practices AC.2.007, AC.3.017), which includes limiting access to only the transactions a user is authorized for (see CMMC practices AC.1.001, AC.1.002). The mission accounts are created centrally using AWS Organizations, and as a result the users are local to the specific mission account. Service Control Policies (SCP) can be implemented to further restrict activities such as flow of Controlled Unclassified Information (CUI) as required by practice AC.2.016 or restricting direct public access to systems to support compliance with practice AC.1.004. The account structure provides isolation boundaries at each mission account level, thereby requiring explicit permissions and settings to move CUI in accordance with practice AC.2.016
The solution creates a new AWS account, known as the transit account, with a purpose specific Amazon Virtual Private Cloud (VPC) where firewalls can be deployed. This both limits and controls the connection to and use of external information systems as required by practice AC.1.003. This configuration also helps manage remote access as required by practice AC.2.015. Users can also implement SCPs to further limit an account administrators’ ability to change these configurations.
The networking infrastructure and account structure also helps control the communication boundaries as required by practices SC.1.175 and SC.1.176 by limiting the traffic patterns between the accounts and the internet. Specifically, the solution provides a transit account that has no workloads and forms the boundary of the publicly accessible system components as required by practice SC.1.176. The account is also separated from internal networks and communication is only allowed via AWS Transit Gateway route tables, which enforce SC.1.175 practice requirements.
2. Aggregation of AWS environment logs for security information and event management (SIEM) integration
The AWS Compliant Framework includes a logging account that provides a centralized, immutable location for various types of log data generated across the environment. Log data is collected primarily within Amazon Simple Storage Service (Amazon S3) buckets. This includes AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, operating system and application logs, and any other logs that require consolidation, aggregation, and retention. All the logs are placed into a separate logging account with file integrity enabled on all generated log files, and utilizes the principle of least privilege, discrete permissions for accessing data within this account, which helps make sure of log integrity and fidelity and aligns with practices AU.3.048, AU.3.049, AU.3.050. The centralized aggregation of logs into a single Amazon S3 bucket also provides a single source to ingest data for a SIEM tool in support of IR.3.098 practice requirements.
3. Continuous auditing using AWS security services
On top of AWS CloudTrail and AWS Config, additional AWS security services are enabled in all accounts using AWS CloudFormation StackSets. This makes sure all accounts have a baseline set of AWS security services properly configured across the environment. The AWS Compliant Framework utilizes the AWS SecurityHub Foundational Security Best Practices and CIS Foundations Benchmark to provide a comprehensive view of security alerts and the security posture for all accounts (see practices CM.3.067, CM.3.068 requirements). The solution also receives findings from multiple AWS services such as Amazon GuardDuty, Amazon Inspector, AWS Identity and Access Management (IAM), and custom findings through AWS Config and AWS CloudWatch Events.
4. Extensibility plug in architecture
The AWS Compliant Framework enables customers to customize and extend the environment to meet the needs of their organization. All inputs and outputs, such as the physical IDs of generated resources, are stored in the AWS Systems Manager Parameter Store. This allows customers to access information about deployed resources in the environment and to add additional services using any infrastructure as code solution that can read from the parameter store. In most cases, customers will not need to modify the AWS Compliant Framework codebase. However, customers who want additional customization to the deployment steps within the solution can access the codebase that is fully available as an open source project hosted on GitHub.
The AWS Compliant Framework solution helps customers as they plan for their CMMC compliance assessment by reducing the level of effort to define the best architecture for the business. Learn more about the latest on AWS CMMC solutions and compliance information here. If you have CMMC questions, contact your AWS account team or submit your questions using the AWS Compliance Contact Us Form.
Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.