Using AWS for Criminal Justice Information Solutions
The CJIS Security Policy outlines the “appropriate controls to protect the full lifecycle of CJI (Criminal Justice Information), whether at rest or in transit,” irrespective of the underlying information technology model. By using solutions built on AWS, agencies can manage and secure their applications and data in the AWS cloud.
AWS provides building blocks that public safety agencies and their application partners can utilize to build highly available, resilient, and secure applications in alignment with the CJIS Security Policy. AWS customers maintain complete ownership and control over their data, which is enabled through access to simple, powerful, cloud native tools that allow them to manage the full life cycle of sensitive customer data. Customers exercise exclusive control over where data is stored and the methods used to secure data in transit and at rest, and manage access to their information systems built on AWS.
Properly securing Criminal Justice Information (CJI) and maintaining compliance with the CJIS Security Policy requires a number of security controls aimed at ensuring only authorized individuals have access to the CJI. The principle of least privilege is one of the most fundamental underpinnings of the CJIS Security Policy, based on a "need-to-know, right-to-know" standard. AWS customers can enforce least privilege by securely encrypting their CJI and limiting all access to the CJI to only those with access to the encryption keys. AWS provides services and tools, such as AWS Key Management Service (KMS) and the AWS Nitro System, that enable agencies and their trusted partners to retain complete control and ownership over their own criminal justice data.
AWS KMS uses hardware security modules (HSMs) that have been validated under FIPS 140-2 and allow customers to create, own, and manage their own customer master keys for all encryption. These customer master keys never leave the AWS KMS FIPS-validated hardware security modules unencrypted and are never known to AWS personnel.
The AWS Nitro System uses purpose-built hardware and servers designed specifically to run a virtual compute hypervisor and nothing more, removing all extra and unnecessary ports, components, and capabilities found on traditional servers. The AWS Nitro System’s security model is locked down and prohibits administrative access, eliminating the possibility of human error and tampering. Customers can also choose AWS Nitro Enclaves, which feature no persistent storage, no interactive access, and no external networking, to create isolated compute environments that further protect and securely process highly sensitive data.
The technological advancements of the AWS Nitro System and the AWS Key Management Service using FIPS 140-2 validated hardware security modules for symmetric encryption keys have removed the need to engage in the traditional method of relying on physical security and background checks as a way to qualify an individual’s “access” to unencrypted CJI. While the traditional approach can help achieve minimum compliance under the CJIS Security Policy, it doesn’t compare to the security that can be achieved using strong encryption practices and the deployment of “least privilege” principles to restrict CJI access to those with a need-to-know, right-to-know, and your explicit authorization. This allows customers and application providers to build solutions that eliminate all AWS employees from having physical and logical access to CJI and devices that store, process, and transmit CJI.
Is AWS CJIS compliant?
There is no central CJIS authorization body, no accredited pool of independent assessors, and no standardized assessment approach for determining whether a particular solution is considered CJIS compliant. AWS is committed to helping customers meet CJIS requirements.
How does a CJIS customer satisfy the Encryption at Rest Requirements?
All AWS services that store data at rest support FIPS 197 AES-256 symmetric encryption in accordance with the CJIS Security Policy. Customers can manage their own encryption keys as customer-managed master encryption keys in AWS Key Management Service (KMS), which uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints.
How does a CJIS customer satisfy the Encryption in Transit Requirements?
To support customers with FIPS cryptographic requirements, FIPS validated APIs are available in both AWS East/West (commercial) and AWS GovCloud (US). AWS enables customers to open a secure, encrypted session to AWS servers using HTTPS (Transport Layer Security [TLS]).
Do both AWS East/West (commercial) and GovCloud (US) FIPS endpoints meet CJIS FIPS 140-2/3 requirements?
Some AWS services offer endpoints that support Federal Information Processing Standard (FIPS) validation in some Regions. Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that complies with FIPS 140-2 or FIPS 140-3. Use of FIPS endpoints is required to meet CJIS compliance for CJI in transit. For a list of FIPS endpoints, see FIPS endpoints by Service.
For services that have components that are deployed within the customer environment (Storage Gateway, Snowball), what is the customer responsibility for ensuring CJIS Compliance?
Under the AWS Shared Responsibility model, customers must ensure locally deployed resources such as Storage Gateway disk volumes and Snowball data transfer workstations are managed in accordance with CJIS controls including data isolation and access controls.
Customers should ensure S3 storage buckets for Snowball and Storage Gateway in AWS are configured in accordance with CJIS requirements, including encryption at rest.
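The two controls the page places on the customer side of the shared responsibility line, encryption at rest under a customer-managed KMS key and encrypted transport to S3, can be expressed as a bucket default-encryption rule plus a bucket policy, and then audited. The following is an added example written for this page; it is not AWS code and not from the page. It uses only the Python standard library and runs offline: the bucket name and KMS key ARN are constructed placeholders, the `audit_encryption` function takes a dict shaped like the S3 `GetBucketEncryption` response (as the AWS SDK returns it) rather than calling the API, and the policy shape follows the documented S3 condition keys `s3:x-amz-server-side-encryption`, `s3:x-amz-server-side-encryption-aws-kms-key-id` and `aws:SecureTransport`.

```python
"""Build and audit an S3 bucket configuration for CJI: SSE-KMS under a
customer-managed key by default, uploads that request anything weaker
rejected, and all access forced over TLS.  Added example, not AWS code."""
from __future__ import annotations

import json

# Constructed placeholders; substitute the agency's own bucket and key ARN.
BUCKET = "example-cji-bucket"
CMK_ARN = ("arn:aws:kms:us-gov-west-1:111122223333:key/"
           "00000000-0000-0000-0000-000000000000")


def bucket_encryption_config(kms_key_arn: str) -> dict:
    """Default encryption rule (PutBucketEncryption body): SSE-KMS, i.e.
    AES-256 data keys wrapped by the agency's customer-managed KMS key."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": kms_key_arn,
        },
        "BucketKeyEnabled": True,
    }]}


def bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy that complements the default-encryption rule.
    The *IfExists operators mean an upload that sends no encryption header
    is left to the default rule; an upload that explicitly asks for SSE-S3
    or for a different KMS key is denied."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEqualsIfExists": {
             "s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyForeignKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEqualsIfExists": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        # Every request, read or write, must arrive over TLS.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def audit_encryption(get_bucket_encryption: dict, expected_key_arn: str) -> list[str]:
    """Check a GetBucketEncryption-shaped response.  Returns a list of
    findings; an empty list means the bucket meets the at-rest requirement
    with the expected customer-managed key."""
    rules = (get_bucket_encryption.get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    if not rules:
        return ["no default encryption configured"]
    findings = []
    for rule in rules:
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = sse.get("SSEAlgorithm")
        if algo != "aws:kms":
            # AES256 here means SSE-S3: AES-256, but the key is AWS-managed,
            # so the customer does not control access through the key.
            findings.append(f"default algorithm is {algo!r}, not SSE-KMS")
        elif sse.get("KMSMasterKeyID") != expected_key_arn:
            findings.append("SSE-KMS key is not the expected customer-managed key")
    return findings


def policy_denies_insecure_transport(policy: dict) -> bool:
    """True if some Deny statement is conditioned on aws:SecureTransport=false."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if (stmt.get("Effect") == "Deny"
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(bucket_encryption_config(CMK_ARN), indent=2))
    print(json.dumps(bucket_policy(BUCKET, CMK_ARN), indent=2))
    sample = {"ServerSideEncryptionConfiguration": bucket_encryption_config(CMK_ARN)}
    print("findings:", audit_encryption(sample, CMK_ARN))
```

The default-encryption rule and the policy do different jobs: the rule guarantees that objects written without an encryption header still land under the agency's key, while the policy stops a client from opting into SSE-S3 or another account's key and refuses plaintext HTTP altogether. The TLS statement covers transport to the S3 endpoint; to satisfy the FIPS endpoint requirement above, the client must additionally be pointed at a FIPS endpoint, which the AWS SDKs and CLI do when the `AWS_USE_FIPS_ENDPOINT=true` environment variable is set.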