Rocky Linux 9 FIPS AMI by Ironsmith

Rocky Linux 9 FIPS AMI is a production-ready Amazon Machine Image with FIPS mode enabled at the kernel level for organizations requiring cryptographic compliance.

FIPS Mode Configuration

FIPS mode is enabled at the kernel level. All system cryptography - including SSH, TLS, and disk encryption - uses only FIPS-approved algorithms. The Rocky Linux 9 kernel crypto module was validated under NIST CMVP #5113 for Rocky 9.2. This AMI runs the latest Rocky 9.x with FIPS mode enabled using the same algorithmic configuration. This AMI is not itself CMVP validated.

• Kernel FIPS mode active at boot (fips=1)
• System-wide FIPS crypto policy enforced
• OpenSSL, NSS, GnuTLS configured for FIPS
• Non-approved algorithms disabled: MD5, SHA-1, DES, RC4, Blowfish, Ed25519
• Approved algorithms work: AES-256, SHA-256/512, ECDSA, RSA (2048+), TLS 1.2+

Tested Workloads

Every release is tested against real-world workloads under FIPS:

• PostgreSQL with SCRAM-SHA-256 auth and SSL
• Nginx with TLS 1.2+ and FIPS-approved cipher suites
• Python 3 with hashlib, ssl, and cryptography package
• Java 17 with keytool, AES-GCM, and HMAC
• Node.js with crypto module, TLS, and FIPS detection
• Go applications with crypto/tls and FIPS-approved ciphers
• Podman containers inheriting FIPS mode from host

Terraform Module

An official Terraform module is available for automated deployment: ironsmith-io/ec2-rocky9-fips/aws on the Terraform Registry (https://registry.terraform.io/modules/ironsmith-io/ec2-rocky9-fips/aws ).

Quick Start

Launch the AMI and verify FIPS:

• Verify FIPS: fips-mode-setup --check
• Check kernel flag: cat /proc/sys/crypto/fips_enabled (returns 1)
• Check crypto policy: update-crypto-policies --show (returns FIPS)
• Confirm MD5 blocked: echo test | openssl dgst -md5 (fails)

What's Included

• Rocky Linux 9.x x86_64 (Intel/AMD, latest at build time)
• FIPS mode enabled system-wide
• cloud-init configured for AWS
• Customer-facing documentation at /usr/share/doc/ironsmith/rocky9-fips/
• Built-in FIPS verification tool: run 'sudo ironsmith' to generate compliance evidence

What's Not Included

• CIS hardening (see Rocky Linux 9 FIPS + CIS Hardened AMI)
• SSM Agent (see Known Limitations for install instructions)
• Custom applications

Security Group Recommendations

• Allow inbound TCP 22 (SSH) from your IP range or CIDR block
• Open additional ports as needed for your application (e.g., 443 for HTTPS, 5432 for PostgreSQL)
• Restrict SSH access to known IP ranges; avoid 0.0.0.0/0
• FIPS mode enforces TLS 1.2+ for all encrypted connections

Known Limitations

• Ed25519 SSH keys are not FIPS-approved and will not work. Use ECDSA or RSA keys. AWS-generated key pairs (RSA) work by default.
• SSM Agent is not pre-installed. Rocky Linux 9 does not include SSM Agent in its default repositories. See the AWS documentation for installation: https://docs.aws.amazon.com/systems-manager/latest/userguide/agent-install-rocky.html 
• MD5, SHA-1, DES, RC4, and Blowfish are disabled system-wide. Applications that depend on these algorithms will not work without reconfiguration.

Target Use Cases

• FedRAMP and FISMA environments
• HIPAA-regulated workloads
• PCI-DSS compliant systems
• NIST 800-171 compliance
• Any workload requiring FIPS-approved cryptography

Free to Use

No software charges. Pay only for AWS infrastructure (EC2, EBS, data transfer).

Rocky Linux is a registered trademark of The Rocky Enterprise Software Foundation. This product is not affiliated with or endorsed by The Rocky Enterprise Software Foundation.