This repository has been archived by the owner on Mar 9, 2023. It is now read-only.
forked from opencontrol/aws-compliance
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 1fc2d1e
Showing
8 changed files
with
350 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| documentation_complete: false | ||
| name: Cloud Formation | ||
| references: | ||
| - name: What is AWS CloudFormation? | ||
| path: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html | ||
| type: URL | ||
| satisfies: | ||
| - control_key: CM-2 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: 'DevOps maintain baseline configurations for VPC, EBS, EC2 instances | ||
| and AMIs. AWS Cloud Formation templates help 18F maintain a strict configuration | ||
| management scheme of the cloud infrastructure. If an error or misconfiguration | ||
| of the infrastructure or associated security mechanism (security groups, NACLs) | ||
| is detected, the administrators can analyze the current infrastructure templates; | ||
| compare with previous versions, and redeploy the configurations to a known and | ||
| approved state. | ||
| AWS Cloud Formation templates are the approved baseline for all changes to the | ||
| infrastructure and simplify provisioning and management on AWS. They provide an | ||
| automated method to assess the status of an operational infrastructure against | ||
| an approved baseline. | ||
| Linux instances are based on the standard AWS AMI images with configuration to | ||
| GSA requirements based on secure configurations documented in CM-6. | ||
| DevOps maintain copies of the latest Production Software Baseline, which includes | ||
| the following elements: Manufacturer, Type, Version number, Software, Databases, | ||
| and Stats. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| - control_key: CM-3 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: '- 18F provisions its infrastructure with AWS CloudFormation, the AWS | ||
| CloudFormation template describes exactly what resources are provisioned and their | ||
| settings. Because these templates are text files, 18F can simply track differences | ||
| in these templates to track changes to its infrastructure, similar to the way | ||
| developers control revisions to source code. | ||
| - 18F uses several version control systems(i.e. AWS Config, AWS Service Catalog) | ||
| with its templates to know exactly what changes were made, who made them, and | ||
| when. If at any point 18F needs to reverse changes to infrastructure, you can | ||
| use a previous version of a template. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| schema_version: 2.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| documentation_complete: false | ||
| name: EC2 | ||
| references: | ||
| - name: EC2 Documentation | ||
| path: https://aws.amazon.com/ec2/ | ||
| type: URL | ||
| satisfies: | ||
| - control_key: SC-7 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: "#### a \nThe AWS network provides significant protection against traditional\ | ||
| \ network security issues, and 18F can implement further protection. The following\ | ||
| \ are a few examples:\nDistributed Denial Of Service (DDoS) Attacks. AWS API endpoints\ | ||
| \ are hosted on large, Internet-scale, infrastructure. Proprietary DDoS mitigation\ | ||
| \ techniques are used. Additionally, AWS\u2019s networks are multi-homed across\ | ||
| \ a number of providers to achieve Internet access diversity.\nMan in the Middle\ | ||
| \ (MITM) Attacks. All of the AWS APIs are available via SSL-protected endpoints\ | ||
| \ which provide server authentication. Amazon EC2 AMIs automatically generate\ | ||
| \ new SSH host certificates on first boot and log them to the instance\u2019s\ | ||
| \ console. 18F can then use the secure APIs to call the console and access the\ | ||
| \ host certificates before logging into the instance for the first time. 18F uses\ | ||
| \ SSL for all interactions with AWS.\nIP Spoofing. Amazon EC2 instances cannot\ | ||
| \ send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure\ | ||
| \ will not permit an instance to send traffic with a source IP or MAC address\ | ||
| \ other than its own.\n\nAmazon EC2 provides a complete firewall solution; this\ | ||
| \ mandatory inbound firewall is configured in a default deny-all mode and Amazon\ | ||
| \ EC2 customers must explicitly open the ports needed to allow inbound traffic.\ | ||
| \ The traffic may be restricted by protocol, by service port, as well as by source\ | ||
| \ IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).\n\ | ||
| The firewall is configured in groups permitting different groups of instances\ | ||
| \ to have different rules.\n \n" | ||
| standard_key: NIST-800-53 | ||
| schema_version: 2.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,138 @@ | ||
| documentation_complete: false | ||
| name: Identity and Access Management | ||
| references: | ||
| - name: AWS Identity and Access Management (IAM) | ||
| path: https://aws.amazon.com/iam/ | ||
| type: URL | ||
| satisfies: | ||
| - control_key: AC-2 (5) | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: 'Account log out is set to 15 minutes of inactivity within the IAM console | ||
| per accountwithin the 18F virtual infrastructure. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-2 (1) | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: 'AWS infrastructure as a service Management Life Cycle is automated to | ||
| use AWS CLI scripts. 18F AWS Virtual Private Cloud can use the AWS Command Line | ||
| Interface (CLI) to automate the account management LifeCycle within its envoriment. | ||
| 18F uses the AWS IAM console for semi-automated automated account manamgemt | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-6 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: 'IAM policies are attached to the users, enabling centralized control | ||
| of permissions for users under 18F AWS Account to access services, buckets or | ||
| objects. With IAM policies, 18F only grant users within its own AWS account permission | ||
| to access its Amazon resources. | ||
| 18F AWS IAM policies are defined to grant only the required access for 18F staff | ||
| necessary to perform their functions. 18F defines least privilege access to each | ||
| user, group or role. | ||
| Security functions within the AWS infrastructure are explicitly defined within | ||
| IAM to include read-only permissions for any user functions. | ||
| 18F incorporate running the IAM Policy Simulator to test policies for least privilege | ||
| access for users and groups. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-6 (1) | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: '18F explicitly authorizes access to administrative and security functions | ||
| of its virtual infrastructure and Cloud.Gov platform to designated individuals | ||
| within the Devops and SecOps team. No other authrozations to security and administrative | ||
| information is granted to individuals outside these teams. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-2 (2) | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: 'This control is not applicable. All Temporary accounts are handled by | ||
| associating resources with IAM Roles. There are no guest/anonymous, group, or | ||
| temporary user accounts in the 18F AWS environment. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-5 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: "#### a \n18F implements Identity and Access Management (IAM) Policies\ | ||
| \ roles and individual user accounts for separation of duties. IAM policies\ | ||
| \ are attached to the users, enabling centralized control of permissions for users\ | ||
| \ under 18Fs AWS Account.\n \n#### b \n18F documents separation of duties of\ | ||
| \ AWS and Cloud Foundry users. All AWS IAM users, groups and roles can be viewed\ | ||
| \ wthin the AWS console. IAM users reports are generated to show all separation\ | ||
| \ of duties. Cloud Checkr also generates an a report of all IAM users within 18F\ | ||
| \ AWS environment.\n \n" | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-14 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: "#### a \nThere are no user or administrative actions than can be performed\ | ||
| \ within 18F virtual private cloud without multifactor authentication. Per AWS,\ | ||
| \ users can not gain access to the AWS console without identification and authorization\ | ||
| \ to its a vpc.\n \n#### b \nIt is not possible for members of the 18F Devops\ | ||
| \ and SecOps teams to aceess the 18F virtual private cloud infrastructure without\ | ||
| \ muitifactor authetication and identification. All clinet users of Cloud.gov\ | ||
| \ must login using authenticated credentials in order to access the system as\ | ||
| \ stated in Part A above.\n \n" | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-3 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: "18F follows best practices by implementing the majority of the following:\n\ | ||
| \ - Create individual accounts for anyone that requires access to the virtual\ | ||
| \ infrastructure or APIs or use IAM federation from enterprise identity management\ | ||
| \ system\n - Use groups or roles to assign permissions to IAM users and Cloud.gov\n\ | ||
| \ - Enable multi factor authentication for all IAM users\n - Use roles for applications\ | ||
| \ that run on EC2 instances\n - Delegate by using roles instead of sharing credentials\n\ | ||
| \ - Rotate credentials regularly\n - Store SSH keys securely to prevent disclosure,\ | ||
| \ and promptly replace lost or compromised keys.\n" | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-2 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: "#### a \nAWS accounts are managed through AWS Identity and Access Management\ | ||
| \ (IAM). Only users with a need to operate the AWS management console are provided\ | ||
| \ individual AWS user accounts. The following types are used:\n * User \u2013\ | ||
| \ Individual IAM accounts\n * System \u2013 system and application account not\ | ||
| \ used for interactive access\nThere are no guest/anonymous, groups, or temporary\ | ||
| \ user accounts in the 18F Environment\n \n#### k \n18F does not allow shared/group\ | ||
| \ account credentials within the AWS environment. All users have individual accounts\ | ||
| \ to access the AWS environment. 18F has created specific policies that allow\ | ||
| \ individual users to assume a role within the AWS environment.\n \n" | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-6 (5) | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: "18F restricts privileged accounts such as administrator and root access\ | ||
| \ accounts to designated members within the18F Devops and SecOps teams. Within\ | ||
| \ the virtual infrastructure the admin account is not used for privileged access.\ | ||
| \ It\u2019s only used for billing and metrics.\n" | ||
| standard_key: NIST-800-53 | ||
| - control_key: IA-2 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: 'All users have individually unique identifiers to access and authenticate | ||
| to the AWS environment through the AWS management console. 18F AWS IAM users are | ||
| placed into IAM roles based on their assigned roles and permissions | ||
| Additional temporary permission are delegated with the IAM roles usually for applications | ||
| that run on EC2 Instances in order to access AWS resources All user accounts for | ||
| 18F staff are maintained within the 18F AWS Environment. | ||
| Shared or group authenticators are not utilized, Service accounts are implemented | ||
| as Managed Services Accounts within AWS. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| schema_version: 2.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| documentation_complete: false | ||
| name: Multi-Factor Authentication | ||
| references: | ||
| - name: Multi-Factor Authentication Documentation | ||
| path: https://aws.amazon.com/iam/details/mfa/ | ||
| type: URL | ||
| satisfies: | ||
| - control_key: IA-2 (1) | ||
| covered_by: [] | ||
| narrative: 'AWS multifactor authentication (MFA) for privileged users of the AWS | ||
| console is implemented. This service has been configured for 18F administrative | ||
| accounts in IAM. Multifactor authentication adds an extra layer of security for | ||
| login access to the AWS management console. 18F users are prompted for a username | ||
| and password, as well as the authentication code from their MFA device. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| - control_key: IA-3 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: 'The underlying AWS infrastructure does not permit unauthenticated privileged | ||
| user access for console or API access. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| - control_key: IA-2 (2) | ||
| covered_by: [] | ||
| narrative: 'AWS multi-factor authentication (MFA) for non-privileged users of the | ||
| AWS console is implemented. With MFA enabled, all users are prompted for a username | ||
| and password, as well as the authentication code from their MFA device. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| schema_version: 2.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| # AWS Compliance -- testing | ||
| Controls for AWS, currently this repos is being used to test dependency imports for compliance-masonry-go |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| documentation_complete: false | ||
| name: S3 | ||
| satisfies: | ||
| - control_key: AU-4 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: 'Administrators can define the amount of storage dedicated to audit record | ||
| storage on their instances. Using S3 bucket will ensure storage of audit events | ||
| will never be exceeded. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| schema_version: 2.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| documentation_complete: false | ||
| name: Amazon Virtual Private Cloud | ||
| references: | ||
| - name: Amazon VPC | ||
| path: https://aws.amazon.com/vpc/ | ||
| type: URL | ||
| satisfies: | ||
| - control_key: AC-4 (21) | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: 'The virtual private cloud logically separates the Cloud.Gov PaaS from | ||
| other information systens within its environment. Cloud.gov is hosted within its | ||
| own VPC and has its own dedicated elastic load balancers for incoming traffic. | ||
| ' | ||
| standard_key: NIST-800-53 | ||
| - control_key: SC-7 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: "#### a \nAWS Boundary Protection - Secure Network Architecture\n18F\ | ||
| \ utilizes the AWS provided virtual network devices, including firewall and other\ | ||
| \ boundary devices, in place to monitor and control communications at the external\ | ||
| \ boundary of the network and at key internal boundaries within the network. These\ | ||
| \ boundary devices employ rule sets, access control lists (ACL), and configurations\ | ||
| \ to enforce the flow of information to specific information system services.\n\ | ||
| ACLs, or traffic flow policies, are established on each managed interface, which\ | ||
| \ manage and enforce the flow of traffic.\n18F connects to an AWS access point\ | ||
| \ via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol\ | ||
| \ that is designed to protect against eavesdropping, tampering, and message forgery.\n\ | ||
| 18F utilizes the AWS Virtual Private Cloud (VPC), which provides a private subnet\ | ||
| \ within the AWS cloud. Each VPC is configured to utilize Routing Rules, Subnet\ | ||
| \ Rules, and Security Group Rules. Each of these controls must have appropriate\ | ||
| \ rules and routes in-place before any external service is able to reach a host\ | ||
| \ within AWS.\n \n#### b \nEach VPC is configured to utilize Routing Tables,\ | ||
| \ and Security Groups. Each of these controls must have appropriate rules and\ | ||
| \ routes in-place before any external service is able to reach a host within Cloud\ | ||
| \ Foundry.\n \n#### c \nThe Cloud.gov system is internal to the 18F Virtual\ | ||
| \ Private Cloud (VPC) and does not connect to external networks or information\ | ||
| \ systems outside the 18F Virtual Private Cloud (VPC).\n \n" | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-17 (4) | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: "Since the Cloud.Gov platform resides within the 18F virtual infrastructure,\ | ||
| \ 18F Devops must use the SSH remote access method to troubleshoot issues and\ | ||
| \ update services that are only resolved by logging into the Cloud.Gov jumpboxes.\ | ||
| \ The jumpboxes themselves are virtual machine deployed within the 18F\u2019s\ | ||
| \ virtual private cloud. They are the only access points for designated Devops\ | ||
| \ members to run privileged commnds that affect the entire platform. No other\ | ||
| \ privileged remote access is available to the information system.\n" | ||
| standard_key: NIST-800-53 | ||
| - control_key: AC-4 | ||
| covered_by: [] | ||
| implementation_status: none | ||
| narrative: "18F incorporates security features within its vpc such as IAM security\ | ||
| \ groups, network ACLs, routing tables, and external gateways. Each of these items\ | ||
| \ is complementary to providing a secure, isolated network.\nNetwork Access control\ | ||
| \ lists (ACLs) are created to allow or deny traffic entering or exiting these\ | ||
| \ subnets. Each subnet has routing tables attached to them to direct the flow\ | ||
| \ of network traffic to Internet gateways, virtual private gateways, Network Address\ | ||
| \ Translation (NAT) for private subnets.\n18F\u2019s virtual private cloud infrastructure\ | ||
| \ has firewalls enabling filtering on both ingress and egress traffic from its\ | ||
| \ instances. The default group enables inbound communication from other members\ | ||
| \ of the same group and outbound communication to any destination.\nTraffic is\ | ||
| \ restricted by IP protocol, by service port, as well as source/destination IP\ | ||
| \ address (individual IP or Classless Inter-Domain Routing (CIDR) block).\n" | ||
| standard_key: NIST-800-53 | ||
| schema_version: 2.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| schema_version: "1.0.0" | ||
| name: AWS | ||
| metadata: | ||
| description: Amazon Web Services | ||
| maintainers: | ||
| - [email protected] | ||
| components: | ||
| - ./CloudFormation | ||
| - ./IAM | ||
| - ./S3 | ||
| - ./EC2 | ||
| - ./MultiFactor | ||
| - ./VPC |