Is my application "FIPS 140-2" compliant?


Hello,

I run Tomcat on an Amazon EC2 instance. It is Tomcat 8, and I installed it from the standard yum repository that Amazon provides. The machine is a few years old so it might not be a current Amazon Linux release. The version of Java appears to be "OpenJDK 1.8.0_382" and my SSL certificate is issued by "RapidSSL TLS RSA CA G1".

I'm not a security expert. My boss asked me if our system is FIPS 140-2 compliant. I don't really know what that means or how I would go about making this determination. Is it the certificate that determines this, or is it the encryption libraries in Java, or something else? Does it matter what the client is using to connect?

Thanks, Frank

Frank
asked 4 months ago, 278 views
1 Answer

Hi,

You have here a list of AWS services that are FIPS-compliant: https://aws.amazon.com/compliance/fips/

As you will see, EC2 and its close services (Image Builder, etc.) are FIPS compliant. But be careful: the compliance of your final global system strongly depends on the way you configure the AWS services that you use and also on how you configure your additional software (Tomcat, etc.).

Have a look at this ppt to understand more about a FIPS certification journey: https://d1.awsstatic.com/events/Summits/awsreinforce2023/DAP323_AWS-LC-FIPS-certification-journey-and-how-its-used-on-AWS.pdf

Best,

Didier

answered 4 months ago by an AWS Expert
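The answer's point that the Tomcat side of the configuration matters is concrete enough to check mechanically. The following script is an added example, not part of Didier's answer or of any AWS material: it parses a Tomcat server.xml, finds every TLS-enabled Connector (including Tomcat 8.5-style nested SSLHostConfig elements) and flags protocol versions below TLS 1.2 (the minimum NIST SP 800-52 Rev. 2 allows for a server) and cipher suites built on primitives FIPS 140-2 does not approve (RC4, MD5, single DES, ChaCha20-Poly1305, NULL, export and anonymous suites). It assumes the ciphers attribute uses JSSE-style names separated by commas; an OpenSSL-syntax cipher string such as "HIGH:!aNULL" is not expanded but reported for manual review. The server.xml fragment embedded below is constructed for the example and is not Frank's real configuration.

```python
"""Audit a Tomcat server.xml for TLS settings that FIPS 140-2 / SP 800-52r2 rule out.

Added example, not code from the original post. Assumes JSSE-style cipher
names in the ciphers attribute; OpenSSL cipher strings are reported as opaque.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Protocol versions a FIPS-oriented TLS server must not enable.
# SP 800-52r2 requires TLS 1.2 as the minimum; SSLv2Hello is the legacy hello wrapper.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Primitives with no FIPS 140-2 approval, matched against JSSE suite names.
# TDEA (3DES) is approved, so the single-DES pattern must not match "3DES".
NON_APPROVED = [
    (re.compile(r"RC4"), "RC4"),
    (re.compile(r"MD5"), "MD5"),
    (re.compile(r"(?<!3)DES"), "single DES"),
    (re.compile(r"CHACHA20"), "ChaCha20-Poly1305"),
    (re.compile(r"NULL"), "NULL cipher or MAC"),
    (re.compile(r"EXPORT"), "export-grade key"),
    (re.compile(r"_anon_"), "anonymous key exchange"),
]

# Constructed sample configuration (not a real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2" ciphers="HIGH:!aNULL:!MD5">
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""


def classify_cipher(name: str) -> list:
    """Return the reasons a JSSE cipher suite name is unacceptable ([] if none found)."""
    return [label for pattern, label in NON_APPROVED if pattern.search(name)]


def parse_protocols(value: str) -> list:
    """Expand a protocols/sslEnabledProtocols attribute: '+X' enables, '-X' disables, 'all' kept as-is."""
    enabled = []
    for token in (t.strip() for t in value.split(",")):
        if not token or token.startswith("-"):
            continue
        enabled.append(token.lstrip("+"))
    return enabled


def parse_ciphers(value: str):
    """Split a ciphers attribute. Returns (jsse_names, opaque_openssl_string_or_None)."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    if tokens and all(re.fullmatch(r"(TLS|SSL)_[A-Z0-9_]+", t) for t in tokens):
        return tokens, None
    return [], value  # OpenSSL syntax: expand with `openssl ciphers -v '<string>'` on the host


def audit_server_xml(xml_text: str) -> list:
    """Return one finding dict per TLS-enabled Connector in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocols, ciphers, opaque = [], [], []
        # Tomcat 8.0 puts TLS attributes on the Connector; 8.5+ on nested SSLHostConfig.
        for attrs in [conn.attrib] + [h.attrib for h in conn.findall("SSLHostConfig")]:
            for key in ("sslEnabledProtocols", "protocols"):
                if key in attrs:
                    protocols += parse_protocols(attrs[key])
            if "ciphers" in attrs:
                names, opaque_string = parse_ciphers(attrs["ciphers"])
                ciphers += names
                if opaque_string:
                    opaque.append(opaque_string)
        verdicts = {c: classify_cipher(c) for c in ciphers}
        findings.append({
            "port": conn.get("port"),
            "weak_protocols": sorted(set(protocols) & WEAK_PROTOCOLS),
            "needs_explicit_protocols": "all" in protocols,
            "bad_ciphers": {c: why for c, why in verdicts.items() if why},
            "opaque_cipher_strings": opaque,
        })
    return findings


def is_clean(finding: dict) -> bool:
    """True only when nothing was flagged and nothing was left for manual review."""
    return not (finding["weak_protocols"] or finding["needs_explicit_protocols"]
                or finding["bad_ciphers"] or finding["opaque_cipher_strings"])


if __name__ == "__main__":
    # Usage: python audit_tomcat_tls.py [path/to/server.xml]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for finding in audit_server_xml(text):
        status = "clean" if is_clean(finding) else "REVIEW"
        print(f"port {finding['port']}: {status} {finding}")
```

On the constructed sample this reports port 8443 for enabling TLSv1 and TLSv1.1 and for the RC4/MD5 and ChaCha20 suites (the 3DES suite passes, as TDEA is an approved algorithm), and reports port 9443 only because its OpenSSL cipher string needs expanding with `openssl ciphers -v` on the host. A clean result is necessary but not sufficient: FIPS 140-2 is a validation of a cryptographic module, and the SunJCE/SunJSSE providers bundled with a stock OpenJDK are not a validated module, so a compliant Tomcat also needs its TLS and keystore operations routed through a validated provider (for example a PKCS#11 provider backed by a validated library, or a validated third-party JCE/JSSE provider), with the certificate chain itself being a separate question from the module doing the cryptography.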
