You're right that the AWS Management Console does not automatically use FIPS endpoints by default. Here are a few options to meet FIPS requirements when using the console:
- Set your browser to use a FIPS-compliant cipher suite. This forces FIPS mode for console connections.
- Use AWS Single Sign-On (SSO) for access. The SSO service can be configured for FIPS-only endpoints.
- Utilize AWS Client VPN from a FIPS-enabled client device. Traffic will stay on AWS's network and only use FIPS endpoints.
- Create an allow list of specific FIPS console endpoints instead of blocking all non-FIPS. The docs list required IPs/domains: https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html
- Use AWS console access via AWS Workspace, which can enforce FIPS-only connectivity.
- Switch management to CLI/SDK only, avoiding the console entirely.
- For thorough FIPS validation, the CLI, SDK, client VPN, SSO, and Workspace options will provide the strongest assurances. The browser and IP allow list approaches have some residual risk of non-compliant access.
And as you mentioned, ensuring EC2 instances, Lambda functions, etc. have the FIPS endpoint enabled is also key. AWS provides many building blocks but customers must properly enable FIPS mode.
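For the "CLI/SDK only" option above, the pinning is done with the `use_fips_endpoint` profile setting or the `AWS_USE_FIPS_ENDPOINT` environment variable (the environment variable takes precedence over the config file). The following is an added example, not code from the thread or from AWS: it audits a constructed `~/.aws/config` and reports which profiles are actually FIPS-pinned, so that a profile left on non-FIPS endpoints is caught before anyone uses it.

```python
"""Audit AWS CLI/SDK profiles for FIPS endpoint enforcement.

Assumes the real SDK settings `use_fips_endpoint` (config file) and
`AWS_USE_FIPS_ENDPOINT` (environment, higher precedence). SAMPLE_CONFIG
is constructed for this example.
"""
import configparser
import os

# Constructed sample: the default profile is NOT pinned to FIPS endpoints.
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile govcloud]
region = us-gov-west-1
use_fips_endpoint = true
"""


def _is_true(value):
    return value.strip().lower() == "true"


def effective_fips_setting(config_text, profile="default", env=None):
    """Return True if FIPS-only endpoints are enforced for this profile.

    The environment variable wins over the config file, matching the SDK's
    resolution order (code > environment > config file).
    """
    env = os.environ if env is None else env
    env_value = env.get("AWS_USE_FIPS_ENDPOINT")
    if env_value is not None:
        return _is_true(env_value)
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not parser.has_section(section):
        return False
    return _is_true(parser.get(section, "use_fips_endpoint", fallback="false"))


def audit_profiles(config_text, env=None):
    """Map every profile in the config file to its effective FIPS setting."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    names = [s if s == "default" else s.removeprefix("profile ")
             for s in parser.sections()]
    return {name: effective_fips_setting(config_text, name, env) for name in names}


if __name__ == "__main__":
    for name, enforced in audit_profiles(SAMPLE_CONFIG, env={}).items():
        print(f"{name}: {'FIPS enforced' if enforced else 'NOT FIPS-pinned'}")
```

Exporting `AWS_USE_FIPS_ENDPOINT=true` in the shell that runs the CLI covers every profile at once, which is the simplest way to remove the per-profile gap the audit reports.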
A key thing to keep in mind is that the FedRAMP JAB has confirmed that the AWS Management Console does not require a JAB review: https://aws.amazon.com/compliance/services-in-scope/FedRAMP/. While this doesn't necessarily mean that it would be out of scope of an assessment when it comes to CMMC, the JAB includes the DoD as a governing body. Actual CMMC requirements, as of this time, are still pending the rule-making period. In most FedRAMP workloads, the use of the console is generally not considered part of the authorization boundary.
Interesting, Rajarshi, that is good insight about the FedRAMP workloads. Still curious as to what Dave meant by "The SSO service can be configured for FIPS-only endpoints". Looking for a solution that guarantees the usage of FIPS endpoints while working in the console. I appreciate the help!
Hi Dave, thank you for that response. We currently use SSO for all console access. How can the SSO service be configured for FIPS-only endpoints?