FIPS compliance in AWS console

Hello, I am trying to better understand how to meet CMMC requirements in AWS GovCloud.

One of the biggest concerns is being FIPS compliant. I've read through this page (https://aws.amazon.com/compliance/fips/) and understand that you can set FIPS endpoints using the CLI and SDK for developers. This makes sense to me. However, I'm concerned that when accessing the management console, FIPS endpoints are not being used.

When blocking non-FIPS endpoints on our firewall, we found that several console pages broke due to network errors, which told us that the console by default does not use all FIPS endpoints.

Is there a way to force the usage of FIPS endpoints in the console?

I assume many government regulated entities have had similar concerns with FIPS not being used by default. Are there any other resources/tips for how to meet CMMC FIPS requirements in the cloud?

Thank you for the help.

2 Answers
You're right that the AWS Management Console does not automatically use FIPS endpoints by default. Here are a few options to meet FIPS requirements when using the console:

  • Set your browser to use a FIPS-compliant cipher suite. This forces FIPS mode for console connections.
  • Use AWS Single Sign-On (SSO) for access. The SSO service can be configured for FIPS-only endpoints.
  • Utilize AWS Client VPN from a FIPS-enabled client device. Traffic will stay on AWS's network and only use FIPS endpoints.
  • Create an allow list of specific FIPS console endpoints instead of blocking all non-FIPS. The docs list required IPs/domains: https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html
  • Use AWS console access via AWS Workspace, which can enforce FIPS-only connectivity.
  • Switch management to CLI/SDK only, avoiding the console entirely.
  • For thorough FIPS validation, the CLI, SDK, client VPN, SSO, and Workspace options will provide the strongest assurances. The browser and IP allow list approaches have some residual risk of non-compliant access.

And as you mentioned, ensuring EC2 instances, Lambda functions, etc. have the FIPS endpoint enabled is also key. AWS provides many building blocks but customers must properly enable FIPS mode.

AWS
answered 8 months ago
  • Hi Dave, thank you for that response. We currently use SSO for all console access. How can the SSO service be configured for FIPS-only endpoints?
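The question mentions that the CLI and SDK can be pointed at FIPS endpoints while the firewall block showed which console pages still hit non-FIPS hosts. The script below is an added example, not AWS code or anything from the answers above: it audits a constructed proxy log for AWS hostnames that would be blocked under a FIPS-only policy, and emits the shared-config stanza (`use_fips_endpoint`) that makes the CLI/SDKs resolve FIPS endpoints for a profile. The `-fips.` / `fips.` hostname pattern is an assumption to be confirmed against the AWS FIPS endpoint list.

```python
import re
from urllib.parse import urlsplit

# Hostname heuristic (assumption): FIPS endpoints are named "<service>-fips.<region>.amazonaws.com",
# a few older ones "fips.<service>.<region>.amazonaws.com". Confirm hits against the AWS FIPS list.
FIPS_HOST_RE = re.compile(r"(^fips\.|-fips\.)")
AWS_HOST_RE = re.compile(r"\.amazonaws\.com$")

def classify_host(host):
    """Return 'fips', 'non-fips' or 'other' (not an amazonaws.com hostname)."""
    host = host.lower().rstrip(".")
    if not AWS_HOST_RE.search(host):
        return "other"
    return "fips" if FIPS_HOST_RE.search(host) else "non-fips"

def host_from_target(target):
    """Accept either a full URL or a CONNECT-style host:port target and return the hostname."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0] if ":" in target else target

def audit_proxy_log(lines):
    """Map each distinct host in 'timestamp client method target status' lines to its class."""
    seen = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than guessing
        host = host_from_target(parts[3])
        if host:
            seen[host] = classify_host(host)
    return seen

def non_fips_aws_hosts(lines):
    """Hosts a FIPS-only egress policy would block: the ones that broke the console pages."""
    return sorted(h for h, c in audit_proxy_log(lines).items() if c == "non-fips")

def fips_profile_config(profile, region):
    """Shared config stanza that makes the AWS CLI/SDKs resolve FIPS endpoints for a profile."""
    return f"[profile {profile}]\nregion = {region}\nuse_fips_endpoint = true\n"

# Constructed sample proxy log (not real traffic): one FIPS host, two non-FIPS, one non-AWS, one junk.
SAMPLE_LOG = [
    "2024-05-01T12:00:00Z 10.0.0.5 CONNECT s3-fips.us-gov-west-1.amazonaws.com:443 200",
    "2024-05-01T12:00:01Z 10.0.0.5 GET https://ec2.us-gov-west-1.amazonaws.com/ 200",
    "2024-05-01T12:00:02Z 10.0.0.5 CONNECT dynamodb.us-gov-west-1.amazonaws.com:443 403",
    "2024-05-01T12:00:03Z 10.0.0.5 CONNECT sso.example.com:443 200",
    "garbage line",
]
```

Run `non_fips_aws_hosts` over your own proxy export to see exactly which services the console reached outside the FIPS set before deciding what to allow-list.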

A key thing to keep in mind is that the FedRAMP JAB has confirmed that the AWS Management Console does not require a JAB review: https://aws.amazon.com/compliance/services-in-scope/FedRAMP/. While this doesn't necessarily mean that it would be out of scope of an assessment when it comes to CMMC, the JAB includes the DoD as a governing body. Actual CMMC requirements, as of this time, are still pending the rule making period. In most FedRAMP workloads, the use of the console is generally not considered part of the authorization boundary.

AWS
answered 8 months ago
  • Interesting, Rajarshi, that is good insight about the FedRAMP workloads. Still curious as to what Dave meant by "The SSO service can be configured for FIPS-only endpoints". Looking for a solution that guarantees the usage of FIPS endpoints while working in the console. I appreciate the help!
