
How to deal with FedRAMP non-compliant LZA resources?

0

Hi all

I used the Landing Zone Accelerator (LZA) to create infrastructure to make my env FedRAMP compliant - https://aws.amazon.com/blogs/publicsector/support-fedramp-cmmc-compliance-landing-zone-accelerator-aws/. But when I deployed AWS Config Conformance Pack for FedRAMP - https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-fedramp-moderate.html, I could see so many of LZA created resources are not compliant. For example, in the Audit account:

cloudwatch-log-group-encrypted:
    /AWSAccelerator-SecurityHub
    /aws/lambda/AWSAccelerator-LoggingSta-AutoScalingServiceLinked-xyzxyzxyz
    ...

cw-loggroup-retention-period-check:
    /aws/lambda/aws-controltower-NotificationForwarder
    ...

lambda-inside-vpc:
    AWSAccelerator-LoggingSta-AutoScalingServiceLinked-xyzxyzxyz
    AWSAccelerator-LoggingSta-AutoScalingServiceLinked-xyzxyzxyz
    ...
    AWSAccelerator-NetworkVpc-CustomDeleteDefaultVpcCu-xyzxyz
    AWSAccelerator-NetworkVpc-CustomGetResourceShareCu-xyzxyz
    ...

sns-encrypted-kms:
    arn:aws-us-gov:sns:us-gov-east-1:[account-id]:aws-controltower-AggregateSecurityNotifications
    arn:aws-us-gov:sns:us-gov-east-1:[account-id]:aws-controltower-AllConfigNotifications
    arn:aws-us-gov:sns:us-gov-east-1:[account-id]:aws-controltower-SecurityNotifications

...

Some of them can be remediated manually, but some cannot, e.g., lambda-inside-vpc, since I am not sure I can move the Lambda functions into VPCs and still have the LZA work as expected.

Is it ok that the LZA resources are not compliant with FedRAMP for the applications' FedRAMP compliance? I.e., can I say that it should be ok because those resources have nothing to do with the application, so those non-compliant resources do not impact FedRAMP compliance?

Or did I miss anything when I deployed the LZA, e.g., a config option, to make all the deployed resources compliant with FedRAMP?

Thanks.

1 Answer
0
Accepted Answer

The LZA documentation contains a page addressing Security Hub (SH) findings that gives you guidance for most of the findings you are having issues with and why they can be ignored. It looks like you are viewing this through the AWS Config lens (which is what feeds SH), so you might find it difficult to piece together how those SH findings tie back to Config rules, but that's not impossible.

If your FedRAMP accreditor is willing to accept the LZA team guidance, I would recommend suppressing the findings.

If there are certain findings that are outside of that list / what you are willing to accept, I would recommend pushing fixes via the LZA (either through a native LZA feature or via Customization). If you do not, there is definitely a chance the LZA will correct for the drift introduced via manual changes.

answered a year ago
EXPERT
reviewed 10 months ago
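The answer's triage boils down to splitting NON_COMPLIANT Config results into resources the LZA / Control Tower created (to be checked against the LZA findings guidance and, if accepted, suppressed) and everything else (to be remediated, preferably through the LZA). The script below is an added example, not code from the question, the answer or the LZA project; it assumes the input has the shape of the EvaluationResults list that `aws configservice get-compliance-details-by-config-rule` returns, and the platform name prefixes (`AWSAccelerator-`, `aws-controltower-`) are taken from the resource names quoted in the question. The sample data is constructed.

```python
"""Triage AWS Config NON_COMPLIANT results: LZA/Control Tower-managed vs other."""
from collections import defaultdict

# Assumed prefixes of resources the LZA and Control Tower create (as seen in the
# question). Extend this tuple if your deployment uses a different accelerator prefix.
MANAGED_PREFIXES = ("AWSAccelerator-", "aws-controltower-")


def _resource_name(resource_id: str) -> str:
    """Reduce an ARN, Lambda log-group path or plain name to the bare resource name."""
    name = resource_id.rsplit(":", 1)[-1]          # ARN -> last segment
    name = name.split("/aws/lambda/", 1)[-1]        # Lambda log group -> function name
    return name.lstrip("/")                         # other log groups start with '/'


def is_platform_managed(resource_id: str, prefixes=MANAGED_PREFIXES) -> bool:
    """True when the resource name carries an LZA / Control Tower prefix."""
    return _resource_name(resource_id).startswith(prefixes)


def triage(evaluation_results):
    """Group NON_COMPLIANT results by Config rule into 'platform' and 'other' buckets.

    Input shape assumed to match EvaluationResults from
    get-compliance-details-by-config-rule; COMPLIANT entries are skipped.
    """
    report = defaultdict(lambda: {"platform": [], "other": []})
    for result in evaluation_results:
        if result["ComplianceType"] != "NON_COMPLIANT":
            continue
        q = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        bucket = "platform" if is_platform_managed(q["ResourceId"]) else "other"
        report[q["ConfigRuleName"]][bucket].append(q["ResourceId"])
    return dict(report)


def _r(rule, rtype, rid, status="NON_COMPLIANT"):
    """Build one evaluation result in the Config API shape (constructed sample)."""
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ConfigRuleName": rule, "ResourceType": rtype, "ResourceId": rid}},
            "ComplianceType": status}


# Constructed sample modelled on the findings quoted in the question; the account id is fake.
SAMPLE = [
    _r("cloudwatch-log-group-encrypted", "AWS::Logs::LogGroup", "/AWSAccelerator-SecurityHub"),
    _r("cloudwatch-log-group-encrypted", "AWS::Logs::LogGroup", "/aws/lambda/my-app-api"),
    _r("lambda-inside-vpc", "AWS::Lambda::Function", "AWSAccelerator-NetworkVpc-CustomDeleteDefaultVpcCu-xyzxyz"),
    _r("lambda-inside-vpc", "AWS::Lambda::Function", "my-app-worker"),
    _r("sns-encrypted-kms", "AWS::SNS::Topic", "arn:aws-us-gov:sns:us-gov-east-1:111111111111:aws-controltower-SecurityNotifications"),
    _r("sns-encrypted-kms", "AWS::SNS::Topic", "arn:aws-us-gov:sns:us-gov-east-1:111111111111:my-app-alerts", "COMPLIANT"),
]

if __name__ == "__main__":
    for rule, groups in triage(SAMPLE).items():
        print(rule, groups)
```

Anything that lands in the "other" bucket is not covered by the LZA guidance and needs a real fix, while the "platform" bucket is the list to reconcile against the LZA findings page before suppressing.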
