Meeting the FedRAMP FIPS 140–2 requirement on AWS
FedRAMP is a compliance program for cloud services to process US Federal government data. If you haven’t heard of it, consider yourself lucky. Your luck may be running out, though, as the FedRAMP marketplace grew from 100 to 377 authorized products in the last five years. This includes LaunchDarkly, where I led our effort for FedRAMP Moderate authorization. As more organizations work on FedRAMP compliance, they’ve learned around the dreaded FIPS 140–2 requirement.
FedRAMP says all Federal data must be encrypted with FIPS 140–2-validated encryption modules (which I’ll shorten from here on to FIPS modules). Cloud service security folks — those poor souls tasked with obtaining FedRAMP authorization — have found themselves perplexed. How can we use FIPS modules everywhere, when right now we’re using vanilla off-the-shelf crypto? This single nuance in the huge set of FedRAMP requirements has an outsized impact on architectural decision-making.
This blog post is divided into two parts. First, I’ll stitch together the published statements that describe the FedRAMP FIPS 140–2 requirement. Then, I’ll share some ideas I’ve collected for implementing encryption that uses FIPS modules on AWS.
The FedRAMP FIPS 140–2 requirement
FedRAMP is composed of many NIST 800–53 controls. One of those controls — SC-13: Cryptographic Protection — describes how data should be encrypted:
The information system implements [cryptography] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
FedRAMP expects to see all data at rest and in transit encrypted. This is unsurprising, even if some would argue cloud encryption is worthless. But, we also need to follow applicable standards, which includes FIPS-validated cryptography. Does that mean that we can’t use standard crypto libraries like NaCL? The FedRAMP Authorization Boundary Guidance confirms our fears:
Security control SC-13 requires the use of FIPS-validated cryptography.
Note: FIPS validation applies to cryptographic modules, not protocols (e.g., TLS). The cryptographic module that sets up the TLS tunnel must be FIPS validated.
You can’t just use Approved Security Functions for FIPS from NIST (e.g. AES, SHA256) with your chosen hardware and software. The module on which your cryptography runs must be validated by an accredited labs under the Cryptographic Module Validation Program (CMVP). You can search the list of several hundred active validated modules on the NIST website, including six related to AWS.
Before I describe how to meet this compliance objective, I want to state that I think FedRAMP requiring FIPS modules is bad. Some reasons:
- The recommended cryptographic algorithms don’t evolve quickly enough (see https://hackernoon.com/the-trouble-with-fips)
- Validated FIPS modules have vulnerabilities which require patching and recertification (see http://veridicalsystems.com/blog/secure-or-compliant-pick-one/)
- It’s unclear how FIPS validation, which relies on specific hardware and software configurations, works in the shared responsibility model of cloud
- It’s a huge burden on software development to ask that data stored and sent anywhere uses code subject to onerous third-party validation
FedRAMP services can have tons of security-relevant code (e.g. authentication and authorization protocols) where no specific algorithms, let alone implementations, are enforced. Why can’t FedRAMP just, say, require the FIPS “approved” algorithms and leave the implementation validation to the CSP and auditors, rather than NIST/NSA? I’ve heard StateRAMP (at least for now) does not require FIPS modules, only “modern cryptography”.
Unless FedRAMP changes its mind to “STOP DOING FIPS”, it’s up to those at FedRAMP authorization-seeking cloud services to show how they meet this requirement.
AWS and FIPS
Before describing techniques for meeting the FIPS requirement on AWS, I’ll note that my advice may not be accurate for your organization. The FedRAMP authorization process is a conversation between your auditors, agency, and the PMO. Technical stacks diverge, and there are unique complexities that you’ll need to solve for on your journey. Also, I’ve stitched together the relevant published information I could find. You’ll need more research and evidence to demonstrate a comprehensive FIPS strategy. For instance, you may want to review Customer Compliance Guides (CCGs) in AWS Artifact for customer responsibilities for FIPS for applicable AWS services. Good luck!
FIPS encryption in transit
The main AWS FIPS page is just a list of “FIPS Endpoints by Service”. It describes how you can access AWS services over TLS using FIPS modules. Recent SDKs have introduced the AWS_USE_FIPS_ENDPOINT environment variable to support automatic use of these endpoints, when they’re available. If you’re stuck with an old SDK version that doesn’t support the variable, or you’re using some other library to connect to AWS, you’ll have to manually point to FIPS endpoints. You might think that it would default to use these endpoints in GovCloud — you would be wrong. There’s also been a few bugs when FIPS endpoints aren’t available for your service and region. Another big caveat — these FIPS endpoints are almost always for the “control plane”, and don’t cover the data plane.
How can you be sure you’re using FIPS endpoints exclusively? An article about enabling FIPS 140–2 for Fargate discusses using CloudTrail to validate FIPS. You can look for the presence (or absence) of the term “fips” in the clientProvidedHostHeader in the tlsDetails data structure. This could be a good fit for a custom alert for CloudTrail, if that’s a capability you have.
A few additional areas where AWS supports FIPS modules:
- ALBs are commonly used to terminate TLS in many AWS architectures. There is no public interface for modifying or inspecting FIPS mode for ALB. Instead, it must be manually configured by contacting AWS support.
- You can run a FIPS-compliant Fargate cluster, but only in GovCloud.
- Instances on the Nitro system would likely use the Nitro Card Security Engine CVMP certificate for VPC communication.
In addition to relying on AWS services to use FIPS modules, you must write your code to leverage FIPS modules for encryption in transit. Both Ubuntu Pro and Amazon Linux 2 have FIPS modules for common cryptographic libraries like OpenSSL. Each distro also includes other FIPS modules for utilities like GnuTLS, Strongswan, and libgcrypt. Other distros (RHEL, CentOS, etc) may also have builds that promise FIPS compliance. There’s at least another blog post worth of material here, so I’ll leave this as an exercise to the reader.
FIPS encryption at rest
There’s not much AWS documentation on using FIPS modules for encryption at rest. FedRAMP-compliant AWS managed services, like RDS, DynamoDB, etc. that offer KMS-based encryption at rest should be using FIPS modules. A plausible piece of evidence is that AWS KMS uses FIPS modules for the underlying HSMs. Then, you can show that the “encrypted” setting is turned on for all Federal data storage infrastructure, and that infrastructure is based on FedRAMP-compliant AWS services and the KMS FIPS module.
This story is flimsy for high-volume data backends that rely on intermediate cryptographic mechanisms, like including EBS data keys and S3 bucket keys. There would be too many KMS calls if you had to roundtrip an encrypt/decrypt call for every request. So, make sure you have a solid understanding of your auditor’s interpretation of the requirements, and don’t hesitate to lean on AWS support to provide explanations that aren’t available in public-facing documentation.
AWS has some Operational Best Practices for FedRAMP that describe how SC-13 maps to a few existing AWS Config rules. These rules check that KMS-based encryption at rest is enabled for S3 buckets, SageMaker notebooks, SNS topics, and Redshift clusters. Not a bad start, but not the basis for a comprehensive control implementation. Ideally, each data store containing Federal data should be tagged, and policies should alert when these data stores are marked as encrypted.
The FIPS requirement is among the most painful in FedRAMP. It’s difficult to interpret and fulfill, and there’s not enough AWS or FedRAMP documentation describing comprehensive strategies. Whatever you do, make sure you plan to use FedRAMP-worthy FIPS modules as early as you can. Retrofitting the requirements after the service is up and running can be a real challenge.
Thoughts about this article? Let me know on Mastodon: https://infosec.exchange/@alsmola
