├── .travis.yml
├── CloudFormation
│   └── component.yaml
├── EC2
│   └── component.yaml
├── IAM
│   └── component.yaml
├── MultiFactor
│   └── component.yaml
├── README.md
├── S3
│   └── component.yaml
├── VPC
│   └── component.yaml
├── opencontrol.yaml
└── test_data_valid.py

/.travis.yml:
--------------------------------------------------------------------------------
language: python

sudo: false

python:
  - "3.4"

cache: pip

install:
  - git clone https://github.com/opencontrol/schemas
  - travis_retry pip install pytest
  - travis_retry pip install pykwalify
  - travis_retry pip install pyyaml

script:
  - py.test

--------------------------------------------------------------------------------
/CloudFormation/component.yaml:
--------------------------------------------------------------------------------
documentation_complete: false
name: CloudFormation
references:
- name: What is AWS CloudFormation?
  path: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html
  type: URL
satisfies:
- control_key: CM-2
  covered_by: []
  implementation_status: none
  narrative: 'DevOps maintain baseline configurations for VPC, EBS, EC2 instances
    and AMIs. AWS CloudFormation templates help the organization maintain a strict
    configuration management scheme of the cloud infrastructure. If an error or
    misconfiguration of the infrastructure or associated security mechanism (security
    groups, NACLs) is detected, the administrators can analyze the current
    infrastructure templates, compare them with previous versions, and redeploy the
    configurations to a known and approved state.

    AWS CloudFormation templates are the approved baseline for all changes to the
    infrastructure and simplify provisioning and management on AWS. They provide an
    automated method to assess the status of an operational infrastructure against
    an approved baseline.

    Linux instances are based on the standard AWS AMI images with configuration to
    GSA requirements based on secure configurations documented in CM-6.

    DevOps maintain copies of the latest Production Software Baseline, which includes
    the following elements: Manufacturer, Type, Version number, Software, Databases,
    and Stats.

    '
  standard_key: NIST-800-53
- control_key: CM-3
  covered_by: []
  implementation_status: none
  narrative: '- The organization provisions its infrastructure with AWS
    CloudFormation; the AWS CloudFormation template describes exactly what resources
    are provisioned and their settings. Because these templates are text files, the
    organization can simply track differences in these templates to track changes to
    its infrastructure, similar to the way developers control revisions to source
    code.

    - The organization keeps its templates under version control and uses AWS
    configuration-tracking services (e.g. AWS Config, AWS Service Catalog) to know
    exactly what changes were made, who made them, and when. If at any point the
    organization needs to reverse changes to infrastructure, it can use a previous
    version of a template.

    '
  standard_key: NIST-800-53
schema_version: 2.0

--------------------------------------------------------------------------------
/EC2/component.yaml:
--------------------------------------------------------------------------------
documentation_complete: false
name: EC2
references:
- name: EC2 Documentation
  path: https://aws.amazon.com/ec2/
  type: URL
satisfies:
- control_key: SC-7
  covered_by: []
  implementation_status: none
  narrative: "#### a \nThe AWS network provides significant protection against traditional\
    \ network security issues, and 18F can implement further protection. The following\
    \ are a few examples:\nDistributed Denial Of Service (DDoS) Attacks.
    AWS API endpoints\
    \ are hosted on large, Internet-scale, infrastructure. Proprietary DDoS mitigation\
    \ techniques are used. Additionally, AWS\u2019s networks are multi-homed across\
    \ a number of providers to achieve Internet access diversity.\nMan in the Middle\
    \ (MITM) Attacks. All of the AWS APIs are available via TLS-protected endpoints\
    \ which provide server authentication. Amazon EC2 AMIs automatically generate\
    \ new SSH host keys on first boot and log their fingerprints to the instance\u2019s\
    \ console. 18F can then use the secure APIs to read the console output and obtain the\
    \ host key fingerprints before logging into the instance for the first time. 18F uses\
    \ TLS for all interactions with AWS.\nIP Spoofing. Amazon EC2 instances cannot\
    \ send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure\
    \ will not permit an instance to send traffic with a source IP or MAC address\
    \ other than its own.\n\nAmazon EC2 provides a complete firewall solution; this\
    \ mandatory inbound firewall is configured in a default deny-all mode and Amazon\
    \ EC2 customers must explicitly open the ports needed to allow inbound traffic.\
    \ The traffic may be restricted by protocol, by service port, as well as by source\
    \ IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).\n\
    The firewall is configured in groups permitting different groups of instances\
    \ to have different rules.\n \n"
  standard_key: NIST-800-53
schema_version: 2.0

--------------------------------------------------------------------------------
/IAM/component.yaml:
--------------------------------------------------------------------------------
documentation_complete: false
name: Identity and Access Management
references:
- name: AWS Identity and Access Management (IAM)
  path: https://aws.amazon.com/iam/
  type: URL
satisfies:
- control_key: AC-2 (5)
  covered_by: []
  implementation_status: none
  narrative: "Account logout is set to 15 minutes of inactivity within the Identity and Access Management (IAM) console
    per account within the organization's virtual infrastructure.
    "
  standard_key: NIST-800-53
- control_key: AC-2 (1)
  covered_by: []
  implementation_status: none
  narrative: "The account management life cycle for the organization's AWS infrastructure as a service is automated
    with AWS CLI scripts. The organization's AWS Virtual Private Cloud (VPC) can use the AWS Command Line
    Interface (CLI) to automate the account management life cycle within its environment.
    The organization uses the AWS Identity and Access Management (IAM) console for semi-automated
    account management.
    "
  standard_key: NIST-800-53
- control_key: AC-6
  covered_by: []
  implementation_status: none
  narrative: "Identity and Access Management (IAM) policies are attached to the users, enabling centralized control
    of permissions for users under the organization's AWS Account to access services, buckets or
    objects. With IAM policies, the organization only grants users
    within its own AWS account permission to access its Amazon resources.

    AWS IAM policies are defined to grant only the required access for the organizational staff
    necessary to perform their functions. The organization defines least privilege access to each
    user, group or role.

    Security functions within the AWS infrastructure are explicitly defined within
    IAM to include read-only permissions for any user functions.

    The organization incorporates running the IAM Policy Simulator to test policies for least privilege
    access for users and groups.
    "
  standard_key: NIST-800-53
- control_key: AC-6 (1)
  covered_by: []
  implementation_status: none
  narrative: "The organization explicitly authorizes access to administrative and security functions
    of its virtual infrastructure and residing platforms to designated individuals
    within the organization's SecOps and DevOps teams. No other authorizations to security and administrative
    information are granted to individuals outside these teams.
    "
  standard_key: NIST-800-53
- control_key: AC-2 (2)
  covered_by: []
  implementation_status: none
  narrative: "This control is not applicable. Temporary access is handled by
    associating resources with Identity and Access Management (IAM) Roles rather than by creating accounts.
    There are no guest/anonymous, group, or
    temporary user accounts in the organization's AWS environment.
    "
  standard_key: NIST-800-53
- control_key: AC-5
  covered_by: []
  implementation_status: none
  narrative: "#### a \nThe organization implements Identity and Access Management (IAM) Policies,\
    \ roles and individual user accounts for separation of duties. IAM policies\
    \ are attached to the users, enabling centralized control of permissions for users\
    \ under the AWS Account.\n \n#### b \nThe organization documents separation of duties of\
    \ AWS users. All AWS IAM users, groups and roles can be viewed\
    \ within the AWS console. IAM user reports are generated to show all separation\
    \ of duties. \n
    "
  standard_key: NIST-800-53
- control_key: AC-14
  covered_by: []
  implementation_status: none
  narrative: "#### a \nThere are no administrative actions that can be performed\
    \ within the organization's Virtual Private Cloud (VPC) without multifactor authentication.
    Per AWS,\
    \ privileged users cannot gain access to the AWS console without identification and authorization\
    \ to its VPC.\n \n#### b \nIt is not possible for members of the 18F DevOps\
    \ and SecOps teams to access the organization's VPC infrastructure without\
    \ multifactor authentication. \n \n
    "
  standard_key: NIST-800-53
- control_key: AC-3
  covered_by: []
  implementation_status: none
  narrative: "The organization follows best practices by implementing the majority of the following:\n\
    \ - Create the organization's individual accounts for anyone that requires access to the virtual\
    \ infrastructure or APIs, or use Identity and Access Management (IAM) federation from the enterprise identity management\
    \ system\n - Use groups or roles to assign permissions to IAM users\n\
    \ - Enable multi factor authentication for all IAM users\n - Use roles for applications\
    \ that run on EC2 instances\n - Delegate by using roles instead of sharing credentials\n\
    \ - Rotate credentials regularly\n - Store SSH keys securely to prevent disclosure,\
    \ and promptly replace lost or compromised keys.\n
    "
  standard_key: NIST-800-53
- control_key: AC-2
  covered_by: []
  implementation_status: none
  narrative: "#### a \nAWS accounts are managed through AWS Identity and Access Management\
    \ (IAM). Only users with a need to operate the AWS management console are provided\
    \ individual AWS user accounts. The following types are used:\n * User-\
    \ Individual IAM accounts\n * System- system and application accounts not\
    \ used for interactive access\nThere are no guest/anonymous, group, or temporary\
    \ user accounts in the organization's environment\n \n#### k \nThe organization does not allow shared/group\
    \ account credentials within the AWS environment. All users have individual accounts\
    \ to access the AWS environment.
    The organization has created specific policies that allow\
    \ individual users to assume a role within the AWS environment.\n \n
    "
  standard_key: NIST-800-53
- control_key: AC-6 (5)
  covered_by: []
  implementation_status: none
  narrative: "The organization restricts privileged accounts such as administrator and root access\
    \ accounts to designated members within the DevOps and SecOps teams. Within\
    \ the virtual infrastructure the admin account is not used for privileged access.\
    \ It\u2019s only used for billing and metrics.\n
    "
  standard_key: NIST-800-53
- control_key: IA-2
  covered_by: []
  implementation_status: none
  narrative: "All users have individually unique identifiers to access and authenticate
    to the AWS environment through the AWS management console. The organization's AWS Identity and
    Access Management (IAM) users are placed into IAM roles based on their assigned duties and permissions.

    Additional temporary permissions are delegated through IAM roles, usually to applications
    that run on EC2 instances in order to access AWS resources. All user accounts for
    staff are maintained within the organization's AWS environment.

    Shared or group authenticators are not utilized; service accounts are implemented
    as managed service accounts within AWS.
    "
  standard_key: NIST-800-53
schema_version: 2.0

--------------------------------------------------------------------------------
/MultiFactor/component.yaml:
--------------------------------------------------------------------------------
documentation_complete: false
name: Multi-Factor Authentication
references:
- name: Multi-Factor Authentication Documentation
  path: https://aws.amazon.com/iam/details/mfa/
  type: URL
satisfies:
- control_key: IA-2 (1)
  covered_by: []
  narrative: 'AWS multifactor authentication (MFA) for privileged users of the AWS
    console is implemented. This service has been configured for 18F administrative
    accounts in IAM. Multifactor authentication adds an extra layer of security for
    login access to the AWS management console. 18F users are prompted for a username
    and password, as well as the authentication code from their MFA device.

    '
  standard_key: NIST-800-53
- control_key: IA-3
  covered_by: []
  implementation_status: none
  narrative: 'The underlying AWS infrastructure does not permit unauthenticated privileged
    user access for console or API access.

    '
  standard_key: NIST-800-53
- control_key: IA-2 (2)
  covered_by: []
  narrative: 'AWS multi-factor authentication (MFA) for non-privileged users of the
    AWS console is implemented. With MFA enabled, all users are prompted for a username
    and password, as well as the authentication code from their MFA device.

    '
  standard_key: NIST-800-53
schema_version: 2.0

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# AWS Compliance
This repository contains compliance data for the following AWS components:
CloudFormation, IAM, S3, EC2, MultiFactor, and VPC

To import this data into an OpenControl project, add the following to your opencontrol.yaml file.
```yaml
dependencies:
  systems:
    - url: https://github.com/opencontrol/aws-compliance
      revision: master
```

For more information on opencontrol.yaml, visit the [Compliance Masonry CLI](https://github.com/opencontrol/compliance-masonry#creating-an-opencontrol-project).

--------------------------------------------------------------------------------
/S3/component.yaml:
--------------------------------------------------------------------------------
documentation_complete: false
name: S3
satisfies:
- control_key: AU-4
  covered_by: []
  implementation_status: none
  narrative: 'Administrators can define the amount of storage dedicated to audit record
    storage on their instances. Shipping audit events to an S3 bucket ensures that the
    audit record storage capacity is never exceeded.

    '
  standard_key: NIST-800-53
schema_version: 2.0

--------------------------------------------------------------------------------
/VPC/component.yaml:
--------------------------------------------------------------------------------
documentation_complete: false
name: Amazon Virtual Private Cloud
references:
- name: Amazon VPC
  path: https://aws.amazon.com/vpc/
  type: URL
satisfies:
- control_key: AC-4 (21)
  covered_by: []
  implementation_status: none
  narrative: 'The virtual private cloud logically separates the hosted services from other information systems within its environment.
    Any service built using AWS VPC will reside within its
    own virtual private network and may have its own dedicated elastic load balancers for incoming traffic.

    '
  standard_key: NIST-800-53
- control_key: SC-7
  covered_by: []
  implementation_status: none
  narrative: "#### a \nAWS Boundary Protection - Secure Network Architecture\n18F\
    \ utilizes the AWS provided virtual network devices, including firewall and other\
    \ boundary devices, in place to monitor and control communications at the external\
    \ boundary of the network and at key internal boundaries within the network. These\
    \ boundary devices employ rule sets, access control lists (ACL), and configurations\
    \ to enforce the flow of information to specific information system services.\n\
    ACLs, or traffic flow policies, are established on each managed interface, which\
    \ manage and enforce the flow of traffic.\n Designated privileged users (PU) connect to\
    \ an AWS access point via HTTPS using Transport Layer Security (TLS, formerly SSL), a cryptographic protocol\
    \ that is designed to protect against eavesdropping, tampering, and message forgery.\n\
    PUs utilize the AWS Virtual Private Cloud (VPC), which provides a private subnet\
    \ within the AWS cloud. Each VPC is configured to utilize Routing Rules, Subnet\
    \ Rules, and Security Group Rules. Each of these controls must have appropriate\
    \ rules and routes in place before any external service is able to reach a host\
    \ within AWS.\n \n#### b \nEach VPC is configured to utilize Routing Tables,\
    \ and Security Groups.
    Each of these controls must have appropriate rules and\
    \ routes in place before any external service is able to reach the host within the\
    \ information system boundary.\n \n#### c \nThe information system is internal to the defined\
    \ VPC and does not connect to external networks or information\
    \ systems outside the VPC.\n \n"
  standard_key: NIST-800-53
- control_key: AC-17 (4)
  covered_by: []
  implementation_status: none
  narrative: "Since the information system platform resides within the defined virtual infrastructure,\
    \ Privileged Users (PU) must use the SSH remote access method to troubleshoot issues and\
    \ update services, which is only possible by logging into a Bastion Host (BH).\
    \ The BHs themselves are virtual machines deployed within the organization's\
    \ virtual private cloud. They are the only access points for designated PU\
    \ members to run privileged commands that affect the entire platform. No other\
    \ privileged remote access is available to the information system.\n"
  standard_key: NIST-800-53
- control_key: AC-4
  covered_by: []
  implementation_status: none
  narrative: "The organization incorporates security features within its VPC such as security\
    \ groups, network ACLs, routing tables, and external gateways. Each of these items\
    \ is complementary to providing a secure, isolated network.\nNetwork Access control\
    \ lists (ACLs) are created to allow or deny traffic entering or exiting these\
    \ subnets. Each subnet has routing tables attached to it to direct the flow\
    \ of network traffic to Internet gateways, virtual private gateways, and Network Address\
    \ Translation (NAT) for private subnets.\nThe organization's Virtual Private Cloud (VPC) infrastructure\
    \ has firewalls enabling filtering on both ingress and egress traffic from its\
    \ instances. The default group enables inbound communication from other members\
    \ of the same group and outbound communication to any destination.\nTraffic is\
    \ restricted by IP protocol, by service port, as well as source/destination IP\
    \ address (individual IP or Classless Inter-Domain Routing (CIDR) block).\n"
  standard_key: NIST-800-53
schema_version: 2.0

--------------------------------------------------------------------------------
/opencontrol.yaml:
--------------------------------------------------------------------------------
schema_version: "1.0.0"
name: AWS
metadata:
  description: Amazon Web Services
  maintainers:
  - gabriel.ramirez@gsa.gov
components:
- ./CloudFormation
- ./IAM
- ./S3
- ./EC2
- ./MultiFactor
- ./VPC

--------------------------------------------------------------------------------
/test_data_valid.py:
--------------------------------------------------------------------------------
from glob import iglob

import yaml
from pykwalify.core import Core
from pykwalify.errors import SchemaError

# Kwalify schema for OpenControl component files; .travis.yml clones it into ./schemas
SCHEMA_PATH = 'schemas/opencontrol-component-kwalify-schema.yaml'


def get_schema():
    # safe_load: the schema is plain data, so the full yaml.load constructor is never needed
    with open(SCHEMA_PATH) as schema_file:
        return yaml.safe_load(schema_file)


def test_component_data_valid():
    """ Check that the content of every */component.yaml fits the masonry schema v2 """
    schema = get_schema()
    for component_file in iglob('*/component.yaml'):
        print(component_file)
        with open(component_file) as handle:
            source_data = yaml.safe_load(handle)
        # one validator per file: pykwalify keeps the source on the Core instance
        validator = Core(source_data=source_data, schema_data=schema)
        try:
            validator.validate(raise_exception=True)
        except SchemaError as err:
            # report the offending file together with the validator's own message
            raise AssertionError("Error found in: {0}: {1}".format(component_file, err))
--------------------------------------------------------------------------------