
GovCloud Config rule fixes for FedRAMP Low Conformance Pack #440


Open: wants to merge 3 commits into base: master

Conversation

iteuscher

Issue #421: Conformance Pack for FedRAMP not deployable in GovCloud

Description of changes:
The FedRAMP Low conformance pack does not function in AWS GovCloud. Specifically, the rules listed below are not available in GovCloud or several other regions. I performed a full analysis of the non-GovCloud Config Rules and provided suggestions for how to update the rules. The full content of my analysis is available in this public spreadsheet: https://docs.google.com/spreadsheets/d/1eKZpe2EPA-8RQkG6bWViwLRrdDeS4yUpvtvUpu_4WEg/edit?usp=sharing

For an example, see the documentation below on root-account-mfa-enabled: https://docs.aws.amazon.com/config/latest/developerguide/root-account-mfa-enabled.html

AWS Region: All supported AWS regions except China (Beijing), Asia Pacific (Thailand), Middle East (UAE), Asia Pacific (Malaysia), AWS GovCloud (US-East), AWS GovCloud (US-West), Mexico (Central), Israel (Tel Aviv), Canada West (Calgary), China (Ningxia) Region

| Config rule that needs to be fixed | Suggested change | Note |
|---|---|---|
| cloudtrail-enabled | cloud-trail-enabled | Add hyphen (cloud-trail) |
| ec2-instance-managed-by-systems-manager | ec2-instance-managed-by-ssm | Acronym for SSM |
| ec2-instances-in-vpc | instances-in-vpc | Remove ec2 |
| ecs-task-definition-memory-hard-limit | -- | Consider creating custom rule |
| multi-region-cloudtrail-enabled | multi-region-cloud-trail-enabled | Add hyphen (cloud-trail) |
| opensearch-in-vpc-only | -- | elasticsearch-in-vpc-only already used |
| restricted-common-ports | nacl-no-unrestricted-ssh-rdp | Use similar rule |
| restricted-ssh | incoming-ssh-disabled | Use similar rule |
| root-account-hardware-mfa-enabled | -- | No root account MFA checks in GovCloud |
| root-account-mfa-enabled | -- | No root account MFA checks in GovCloud |
| waf-regional-webacl-not-empty | -- | Consider creating custom rule |

These changes have been made in this pull request and I confirmed that this version of the conformance pack successfully deploys in AWS GovCloud.

I confirm these files are made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode)
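An added example (not part of this pull request or the conformance pack repository) that applies the table above to a conformance pack template before deployment, so rules with no GovCloud equivalent are reported as uncovered controls rather than silently failing to deploy. It assumes the pack is in JSON template form with `AWS::Config::ConfigRule` resources, that the pack's `ConfigRuleName` values match the rule names in the table, and that a managed rule's `SourceIdentifier` is the rule name in upper snake case (true for the six replacements in the table; check the AWS docs for any other rule). The three-rule sample pack is constructed for the example.

```python
import json
from copy import deepcopy

# PR table: rule name in the pack -> GovCloud-available replacement.
# None means there is no drop-in managed rule; the control needs a custom rule.
GOVCLOUD_REPLACEMENTS = {
    "cloudtrail-enabled": "cloud-trail-enabled",
    "ec2-instance-managed-by-systems-manager": "ec2-instance-managed-by-ssm",
    "ec2-instances-in-vpc": "instances-in-vpc",
    "ecs-task-definition-memory-hard-limit": None,
    "multi-region-cloudtrail-enabled": "multi-region-cloud-trail-enabled",
    "opensearch-in-vpc-only": None,
    "restricted-common-ports": "nacl-no-unrestricted-ssh-rdp",
    "restricted-ssh": "incoming-ssh-disabled",
    "root-account-hardware-mfa-enabled": None,
    "root-account-mfa-enabled": None,
    "waf-regional-webacl-not-empty": None,
}

def port_to_govcloud(template: dict) -> tuple[dict, list[str]]:
    """Return a patched copy of the pack plus a report of every rename/drop.
    The input template is left untouched."""
    patched, report = deepcopy(template), []
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::Config::ConfigRule":
            continue
        props = res["Properties"]
        if props.get("Source", {}).get("Owner") != "AWS":
            continue  # custom (Lambda-backed) rules are not region-gated managed rules
        name = props.get("ConfigRuleName")
        if name not in GOVCLOUD_REPLACEMENTS:
            continue
        new_name = GOVCLOUD_REPLACEMENTS[name]
        if new_name is None:
            del patched["Resources"][logical_id]
            report.append(f"DROPPED {name}: no managed equivalent in GovCloud; control now uncovered")
        else:
            p = patched["Resources"][logical_id]["Properties"]
            p["ConfigRuleName"] = new_name
            # Assumption: SourceIdentifier is the rule name in upper snake case.
            p["Source"]["SourceIdentifier"] = new_name.upper().replace("-", "_")
            report.append(f"RENAMED {name} -> {new_name} ({p['Source']['SourceIdentifier']})")
    return patched, report

# Constructed sample pack (JSON template form), not the repository's real file.
SAMPLE_PACK = {"Resources": {
    "CloudTrailEnabled": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "ConfigRuleName": "cloudtrail-enabled",
        "Source": {"Owner": "AWS", "SourceIdentifier": "CLOUDTRAIL_ENABLED"}}},
    "RootMfa": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "ConfigRuleName": "root-account-mfa-enabled",
        "Source": {"Owner": "AWS", "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED"}}},
    "S3PublicRead": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "ConfigRuleName": "s3-bucket-public-read-prohibited",
        "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}}}}}
```

Running `port_to_govcloud(SAMPLE_PACK)` renames the CloudTrail rule, drops the root MFA rule with a note that the control is now uncovered, and leaves the S3 rule alone; `json.dumps(patched)` is the template to deploy.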
