
Facilitating FedRAMP Compliance in AWS with Terraform
C2 Labs has built a wealth of experience in the world of cybersecurity and compliance. In a recent project, our client was pursuing FedRAMP authorization and needed to ensure that their AWS-based SaaS platform met the necessary compliance standards. Autonomous was able to evaluate the client’s AWS setup to identify compliance issues, and provide detailed fixes and recommendations to address those issues.
Thought Leadership
Evaluated existing AWS infrastructure to identify compliance issues and weak points.
Provided detailed recommendations and useful documentation concerning the steps necessary to harden infrastructure and systems and make them compliant.
Worked closely with client engineers within the client’s change management processes to ensure they understood the changes and could maintain them going forward.
The Client
Our client is a company with an e-Learning SaaS product hosted in AWS. They have been building out an AWS infrastructure for several years, and have more recently begun managing their AWS infrastructure using Terraform. However, the infrastructure they had built was not all FedRAMP-ready.
Challenges
1. Complex Existing Codebase:
The client’s AWS infrastructure was largely managed by a mature and complex Terraform codebase. Locating the appropriate pieces of code which needed to be updated to change particular infrastructure objects in AWS required careful examination, and an understanding of both AWS and Terraform.
2. Detailed but Non-Disruptive Changes to Existing Architecture:
Some FedRAMP controls proved to require rather complex changes to the existing infrastructure. Implementing these changes without creating disruptions presented an additional challenge.
Solution
To address these challenges, our team carefully went through each compliance-related finding in AWS Security Hub, examining the relevant existing AWS infrastructure and making careful determinations concerning what changes would need to be made in order to bring the infrastructure into compliance.
Then, our team provided detailed documentation of the findings, controls, and recommended changes. In addition, the team also provided recommended changes to the Terraform code for review by the client’s engineering teams. After discussing the recommended changes with the client’s engineering teams, the changes were implemented.
Results
As a result of our team’s engagement, CIS compliance benchmark scores were increased from 49% to 81%. Our team also provided detailed recommendations for addressing all of the remaining findings (19%). The overall Security Hub score increased from ~45% to ~70%. This brought the client much closer to FedRAMP compliance. Moreover, the detailed documentation provided by our team served to aid the client in appropriately documenting the steps taken to ensure compliance.
FedRAMP enablement at your organization
FedRAMP authorization can be a difficult process. It is complex, and it requires a great deal of technical expertise and plenty of work. It helps to have some additional experts in your corner when making a push toward any compliance program, or even simply making efforts to improve cybersecurity.