FedRAMP in 5: Amazon WorkSpace Hardening
Amazon Web Services offers many useful tools to achieve FedRAMP compliance. Amazon WorkSpaces is just one of them. Used to complete day-to-day business tasks from a cloud desktop environment, WorkSpaces offers businesses a managed and secure environment in which their personnel can complete tasks within the authorization boundary. Although WorkSpaces is designated as a FedRAMP High Authorized service (when leveraging AWS GovCloud), it does require a degree of hardening or additional configurations in order to reach FedRAMP compliance standards.
Unlike many cloud services, Amazon WorkSpaces has security settings that cannot be enabled once the WorkSpace is deployed. Therefore, Amazon WorkSpaces must be configured correctly as they are initially set up. However, hardening is not as simple as checking the “FedRAMP” box during deployment. There is plenty more to this configuration process. As with any other instance deployment, you must have an understanding of STIG or CIS benchmarks when setting up your initial WorkSpace image. Additionally, one must understand how to configure Directories and Security Groups for proper permission configuration. Numerous security settings, including but not limited to the following must be properly configured:
-
FIPS 140-2 validated encryption
-
Multi-Factor Authentication (MFA)
-
Port allowances
-
Digitally signed certificates
-
Whitelisting
Proper logging, scanning, and patching practices are also vital components of attaining FedRAMP standards. Due to their importance during the vulnerability remediation process, such activities must be properly configured in order for your business to show operational evidence including and related to the Monthly Plan of Actions & Milestones (POA&M). Additionally, scanning requirements detailed in the SA FedRAMP control family note the importance of scanning during the Configuration Management and Change Management processes. Most importantly, these practices are components of a secure system.
The operational evidence requirements detailed by FedRAMP make it such that you must configure WorkSpaces to capture various auditable events. You must configure WorkSpaces such that you can view, search, download, archive, analyze, and respond to such events, especially WorkSpace logins, both successful and unsuccessful.
Updates to Operating Systems and Event Detection Response, among other things, must occur regularly. Thus, you must configure WorkSpaces to be updated at this cadence in order to adhere to FedRAMP standards.
Scanning of WorkSpaces must occur every month. Any vulnerabilities discovered as a result of such scanning are considered “on the hook” as a part of the vulnerability remediation process. In other words, the timeline for remediating vulnerabilities “found” by these scans begins the moment scan results are compiled. Therefore, any and all such vulnerabilities must be remediated according to the 30-day (high), 90-day (moderate), 180-day (low) timeline as described in FedRAMP requirements. In addition to the remediation requirements, FedRAMP requires that at least 90% of vulnerability scans must be authenticated as FedRAMP requirements detail that only a 10% maximum is allowed on failed authenticated for vulnerability scanning.
All in all, Amazon WorkSpaces is an excellent tool to leverage in your FedRAMP boundary; however, there is some nuance to the configuration that, if not well considered, can slow the FedRAMP process. InfusionPoints has the expertise and skills to help you complete your entire AWS environment, including compliant WorkSpaces configuration. As an AWS Advanced Consulting Partner and Public Sector Partner, our AWS certified engineering team have automated tooling through the InfusionPoints XccelerATOr and XBU40 offerings that will give you peace of mind to focus on your product and customers.