AWS FedRAMP Rev5 Secure Configuration Guidance
Comprehensive security configuration guidance for AWS accounts and services aligned with the FedRAMP Revision 5 Secure Configuration Guidance (SCG) requirements. This site contains FedRAMP-specific guidance for AWS services. The guidance is provided as a point-in-time reference for configuring AWS services and AWS top-level administrative accounts securely, in alignment with FedRAMP.
Coverage
- All administrative guidance requirements
- All 4 SCG Cloud Service Offering (CSO) requirements
- All 5 SCG Enhanced Capabilities (ENH) recommendations
About FedRAMP Rev5 SCG Requirements
FedRAMP Revision 5 introduces Secure Configuration Guide requirements that cloud service providers must address to help federal agencies secure their cloud environments. AWS provides comprehensive guidance to align with these requirements.
What AWS Provides:
- Administrative Account Protection: Specific guidance for securing top-level administrative accounts
- Machine-Readable Formats: OSCAL-compliant exports for automation
- API-Driven Configuration: Documentation on security settings configurable via the AWS CLI and APIs where applicable
Complete SCG Coverage
Cloud Service Offering Requirements
| Requirement | Description | AWS Solution |
|---|---|---|
| SCG-CSO-RSC | Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that include at least the following information. Required: instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering. Required: explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications. Recommended: explanations of security-related settings that can be operated only by privileged accounts and their security implications. | Create, maintain, and make available recommendations for securely configuring AWS services, including: instructions for top-level administrative accounts (access, configure, operate, decommission), security-related settings operated by top-level administrative accounts, and privileged account security settings |
| SCG-CSO-AUP | Providers MUST include instructions in the FedRAMP authorization package that explain how to obtain and use the Secure Configuration Guide. | Available |
| SCG-CSO-PUB | Public Guidance: Providers SHOULD make the Secure Configuration Guide available publicly. | AWS makes this secure configuration guidance publicly available through the AWS documentation. |
| SCG-CSO-SDF | Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned. | AWS builds services with security in mind; AWS does not enforce a minimum standard but provides security options to meet customer needs. |
Enhanced Capabilities
| Recommendation | Description | AWS Solution |
|---|---|---|
| SCG-ENH-CMP | Comparison Capability: Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults. | Leverage AWS Config |
| SCG-ENH-EXP | Export Capability: Providers SHOULD offer the capability to export all security settings in a machine-readable format. | OSCAL formats will be available in the future |
| SCG-ENH-API | API Capability: Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability. | AWS provides API access to AWS services |
| SCG-ENH-MRG | Machine-Readable Guidance: Providers SHOULD also provide the Secure Configuration Guide in a machine-readable format that can be used by customers or third-party tools to compare against current settings. | AWS will provide OSCAL-formatted guides |
| SCG-ENH-VRH | Versioning and Release History: Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time. | Each guide includes versioning details |
Get Started
Review & Implement Guidance
Explore security configuration guidance for administrative accounts and all available AWS services. Use the examples provided to help implement security configurations for your AWS accounts and AWS services.