Federal Information Processing Standard (FIPS) 140-2 establishes essential security requirements for cryptographic modules that safeguard sensitive data. This standard is applicable to systems that must comply with the Federal Information Security Management Act (FISMA) or the Federal Risk and Authorization Management Program (FedRAMP), currently recognized by the governments of the United States and Canada.

Additionally, various industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS), rely on FIPS 140-2 certified cryptographic modules for the protection of cardholder data and sensitive authentication information during storage, processing, and transmission.

Some cryptographic modules integrated into Amazon Linux 2 have been evaluated by the National Institute of Standards and Technology (NIST) through its Cryptographic Module Validation Program (CMVP). The secure operation of these modules, including the OpenSSL module and the Open Secure Shell (OpenSSH) client and server modules, has been certified.

In this article, we will guide you through the steps necessary to enable FIPS mode in Amazon Linux 2, ensuring that unauthorized cryptographic functions are not utilized in OpenSSL or the OpenSSH server.

Walkthrough

Enabling FIPS mode involves installing the FIPS module (dracut-fips) and modifying the operating system’s boot procedure to incorporate the appropriate flag at startup.

Prerequisites

Before you begin, ensure you have the following:

  • An AWS account.
  • An existing Amazon Linux 2 Amazon Elastic Compute Cloud (Amazon EC2) instance with internet access to download the necessary packages.
  • Access to your Amazon EC2 Linux instance via Secure Shell (SSH) or AWS Systems Manager Session Manager (detailed instructions can be found here).

Enabling FIPS Mode

  1. Log into your Amazon Linux 2 instance.
  2. Update the Operating System (OS) packages to ensure everything is current:
    sudo yum update -y
  3. Install and activate the FIPS module:
    sudo yum install -y dracut-fips
    sudo dracut -f
  4. Enable FIPS mode by adding the kernel argument:
    sudo /sbin/grubby --update-kernel=ALL --args="fips=1"
  5. Reboot the operating system:
    sudo reboot

Verify FIPS Mode is Enabled

  1. To confirm that FIPS mode is active at the operating system level, run the following command:
    sysctl crypto.fips_enabled

    The output should be: crypto.fips_enabled = 1. If it does not match this output, review steps 1-4 of “Enabling FIPS Mode” to ensure they were executed correctly, and that the system has been rebooted.

  2. Check the OpenSSL version to ensure it specifies FIPS in the output:
    openssl version

    For example, the output may display “OpenSSL 1.0.2k-fips”.

  3. To further validate that OpenSSL is configured correctly, attempt to run OpenSSL with a non-FIPS-validated algorithm (e.g., the Secure Hash Algorithm, SHA). This should yield an error indicating “disabled for fips”:
    openssl sha

    Example output:

    139769536427936:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
  4. To ensure the OpenSSH server is functioning in the intended FIPS mode:
    ssh localhost 2>&1 | grep FIPS

    The output should read: “FIPS mode initialized”.
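The four verification steps above as a script, added here as an example rather than code from the original post: each check is a small parser over the captured output of the command in that step, so the logic can be exercised offline, and fips_audit runs the live commands on the instance. The function names, the --live flag and the ssh BatchMode option are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: the four verification
# checks above as shell functions. The parsers take captured command
# output so they can be tested offline; fips_audit runs the live commands.

# Step 1: kernel switch. Input: output of `sysctl crypto.fips_enabled`.
fips_sysctl_ok() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        crypto.fips_enabled=1) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2: OpenSSL must be the FIPS build. Input: output of `openssl version`.
fips_openssl_version_ok() {
    case "$1" in *-fips*) return 0 ;; *) return 1 ;; esac
}

# Step 3: a non-approved digest must be refused. Input: stderr of `openssl sha`.
fips_sha_disabled() {
    case "$1" in *"disabled for fips"*) return 0 ;; *) return 1 ;; esac
}

# Step 4: the OpenSSH build announces FIPS mode. Input: output of `ssh localhost`.
fips_sshd_ok() {
    case "$1" in *"FIPS mode initialized"*) return 0 ;; *) return 1 ;; esac
}

# Live audit: run each command, hand its output to the matching parser and
# print PASS/FAIL. Returns the number of failed checks (0 = all verified).
# BatchMode=yes (assumed) keeps ssh from prompting; the banner precedes auth.
fips_audit() {
    fails=0
    report() { if "$1" "$2"; then echo "PASS $3"; else echo "FAIL $3"; fails=$((fails + 1)); fi; }
    report fips_sysctl_ok "$(sysctl crypto.fips_enabled 2>/dev/null)" "crypto.fips_enabled = 1"
    report fips_openssl_version_ok "$(openssl version 2>/dev/null)" "openssl version reports -fips"
    report fips_sha_disabled "$(openssl sha </dev/null 2>&1)" "openssl sha refused (disabled for fips)"
    report fips_sshd_ok "$(ssh -o BatchMode=yes localhost true 2>&1)" "ssh reports FIPS mode initialized"
    return "$fails"
}

# Run the live audit only when asked, so the parsers can be sourced or tested elsewhere.
if [ "${1:-}" = "--live" ]; then
    fips_audit
    exit $?
fi
```

Run it on the instance as `sh fips_check.sh --live`; a non-zero exit status is the number of steps that did not verify.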

Conclusion

By following the above steps, FIPS mode has been enabled for Amazon Linux 2. Key cryptographic modules should now comply with the federal standards associated with the mandated use of FIPS 140-2 validated cryptography. This will assist you in achieving compliance with relevant standards and support your journey toward obtaining an Authority to Operate (ATO) on AWS. For more information about ATO on AWS, including resources related to FedRAMP compliance or finding an APN Partner to assist you, visit the Authority to Operate (ATO) on AWS page.
