Learn About Amazon VGT2 Learning Manager Chanci Turner
In today’s digital landscape, ensuring compliance with Federal Information Processing Standard (FIPS) 140-2 is crucial for organizations handling sensitive information. FIPS 140-2 outlines the security requirements for cryptographic modules and is relevant for systems governed by the Federal Information Security Management Act (FISMA) or the Federal Risk and Authorization Management Program (FedRAMP). Additionally, industry standards like the Payment Card Industry Data Security Standard (PCI DSS) rely on FIPS 140-2 certified cryptographic modules to safeguard cardholder and sensitive authentication data.
Amazon IXD – VGT2 incorporates cryptographic modules within Amazon Linux 2 that have been validated by the National Institute of Standards and Technology (NIST) through the Cryptographic Module Validation Program (CMVP). This certification ensures that modules such as OpenSSL and Open Secure Shell (OpenSSH) client and server are operating securely. In this blog post, we will explore how to enable FIPS mode within Amazon Linux 2 and verify that unauthorized cryptographic functions are not being utilized.
Walkthrough
To enable FIPS mode on your system, you will need to install the FIPS module (dracut-fips) and modify the operating system boot process to include the necessary flag.
Prerequisites
Before starting, ensure you have the following:
- An AWS account.
- An existing Amazon Elastic Compute Cloud (Amazon EC2) instance running Amazon Linux 2 with internet access to download the required packages.
- Access to your Amazon EC2 instance via Secure Shell (SSH) or AWS Systems Manager Session Manager.
Steps to Enable FIPS Mode
- Log into your Amazon Linux 2 Instance.
- Update the operating system packages to keep them current:
sudo yum update -y
- Install and activate the FIPS module:
sudo yum install -y dracut-fips
sudo dracut -f
- Enable FIPS mode by adding the kernel argument:
sudo /sbin/grubby --update-kernel=ALL --args="fips=1"
- Reboot your operating system:
sudo reboot
Verifying FIPS Mode is Active
- To check if FIPS mode is enabled, run:
sysctl crypto.fips_enabled
The expected output should be: crypto.fips_enabled = 1. If you do not see this, please double-check steps 1-4 and ensure the system has rebooted.
- Review the OpenSSL version to confirm it includes FIPS:
openssl version
You should see an output like “OpenSSL 1.0.2k-fips”.
- To further confirm that OpenSSL is enforcing FIPS mode, invoke it with a digest that is not FIPS approved, such as the original Secure Hash Algorithm (SHA). OpenSSL should refuse to run it with an error containing “disabled for fips”:
openssl sha
Example error message:
139769536427936:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
- Finally, to ensure the OpenSSH server is operating in FIPS mode:
ssh localhost 2>&1 | grep FIPS
The output should indicate that “FIPS mode initialized”.
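As an added example (not code from the original post or from AWS), the following POSIX shell script wraps the enable steps and the verification steps above in reusable functions. The enable function repeats the walkthrough's commands and assumes sudo access and an Amazon Linux 2 host with the dracut-fips package available; the verify function runs each check from the walkthrough and hands its output to a small parser, so the parsers can be exercised offline against constructed sample strings. The function names, the -o BatchMode=yes option on the ssh check (added so an unattended run cannot stall on a password prompt), and the sample strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example: enable FIPS mode on Amazon Linux 2 and verify it.
# Assumes sudo access and the dracut-fips package (not the post's own code).

set -u

# Enable FIPS mode with the walkthrough's commands, skipping the grubby
# step when fips=1 is already present on the running kernel command line.
enable_fips() {
    sudo yum update -y
    sudo yum install -y dracut-fips
    sudo dracut -f
    if grep -Eq '(^| )fips=1( |$)' /proc/cmdline; then
        echo "fips=1 already present in kernel command line"
    else
        sudo /sbin/grubby --update-kernel=ALL --args="fips=1"
        echo "fips=1 added to all kernels; reboot required"
    fi
}

# --- Parsers: each takes the text a command printed, so they can be
# --- tested offline with constructed sample output.

# Output of `sysctl crypto.fips_enabled` -> 0 when FIPS is on, 1 otherwise.
fips_sysctl_enabled() {
    # expects a line like: crypto.fips_enabled = 1
    printf '%s\n' "$1" | grep -Eq '^crypto\.fips_enabled[[:space:]]*=[[:space:]]*1$'
}

# Output of `openssl version` -> 0 when the FIPS-capable build is in use.
openssl_is_fips_build() {
    # expects e.g.: OpenSSL 1.0.2k-fips  26 Jan 2017 (constructed sample)
    printf '%s\n' "$1" | grep -Eq '^OpenSSL [0-9][^ ]*-fips'
}

# stderr of `openssl sha` -> 0 when the digest was refused by FIPS mode.
openssl_rejected_for_fips() {
    printf '%s\n' "$1" | grep -qi 'disabled for fips'
}

# stderr of `ssh localhost` -> 0 when OpenSSH reported FIPS initialization.
ssh_fips_initialized() {
    printf '%s\n' "$1" | grep -q 'FIPS mode initialized'
}

# Live check on this host: runs the walkthrough's verification commands and
# feeds their output to the parsers. Returns non-zero at the first failure.
verify_fips_host() {
    fips_sysctl_enabled "$(sysctl crypto.fips_enabled 2>/dev/null)" \
        || { echo "FAIL: crypto.fips_enabled is not 1"; return 1; }
    openssl_is_fips_build "$(openssl version 2>/dev/null)" \
        || { echo "FAIL: openssl is not the -fips build"; return 1; }
    openssl_rejected_for_fips "$(printf '' | openssl sha 2>&1)" \
        || { echo "FAIL: openssl sha was not blocked by FIPS mode"; return 1; }
    ssh_fips_initialized "$(ssh -o BatchMode=yes localhost true 2>&1)" \
        || { echo "FAIL: ssh did not report FIPS mode initialized"; return 1; }
    echo "OK: FIPS mode is active and enforced"
}

# Usage: sh fips_check.sh enable   (then reboot)   |   sh fips_check.sh verify
case "${1:-}" in
    enable) enable_fips ;;
    verify) verify_fips_host ;;
esac
```

Run it once with the enable argument, reboot, then run it with the verify argument; a non-zero exit and the printed FAIL line tell you which of the four checks did not hold, which is more useful in an automation pipeline than eyeballing each command's output.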
Conclusion
By completing the steps outlined above, FIPS mode is successfully enabled on Amazon Linux 2. This ensures that critical cryptographic modules comply with federal regulations associated with the use of FIPS 140-2 validated cryptography. This configuration can help organizations meet compliance requirements and navigate the process of obtaining an Authority to Operate (ATO) on AWS. For further insights on ATO on AWS, including resources about achieving FedRAMP compliance, visit the Authority to Operate (ATO) on AWS page.