Amazon Developer Portal security

[pamelacorey]

Has anyone's agency done any security review (A&A) of the Amazon Developer portal? My agency is saying that it isn't in the FedRAMP package space and thus they'll have to validate the security of the space before I can start working within it to create my skill.

[TechInnovationOffice]

It looks like all of the Alexa skills are done in Amazon Web Services: https://developer.amazon.com/blogs/post/TxDJWS16KUPVKO/New-Alexa-Skills-Kit-Template:-Build-a-Trivia-Skill-in-under-an-Hour Amazon Web Services are approved in FedRAMP to varying degrees. Which AWS environment are you working out of?

[pamelacorey]

I want to use a AWS Lambda instance and my folks are saying it is not part of the FedRAMP package. Since NIST hasn't ever used Lambda they have to do an approval package before I can play in that space.

[TechInnovationOffice]

According to FedRamp, AWS US East/West was most recently authorized on January 4, 2017: https://marketplace.fedramp.gov/index.html#/product/aws-us-eastwest That's well after Lambda premiered in 2014 ( https://aws.amazon.com/blogs/aws/run-code-cloud/ ). That may be a question of commercial cloud vs. GovCloud ( https://marketplace.fedramp.gov/index.html#/product/aws-govcloud ), which as been re-authorized since 2013.