awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

NIST 800-171 / CMMC 2.0 Level 2 in AWS GovCloud #410

Open HSEngin opened 1 year ago

HSEngin commented 1 year ago

The current conformance packs for NIST 800-171 and CMMC 2.0 Level 2 do not seem to work with GovCloud East or GovCloud West. Confirmed in site for conformance pack "Operational Best Practices for NIST 800 171":

AWS Region: All AWS Regions where conformance packs are supported ([Region support](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html#conformance-packs-regions)) except AWS GovCloud (US-East), AWS GovCloud (US-West), and Middle East (Bahrain)

Is it possible to release a version of one of NIST 800-171 or CMMC 2.0 Level 2 (they should be checking the same underlying requirements) that can be used on GovCloud West? The GovCloud regions are offered to assist with meeting requirements of those standards (especially for export controlled information) so it seems odd they are not supported by the relevant conformance packs.

Adam-Zvolanek commented 11 months ago

My team ran into a similar issue and opened a support ticket. Here is a snippet of AWS Support response:

I have checked with our team on Conformance pack templates for GovCloud region and below is the input from the internal team,

"AWS Config provides the sample Conformance Pack templates as a reference point for customers to select from prescribed best practices and frameworks. Our recommendation is to review the rules available in GovCloud regions (https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html ) and amend the template for rules not yet available in those regions prior to deploying. "

Their stance is "Do it yourself".

HSEngin commented 11 months ago

Doing it ourselves was actually not too difficult. Started with the base and removed whatever rule was giving an error until no more errors resulted (this took longer than it needed to since only one error is displayed at a time).

Removing these rules from the Conformance Pack allowed us to use the CMMC 2.0 Level 2 conformance pack:

- Elbv2AcmCertificateRequired
- OpensearchEncryptedAtRest
- OpensearchInVpcOnly
- OpensearchNodeToNodeEncryptionCheck
- RootAccountHardwareMfaEnabled
- RootAccountMfaEnabled

Attachment: Operational-Best-Practices-for-CMMC-2.0-Level-2.zip

atheiman commented 10 months ago

Would be nice if the template checked AWS::Region and disabled unsupported config rules as needed. Could even overengineer it to include a custom resource in the template to hit the Config api and check for available AWS managed rules, then conditionally not deploy unsupported Config rules. This is not possible with CloudFormation ☹️

atheiman commented 10 months ago

I put together a Python script to read a conformance pack CloudFormation template yaml file and print out unsupported config rule sourceIdentifiers for the current region. As far as I can tell, there is no public api to list supported config managed rules in a region, only the doc: https://docs.aws.amazon.com/config/latest/developerguide/managing-rules-by-region-availability.html

This script attempts to create a test rule for every Config managed rule found in the CloudFormation template. If the rule create fails with an error like `The sourceIdentifier BLAH is invalid.` then the rule is deemed not supported in that region and is printed to the console. The test rules are deleted immediately after they are successfully created, so it shouldn't leave extra resources in an account. It's quick and dirty, but it's way better than repeatedly attempting to create the conformance pack in console or via cli, and iterating through several failed resource create attempts and waiting for CloudFormation stack create failures.

https://gist.github.com/atheiman/f345ea4aa059bf2d2c5dec490547a86f

Example usage for testing Operational-Best-Practices-for-NIST-800-171.yaml in us-gov-west-1:

```
$ CONFIG_CONFORMANCE_PACK_TEMPLATE=Operational-Best-Practices-for-NIST-800-171.yaml ./config_conformance_pack_region_validator.py
Testing for regional support of AWS Config managed rules
Region: 'us-gov-west-1'
Identity: 'arn:aws-us-gov:sts::111111111111:assumed-role/Admin/atheiman'
YAML CloudFormation template: 'Operational-Best-Practices-for-NIST-800-171.yaml'
Unsupported CloudFormation resource ids / ConfigRuleNames / SourceIdentifiers will be listed below:
-----
Ec2SecurityGroupAttachedToEniPeriodic / ec2-security-group-attached-to-eni-periodic / EC2_SECURITY_GROUP_ATTACHED_TO_ENI_PERIODIC
EcsTaskDefinitionNonrootUser / ecs-task-definition-nonroot-user / ECS_TASK_DEFINITION_NONROOT_USER
Elbv2AcmCertificateRequired / elbv2-acm-certificate-required / ELBV2_ACM_CERTIFICATE_REQUIRED
OpensearchAccessControlEnabled / opensearch-access-control-enabled / OPENSEARCH_ACCESS_CONTROL_ENABLED
OpensearchEncryptedAtRest / opensearch-encrypted-at-rest / OPENSEARCH_ENCRYPTED_AT_REST
OpensearchHttpsRequired / opensearch-https-required / OPENSEARCH_HTTPS_REQUIRED
OpensearchInVpcOnly / opensearch-in-vpc-only / OPENSEARCH_IN_VPC_ONLY
OpensearchLogsToCloudwatch / opensearch-logs-to-cloudwatch / OPENSEARCH_LOGS_TO_CLOUDWATCH
OpensearchNodeToNodeEncryptionCheck / opensearch-node-to-node-encryption-check / OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
RootAccountHardwareMfaEnabled / root-account-hardware-mfa-enabled / ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
RootAccountMfaEnabled / root-account-mfa-enabled / ROOT_ACCOUNT_MFA_ENABLED
```

With this output, you can then easily update the CloudFormation template as it makes sense to you. Either remove the resources, or add a Condition to not deploy to the region you are interacting with.

I've also put a GovCloud modified template on gist for easy download, but this could become out of date very fast if more config rules are added to GovCloud regions: https://gist.github.com/atheiman/3dc06afb63b96bfa8a81c8e96f36910c
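The probe-and-gate workflow the two comments above describe, as an added example that is not the linked gist or the project's own code: it takes a conformance-pack template already loaded as a dict (e.g. with `yaml.safe_load`), probes each AWS-managed `SourceIdentifier` by creating and immediately deleting a throwaway rule, and then returns a copy of the template in which the rejected rules carry a `Condition` on `AWS::Region` instead of being deleted. `FakeConfigClient` and `SAMPLE_TEMPLATE` are constructed stand-ins so it runs offline; with a real `boto3.client("config")` the same functions apply and the probe needs `config:PutConfigRule` and `config:DeleteConfigRule`.

```python
import copy
import uuid

def managed_rules(template):
    """Yield (logical_id, SourceIdentifier) for every AWS-owned Config rule."""
    for logical_id, res in template.get("Resources", {}).items():
        source = res.get("Properties", {}).get("Source", {})
        if res.get("Type") == "AWS::Config::ConfigRule" and source.get("Owner") == "AWS":
            yield logical_id, source["SourceIdentifier"]

def unsupported_rules(template, client):
    """Probe each identifier with a throwaway rule; a rejected identifier is unsupported."""
    unsupported = {}
    for logical_id, ident in managed_rules(template):
        name = "region-probe-" + uuid.uuid4().hex[:8]  # hypothetical probe-rule name
        try:
            client.put_config_rule(ConfigRule={"ConfigRuleName": name,
                "Source": {"Owner": "AWS", "SourceIdentifier": ident}})
            client.delete_config_rule(ConfigRuleName=name)  # clean up immediately
        except client.exceptions.InvalidParameterValueException:
            unsupported[logical_id] = ident  # "The sourceIdentifier X is invalid."
    return unsupported

def gate_unsupported(template, unsupported, region):
    """Copy of the template where unsupported rules deploy only outside `region`."""
    out = copy.deepcopy(template)
    out.setdefault("Conditions", {})["SupportedRegion"] = {
        "Fn::Not": [{"Fn::Equals": [{"Ref": "AWS::Region"}, region]}]}
    for logical_id in unsupported:
        out["Resources"][logical_id]["Condition"] = "SupportedRegion"
    return out

class FakeConfigClient:  # constructed stand-in for boto3's Config client (offline)
    class exceptions:
        class InvalidParameterValueException(Exception): pass
    def __init__(self, rejected):
        self.rejected, self.created, self.deleted = set(rejected), [], []
    def put_config_rule(self, ConfigRule):
        ident = ConfigRule["Source"]["SourceIdentifier"]
        if ident in self.rejected:
            raise self.exceptions.InvalidParameterValueException(f"The sourceIdentifier {ident} is invalid.")
        self.created.append(ConfigRule["ConfigRuleName"])
    def delete_config_rule(self, ConfigRuleName):
        self.deleted.append(ConfigRuleName)

SAMPLE_TEMPLATE = {"Resources": {  # constructed excerpt shaped like a conformance pack
    "RootAccountMfaEnabled": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "Source": {"Owner": "AWS", "SourceIdentifier": "ROOT_ACCOUNT_MFA_ENABLED"}}},
    "IamPasswordPolicy": {"Type": "AWS::Config::ConfigRule", "Properties": {
        "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_PASSWORD_POLICY"}}}}}
```

Running `unsupported_rules(SAMPLE_TEMPLATE, FakeConfigClient({"ROOT_ACCOUNT_MFA_ENABLED"}))` returns `{"RootAccountMfaEnabled": "ROOT_ACCOUNT_MFA_ENABLED"}`, and `gate_unsupported` then attaches the condition to that one resource only.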