{"component-definition":{"uuid":"6e754a65-2fa5-4974-b3b9-8faec26dc7b2","metadata":{"links":[{"rel":"latest-version","href":"https://github.com/CivicActions/oscal-component-definitions/tree/main"}],"roles":[{"id":"creator","title":"Creator"}],"title":"Amazon Web Service","parties":[{"name":"CivicActions","type":"organization","uuid":"a37f870b-12f8-46d9-82c4-df9a3a559fb2"}],"version":"20240513","published":"2022-10-10T17:00:34.329470+00:00","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"942f02cd-ca93-452a-8c4a-bcf7c67ece8c"}],"last-modified":"2024-05-13T15:00:00.612641+00:00","oscal-version":"1.0.0","responsible-parties":[{"role-id":"creator","party-uuids":["a37f870b-12f8-46d9-82c4-df9a3a559fb2"]}]},"components":[{"type":"software","uuid":"6faf95a1-d7e4-4eef-9a3b-fd9b37a0f8dd","title":"Amazon Web Services","description":"Amazon Web Services Platform-as-a-Service (PaaS)","control-implementations":[{"uuid":"4e8bac83-a13c-4bca-9f3e-408a06997ead","source":"https://raw.githubusercontent.com/usnistgov/oscal-content/v1.0.0/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_catalog.json","description":"NIST_SP-800-53_rev4","implemented-requirements":[{"uuid":"c9cbefe4-5c62-4a14-bbb6-91cb5658dfc8","control-id":"ac-2","statements":[{"uuid":"e0f7efea-4cba-4df2-93e7-c9b7a0f4ac6d","description":"In this architecture, the baseline AWS Identity and Access Management (IAM) groups and roles are associated with access policies to align user accounts with personnel functions related to infrastructure/platform management (e.g. Billing, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, etc.)","statement-id":"ac-2_smt.a"},{"uuid":"cbc8f16c-1e23-4ca2-b344-4ea55aacd5f5","description":"In this architecture, AWS CloudTrail and Amazon S3 Bucket logging are enabled, which provide the audit trail capability for the organization to monitor the use of AWS Identity and Access Management (IAM) accounts. 
An Amazon S3 bucket centrally contains the CloudTrail audit logs. Amazon CloudWatch Alarm is configured to send an alert when any of the following happen:\n  - an API call is made to create, update, or delete a Network ACL/Security Group\n  - AWS account *root user* activity is detected\n  - multiple API actions or login attempts fail\n  - IAM Configuration changes are detected\n  - a new IAM access key is created\n  - changes to the CloudTrail log configuration are detected","statement-id":"ac-2_smt.g"}],"description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: AWS account management."},{"uuid":"b3d13999-bed7-4e75-b951-e430f56993b2","control-id":"ac-3","description":"In this architecture, AWS Identity and Access Management (IAM) and Amazon S3 enforce access to the AWS infrastructure and data in Amazon S3 buckets. The baseline IAM groups and roles are associated with access policies to align user accounts with personnel functions related to infrastructure/platform management (e.g. Billing, Amazon EC2/VPC/Amazon RDS systems administration, I.T. auditing, etc.). Login/API access is restricted to those users for whom the organization has authorized and created, or federated, IAM user accounts, and assigned the appropriate IAM group and/or role memberships. 
Amazon S3 buckets have specific access control policies assigned to restrict access to those IAM users who are assigned the appropriate IAM roles/groups."},{"uuid":"def8e16d-7c03-487d-b7f8-e485c1557a6b","control-id":"au-2","statements":[{"uuid":"afa411ab-1d86-4759-aaf9-932ec8889b3f","description":"In this architecture, the following audit methods log all security-relevant user/API activities and Amazon S3 data access activities, and support the capability to audit organizationally defined events:\n\n- AWS CloudTrail logging\n- Amazon S3 bucket logging\n- Elastic Load Balancing (ELB) logging\n- Amazon RDS MySQL error logging","statement-id":"au-2_smt.a"},{"uuid":"aa6dfd4a-fce1-4f2e-ba48-41d0347df4f1","description":"In this architecture, the following audit methods provide data on activities occurring within the infrastructure:\n\n- AWS CloudTrail logging\n- Amazon S3 bucket logging\n- Elastic Load Balancing (ELB) logging\n- Amazon RDS MySQL error logging","statement-id":"au-2_smt.c"},{"uuid":"6c331b76-2777-4c0c-9023-ab01f79593d3","description":"In this architecture, the following audit methods log all security-relevant events and errors related to IAM user and API activities, Amazon S3 data access, network access, and Amazon RDS database errors, and support the capability to audit organizationally defined events:\n\n- AWS CloudTrail logging\n- Amazon S3 bucket logging\n- Elastic Load Balancing (ELB) logging\n- Amazon RDS MySQL error logging","statement-id":"au-2_smt.d"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"b467fceb-73a0-4abc-9a30-d6b53783bd6e","control-id":"au-3","description":"In this architecture, the following audit methods generate records with the level of detail specified for the control:\n\n- **AWS CloudTrail logging**: Provides information on activities\n  related to infrastructure changes.\n\n- **Amazon S3 bucket logging**: Provides data on activities related to the\n  access or manipulation of 
data stored in Amazon S3.\n\n- **Elastic Load Balancing (ELB) logging**: Provides information about\n  requests or connections.\n\n- **Amazon RDS MySQL error logging**: Captures errors encountered by the\n  database engine. In addition, the MySQL general query log can be enabled\n  by the customer organization to capture when clients connect or disconnect\n  and SQL statements received from clients.\n\n\nAWS logging information:\n\n- AWS native logging: https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/\n- AWS CloudTrail logs: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html\n- Amazon S3 bucket logs: http://docs.aws.amazon.com/amazons3/latest/dev/ServerLogs.html\n- ELB logs: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html\n    http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html\n\n- Amazon RDS logs: http://docs.aws.amazon.com/amazonrds/latest/UserGuide/USER_LogAccess.html"},{"uuid":"626f5336-a367-4663-8fea-a7b797afc992","control-id":"au-4","description":"In this architecture, logs track dynamic capacity growth to accommodate organizationally defined storage capacity requirements. 
Amazon S3 buckets are established to store audit logs from the following audit methods:\n\n- AWS CloudTrail logging\n- Amazon S3 bucket logging\n- Elastic Load Balancing (ELB) logging\n- Amazon RDS MySQL error logging"},{"uuid":"8012b4a9-9ade-429e-92c2-9c7379ad0f45","control-id":"au-5","statements":[{"uuid":"3cc1853f-dea0-4185-9a18-b5b1566147d3","description":"In this architecture, AWS CloudTrail is enabled, and provides the basis for audit processing within the infrastructure.\n\nAWS built-in features include customer alerting of AWS CloudTrail and other service failures through the following:\n\n- AWS Service Health Dashboard (http://status.aws.amazon.com)\n- RSS feeds to which the customer organization can subscribe\n- email\n- alerts sent directly to the AWS account *root user* for critical events\n- AWS internal Incident Response and corporate communications processes","statement-id":"au-5_smt.a"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"5f5a010f-649e-439a-816a-31bc60a7de6d","control-id":"au-8","statements":[{"uuid":"9d668117-8062-4679-9ab3-c3911e941293","description":"AWS includes the Amazon Time Sync Service. Running over Network Time Protocol (NTP), this service synchronizes the time on AWS instances using redundant satellite-connected and atomic clocks in all public AWS regions. The Amazon Time Sync Service provides accurate time stamp data to the following audit methods:\n\n- AWS CloudTrail logging\n- Amazon S3 bucket logging\n- Elastic Load Balancing (ELB) logging\n- Amazon RDS MySQL error logging","statement-id":"au-8_smt.a"},{"uuid":"3f39cc86-0ec6-4974-8a6b-59f5cc7095bd","description":"The Amazon Time Sync Service provides accurate time stamp data to the following audit methods:\n\n- AWS CloudTrail logging\n- Amazon S3 bucket logging\n- Elastic Load Balancing (ELB) logging\n- Amazon RDS MySQL error logging\n\nTime stamps are recorded as specified in the ISO 8601 standard. 
ISO 8601 represents local time (with the location unspecified), as UTC, or as an offset from UTC.","statement-id":"au-8_smt.b"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"f9575206-b8b4-4af4-aea7-8d788b7592e3","control-id":"au-9","description":"Access to audit data and tools is determined by access control policies for IAM groups and roles. Only users assigned to IAM groups and roles with access to audit data and tools can access them. Additionally, AWS uses server-side encryption on Amazon S3 bucket logs, and maintains them as read-only files."},{"uuid":"1310c2f7-29e1-4dbe-9c43-318bf970f767","control-id":"au-11","description":"AWS CloudTrail logs are stored in an Amazon S3 bucket, which dynamically allocates storage capacity to support continuous collection and storage of AWS CloudTrail log data. The storage capacity supports indefinite retention, but with 7 year retention specified, and migration to Amazon Glacier after 90 days in AWS regions where Glacier is available."},{"uuid":"5e4608f7-a586-4b21-887b-643bd8b08b09","control-id":"au-12","statements":[{"uuid":"1ca481aa-d482-4143-a56f-c3935ec306f6","description":"In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are  enabled, but initial Amazon EC2 instances launched by this deployment (bastion host, application servers, proxy servers, and any Amazon EC2-based NAT servers) do not have auditing enabled within the OS, as these are for example purposes only.\n\nAWS built-in features of logging mechanisms provide the audit record generation capability for the auditable events defined in AU-2a. 
by logging all security-relevant IAM user and API activities which address AWS infrastructure components (AWS Products and services), ELB","statement-id":"au-12_smt.a"},{"uuid":"5cf7282b-8681-4e67-8720-8f35ac347034","description":"In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled. AWS CloudTrail is enabled to log all available API events automatically within the AWS infrastructure, and Amazon S3 bucket logging is enabled to log bucket activity.\n\nAWS built-in features of Identity and Access Management (IAM) allow policy to be applied to privileged users for administrator/audit access, allowing them to modify Amazon CloudWatch alarms, AWS Config rules, and Amazon S3 bucket logging to select the CloudTrail and Amazon S3 events that are to cause notification, alerting and automated reaction.","statement-id":"au-12_smt.b"},{"uuid":"11713d36-6709-4e3d-b2c7-829bb0b59168","description":"In this architecture, AWS CloudTrail, Amazon S3 bucket logging, Elastic Load Balancing (ELB) logging, and Amazon RDS MySQL error logging are enabled. 
However, the initial Amazon EC2 instances launched by this deployment (bastion host, application servers, proxy servers, and any Amazon EC2-based NAT servers) DO NOT have any auditing enabled within the OS, as these are in place for example purposes only.\n\nAWS built-in features of native logging generate audit records with the content defined in AU-3.\n\nAWS logging information:\n\n- AWS native logging: https://aws.amazon.com/answers/logging/aws-native-security-logging-capabilities/\n- AWS CloudTrail logs: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html\n- Amazon S3 bucket logs: http://docs.aws.amazon.com/amazons3/latest/dev/ServerLogs.html\n- ELB logs: http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html\n\n    http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html\n\n- Amazon RDS logs: http://docs.aws.amazon.com/amazonrds/latest/UserGuide/USER_LogAccess.html","statement-id":"au-12_smt.c"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"72a89d4a-2270-4e5f-8ab5-74ddb127ae26","control-id":"cm-2","description":"Hardware Baselines\n\nAll hardware is maintained by the AWS cloud. The system inherits hardware configuration aspects of this control from the FedRAMP Provisional ATO granted to AWS, dated 1 May 2013, for the following: baseline configuration."},{"uuid":"d7038b81-4983-4cfe-acd7-60fbaf9b9833","control-id":"cm-7","statements":[{"uuid":"dc671d42-8976-484d-950d-e956313ec754","description":"In this architecture, only essential capabilities for a multi-tiered web service are configured. 
AWS Identity and Access Management (IAM) baseline Groups and Roles are configured to support restricted access to AWS resources by privileged users and non-person entities (Amazon EC2 systems operating with a role) authorized and assigned by the organization.","statement-id":"cm-7_smt.a"},{"uuid":"1ccca4f4-1379-40bd-97a2-a167b9366dea","description":"In this architecture, ports, protocols, and services are restricted to those that are required for a multi-tiered web service, via AWS security group rules.","statement-id":"cm-7_smt.b"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"15b1a7b5-7c90-4873-b136-ae0a655f2715","control-id":"cm-8","statements":[{"uuid":"d3180e77-ff40-4202-97a3-a923283211e4","description":"AWS built-in features dynamically build and maintain an inventory of system components (infrastructure inventory)\n\n1. AWS built-in features provide an accurate, real time inventory of all infrastructure system and network components within the customer account and provides a single view for granularity for tracking and reporting.\n2. AWS built-in features provide an accurate, real time inventory of all infrastructure system and network components within the AWS account, and  AWS CloudFormation creates a unique set of stack names, and associated resource names  incorporate the stack name, for tracking components deployed by CloudFormation templates that align with an authorization boundary.\n3. AWS built-in features provide a level of granularity for tracking and reporting on all infrastructure system and network components and configuration settings for those components.\n4. 
AWS built-in features provide all available information about all infrastructure system and network components to achieve effective component accountability.","statement-id":"cm-8_smt.a"},{"uuid":"82bf17e7-b019-4102-b797-012e234d7a8b","description":"AWS built-in features provide a dynamically updated inventory of all infrastructure system and network components within the customer account. The AWS management console and AWS API calls support the capability for the organization to review the inventory.","statement-id":"cm-8_smt.b"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"8679c639-d985-45b4-81c1-4fee6c0a38b6","control-id":"cp-9","statements":[{"uuid":"e635bd6f-287e-435b-82ae-86507c24b1ac","description":"In this architecture, user data is limited to that which is stored in the Amazon RDS database. Amazon RDS is fully backed up by a daily snapshot as well as through transaction logging conducted by AWS as part of this managed service. Full database recovery from snapshot or point-in-time can be initiated from the Amazon RDS console/API.","statement-id":"cp-9_smt.a"},{"uuid":"f3082da7-d0ab-4dde-b692-d5d80ad653f3","description":"AWS built-in features automatically back up system-level information limited to infrastructure CONFIGURATION information within the AWS account. While individual running Amazon EC2 instances and attached EBS volumes are NOT backed up, they can be reconstituted from Amazon Machine Images (AMIs) provided by AWS (which are backed up by AWS) and user data scripts included in CloudFormation templates. Once deployed, the CloudFormation template contents are backed up by AWS within the CloudFormation service. 
These AWS backups of AWS services are transparent to the customer as part of AWS backend processes.","statement-id":"cp-9_smt.b"},{"uuid":"6e5e3364-a267-4a73-a7fe-cbc80c772dd6","description":"AWS built-in features back up online administrator and developer documentation, limited to that which is published at https://aws.amazon.com/documentation.","statement-id":"cp-9_smt.c"},{"uuid":"7215549f-b680-4939-8d7c-acf7808597d3","description":"AWS built-in features protect the confidentiality, integrity, and availability of information that AWS services back up. This information includes the service configuration information within an account, AWS online administrator and developer documentation, and AWS CloudFormation stacks for templates once deployed into an account.","statement-id":"cp-9_smt.d"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"7aa4f694-6140-48f1-8ab1-aeceb8f3dcf3","control-id":"ia-2","description":"AWS built-in features of Identity and Access Management (IAM) provide the capability for uniquely identifying and authenticating users and processes acting on their behalf to both organizational and non-organizational users operating within the AWS account and infrastructure, providing privileges based on the credentials, group memberships, and access policies assigned to them. The customer organization, at its discretion, provides individual user accounts and privileges to non-organizational users in addition to organizational users."},{"uuid":"aa8c6f6c-8254-48de-aed9-45c8ebd6a0de","control-id":"ia-5.1","statements":[{"uuid":"16d2024d-109a-4ab2-a9bb-a526b1685959","description":"AWS built-in features of Identity and Access Management (IAM) provide minimum password complexity enforcement, but the characteristics to enforce must be manually configured by the customer. 
Refer to http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html","statement-id":"ia-5.1_smt.a"},{"uuid":"8ef0bdc1-8c25-43b8-b195-ceb7dc18b1cf","description":"AWS built-in features of AWS Identity and Access Management (IAM) and the AWS Console store passwords on AWS systems in a cryptographically-protected format and only support TLS connectivity to the console web site to protect passwords in transit via encryption.","statement-id":"ia-5.1_smt.c"},{"uuid":"683c3de8-3aa3-4bc8-9cb2-1ea3de23a343","description":"AWS built-in features of AWS Identity and Access Management (IAM) provide the capability to require a new password to be entered upon login. The customer organization, at its discretion, configures IAM to enforce that requirement.","statement-id":"ia-5.1_smt.f"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"527cb5f2-a34f-45f5-a52e-3ffd14b2d05d","control-id":"ia-5.11","description":"AWS built-in features of AWS Identity and Access Management (IAM) provide the capability for Hardware MFA using Gemalto SafeNet IDProve 100 and 700 OTP Tokens which are compliant to the OATH open standard (time based - 6 digits). Expected battery life is 3-5 years or approximately 15,000 - 20,000 clicks. These products are handheld devices that provide strong authentication by generating a unique password that is valid for only one attempt and for 30 seconds.\n\nIt is the customer organization's responsibility to implement Hardware MFA. 
Refer to http://aws.amazon.com/iam/details/mfa/ and http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html"},{"uuid":"79cb8204-c24b-48f8-8ff8-68f3c39779f5","control-id":"ia-6","description":"In this architecture, all Amazon EC2 instances (bastion host, web/proxy servers, application servers) employ SSH for interactive login, and when a key passphrase is prompted for, the SSH prompting mechanism obscures the feedback by default.\n\nAWS built-in features obscure keystroke feedback for password input during AWS console login with AWS Identity and Access Management (IAM) user credentials, and when the CloudFormation console prompts for an initial database password during Quick Start template deployment."},{"uuid":"4b8316b3-b66f-4184-a3a5-6b13fe03afeb","control-id":"ia-7","description":"AWS built-in features of AWS Identity and Access Management (IAM) authentication employ cryptographic modules that meet requirements as specified and assessed in the AWS FedRAMP authorization package."},{"uuid":"4740dc15-9a43-4f90-9419-17d5fe0126a6","control-id":"ia-8","description":"AWS built-in features of AWS Identity and Access Management (IAM) provide the capability for uniquely identifying and authenticating users and processes acting on their behalf to both organizational and non-organizational users, providing privileges based on the credentials, group memberships, and access policies assigned to them.\n\nThe customer organization at its discretion provides user accounts and privileges to non-organizational users in addition to organizational users."},{"uuid":"76e30112-9fca-4a2d-a1eb-f197c5424c91","control-id":"ir-1","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013."},{"uuid":"4429942b-746d-43a2-af54-5faa71e78907","control-id":"ir-2","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS 
Cloud dated 1 May 2013 for the following: incident response training."},{"uuid":"b8a85e89-1d1c-4fc1-8d50-14c22ff9c5f6","control-id":"ir-4","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident handling."},{"uuid":"514760c2-ec1e-4250-a872-b119d956e8cf","control-id":"ir-5","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident monitoring."},{"uuid":"e1934007-175c-483f-b2a1-f58e9af5c6a7","control-id":"ir-6","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident reporting."},{"uuid":"b01fd6b3-5cef-4961-86cc-fb425a57e35a","control-id":"ir-7","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident response assistance."},{"uuid":"788613c2-ae51-492d-879b-e9e098146ddb","control-id":"ir-8","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: incident response plan."},{"uuid":"4a9c2516-0af6-42e7-9848-aaee85cee706","control-id":"ma-1","description":"This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"251f7f8f-c8b9-4049-95e4-37695a09f015","control-id":"ma-2","description":"This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. 
http://aws.amazon.com/compliance/fedramp/"},{"uuid":"b24cd91f-1f05-4126-8d63-786bb618d165","control-id":"ma-4","description":"This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"bb5460fd-77fe-4d29-9c35-f967e2e25c53","control-id":"ma-5","description":"This System Maintenance control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"b7e75931-4b80-46d4-813a-c99af835f69f","control-id":"mp-1","description":"This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"d73a375c-3258-495a-a407-e23ca644a78e","control-id":"mp-2","description":"This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. 
East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"af626662-7321-40c6-b9d0-e1f4bbce59c3","control-id":"mp-6","description":"This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. 
http://aws.amazon.com/compliance/fedramp/"},{"uuid":"5f600f9f-4f8a-4dd5-a43d-f023dc1bb658","control-id":"mp-7","description":"This Media Protection control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"928c2b72-d584-461e-aada-1ed518b788a3","control-id":"pe-1","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"5112c421-e4f4-45ae-86b9-b03149c3fd17","control-id":"pe-2","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. 
http://aws.amazon.com/compliance/fedramp/"},{"uuid":"e16a9c71-6200-46ba-bc87-570e6bea1596","control-id":"pe-3","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"68b8b285-6794-4598-97ff-06d87029332d","control-id":"pe-6","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"3cc9e099-4676-4cf4-89ad-680d2fda5e3d","control-id":"pe-8","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. 
http://aws.amazon.com/compliance/fedramp/"},{"uuid":"91bb446a-1d0a-42bd-b867-9857f59a3f38","control-id":"pe-12","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"3325dc34-0f09-4c69-b11f-006ee6f69880","control-id":"pe-13","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"5d1d0627-01ac-4b69-b3e4-fb29d71c309c","control-id":"pe-14","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. 
http://aws.amazon.com/compliance/fedramp/"},{"uuid":"96c4e1d7-4522-4387-a29c-43d6c444bce2","control-id":"pe-15","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"c0d5843d-1c55-4ca2-8fcb-3db36b59e485","control-id":"pe-16","description":"This Physical Environment control associated with hardware components within AWS is generally either partially or fully inherited from the AWS physical infrastructure, while the customer organization is responsible for any part of the control that is applicable to customer-controlled equipment and facilities, and the customer's configurable portion of the AWS logical infrastructure, including the Operating systems on Amazon EC2 instances and the customer's applications.\n\nFor the U.S. East, U.S. 
West, and GovCloud regions, this control is inherited from pre-existing Agency Authority to Operate (ATO) or JAB provisional Authority to Operate under the Federal Risk and Authorization Management Program (FedRAMP).\n\nRefer to the AWS FedRAMP SSP artifacts, including the Control Implementation Summary and Customer Responsibility Matrix, available from the AWS Compliance Team. http://aws.amazon.com/compliance/fedramp/"},{"uuid":"837f1b5a-0361-4aa7-80b8-bc5e5a2930e1","control-id":"pl-1","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013."},{"uuid":"84e0fe4a-7aa1-4ff1-9000-bcdba62de65a","control-id":"pl-2","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: AWS system security plan."},{"uuid":"0e2ca0c3-4c86-4098-b538-9ba115b15394","control-id":"ps-1","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013."},{"uuid":"ba9e5a58-571e-4691-8ccf-c54775a62522","control-id":"ra-1","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud Service Provider dated 1 May 2013."},{"uuid":"0b9c9323-dcf9-4ccc-aa79-8d7fb787962d","control-id":"ra-5","description":"The system partially inherits this control from the FedRAMP Provisional ATO granted to the AWS Cloud dated 1 May 2013 for the following: vulnerability scanning."},{"uuid":"c7378b7b-9a6b-40f5-8659-cb73113a631c","control-id":"sa-5","statements":[{"uuid":"08f0cfcf-e4a6-4a35-a21c-b1bd22df3e88","description":"In this architecture, documentation of the infrastructure configuration in the form of AWS CloudFormation templates in JSON or YAML format, architecture diagrams, deployment user guide and security controls implementation details is included.\n\nAWS built-in features include 
online documentation for management of the infrastructure at http://aws.amazon.com/documentation/","statement-id":"sa-5_smt.a"},{"uuid":"41030bae-6248-44ab-b1ee-f2c1f450fddc","description":"AWS built-in features include online documentation of AWS services at http://aws.amazon.com/documentation/\n\n1. AWS built-in features include online documentation for AWS account users at\n   http://aws.amazon.com/documentation/ such as user guides, API reference guides, CLI\n   reference guides and developer reference guides to provide information on how to\n   effectively use security functions.\n\n2. AWS built-in features include online documentation for AWS account users within the\n   infrastructure at http://aws.amazon.com/documentation/ such as user guides, API\n   reference guides, CLI reference guides and developer reference guides to provide\n   information on how to access AWS services and components in a more secure manner.\n\n3. AWS built-in features include online documentation for AWS account users at\n   https://aws.amazon.com/security/security-resources/ that provides information\n   related to security responsibilities of customers using AWS services.","statement-id":"sa-5_smt.b"},{"uuid":"1ed188f2-6e30-495c-a6ee-0f6b2b90e509","description":"AWS built-in features include online documentation that is protected by AWS from unauthorized modification or deletion within the AWS system.","statement-id":"sa-5_smt.d"},{"uuid":"14b690a2-f3c4-4f40-8a61-02fcb4e614d7","description":"AWS built-in features include online documentation located at http://aws.amazon.com/documentation/ that is publicly available.","statement-id":"sa-5_smt.e"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"32be1f43-a1fd-426b-aec9-4123fb0fcbf9","control-id":"sc-7","statements":[{"uuid":"9c7f4177-e2e0-499f-bb5f-e3084ee7903d","description":"In this architecture, network communications to, from, and between VPCs, subnets and Amazon S3 buckets are 
controlled as follows: AWS Route Tables specify which subnets in each VPC are accessible through gateways and which are isolated/private. AWS Security Groups provide stateful inbound/outbound port/protocol restrictions, and Amazon Simple Storage Service (Amazon S3) buckets support access control restrictions based on network source/destination.","statement-id":"sc-7_smt.a"},{"uuid":"78fd092b-c1f3-4dee-8d61-d76c4cd55067","description":"In this architecture, subnetworks for publicly accessible system components are logically separated from internal private subnetworks via AWS security groups, refined routing tables, and NACLs.","statement-id":"sc-7_smt.b"},{"uuid":"fb2e847a-3b0a-49ce-941a-a4c9a1e34aae","description":"In this architecture, connection to external networks is possible only through Internet Gateways (IGWs) or NAT gateways (in regions where supported by AWS VPC) and is restricted based on ports/protocols via AWS Security Groups and the default subnet rules provided by NACLs.","statement-id":"sc-7_smt.c"}],"description":"Requirements are implemented as described in the included statements."},{"uuid":"4a5c1410-42ff-4296-abef-30bfada0917c","control-id":"sa-12","description":"In this architecture, initial private/public SSH keys stored in Identity and Access Management (IAM) are supplied to Amazon EC2 instances upon launch, and the public key portion is managed within the Amazon EC2 service. In addition, server-side encryption is used for Amazon S3 storage and Amazon RDS databases, using key management provided by AWS for the storage buckets and Amazon RDS databases."},{"uuid":"a16779ce-0c7b-4d04-87c5-faf7f5b174a1","control-id":"sa-13","description":"In this architecture, encryption mechanisms are employed for data at rest and in transit. For data at rest, AES-256 server-side encryption is employed for data stored in Amazon S3 and Amazon RDS databases. 
For data in transit, to protect against exposure of any cleartext data transmitted deliberately (upload/download) or incidentally during interactive systems management operations, Amazon S3 object access can only be conducted over encrypted sessions via TLS; the bastion host, Amazon EC2 instances and associated security groups are configured for encrypted SSH sessions only. For web user access, the Elastic Load Balancing (ELB) employs a TLS endpoint.\n\nAWS built-in features employ TLS for AWS Management Console sessions, AWS API calls, and AWS Command Line Interface connections."},{"uuid":"dcc5f047-09c7-47b6-89be-6475b59ea821","control-id":"sa-39","description":"In this architecture, the AMIs that make up the operating systems deployed on Amazon EC2 instances maintain separate execution domains/address spaces for executing processes within the customer operating environment.\n\nAWS built-in features of the hypervisors that support the infrastructure maintain separate execution domains/address spaces for executing processes."}]}]}]}}