This project creates hardened, FISMA Ready Ubuntu LTS Amazon Machine Instances (AMIs) that are suitable for use in Amazon Web Services (AWS). To be FISMA Ready, the AMI must be instantitated in either the US-East or US-West regions of AWS, or the AWS GovCloud, in order to properly inherit the AWS controls assessed by the FedRAMP program. We recommend additional customer level controls on top of the FedRAMP authorization for the AWS Console, and will be releasing those soon.
We are also working to expand support for other deployment environments and image types.
Prepared and maintained by 18F, a Federal digital services team.
- Takes a fresh Ubuntu 14.04 LTS AMI (
ami-9eaa1cf6
), as published by Canonical:
-
Launches an
m3.medium
instance from this AMI in your AWS account's Classic region (not a VPC). -
Uses the included Chef cookbooks and templates to connect to the instance and configures to controls recommended by the Center for Internet Security.
-
Creates a new AMI from the configured instance, and prints out the AMI ID.
-
Install the Chef Development Kit for your OS. This includes both Knife and Berkshelf, which are critical dependencies.
-
Install Packer for your OS. For Mac OSX users, we highly recommend using a package manager like Homebrew and then running:
$ brew doctor
$ brew tap homebrew/binary
$ brew install packer
At press time, we used Packer 0.7.5
$ packer version
Packer v0.7.5
- Set two environmental variables.
export AWS_ACCESS_KEY_ID=[your AWS access key]
export AWS_SECRET_ACCESS_KEY=[your AWS secret key]
- Run
ami.sh
.
That's it! Take note of the AMI ID this spits out to your console after it's done.
The team at 18F decided to start work where FedRAMP stops for open source components in a true infrastructure as a service environment - at the operating system layer. Secure baselines were available for Windows, Solaris, and Red Hat Enterprise Linux. But, there were no generally available — and certainly not public — baselines, for Ubuntu or the Debian version of Linux generally.
18F is committed to free and open source software - our intention is that the software we write can be run anywhere, without the need to pay for licensing fees.
Our hardened version of Ubuntu is still in active development. It is subject to change rapidly. Our intention is that no changes will be system breaking, and testing both in local virtual machines and the AWS is ongoing. We have also started to put common web workloads on servers running the hardened OS and no issues have yet arisen. Always use a testing environment before deploying a new OS configuration into production, and please report back with any Issues or Pull Requests.