FIPS 140-2 Compliance on Amazon Linux 2

Posted on 05 Jun 2022 in Computing

Enabling the Federal Information Processing Standard (FIPS) 140-2 on Amazon Linux 2 is incredibly simple. You would do this in order to comply with DISA STIGs, PCI DSS, NIST CMVP, FISMA, or FedRAMP standards, and it is one additional way to give your security posture on AWS a bit of a boost.

sudo yum install -y dracut-fips
sudo dracut -fv
sudo /sbin/grubby --update-kernel=ALL --args="fips=1"
sudo reboot

Better yet, you can replace dracut-fips with dracut-fips-aesni to take advantage of, and enable support for, CPUs with AES New Instructions (AES-NI), which most Intel/AMD x64 CPUs released after 2008 support. This will aid the performance of decryption at boot and run time:

sudo yum install -y dracut-fips-aesni

Fortunately, dracut-fips is installed along with it, since the *-aesni package depends on the parent package. Then, of course, it's good to verify that FIPS is enabled after you reboot:

sudo sysctl crypto.fips_enabled

This should return a value of 1. If a value of 0 is returned, something, like the best-laid plans of mice and men, has gone awry, or you haven't rebooted the system yet.

The referenced AWS blog provides additional detail, but that sums it up. You're done! It's simple, but it would be ideal and pretty slick to place this into user data (via AWS CloudFormation or HashiCorp Terraform)!
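Pulling the steps above into one script, as an added example that is not from the AWS post or the Amazon Linux project: a hypothetical fips-mode.sh with an enable subcommand suited to EC2 user data (it skips the install and reboot if FIPS is already on, so it is safe to run twice) and a check subcommand for after the reboot. It assumes Amazon Linux 2, root privileges (cloud-init runs user data as root), and that the verification parses the same sysctl key and fips=1 kernel argument the post uses; the sample sysctl output and command lines in the comments are constructed for illustration.

```shell
#!/bin/bash
# fips-mode.sh (hypothetical helper, added example): enable and verify
# FIPS 140-2 mode on Amazon Linux 2. Assumes it runs as root.

# Print just the value from `sysctl crypto.fips_enabled`, whose output
# looks like "crypto.fips_enabled = 1" (constructed sample).
fips_value_from_sysctl() {
  printf '%s\n' "$1" | sed -n 's/^crypto\.fips_enabled *= *\([01]\)$/\1/p'
}

# Return 0 when a kernel command line (the contents of /proc/cmdline,
# e.g. "BOOT_IMAGE=/boot/vmlinuz root=UUID=... ro fips=1", constructed)
# contains the exact token fips=1. Matching whole tokens avoids a false
# positive on something like "nofips=1".
cmdline_has_fips() {
  case " $1 " in
    *" fips=1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check on this host: the running kernel must report the sysctl as 1
# AND have booted with fips=1, otherwise the initramfs/grub change has not
# taken effect yet (typically: no reboot since enabling).
fips_status() {
  value=$(fips_value_from_sysctl "$(sysctl crypto.fips_enabled 2>/dev/null)")
  if [ "$value" = "1" ] && cmdline_has_fips "$(cat /proc/cmdline 2>/dev/null)"; then
    echo enabled
  else
    echo disabled
  fi
}

# The four steps from the post: dracut-fips-aesni pulls in dracut-fips,
# the initramfs is rebuilt, and every installed kernel gets fips=1.
enable_fips() {
  yum install -y dracut-fips-aesni
  dracut -fv
  /sbin/grubby --update-kernel=ALL --args="fips=1"
}

main() {
  case "${1:-}" in
    enable)
      if [ "$(fips_status)" = "enabled" ]; then
        echo "FIPS mode already enabled; nothing to do."
        return 0
      fi
      enable_fips
      reboot
      ;;
    check)
      status=$(fips_status)
      echo "FIPS mode: $status"
      [ "$status" = "enabled" ]
      ;;
    *)
      echo "usage: $0 {enable|check}" >&2
      return 2
      ;;
  esac
}

main "$@"
```

When pasting this into an instance's user data, cloud-init invokes the script with no arguments, so replace the final line with `main enable`; cloud-init runs user-data scripts once per instance, so the reboot does not re-trigger the install. After the instance comes back, `sudo bash fips-mode.sh check` exits 0 only when both the sysctl and the kernel command line agree, which is a stricter check than the sysctl alone and makes the script usable as a compliance probe.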

You should also compare your organization's cipher policy (via CIS, DISA STIG, etc.) and make those revisions in /etc/ssh/sshd_config for the OpenSSH server.

References:

https://aws.amazon.com/blogs/publicsector/enabling-fips-mode-amazon-linux-2/

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html