
From AFT to ATO: The Prequel

Written by Michael Greenlaw

How to Get Started with FedRAMP Automation

In the last installment of this blog series, we covered how to create a new AWS environment using AFT and the beginnings of using AFT pipelines to generate infrastructure. The purpose of this installment was originally to continue our journey; however, I was fortunate enough to speak on this topic in-depth at HashiTalks. Due to its technical nature, we thought it better to complete the blog series by taking a step back and providing a discussion about what the tool is, the problems it solves, and how it can empower us.

AWS Control Tower Account Factory for Terraform (AFT) is a tool built through the collaboration of HashiCorp and AWS. The idea is to let us leverage Terraform-based account provisioning and account customizations while governing those accounts with AWS Control Tower. This is done by creating accounts and Organizational Units (OUs) in Control Tower, using Terraform to create pipelines within AWS CodePipeline, and then importing the Control Tower accounts and OUs into those pipelines, which allows provisioning and customizations to be applied to the accounts. Once all steps are completed, you are able to manage the state of the Control Tower-governed accounts with Terraform. This enables you to customize accounts with a supplied automation pipeline; however, what is the importance of these features?

The importance derives from complications that arise when going for Federal Risk and Authorization Management Program (FedRAMP) approval. When companies begin their journey to obtaining an Authority to Operate (ATO) with AWS, an often-recurring issue identified by HanaByte is the scale of the authorization boundary. The authorization boundary can officially be defined as “all components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.” Simply put, it is a boundary that separates our FedRAMP-governed cloud environments from environments that do not handle regulated federal data. When considering the effort required to create a logical separation of boundaries within a preexisting application’s cloud environment, it can be much easier to create an entirely separate account or organization of accounts. In such a case, we now need to create AWS Accounts, Organizations, guardrails, pipelines, Infrastructure as Code (IaC), etc., all of which AFT either does or streamlines for us. It empowers us to bridge the gap between a greenfield AWS account and receiving an ATO through 4 key features and benefits:

  • Automating Account Creation
  • Infrastructure as Code
  • Centralized Governance and Compliance
  • Scalability and Customizability

Automating Account Creation

The initial process is to create accounts using AWS Control Tower. From an engineer’s perspective, this task is not fully automated, but it does achieve the goal of having the account imported into our Terraform pipelines. Once an account has been imported, we are able to create new accounts using standardized Terraform templates that provide us with predefined IAM roles, policies, and resource limits. This process not only accelerates the provisioning and customization of accounts, but also effectively ensures error-free account configurations.
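As an added example (not code from the original post or from HanaByte), this is what the standardized Terraform request for a new boundary account looks like. The module source and field names follow the AFT account request module's schema; every value (emails, OU name, tag values, customization name) is a constructed placeholder.

```hcl
# Added example: an AFT account request for a FedRAMP workload account.
# Field names follow the AFT account request module; all values are
# constructed placeholders for illustration.
module "fedramp_workload_prod" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail = "aws-fedramp-prod@example.com" # placeholder
    AccountName  = "fedramp-workload-prod"        # placeholder
    # Placing the account in a dedicated OU keeps it inside the authorization
    # boundary, so the Control Tower guardrails attached to that OU apply to it.
    ManagedOrganizationalUnit = "FedRAMP-Moderate" # placeholder OU name
    SSOUserEmail              = "cloud-admins@example.com" # placeholder
    SSOUserFirstName          = "FedRAMP"
    SSOUserLastName           = "Admin"
  }

  # Applied by the pipeline, so every boundary account carries the same
  # audit metadata without anyone tagging it by hand.
  account_tags = {
    "Environment"           = "prod"
    "AuthorizationBoundary" = "fedramp-moderate"
    "DataClassification"    = "cui"
  }

  # Recorded with the request; doubles as change-control evidence for auditors.
  change_management_parameters = {
    change_requested_by = "platform-team"
    change_reason       = "Provision workload account inside the FedRAMP boundary"
  }

  # Free-form key/value pairs made available to the customization pipelines,
  # so account-level Terraform can branch on the impact level.
  custom_fields = {
    fedramp_impact_level = "moderate"
  }

  # Folder under aft-account-customizations/ whose Terraform runs for this
  # account after the global customizations have been applied.
  account_customizations_name = "fedramp-workload"
}
```

Committing this file to the account request repository is what triggers AFT to vend the account and run its pipelines; no console clicks are involved after the initial Control Tower setup.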

Infrastructure as Code

By defining AWS account configurations in Terraform manifests, we are able to utilize version control to collaborate and iterate on account settings and customizations. The pipelines and AWS Step Functions are generated automatically, and the solution natively integrates with AWS CodeCommit, allowing all tooling to remain native to AWS.

Centralized Governance and Compliance

By encapsulating governance policies and compliance controls within Terraform templates, AFT can enforce standardized configurations across all AWS accounts. Additionally, using the global configurations, changes can be applied to all accounts being tracked by the AFT Terraform state. This centralized approach not only bolsters security, but also streamlines auditing and compliance efforts.
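As an added example of the global configuration described above (not code from the original post or from HanaByte), here is a fragment of Terraform that AFT would apply to every account it manages. The resource types are standard AWS provider resources; the values are constructed to illustrate common baseline hardening, not a complete FedRAMP control set.

```hcl
# Added example: a fragment of aft-global-customizations/terraform/ that
# applies the same account-level controls to every account in AFT's state.
# AFT's pipeline generates the provider configuration for each target
# account, so none is declared here. Values are illustrative.

# Block public S3 access for the whole account rather than bucket by bucket,
# so a new bucket cannot be exposed by a single misconfigured policy.
resource "aws_s3_account_public_access_block" "all" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encrypt every new EBS volume by default in the region the pipeline targets.
resource "aws_ebs_encryption_by_default" "all" {
  enabled = true
}

# Account password policy for any IAM users that are created despite SSO.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  max_password_age               = 60
  password_reuse_prevention      = 24
  allow_users_to_change_password = true
  hard_expiry                    = false
}
```

Because the same code runs in every vended account, tightening one of these settings is a single commit that the pipelines roll out fleet-wide, and the Terraform state becomes the record an assessor can compare against.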

Scalability and Customizability

As environments scale, so does AFT. Adding new accounts via Terraform automatically generates new pipelines, streamlining creation of workload accounts. By utilizing Terraform modules in this process, AFT is able to repeatedly create and destroy customized environments tailored to your compliance needs.

Conclusion

With continuous updates and relatively low deployment costs, AFT continues to be a top contender for Terraform automation of AWS Control Tower resources. It empowers us to create scalable, governed and compliant environments from scratch, while simultaneously streamlining our ability to create tailored FedRAMP customizations. There are many different ways to approach FedRAMP, and many tools to select from. Thus, it’s imperative to assess one’s environment before embarking on such a journey, as picking the right tools can drastically reduce time to ATO. HanaByte is your partner in cybersecurity that specializes in compliance and automation, and would love to help you start your journey to ATO.
