Compliance Posture
Per-control status is computed live from AWS Config and Security Hub findings and mapped to each framework through a curated Control Crosswalk. Status is never hand-authored: the screen shows what the findings support, including partial and customer-owned controls.
Enabled frameworks (set by the Platform Admin): evidence is collected only for the 8 enabled frameworks.
FedRAMP High coverage: 90% (36 of 40 satisfied; 1 partial (shared); 3 customer-owned)
Note that the denominator is the 40 controls in this crosswalk, not the full NIST SP 800-53 Rev. 5 High baseline, which contains several hundred controls. Customer-owned controls count against coverage because the platform cannot evidence them.
Audience: US federal agencies and SaaS vendors serving them.
NIST SP 800-53 Rev. 5 High baseline for federal cloud systems. Required for DoD Impact Level 4/5 (CUI) and national-security-adjacent workloads.
Controls (40 of 40 shown)
The Layers column lists which tiers of the stack implement the control: AWS (inherited from the provider), Foundation, AgentStamp, App, or Customer.
| Control | Title | Status | Layers | Evidence |
|---|---|---|---|---|
| AC-2 | Account Management | Satisfied | Foundation, App | identity.yaml (deploy roles); IAM Identity Center |
| AC-3 | Access Enforcement | Satisfied | Foundation, AgentStamp, App | Permission boundary (identity.yaml); agent-stamp IAM roles |
| AC-4 | Information Flow Enforcement | Satisfied | Foundation, AgentStamp | VPC endpoints with endpoint policies (networking.yaml); security group rules |
| AC-6 | Least Privilege | Satisfied | Foundation, AgentStamp, App | Permission boundary (identity.yaml); per-tool IAM scoping |
| AC-17 | Remote Access | Satisfied | AWS, Foundation | TLS 1.2+ enforced via S3 bucket policies and endpoint policies |
| AU-2 | Event Logging | Satisfied | Foundation, AgentStamp, App | CloudTrail (audit.yaml); Bedrock invocation logs; agent structured logs |
| AU-3 | Content of Audit Records | Satisfied | Foundation, App | CloudTrail event content (AWS-defined); custom event content (app) |
| AU-4 | Audit Log Storage Capacity | Satisfied | Foundation | S3 audit bucket (audit.yaml); no practical capacity ceiling |
| AU-9 | Protection of Audit Information | Satisfied | AWS, Foundation | S3 Object Lock in compliance mode (audit.yaml); CMK encryption (security.yaml) |
| AU-11 | Audit Record Retention | Satisfied | Foundation | 365-day Object Lock retention plus Glacier Deep Archive (audit.yaml) |
| AU-12 | Audit Record Generation | Satisfied | Foundation, AgentStamp, App | Service-level AWS logging; agent structured logs to CloudWatch |
| CM-2 | Baseline Configuration | Satisfied | Foundation, AgentStamp | This repo plus parameters/<env>.json |
| CM-3 | Configuration Change Control | Satisfied | Foundation, AgentStamp | Change-set review (bin/deploy.sh); CodePipeline manual approval (ci.yaml) |
| CM-5 | Access Restrictions for Change | Satisfied | Foundation | Deploy roles scoped (identity.yaml); permission boundary blocks IAM tampering |
| CM-6 | Configuration Settings | Satisfied | Foundation, AgentStamp | CloudFormation Guard rules (shared/guard-rules/); cfn_nag scan |
| CM-7 | Least Functionality | Satisfied | Foundation, AgentStamp, App | No public networking (network-no-public.guard); per-tool IAM |
| CM-8 | System Component Inventory | Satisfied | Foundation, AgentStamp | AWS Config (observability.yaml) |
| IA-2 | Identification and Authentication (Organizational Users) | Satisfied | AWS, Foundation | IAM and IAM Identity Center |
| IA-5 | Authenticator Management | Satisfied | Foundation | Account password policy (identity.yaml custom resource) |
| IR-4 | Incident Handling | Satisfied | AWS, Foundation, AgentStamp, App | GuardDuty and Security Hub (observability.yaml); operational runbooks |
| IR-5 | Incident Monitoring | Satisfied | Foundation | Security Hub (observability.yaml) |
| IR-6 | Incident Reporting | Customer | Customer | Customer responsibility: FedRAMP PMO reporting procedures |
| SC-7 | Boundary Protection | Satisfied | AWS, Foundation | VPC with endpoint policies (networking.yaml); no IGW or NAT |
| SC-8 | Transmission Confidentiality and Integrity | Satisfied | Foundation, AgentStamp, App | TLS 1.2+ enforced; RequireSecureTransport deny statement (denies requests with aws:SecureTransport = false) |
| SC-12 | Cryptographic Key Establishment and Management | Satisfied | AWS, Foundation | KMS key creation and rotation (security.yaml) |
| SC-13 | Cryptographic Protection | Satisfied | AWS | KMS HSMs validated to FIPS 140-3 Level 3; AWS-LC FIPS module (a software module, separate from the HSMs) |
| SC-28 | Protection of Information at Rest | Satisfied | Foundation, AgentStamp | CMK encryption on every storage resource (security.yaml, agent-stamp) |
| SI-2 | Flaw Remediation | Satisfied | AWS, Foundation, AgentStamp | AWS-managed for service infrastructure; Inspector for container and Lambda (observability.yaml) |
| SI-3 | Malicious Code Protection | Satisfied | AWS, Foundation | GuardDuty Malware Protection |
| SI-4 | System Monitoring | Satisfied | AWS, Foundation, AgentStamp, App | CloudTrail; GuardDuty; CloudWatch alarms; agent-level metrics |
| SI-7 | Software, Firmware, and Information Integrity | Satisfied | Foundation, AgentStamp | CloudTrail log file validation; ECR tag immutability and image scanning (registry.yaml) |
| SI-10 | Information Input Validation | Customer | App | Bedrock Guardrails and Pydantic schemas (app responsibility) |
| RA-5 | Vulnerability Monitoring and Scanning | Satisfied | Foundation, AgentStamp | Inspector (observability.yaml) for ECR images and Lambda runtimes |
| CP-7 | Alternate Processing Site | Satisfied | AWS, Foundation | Cross-region foundation deploy (the alternate site); Multi-AZ private subnets (networking.yaml) for in-region availability |
| CP-9 | System Backup | Satisfied | AWS, Foundation, AgentStamp | DynamoDB PITR (agent-stamp); S3 versioning and Object Lock; AWS Backup |
| CP-10 | System Recovery and Reconstitution | Satisfied | Foundation, AgentStamp | Infrastructure-as-code reconstitution from this repo |
| SR-3 | Supply Chain Controls and Processes | Satisfied | AWS, Foundation | ECR image scanning and tag immutability; CodeArtifact for vetted packages |
| CA-7 | Continuous Monitoring | Satisfied | Foundation | AWS Config conformance pack; Security Hub; GuardDuty |
| SA-11 | Developer Testing and Evaluation | Partial (shared) | Foundation, App | cfn-guard and cfn_nag in CI; app-layer testing is customer-owned |
| PL-2 | System Security Plan | Customer | Customer | Customer artifact; the SSP is outside this repo |
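The status derivation described at the top of this page (findings rolled up through a crosswalk into Satisfied, Partial or Customer, never hand-authored) as an added worked example. This is illustration code written for this page, not the dashboard's own implementation: the four-control `CROSSWALK` is a hypothetical excerpt, the Security Hub control IDs in it are assumed mappings, and the findings are constructed rows carrying only the ASFF fields the rollup needs. It also shows two edge cases the table hides: archived or suppressed findings must not count as evidence either way, and a mapped control with no collected evidence must surface as Unknown rather than Satisfied.

```python
"""Per-control status derived from Security Hub findings through a crosswalk.

Added illustration only: the crosswalk is a hypothetical four-control excerpt
and the findings are constructed, not the page's curated Control Crosswalk or
live Security Hub data.
"""
from dataclasses import dataclass
from typing import Iterable

# Hypothetical crosswalk: NIST 800-53 control -> owner plus the Security Hub
# control IDs whose findings evidence it. A customer-owned control has no
# platform checks; a shared control has platform checks and a customer part.
CROSSWALK = {
    "AC-2":  {"owner": "platform", "checks": ("IAM.4", "IAM.21")},
    "SC-8":  {"owner": "platform", "checks": ("S3.5",)},
    "SA-11": {"owner": "shared",   "checks": ("CodeBuild.1",)},
    "IR-6":  {"owner": "customer", "checks": ()},
}


@dataclass(frozen=True)
class Finding:
    """The ASFF fields this rollup needs, one row per resource-level finding."""
    control_id: str               # Compliance.SecurityControlId, e.g. "S3.5"
    compliance: str               # Compliance.Status: PASSED / FAILED / WARNING / NOT_AVAILABLE
    record_state: str = "ACTIVE"  # RecordState: ACTIVE or ARCHIVED
    workflow: str = "NEW"         # Workflow.Status: NEW / NOTIFIED / SUPPRESSED / RESOLVED


# Constructed findings, including an archived failure and a suppressed one.
FINDINGS = [
    Finding("IAM.4", "PASSED"),
    Finding("IAM.21", "PASSED"),
    Finding("IAM.21", "FAILED", workflow="SUPPRESSED"),  # risk accepted by an analyst
    Finding("S3.5", "FAILED", record_state="ARCHIVED"),  # stale: bucket since fixed
    Finding("S3.5", "PASSED"),
    Finding("CodeBuild.1", "PASSED"),
]


def check_results(findings: Iterable[Finding]) -> dict[str, str]:
    """Roll findings up to one result per Security Hub control ID.

    Follows the same rule Security Hub applies to its own control status
    (stated here as an assumption): only ACTIVE findings in workflow NEW or
    NOTIFIED count, and a single FAILED resource fails the control. A control
    whose only live evidence is WARNING or NOT_AVAILABLE is NO_EVIDENCE, not a pass.
    """
    seen: dict[str, set[str]] = {}
    for f in findings:
        if f.record_state != "ACTIVE" or f.workflow not in ("NEW", "NOTIFIED"):
            continue
        seen.setdefault(f.control_id, set()).add(f.compliance)
    results: dict[str, str] = {}
    for cid, statuses in seen.items():
        if "FAILED" in statuses:
            results[cid] = "FAILED"
        elif statuses == {"PASSED"}:
            results[cid] = "PASSED"
        else:
            results[cid] = "NO_EVIDENCE"
    return results


def control_status(control: str, results: dict[str, str]) -> str:
    """Compute the status the dashboard would show for one framework control."""
    entry = CROSSWALK[control]
    if entry["owner"] == "customer":
        return "Customer"
    outcomes = [results.get(cid, "NO_EVIDENCE") for cid in entry["checks"]]
    if not outcomes or "NO_EVIDENCE" in outcomes:
        return "Unknown"  # a mapping without evidence must never render as Satisfied
    if "FAILED" in outcomes:
        return "Failed"
    # every platform check passes; a shared control still has a customer part
    return "Partial" if entry["owner"] == "shared" else "Satisfied"


def posture(findings: Iterable[Finding]) -> dict:
    """Per-control statuses plus coverage: satisfied over all mapped controls,
    customer-owned ones included in the denominator as on the page."""
    results = check_results(findings)
    statuses = {c: control_status(c, results) for c in CROSSWALK}
    satisfied = sum(1 for s in statuses.values() if s == "Satisfied")
    return {
        "controls": statuses,
        "satisfied": satisfied,
        "total": len(statuses),
        "coverage_pct": round(100 * satisfied / len(statuses)),
    }


if __name__ == "__main__":
    summary = posture(FINDINGS)
    for control, status in summary["controls"].items():
        print(f"{control:6} {status}")
    print(f"{summary['satisfied']}/{summary['total']} satisfied ({summary['coverage_pct']}%)")
```

With the constructed findings this yields AC-2 and SC-8 Satisfied, SA-11 Partial and IR-6 Customer, so 2 of 4 (50%). The suppressed IAM.21 failure and the archived S3.5 failure are both ignored, which is deliberate: suppression is an analyst's risk-acceptance decision and archival means the resource or finding is gone, and neither is evidence of compliance; if such a finding were the only one for a check, the control drops to Unknown instead of passing by default.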
Cross-framework Crosswalk
Capabilities in this stack mapped to their equivalents in other frameworks. 6 capabilities relevant to FedRAMP High.