Building CJIS and FedRAMP Moderate Compliant Infrastructure with Amazon Q Developer
- Vishal Masih
Introduction
When tasked with building infrastructure that meets CJIS (Criminal Justice Information Services) and FedRAMP Moderate compliance requirements, I faced a critical challenge: achieving FIPS 140-2 compliance in AWS Public Cloud. This wasn't just about security best practices—it was about meeting strict federal compliance mandates for handling sensitive law enforcement and government data when not using AWS GovCloud.
Over 7 development phases, Amazon Q Developer helped me navigate complex compliance requirements and build a 266-resource Terraform infrastructure across 11 modules. Here's how we achieved CJIS and FedRAMP Moderate compliance in AWS Commercial Cloud.

The Compliance Challenge
The project required meeting two stringent compliance frameworks:
CJIS Compliance Requirements
FIPS 140-2 validated cryptography for all data at rest and in transit
Audit logging with tamper-evident trails
Access controls with least privilege
Network isolation and segmentation
Encryption for all sensitive data
FedRAMP Moderate Requirements
7-year audit log retention (CloudTrail, AWS Config)
Continuous monitoring and alerting
Configuration management and drift detection
Incident response capabilities
FIPS 140-2 compliance throughout the stack
The FIPS 140-2 Challenge in AWS Public Cloud
Here's where it got complicated: AWS Fargate does not support FIPS 140-2 in Commercial Cloud—FIPS-enabled Fargate is only available in AWS GovCloud.
Since we needed to deploy in AWS Public Cloud, we had to architect around this limitation.
The Solution: EC2-Based ECS with FIPS Compliance
After researching options with Amazon Q, we determined the path forward:
Architecture Decision
AWS Fargate - No FIPS support in Commercial Cloud (rejected)
ECS on EC2 with Amazon Linux 2023 FIPS-enabled AMI (selected)
FIPS-enabled container images built on AL2023 FIPS base
Bouncy Castle FIPS for Keycloak cryptographic operations
This became a critical architectural decision that Amazon Q helped me implement correctly.
How Amazon Q Helped Navigate FIPS Compliance
1. Understanding the FIPS Limitation
My initial prompt:
"I need to deploy ECS Fargate with FIPS 140-2 compliance for CJIS requirements. How do I enable FIPS mode on Fargate?"
Amazon Q's response identified the issue:
Fargate FIPS is only available in GovCloud regions
For Commercial Cloud, EC2-based ECS with a FIPS-enabled AMI is required
Recommended Amazon Linux 2023 with FIPS mode enabled
Explained container image requirements for FIPS compliance
This saved days of trial-and-error deployment attempts.
2. Designing the EC2-Based ECS Architecture
With the constraint identified, I asked:
"Create an ECS cluster using EC2 instances with Amazon Linux 2023 FIPS-enabled AMI. I need auto-scaling, proper IAM roles, and CloudWatch monitoring."
Amazon Q generated:
ECS cluster configuration for EC2 launch type
Launch template with AL2023 FIPS-enabled AMI
Auto Scaling Group with proper capacity management
IAM instance profile with ECS agent permissions
User data script for ECS agent configuration
CloudWatch Container Insights integration
Proper security group configuration
Key configuration:
# Amazon Linux 2023 FIPS-enabled AMI
ami = "ami-xxxxx" # AL2023 FIPS AMI for us-east-1
# User data to enable FIPS mode (a launch template expects it base64-encoded)
user_data = base64encode(<<-EOF
  #!/bin/bash
  # Enable FIPS mode; on AL2023 the kernel only runs in FIPS mode after the next boot
  fips-mode-setup --enable
  # Configure ECS agent
  echo "ECS_CLUSTER=${cluster_name}" >> /etc/ecs/ecs.config
  echo "ECS_ENABLE_CONTAINER_METADATA=true" >> /etc/ecs/ecs.config
  # Restart ECS agent
  systemctl restart ecs
  # Reboot so the instance comes up with fips_enabled=1 (cloud-init runs this script once per instance, so it does not loop)
  reboot
EOF
)
3. FIPS-Enabled Container Images
Next challenge: ensuring containers themselves run in FIPS mode.
"How do I build container images that are FIPS 140-2 compliant for use with AL2023 FIPS-enabled EC2 instances?"
Amazon Q provided guidance:
Use AL2023 FIPS-enabled base images
Install FIPS-validated OpenSSL libraries
Configure applications to use FIPS-approved algorithms
Validate FIPS mode is active in containers
Dockerfile pattern:
# Use AL2023 FIPS-enabled base
FROM public.ecr.aws/amazonlinux/amazonlinux:2023
# Install the crypto-policies tooling and switch the image-wide policy to FIPS.
# The policy restricts algorithm selection inside the image; FIPS mode itself is
# inherited from the host kernel (fips_enabled=1 on the AL2023 FIPS-enabled EC2 instance)
RUN dnf update -y && \
    dnf install -y crypto-policies-scripts && \
    update-crypto-policies --set FIPS && \
    dnf clean all && \
    rm -rf /var/cache/dnf /var/cache/yum
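The verification the post calls for ("validate FIPS mode is active in containers", and later "verify FIPS mode at every layer") is not shown in the original; the script below is an added example, not the post's code. It checks the kernel flag set by fips-mode-setup on the EC2 host, the crypto policy set by the Dockerfile above, and whether OpenSSL 3 has loaded its fips provider. Default paths are the standard AL2023 locations; each check also accepts an explicit path so it can be run against copied files.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check FIPS at every layer
# the post relies on. Default paths are the standard AL2023 locations;
# each check accepts an alternative path so it can run against copies.
set -u

# Kernel layer: "1" means the kernel booted in FIPS mode. Containers
# inherit this from the host; an image cannot turn it on by itself.
fips_kernel_enabled() {
  local flag_file="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$flag_file" ] || return 1
  [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Policy layer: what update-crypto-policies --set FIPS writes. Accepts
# FIPS and FIPS:<subpolicy>; anything else (DEFAULT, LEGACY, empty) fails.
crypto_policy_is_fips() {
  local policy_file="${1:-/etc/crypto-policies/config}" policy
  [ -r "$policy_file" ] || return 1
  policy="$(grep -vE '^[[:space:]]*(#|$)' "$policy_file" | head -n 1 | tr -d '[:space:]')"
  case "$policy" in
    FIPS|FIPS:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Application layer: OpenSSL 3 must list the fips provider as loaded.
openssl_fips_active() {
  command -v openssl >/dev/null 2>&1 || return 1
  openssl list -providers 2>/dev/null | grep -qE '^[[:space:]]+fips[[:space:]]*$'
}

# Run all layers and report; non-zero if any layer is not in FIPS mode.
fips_audit() {
  local rc=0
  if fips_kernel_enabled; then echo "kernel:        fips_enabled=1"; else echo "kernel:        NOT in FIPS mode"; rc=1; fi
  if crypto_policy_is_fips; then echo "crypto-policy: FIPS"; else echo "crypto-policy: NOT FIPS"; rc=1; fi
  if openssl_fips_active; then echo "openssl:       fips provider loaded"; else echo "openssl:       fips provider NOT loaded"; rc=1; fi
  return "$rc"
}

# Run the audit only when invoked with --check (for example from user data
# after the post-enable reboot, or as a container entrypoint pre-flight).
if [ "${1:-}" = "--check" ]; then
  fips_audit || exit 1
fi
```

Running it with --check inside a container on a non-FIPS host reports the kernel layer as failing even when the image's crypto policy is FIPS, which is exactly the case the Fargate limitation forces you to design around.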
4. The Keycloak FIPS Challenge
Keycloak (our identity provider) presented a unique challenge—it needed to run in strict FIPS mode for cryptographic operations.
"I need to configure Keycloak to run in strict FIPS mode using Bouncy Castle FIPS provider. How do I integrate this with my container image?"
Amazon Q helped me:
Understand Bouncy Castle FIPS requirements
Design artifact repository for FIPS libraries
Configure Keycloak to use BC FIPS provider
Set up proper Java security properties
Implementation:
Created FIPS-compliant artifact repository in S3
Stored Bouncy Castle FIPS JAR files with checksums
Modified Keycloak container to include BC FIPS
Configured Java security properties for FIPS mode
Keycloak FIPS configuration:
# Start with the official Keycloak image as our base
# This gives us Keycloak already installed and configured
FROM quay.io/keycloak/keycloak:26.4.5
# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_HTTP_MANAGEMENT_SCHEME=http
# Pass this via command line or env variable
# DB URL, DB USERNAME, DB PASSWORD, KEYSTORE PASSWORD
# Copy your keycloak.conf file into the container
# This assumes keycloak.conf is in the same directory as this Dockerfile
# Copy your files
COPY keycloak.conf /opt/keycloak/conf/keycloak.conf
COPY server.bcfks /opt/keycloak/conf/server.bcfks
COPY *.jar /opt/keycloak/providers/
COPY kc.java.security /opt/keycloak/conf/
# Fix ownership + safe permissions in one go
USER root
RUN chown -R keycloak:root /opt/keycloak && \
find /opt/keycloak/themes -type d -exec chmod 755 {} \; && \
find /opt/keycloak/themes -type f -exec chmod 644 {} \; && \
find /opt/keycloak/providers -type f -exec chmod 644 {} \;
RUN chmod 640 /opt/keycloak/conf/server.bcfks
# Switch back — Keycloak must run as 'keycloak'
USER keycloak
HEALTHCHECK --interval=60s --timeout=10s --start-period=120s --retries=3 \
  CMD bash -c "{ printf 'HEAD /health/ready HTTP/1.0\r\n\r\n' >&0; grep 'HTTP/1.0 200'; } 0<>/dev/tcp/localhost/9000" || exit 1
# Build Keycloak with your configuration
# This optimizes Keycloak for faster startup
RUN /opt/keycloak/bin/kc.sh build --features=fips --fips-mode=strict
# Define what command runs when the container starts
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
5. Artifact Repository for FIPS Components
To manage FIPS-compliant software distributions:
"Create a secure artifact repository for storing FIPS-validated libraries, Keycloak distributions, checksums, and SBOMs with versioning and encryption"
Amazon Q built:
S3 bucket with KMS encryption
Versioning for compliance tracking
Folder structure:
keycloak/
- FIPS-compatible Keycloak distributions
bouncycastle/fips/
- BC FIPS cryptographic libraries
checksums/
- SHA256 checksums for integrity verification
sbom/
- Software Bill of Materials for supply chain security
Bucket policy restricting access to a specific AWS account
Access logging to CloudTrail
Security features:
All objects encrypted with customer-managed KMS key
Versioning enabled for audit trail
HTTPS required for all operations
Integration with CI/CD for automated builds
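The post stores the BC FIPS JARs with SHA256 checksums but does not show the verification step that makes those checksums worth keeping. The script below is an added example (not the post's or the project's code) of that step, used in both the Keycloak image build (section 4) and the artifact repository (section 5): it checks every JAR fetched from the bouncycastle/fips/ prefix against a checksums/ manifest before anything is copied into /opt/keycloak/providers. It assumes the objects have already been synced to a local directory (for example with aws s3 sync) and that the manifest is in the "<sha256>  <filename>" format that sha256sum writes.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify artifacts fetched from the
# S3 repository (bouncycastle/fips/*.jar) against the checksums/ manifest before
# they are COPYed into the Keycloak image. The fetch itself is assumed done.
set -u

# SHA256 of one file; coreutils sha256sum on AL2023, shasum as a fallback.
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Expected digest for a file name from a manifest of "<sha256>  <filename>"
# lines (the text-mode format sha256sum writes). Prints nothing if absent.
expected_sha256() {
  awk -v n="$2" '$2 == n { print $1; exit }' "$1"
}

# Returns 0 only if the file is listed in the manifest AND its digest matches.
# An unlisted JAR is a rejection, not a pass: nothing unverified is shipped.
verify_artifact() {
  local file="$1" manifest="$2" name expected actual
  name="$(basename "$file")"
  expected="$(expected_sha256 "$manifest" "$name")"
  if [ -z "$expected" ]; then
    echo "REJECT $name: not listed in $(basename "$manifest")" >&2
    return 1
  fi
  actual="$(_sha256 "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "REJECT $name: SHA256 mismatch" >&2
    return 1
  fi
  echo "OK     $name"
}

# Verify every JAR in a directory; fail closed if any single one is rejected.
verify_dir() {
  local dir="$1" manifest="$2" rc=0 f
  for f in "$dir"/*.jar; do
    [ -e "$f" ] || { echo "no JARs found in $dir" >&2; return 1; }
    verify_artifact "$f" "$manifest" || rc=1
  done
  return "$rc"
}

# Usage: verify-artifacts.sh <dir-with-jars> <checksums/bc-fips.sha256>
if [ "$#" -eq 2 ]; then
  verify_dir "$1" "$2" || exit 1
fi
```

Wire it into the CI/CD build as a step that runs before docker build so a tampered or unlisted JAR fails the pipeline rather than landing in the Keycloak providers/ directory.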
6. FedRAMP Moderate: 7-Year Audit Retention
For FedRAMP Moderate compliance:
"Configure CloudTrail with 7-year retention, KMS encryption, log file validation, and CloudWatch Logs integration for real-time monitoring"
Amazon Q implemented:
CloudTrail with multi-region support
S3 bucket with 2,555-day (7-year) lifecycle policy
KMS encryption for all log files
CloudWatch Logs for real-time analysis
Log file validation for tamper detection
AWS Config with compliance rules
VPC Flow Logs with 90-day retention
Compliance achieved:
7-year audit log retention (FedRAMP requirement)
Tamper-evident logging (CJIS requirement)
Real-time monitoring (both frameworks)
Configuration compliance tracking
7. Network Isolation for CJIS
CJIS requires strict network segmentation:
"Design network architecture with complete isolation—no internet access for workloads, all AWS service communication via VPC endpoints, and multi-layer security controls"
Amazon Q designed:
12 VPC endpoints (S3, ECR, Secrets Manager, CloudWatch, SES, KMS, SSM, STS, ECS)
Zero internet access for EC2 instances and containers
Security groups with deny-by-default egress:
Database: port 3306 only
VPC endpoints: port 443 only
Email service: port 587 only
Network ACLs for stateless firewall protection
VPC Flow Logs for network monitoring
Result: Complete network isolation meeting CJIS requirements.
8. Encryption Everywhere
Both CJIS and FedRAMP require encryption at rest and in transit:
"Implement comprehensive encryption using FIPS 140-2 validated KMS keys for all data at rest, and TLS 1.2+ for all data in transit"
Amazon Q configured:
5 dedicated KMS keys:
S3 encryption
RDS encryption
Secrets Manager encryption
CloudWatch Logs encryption
EBS volume encryption
TLS 1.2+ enforcement on ALB with FIPS-compliant cipher suites
Database encryption with KMS for Aurora clusters
Secrets encryption with automatic rotation
FIPS-compliant TLS policy:
# FIPS-compatible. Note that the TLS13-1-3 policy accepts TLS 1.3 only; if TLS 1.2 clients
# must be allowed, the TLS 1.2+ variant is ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
ssl_policy = "ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04"
9. Continuous Monitoring & Alerting
FedRAMP requires continuous monitoring:
"Create comprehensive CloudWatch monitoring with alarms for security events, performance issues, and compliance violations with SNS notifications"
Amazon Q created:
6 CloudWatch alarms:
5 ECS memory utilization alarms
1 ALB response time alarm
AWS Config rules for compliance monitoring:
S3 bucket encryption enabled
RDS encryption enabled
CloudTrail enabled
VPC security group rules
EBS encryption enabled
SNS notifications for security team
CloudWatch dashboards for operational visibility
Key Compliance Achievements
CJIS Compliance
FIPS 140-2 cryptography - AL2023 FIPS-enabled EC2 and containers
Bouncy Castle FIPS - Strict FIPS mode for Keycloak
Network isolation - Zero internet access, VPC endpoints only
Audit logging - CloudTrail with tamper-evident logs
Access controls - IAM roles with least privilege
Encryption - KMS for all data at rest, TLS 1.2+ in transit
FedRAMP Moderate Compliance
7-year log retention - CloudTrail and AWS Config
Continuous monitoring - CloudWatch alarms and Config rules
Configuration management - Terraform IaC with state locking
Incident response - SNS notifications and CloudWatch Logs
FIPS 140-2 - End-to-end FIPS compliance
Vulnerability scanning - Container image scanning in ECR
The FIPS Architecture Stack
Here's the complete FIPS-compliant stack we built:
Compute Layer
ECS Cluster: EC2 launch type (not Fargate)
EC2 Instances: Amazon Linux 2023 FIPS-enabled AMI
Container Images: AL2023 FIPS base images
Keycloak: Bouncy Castle FIPS provider in strict mode
Network Layer
VPC Endpoints: 12 endpoints for AWS service access
No Internet Gateway: Zero internet access for workloads
Security Groups: Deny-by-default with specific allow rules
Network ACLs: Stateless firewall for defense-in-depth
TLS 1.2+: FIPS-compliant cipher suites on ALB
Data Layer
Aurora RDS: KMS encryption with FIPS-validated keys
S3 Buckets: KMS encryption for all objects
Secrets Manager: KMS encryption with automatic rotation
EBS Volumes: KMS encryption for EC2 instance storage
Security Layer
KMS Keys: 5 dedicated FIPS-validated keys
IAM Roles: Least privilege access
WAF: SQL injection and XSS protection
CloudTrail: 7-year audit log retention
AWS Config: Continuous compliance monitoring
VPC Flow Logs: Network traffic monitoring
Artifact Management
S3 Repository: FIPS-compliant software storage
Bouncy Castle FIPS: Cryptographic library storage
Checksums: SHA256 integrity verification
SBOM: Software Bill of Materials for supply chain security
Lessons Learned: FIPS in AWS Public Cloud
Critical Insights
Fargate Limitation
FIPS Fargate only in GovCloud
Must use EC2-based ECS in Commercial Cloud
Amazon Q identified this immediately, saving days of troubleshooting
AL2023 FIPS Mode
Amazon Linux 2023 has built-in FIPS support
Must explicitly enable FIPS mode in user data
Container images must also be FIPS-enabled
Bouncy Castle FIPS
Keycloak requires BC FIPS for strict FIPS mode
Must configure Java security properties
Artifact repository critical for managing FIPS libraries
Network Isolation
VPC endpoints eliminate internet dependency
Critical for CJIS compliance
Reduces attack surface significantly
Compliance as Code
AWS Config rules automate compliance checking
CloudTrail provides tamper-evident audit trail
Terraform ensures consistent, repeatable deployments
What Amazon Q Helped With
Designed EC2-based ECS architecture with FIPS support
Configured AL2023 FIPS mode correctly
Implemented 7-year log retention for FedRAMP
Created artifact repository for FIPS components
Designed network isolation meeting CJIS requirements
Configured comprehensive encryption with KMS
Created a private hosted DNS zone so apps can still talk to their IdP (Keycloak) without traversing the internet
Real Example: The Keycloak FIPS Journey
This was the most complex compliance challenge. Here's how Amazon Q helped:
Initial prompt:
"I need Keycloak to run in strict FIPS mode for CJIS compliance. It's running in a container on ECS. How do I achieve this?"
Amazon Q's guidance:
Use Bouncy Castle FIPS provider (not standard BC)
Configure Java security properties to prioritize BC FIPS
Set Keycloak environment variable
KC_FIPS_MODE=strict
Verify FIPS mode is active at runtime
Store BC FIPS JARs in secure artifact repository
Implementation steps:
Created artifact repository module
Uploaded BC FIPS libraries with checksums
Modified Keycloak Dockerfile to include BC FIPS
Configured Java security properties
Set Keycloak FIPS environment variable
Added runtime FIPS verification
Result: Keycloak running in strict FIPS mode, meeting CJIS cryptographic requirements.
Time saved: What could have taken weeks of research and testing took 2 days with Amazon Q's guidance.
Metrics: Compliance Achievement
| Requirement | Status | Implementation |
| --- | --- | --- |
| FIPS 140-2 Compute | Complete | AL2023 FIPS EC2 + containers |
| FIPS 140-2 Crypto | Complete | Bouncy Castle FIPS for Keycloak |
| Network Isolation | Complete | 12 VPC endpoints, private hosted DNS zone, zero internet |
| 7-Year Audit Logs | Complete | CloudTrail + AWS Config |
| Encryption at Rest | Complete | 5 KMS keys for all data |
| Encryption in Transit | Complete | TLS 1.2+ with FIPS ciphers |
| Continuous Monitoring | Complete | CloudWatch + Config rules |
| Access Controls | Complete | IAM least privilege |
| Audit Trail | Complete | CloudTrail with validation |
| Configuration Mgmt | Complete | Terraform IaC |
Compliance Frameworks Met:
CJIS Security Policy
FedRAMP Moderate
FIPS 140-2
Infrastructure Delivered
With Amazon Q Developer, I delivered:
266 AWS resources across 11 modules
CJIS compliant infrastructure
FedRAMP Moderate ready
FIPS 140-2 end-to-end compliance
EC2-based ECS with AL2023 FIPS AMI
FIPS-enabled containers on AL2023 base
Bouncy Castle FIPS for Keycloak strict mode
Zero internet access via VPC endpoints
7-year audit retention for CloudTrail
Comprehensive encryption with KMS
Continuous monitoring with CloudWatch and Config
All of this was delivered in a fraction of the time a manual implementation would require, with confidence in compliance.
Getting Started with Compliance-Focused Infrastructure
If you're building CJIS or FedRAMP compliant infrastructure:
1. Understand Your Compliance Requirements
Ask Amazon Q about specific compliance frameworks
Identify technical requirements (FIPS, encryption, logging)
Understand AWS service limitations (like Fargate FIPS)
2. Design for Compliance First
Don't retrofit compliance—build it in from the start
Use Amazon Q to validate architectural decisions
Choose services that support your compliance needs
3. Implement FIPS Correctly
For Commercial Cloud: EC2-based ECS with AL2023 FIPS
For GovCloud: Fargate FIPS is available
Verify FIPS mode at every layer (OS, containers, applications)
4. Automate Compliance Checking
Use AWS Config rules for continuous monitoring
Implement CloudTrail for audit trails
Set up CloudWatch alarms for security events
5. Document Everything
Maintain compliance documentation
Track configuration changes
Keep audit evidence readily available
The Bottom Line
Building CJIS and FedRAMP Moderate compliant infrastructure in AWS Public Cloud required navigating complex technical constraints—particularly around FIPS 140-2 compliance. Amazon Q Developer was instrumental in:
Identifying the Fargate FIPS limitation before wasting time on impossible implementations
Designing the EC2-based ECS solution with AL2023 FIPS support
Implementing Bouncy Castle FIPS for Keycloak strict mode
Architecting network isolation meeting CJIS requirements
Configuring 7-year audit retention for FedRAMP
Ensuring end-to-end encryption with FIPS-validated KMS
The result: A production-grade, compliance-ready infrastructure that meets the stringent requirements of law enforcement and federal government use cases.
Project Stats:
Total Resources: 266 AWS resources
Terraform Modules: 11 reusable modules
Compliance: CJIS + FedRAMP Moderate + FIPS 140-2
Compute: EC2-based ECS with AL2023 FIPS AMI
Containers: AL2023 FIPS-enabled base images
Keycloak: Bouncy Castle FIPS in strict mode
Audit Retention: 7 years (CloudTrail + Config)
Network: Zero internet access, 12 VPC endpoints
Timeline: 1 month (part-time)
Time Saved: 2 months of full time effort