FRR-RSC-07: API Capability
Applies to: Low, Moderate, High
Last Updated: 2025-11-25
Version: 1.0.0
Overview
All AWS security settings can be viewed and adjusted via AWS APIs. This enables programmatic configuration management, automation, and infrastructure-as-code approaches for maintaining FedRAMP compliance.
APIs
IAM API
Description:
Manages identity and access management configurations
How It Works:
RESTful API accessed via HTTPS. Supports JSON/XML responses. Uses AWS Signature Version 4 for authentication.
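The Signature Version 4 process named above, worked through as an added example (this is not code from the page or from the AWS SDKs, and all function names are my own): the signing key is derived by chaining HMAC-SHA256 over the date, region and service, the request is canonicalized, and the string-to-sign is signed. The inputs are the test access key AKIDEXAMPLE and secret from the public SigV4 documentation's IAM ListUsers example, so the result can be checked against that published signature.

```python
import hashlib
import hmac
from urllib.parse import quote

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")

def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    # Header names lowercased, values trimmed with inner whitespace collapsed, then sorted by name.
    canon = {k.lower().strip(): " ".join(v.strip().split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon))
    header_block = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    # Query parameters RFC 3986-encoded and sorted by name; the payload contributes its SHA-256.
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    text = "\n".join([method, quote(path, safe="/-_.~"), canon_query,
                      header_block, signed_headers, sha256_hex(payload)])
    return text, signed_headers

def sign_request(access_key, secret_key, region, service, method, path, query, headers, payload):
    # Returns the Authorization header value; headers must already carry host and x-amz-date.
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    text, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(text.encode("utf-8"))])
    signing_key = derive_signing_key(secret_key, amz_date[:8], region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")

# Inputs of the public SigV4 documentation's IAM ListUsers example (documentation test values, not real keys).
EXAMPLE_HEADERS = {"Host": "iam.amazonaws.com",
                   "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
                   "X-Amz-Date": "20150830T123600Z"}
EXAMPLE_QUERY = {"Action": "ListUsers", "Version": "2010-05-08"}

def example_authorization() -> str:
    return sign_request("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "us-east-1", "iam",
                        "GET", "/", EXAMPLE_QUERY, EXAMPLE_HEADERS, b"")
```

Because the signature covers the date, the canonical headers and the payload hash, a captured request cannot be replayed with altered parameters, which is why the SDKs and CLI sign every call rather than sending a static credential.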
Configuration Items:
- users:
  - CreateUser, DeleteUser, UpdateUser - User lifecycle management
  - CreateAccessKey, DeleteAccessKey - Access key management
  - CreateLoginProfile, UpdateLoginProfile - Console password settings
  - EnableMFADevice, DeactivateMFADevice - MFA device management
  - ListMFADevices - Enumerate MFA devices
  - GetUser, ListUsers - Query user details
  - TagUser, UntagUser - User metadata management
- roles:
  - CreateRole, DeleteRole, UpdateRole - Role lifecycle
  - PutRolePolicy, DeleteRolePolicy - Inline policy management
  - AttachRolePolicy, DetachRolePolicy - Managed policy attachment
  - UpdateAssumeRolePolicy - Trust policy modification
  - GetRole, ListRoles - Query role configurations
  - TagRole, UntagRole - Role metadata
- policies:
  - CreatePolicy, DeletePolicy - Customer managed policy lifecycle
  - CreatePolicyVersion, DeletePolicyVersion - Policy versioning
  - SetDefaultPolicyVersion - Set active policy version
  - GetPolicy, GetPolicyVersion - Retrieve policy documents
  - ListPolicies, ListAttachedRolePolicies - Policy enumeration
- account_settings:
  - GetAccountPasswordPolicy, UpdateAccountPasswordPolicy - Password requirements
  - GetAccountSummary - Account-level statistics
  - GetCredentialReport, GenerateCredentialReport - Compliance reporting
  - GetAccountAuthorizationDetails - Complete account configuration
Example CLI:
# List all users
aws iam list-users

# Get password policy
aws iam get-account-password-policy

# Enable MFA for user
aws iam enable-mfa-device --user-name john --serial-number arn:aws:iam::123456789012:mfa/john --authentication-code-1 123456 --authentication-code-2 789012
Example Boto3:
import boto3

iam = boto3.client('iam')

# List users with MFA status.
# list_users returns at most 100 users per call, so paginate or the audit silently misses users.
paginator = iam.get_paginator('list_users')
for page in paginator.paginate():
    for user in page['Users']:
        mfa_devices = iam.list_mfa_devices(UserName=user['UserName'])
        print(f"{user['UserName']}: {len(mfa_devices['MFADevices'])} MFA devices")
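The credential report that GetCredentialReport returns (listed under account_settings above) covers the whole account in one CSV, so it is the usual basis for MFA and key-age checks. The following is an added example, not code from the page: parse_report_time and credential_findings are my own names, the sample report is constructed with a subset of the real columns, and fetch_credential_report shows the boto3 calls needed to obtain the real report (it is not exercised offline).

```python
import csv
import io
import time
from datetime import datetime, timedelta, timezone

def parse_report_time(value: str):
    # Report timestamps are ISO 8601; N/A, no_information and not_supported mean "no value".
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def credential_findings(report_csv: str, now: datetime, max_key_age_days: int = 90):
    # Returns (user, finding) pairs for console users without MFA and for stale active access keys.
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled=not_supported, so check its MFA flag directly.
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_report_time(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
    return findings

def fetch_credential_report(iam) -> str:
    # iam is a boto3 IAM client. GenerateCredentialReport is asynchronous: poll until COMPLETE.
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")

# Constructed sample report (subset of the real columns); the account id is the page's example id.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2025-01-10T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,false,false,true,2024-06-01T00:00:00+00:00,true,2025-11-01T00:00:00+00:00
"""
SAMPLE_NOW = datetime(2025, 11, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, finding in credential_findings(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```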
Organizations API
Description:
Manages AWS Organizations and Service Control Policies (SCPs)
How It Works:
Centralized API for multi-account governance. SCPs provide guardrails across all accounts in the organization.
Configuration Items:
- organization:
  - CreateOrganization, DeleteOrganization - Organization lifecycle
  - DescribeOrganization - Query organization details
  - EnableAWSServiceAccess - Enable service integration
  - EnablePolicyType, DisablePolicyType - Policy type management
- accounts:
  - CreateAccount, CloseAccount - Account lifecycle
  - ListAccounts, DescribeAccount - Account enumeration
  - MoveAccount - Organizational unit changes
  - TagResource, UntagResource - Account tagging
- organizational_units:
  - CreateOrganizationalUnit, DeleteOrganizationalUnit - OU management
  - ListOrganizationalUnitsForParent - OU hierarchy
  - UpdateOrganizationalUnit - OU modifications
- policies:
  - CreatePolicy, DeletePolicy - SCP/tag policy creation
  - UpdatePolicy - Policy modifications
  - AttachPolicy, DetachPolicy - Policy attachment to OUs/accounts
  - ListPolicies, DescribePolicy - Policy enumeration
  - ListPoliciesForTarget - Policies affecting a specific account/OU
Example CLI:
# List all SCPs
aws organizations list-policies --filter SERVICE_CONTROL_POLICY

# Attach SCP to account
aws organizations attach-policy --policy-id p-12345678 --target-id 123456789012
Example Boto3:
import boto3

orgs = boto3.client('organizations')

# List accounts and their attached SCPs (list_accounts is paginated).
for page in orgs.get_paginator('list_accounts').paginate():
    for account in page['Accounts']:
        policies = orgs.list_policies_for_target(
            TargetId=account['Id'],
            Filter='SERVICE_CONTROL_POLICY'
        )
        print(f"{account['Name']}: {len(policies['Policies'])} SCPs")
Config API
Description:
Manages compliance rules and configuration recording
How It Works:
Continuously monitors and records AWS resource configurations. Evaluates compliance against defined rules.
Configuration Items:
- recorder:
  - PutConfigurationRecorder - Configure what to record
  - StartConfigurationRecorder, StopConfigurationRecorder - Recording control
  - DescribeConfigurationRecorders - Query recorder settings
  - DescribeConfigurationRecorderStatus - Check recording status
- delivery_channel:
  - PutDeliveryChannel - Configure S3/SNS delivery
  - DescribeDeliveryChannels - Query delivery settings
  - DescribeDeliveryChannelStatus - Check delivery status
- rules:
  - PutConfigRule, DeleteConfigRule - Compliance rule management
  - DescribeConfigRules - Query rule configurations
  - DescribeComplianceByConfigRule - Get compliance status
  - GetComplianceDetailsByConfigRule - Detailed compliance info
  - PutEvaluations - Submit custom rule evaluations
- conformance_packs:
  - PutConformancePack, DeleteConformancePack - Pack management
  - DescribeConformancePacks - Query pack details
  - DescribeConformancePackCompliance - Pack compliance status
  - GetConformancePackComplianceDetails - Detailed compliance
- aggregation:
  - PutConfigurationAggregator - Multi-account/region aggregation
  - DescribeConfigurationAggregators - Query aggregators
  - GetAggregateComplianceDetailsByConfigRule - Aggregated compliance
Example CLI:
# Deploy conformance pack
aws configservice put-conformance-pack --conformance-pack-name fedramp-rsc --template-body file://conformance-pack.yaml

# Check compliance
aws configservice describe-compliance-by-config-rule --config-rule-names root-account-mfa-enabled
Example Boto3:
import boto3

config = boto3.client('config')

# Get all non-compliant resources.
# Both calls are paginated; get_compliance_details_by_config_rule returns only 10 results
# per call by default, so an unpaginated count would be capped at 10.
for page in config.get_paginator('describe_config_rules').paginate():
    for rule in page['ConfigRules']:
        details = config.get_paginator('get_compliance_details_by_config_rule').paginate(
            ConfigRuleName=rule['ConfigRuleName'],
            ComplianceTypes=['NON_COMPLIANT']
        )
        non_compliant = [result for detail_page in details for result in detail_page['EvaluationResults']]
        if non_compliant:
            print(f"Rule {rule['ConfigRuleName']}: {len(non_compliant)} non-compliant resources")
CloudTrail API
Description:
Manages audit logging and event history
How It Works:
Records AWS API calls and delivers log files to S3. Provides searchable event history for security analysis.
Configuration Items:
- trails:
  - CreateTrail, DeleteTrail - Trail lifecycle
  - UpdateTrail - Modify trail settings
  - StartLogging, StopLogging - Logging control
  - GetTrail, DescribeTrails - Query trail configuration
  - GetTrailStatus - Check trail status
  - PutEventSelectors - Configure what events to log
  - GetEventSelectors - Query event selectors
- event_data_stores:
  - CreateEventDataStore, DeleteEventDataStore - Data store management
  - UpdateEventDataStore - Modify retention/settings
  - DescribeEventDataStore - Query data store details
- insights:
  - PutInsightSelectors - Enable CloudTrail Insights
  - GetInsightSelectors - Query Insights configuration
- queries:
  - LookupEvents - Search recent events (90 days)
  - StartQuery, CancelQuery - Run SQL queries on event data
  - DescribeQuery, GetQueryResults - Retrieve query results
Example CLI:
# Create multi-region trail
aws cloudtrail create-trail --name fedramp-audit --s3-bucket-name audit-logs-bucket --is-multi-region-trail

# Lookup recent IAM events
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser
Example Boto3:
import boto3
from datetime import datetime, timedelta, timezone

cloudtrail = boto3.client('cloudtrail')

# Find all root account usage in the last 90 days.
# lookup_events returns at most 50 events per call, so paginate to get a true count.
pages = cloudtrail.get_paginator('lookup_events').paginate(
    LookupAttributes=[
        {'AttributeKey': 'Username', 'AttributeValue': 'root'}
    ],
    StartTime=datetime.now(timezone.utc) - timedelta(days=90)
)
root_events = [event for page in pages for event in page['Events']]
print(f"Root account used {len(root_events)} times in last 90 days")
S3 API
Description:
Manages bucket security configurations
How It Works:
RESTful API for object storage. Supports bucket-level and object-level security controls.
Configuration Items:
- bucket_security:
  - PutBucketEncryption, GetBucketEncryption - Encryption settings
  - PutBucketVersioning, GetBucketVersioning - Versioning control
  - PutBucketLogging, GetBucketLogging - Access logging
  - PutPublicAccessBlock, GetPublicAccessBlock - Block public access
  - PutBucketPolicy, GetBucketPolicy - Bucket policies
  - PutBucketAcl, GetBucketAcl - Access control lists
- lifecycle:
  - PutBucketLifecycleConfiguration - Retention policies
  - GetBucketLifecycleConfiguration - Query lifecycle rules
- replication:
  - PutBucketReplication - Cross-region replication
  - GetBucketReplication - Query replication config
Example CLI:
# Enable encryption
aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
# Block public access
aws s3api put-public-access-block --bucket my-bucket --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
Example Boto3:
import boto3
from botocore.exceptions import ClientError

s3 = boto3.client('s3')

# Audit all buckets for default encryption.
# Only the "no encryption configuration" error means unencrypted; anything else
# (for example AccessDenied) must surface rather than be misreported.
for bucket in s3.list_buckets()['Buckets']:
    try:
        s3.get_bucket_encryption(Bucket=bucket['Name'])
        print(f"{bucket['Name']}: Encrypted")
    except ClientError as e:
        if e.response['Error']['Code'] == 'ServerSideEncryptionConfigurationNotFoundError':
            print(f"{bucket['Name']}: NOT ENCRYPTED")
        else:
            raise
KMS API
Description:
Manages encryption keys and key policies
How It Works:
Centralized key management service. Controls who can use keys and how they're used.
Configuration Items:
- keys:
  - CreateKey, ScheduleKeyDeletion - Key lifecycle
  - EnableKey, DisableKey - Key state management
  - DescribeKey, ListKeys - Key enumeration
  - PutKeyPolicy, GetKeyPolicy - Key policy management
  - EnableKeyRotation, DisableKeyRotation - Automatic rotation
  - GetKeyRotationStatus - Query rotation status
  - TagResource, UntagResource - Key tagging
- aliases:
  - CreateAlias, DeleteAlias - Alias management
  - UpdateAlias - Change alias target
  - ListAliases - Enumerate aliases
- grants:
  - CreateGrant, RevokeGrant - Temporary permissions
  - ListGrants - Query active grants
Example CLI:
# Create key with automatic rotation
aws kms create-key --description "FedRAMP data encryption key"
aws kms enable-key-rotation --key-id
Example Boto3:
import boto3
from botocore.exceptions import ClientError

kms = boto3.client('kms')

# Audit key rotation status (list_keys returns at most 100 keys per call, so paginate).
# Keys that cannot be rotated automatically (for example asymmetric or HMAC keys) make
# get_key_rotation_status raise UnsupportedOperationException; skip those, surface everything else.
for page in kms.get_paginator('list_keys').paginate():
    for key in page['Keys']:
        try:
            rotation = kms.get_key_rotation_status(KeyId=key['KeyId'])
            if not rotation['KeyRotationEnabled']:
                print(f"Key {key['KeyId']}: Rotation DISABLED")
        except ClientError as e:
            if e.response['Error']['Code'] != 'UnsupportedOperationException':
                raise
SDKs
- AWS SDK for Python (boto3) - Automation scripts, Lambda functions
- AWS SDK for JavaScript - Node.js applications, browser-based tools
- AWS SDK for Java - Enterprise applications
- AWS CLI - Command-line automation, shell scripts
- AWS CloudFormation - Infrastructure as Code
- AWS CDK - Programmatic IaC with familiar languages