
Cloud Security Posture Management on GovCloud

Updated March 2026 · 6 min read

Cloud Security Posture Management (CSPM) is the practice of continuously assessing your cloud environment against security and compliance baselines, detecting configuration drift, and surfacing misconfigurations before they become incidents. In government cloud programs, CSPM is not optional: it is the automated evidence source for the RMF Monitor step (NIST SP 800-37) and for FedRAMP continuous monitoring (ConMon) deliverables.

AWS GovCloud provides the native tooling to build a comprehensive CSPM pipeline. This post covers how Rutagon configures and integrates these tools for federal programs.

The Government CSPM Stack on AWS GovCloud

AWS GovCloud (us-gov-west-1, us-gov-east-1) supports the same CSPM toolset as commercial AWS:

  • AWS Config — resource inventory, configuration history, and compliance rule evaluation
  • AWS Security Hub — aggregated security findings across services and standards
  • Amazon GuardDuty — threat detection from CloudTrail management events, VPC Flow Logs, and Route 53 DNS query logs
  • Amazon Inspector — vulnerability assessment for EC2 instances, Lambda functions, and container images in ECR
  • IAM Access Analyzer — external access analysis for IAM roles, S3 buckets, and other resource policies

All five services are available in both GovCloud regions and fall within the AWS GovCloud FedRAMP High authorization boundary, which makes them the default CSPM stack for Rutagon-managed government programs.

AWS Config: The Compliance Baseline Engine

AWS Config continuously tracks resource configuration changes and evaluates them against rules. For government programs, Config rules map to NIST 800-53 controls:

Managed Config rules (pre-built, no code required):

Config rule                           NIST 800-53 control(s)
s3-bucket-public-read-prohibited      AC-3, SC-7
s3-bucket-ssl-requests-only           SC-8
encrypted-volumes                     SC-28
rds-storage-encrypted                 SC-28
cloud-trail-enabled                   AU-12
cloudwatch-alarm-action-check         AU-6
iam-password-policy                   IA-5
root-account-mfa-enabled              IA-2(1), IA-5
restricted-ssh                        AC-17, SC-7
iam-no-inline-policy-check            AC-6

Rutagon deploys Config rules via Terraform, ensuring the compliance baseline is versioned and reproducible across environments:

# Managed rule. The Terraform resource type is aws_config_config_rule (not aws_config_rule).
# A rule only evaluates once the account's Config recorder and delivery channel exist,
# so declare that dependency explicitly (recorder resource name "main" is assumed here).
resource "aws_config_config_rule" "s3_public_read_prohibited" {
  name = "s3-bucket-public-read-prohibited"

  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }

  tags = var.compliance_tags

  depends_on = [aws_config_configuration_recorder.main]
}

Non-compliant resources produce Config evaluation results (COMPLIANT or NON_COMPLIANT, per resource per rule). With the Config integration enabled, these flow into Security Hub as findings and from there into the program's ConMon dashboard. When the resource is brought back into compliance, Config re-evaluates it and reports COMPLIANT, and Security Hub archives the corresponding finding automatically; no manual status management is required.

Custom Config rules (backed by a Lambda function) address program-specific requirements. For example, a rule ensuring every EC2 instance was launched from an approved AMI in the program's hardened image catalog is a common requirement for DoD programs. The core evaluation logic:

def evaluate_compliance(config_item, rule_parameters):
    """Compliance decision for one configuration item; called from the rule's Lambda handler."""
    if config_item['resourceType'] != 'AWS::EC2::Instance':
        return 'NOT_APPLICABLE'
    ami_id = config_item['configuration']['imageId']
    # approvedAmis is a comma-separated rule parameter; strip whitespace so "ami-a, ami-b" works
    approved_amis = {a.strip() for a in rule_parameters['approvedAmis'].split(',')}
    return 'COMPLIANT' if ami_id in approved_amis else 'NON_COMPLIANT'
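The complete Lambda behind such a rule, wrapping the evaluation logic above, as an added example (this is not Rutagon's rule code). Config invokes the function with the configuration item and the rule parameters serialized as JSON strings, and the function must report back through PutEvaluations; the parameter name approvedAmis, the sample instance and AMI IDs, and the table of deleted-resource handling are assumptions for illustration.

```python
"""Custom AWS Config rule (Lambda handler): EC2 instances must use an approved AMI.
Added example, not Rutagon's production rule. Parameter name 'approvedAmis' and
the sample IDs in SAMPLE_EVENT are assumptions."""
import json

EC2_TYPE = "AWS::EC2::Instance"
DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def parse_approved_amis(rule_parameters):
    """ruleParameters arrives as a JSON string; approvedAmis is a comma-separated list."""
    if isinstance(rule_parameters, str):
        rule_parameters = json.loads(rule_parameters)
    raw = (rule_parameters or {}).get("approvedAmis", "")
    return {a.strip() for a in raw.split(",") if a.strip()}


def evaluate_compliance(config_item, approved_amis):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if config_item.get("resourceType") != EC2_TYPE:
        return "NOT_APPLICABLE", "Rule applies only to EC2 instances"
    if config_item.get("configurationItemStatus") in DELETED:
        # A deleted instance must not linger as NON_COMPLIANT in the compliance view
        return "NOT_APPLICABLE", "Resource deleted"
    if not approved_amis:
        # Fail closed: an empty allowlist flags everything instead of silently passing
        return "NON_COMPLIANT", "approvedAmis rule parameter is empty"
    ami_id = (config_item.get("configuration") or {}).get("imageId")
    if ami_id in approved_amis:
        return "COMPLIANT", f"{ami_id} is in the approved image catalog"
    return "NON_COMPLIANT", f"{ami_id} is not in the approved image catalog"


def build_evaluation(event):
    """Turn a Config invocation event into the Evaluation dict PutEvaluations expects.
    Only ConfigurationItemChangeNotification is handled; an oversized notification
    carries no inline item and would need GetResourceConfigHistory first."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    approved = parse_approved_amis(event.get("ruleParameters"))
    compliance, annotation = evaluate_compliance(item, approved)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    import boto3  # imported here so the evaluation logic stays unit-testable offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


SAMPLE_EVENT = {  # constructed invocation, shaped like what Config sends the Lambda
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": EC2_TYPE,
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2026-03-01T12:00:00.000Z",
            "configuration": {"imageId": "ami-0bad0bad0bad0bad0"},
        },
    }),
    "ruleParameters": json.dumps(
        {"approvedAmis": "ami-0aaa1111aaaa1111a, ami-0bbb2222bbbb2222b"}),
    "resultToken": "TESTMODE",
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))
```

Two details matter in production: report NOT_APPLICABLE for deleted resources so stale NON_COMPLIANT entries do not inflate the findings count, and fail closed on an empty parameter so a mis-deployed rule shows up as red rather than green.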

AWS Security Hub: Aggregated Findings and NIST Standards

Security Hub aggregates findings from Config, GuardDuty, Inspector, IAM Access Analyzer, and third-party tools (Prowler, Checkov via CI/CD). It provides three capabilities that matter for government programs:

Security standards mapping: Security Hub's NIST SP 800-53 Rev 5 standard maps each control check to the 800-53 controls it supports, giving the ConMon team a control-level compliance view rather than a raw findings list. A Config-backed check that an S3 bucket allows public read access surfaces as a failed control whose related requirements include AC-3 and SC-7, which is directly usable in ATO documentation.

Aggregated compliance score: Security Hub computes a security score per enabled standard: the percentage of enabled controls with no active failed findings. Rutagon targets a score above 95% on the NIST 800-53 standard for managed programs, with a process for the remaining findings (accepted risks documented as POA&M entries, or active remediation items). Findings with a workflow status of SUPPRESSED drop out of the score, so every suppression must be backed by a POA&M entry or a documented risk acceptance, or the score overstates the real posture.

Cross-account aggregation: For multi-account GovCloud architectures, a delegated administrator account aggregates Security Hub findings from every member account, and cross-Region aggregation brings us-gov-east-1 findings into the us-gov-west-1 view (or vice versa). The ConMon team sees the full program's posture from one dashboard, not account by account.
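How the control-level view and the score come out of Security Hub's findings, as an added example (not Rutagon's dashboard code). It applies the scoring rule described above (a control fails if any active, non-suppressed finding for it failed; archived and suppressed findings are ignored) to ASFF findings and rolls the result up by NIST 800-53 control family, which is the per-family number the ConMon dashboard later in this post displays. The findings below are constructed samples shaped like Security Hub's consolidated-control ASFF; the control IDs and resource ARNs are illustrative.

```python
"""Control-family compliance score from Security Hub ASFF findings.
Added example, not Rutagon's dashboard code. SAMPLE_FINDINGS are constructed."""
import re
from collections import defaultdict

# "NIST.800-53.r5 AC-3" -> family "AC"; "IA-2(1)" also matches on its base control
NIST_REQ = re.compile(r"NIST\.800-53\.r5 ([A-Z]{2})-\d+")


def control_status(findings):
    """Per security control (e.g. S3.2): FAILED if any active, non-suppressed finding
    failed, else PASSED. Archived findings (resource remediated) and suppressed findings
    (accepted risk with a POA&M entry) are excluded, as in Security Hub's own score."""
    status, families = {}, defaultdict(set)
    for f in findings:
        comp = f.get("Compliance", {})
        ctl = comp.get("SecurityControlId")
        if not ctl or f.get("RecordState") != "ACTIVE":
            continue
        if f.get("Workflow", {}).get("Status") == "SUPPRESSED":
            continue
        if comp.get("Status") not in ("PASSED", "FAILED"):
            continue  # WARNING / NOT_AVAILABLE do not count toward the score
        failed = comp["Status"] == "FAILED" or status.get(ctl) == "FAILED"
        status[ctl] = "FAILED" if failed else "PASSED"
        for req in comp.get("RelatedRequirements", []):
            m = NIST_REQ.match(req)
            if m:
                families[m.group(1)].add(ctl)
    return status, families


def score_by_family(findings):
    """Passing-control percentage per NIST family, plus an overall 'ALL' score."""
    status, families = control_status(findings)
    out = {}
    for fam, ctls in sorted(families.items()):
        passed = sum(1 for c in ctls if status[c] == "PASSED")
        out[fam] = {"passed": passed, "total": len(ctls),
                    "score": round(100.0 * passed / len(ctls), 1)}
    if status:
        passed = sum(1 for s in status.values() if s == "PASSED")
        out["ALL"] = {"passed": passed, "total": len(status),
                      "score": round(100.0 * passed / len(status), 1)}
    return out


def _finding(ctl, status, reqs, record="ACTIVE", workflow="NEW",
             res="arn:aws-us-gov:s3:::example-bucket"):
    """Build a minimal ASFF-shaped finding for the constructed sample set."""
    return {
        "Compliance": {"SecurityControlId": ctl, "Status": status,
                       "RelatedRequirements": reqs,
                       "AssociatedStandards": [{"StandardsId": "standards/nist-800-53/v/5.0.0"}]},
        "RecordState": record,
        "Workflow": {"Status": workflow},
        "Resources": [{"Id": res}],
    }


SAMPLE_FINDINGS = [  # constructed; one public bucket, one remediated volume, one accepted risk
    _finding("S3.2", "FAILED", ["NIST.800-53.r5 AC-3", "NIST.800-53.r5 SC-7"]),
    _finding("S3.2", "PASSED", ["NIST.800-53.r5 AC-3", "NIST.800-53.r5 SC-7"],
             res="arn:aws-us-gov:s3:::other-bucket"),
    _finding("S3.5", "PASSED", ["NIST.800-53.r5 SC-8"]),
    _finding("EC2.3", "FAILED", ["NIST.800-53.r5 SC-28"], record="ARCHIVED"),
    _finding("IAM.6", "FAILED", ["NIST.800-53.r5 IA-2(1)"], workflow="SUPPRESSED"),
    _finding("CloudTrail.1", "PASSED", ["NIST.800-53.r5 AU-12"]),
]

if __name__ == "__main__":
    for fam, row in score_by_family(SAMPLE_FINDINGS).items():
        print(f"{fam:4} {row['passed']}/{row['total']} controls passing ({row['score']}%)")
```

Note that one failing resource fails the whole control, regardless of how many resources pass it: S3.2 above is FAILED even though a second bucket is compliant, so the AC family scores 0%. That is also why the suppressed IAM.6 finding leaves no IA row at all: a control with no countable findings has no score, which is the effect a POA&M-backed suppression is supposed to have and the effect an undocumented one must not have.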

GuardDuty Tuning for Government Threat Detection

GuardDuty detects threats from its foundational data sources: CloudTrail management events, VPC Flow Logs, and Route 53 DNS query logs (optional protection plans such as S3 data events extend this). Out of the box, it produces findings that are valuable but noisy, particularly in government programs with legitimate but unusual access patterns (contractors accessing from various locations, batch jobs with high-volume API activity).

Rutagon's GuardDuty tuning approach for government programs:

Suppression rules for known patterns: Automated CI/CD pipeline activity (frequent EC2 API calls, STS assume-role activity) and scheduled maintenance jobs often trigger GuardDuty findings for legitimate activity. A suppression rule is a filter (for example, a specific finding type from a named pipeline role) whose matches are automatically archived: they never reach the active findings list or the EventBridge-driven alert path, but remain in GuardDuty as archived findings that can be pulled back for investigation. Scope the filter to the finding type and principal; suppressing by type alone hides the same finding from every role.

Trusted IP lists: Authorized jump-box or VPN egress IP ranges are configured as a GuardDuty trusted IP list so that findings are not generated for traffic involving those addresses. Use this sparingly: GuardDuty allows a single trusted IP list per account per Region, and most findings involving a listed address are no longer generated at all, so a compromised VPN concentrator on that list would go unflagged.

Threat intelligence feeds: GuardDuty accepts custom threat lists of known-malicious IP addresses. For programs with specific threat actor context, curated indicator lists improve detection relevance.

Finding severity integration: Critical and High severity GuardDuty findings trigger PagerDuty alerts for immediate human review. Medium findings are batched for the daily ConMon review cycle. Low findings are logged for trend analysis.

ConMon Dashboard Integration

The CSPM findings pipeline feeds the program's ConMon dashboard through EventBridge routing:

GuardDuty → EventBridge → Lambda (finding processor) → DynamoDB (findings store) → QuickSight dashboard
Config → Security Hub → EventBridge → Lambda → DynamoDB → QuickSight
Inspector → Security Hub → EventBridge → Lambda → DynamoDB → QuickSight
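The Lambda finding processor in that pipeline, as an added example (not Rutagon's code): it normalizes GuardDuty and Security Hub EventBridge events into one record shape for the findings store, applies the suppression and severity-routing rules from the GuardDuty section above (suppressed matches are still stored, just never paged), and closes the stored record when Security Hub archives a finding after remediation. The suppression rule, the pipeline role name cicd-deploy-role, the DynamoDB table name, and both sample events are constructed for illustration.

```python
"""Finding processor for the ConMon pipeline: normalize, suppress, route by severity.
Added example, not Rutagon's Lambda. Role name, table name and sample events are constructed."""

# Routing by ASFF severity label; GuardDuty's numeric score is mapped onto the same labels
ROUTES = {"CRITICAL": "page", "HIGH": "page", "MEDIUM": "daily-batch",
          "LOW": "log", "INFORMATIONAL": "log"}


def guardduty_label(score):
    """GuardDuty severity is numeric: 1-3.9 Low, 4-6.9 Medium, 7-8.9 High, 9-10 Critical."""
    score = float(score)
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score >= 1.0 else "INFORMATIONAL"


def normalize_guardduty(detail):
    """Flatten a 'GuardDuty Finding' EventBridge detail into the findings-store record shape."""
    resource = detail.get("resource", {})
    key = resource.get("accessKeyDetails", {})
    return {
        "finding_id": detail["id"], "source": "guardduty", "type": detail["type"],
        "severity": guardduty_label(detail["severity"]),
        "title": detail.get("title", detail["type"]),
        "account": detail["accountId"], "region": detail["region"],
        "resource_type": resource.get("resourceType", ""),
        # e.g. "AssumedRole/cicd-deploy-role"; empty when no IAM principal is involved
        "principal": f'{key.get("userType", "")}/{key.get("userName", "")}'.strip("/"),
    }


def normalize_securityhub(finding):
    """Flatten one ASFF finding from a 'Security Hub Findings - Imported' event."""
    return {
        "finding_id": finding["Id"],
        "source": finding.get("ProductName", "Security Hub").lower(),
        "type": ";".join(finding.get("Types", [])),
        "severity": finding["Severity"]["Label"], "title": finding["Title"],
        "account": finding["AwsAccountId"], "region": finding.get("Region", ""),
        "resource_type": ";".join(r.get("Type", "") for r in finding.get("Resources", [])),
        "principal": "",
        "control_id": finding.get("Compliance", {}).get("SecurityControlId", ""),
        "record_state": finding.get("RecordState", "ACTIVE"),
    }


def _cicd_discovery_noise(rec):
    """Known-good pattern: IAM discovery findings raised by the pipeline's deploy role."""
    return (rec["source"] == "guardduty"
            and rec["type"].startswith("Discovery:IAMUser/")
            and rec["principal"] == "AssumedRole/cicd-deploy-role")  # assumed role name


# (name, predicate). A match is still stored (route "suppressed") so the history survives.
SUPPRESSION_RULES = [("cicd-discovery-noise", _cicd_discovery_noise)]


def route(rec):
    """Archived findings close the stored record; then suppression; then severity."""
    if rec.get("record_state") == "ARCHIVED":
        return "close"
    for name, matches in SUPPRESSION_RULES:
        if matches(rec):
            rec["suppressed_by"] = name
            return "suppressed"
    return ROUTES.get(rec["severity"], "log")


def process_event(event):
    """One EventBridge event -> routed records. Pure function, no AWS calls."""
    records = []
    if event["source"] == "aws.guardduty":
        records.append(normalize_guardduty(event["detail"]))
    elif event["source"] == "aws.securityhub":
        records.extend(normalize_securityhub(f) for f in event["detail"].get("findings", []))
    for rec in records:
        rec["route"] = route(rec)
    return records


def lambda_handler(event, context):
    import boto3  # imported here so process_event() stays testable offline
    table = boto3.resource("dynamodb").Table("conmon-findings")  # assumed table name
    records = process_event(event)
    with table.batch_writer() as batch:
        for rec in records:
            batch.put_item(Item=rec)  # "page" records would also go to the PagerDuty Events API
    return {"processed": len(records), "routes": [r["route"] for r in records]}


SAMPLE_GUARDDUTY_EVENT = {  # constructed: medium finding from the pipeline role
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "gd-1", "type": "Discovery:IAMUser/AnomalousBehavior", "severity": 5,
               "accountId": "123456789012", "region": "us-gov-west-1",
               "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
                   "userType": "AssumedRole", "userName": "cicd-deploy-role"}}}}

SAMPLE_SECURITYHUB_EVENT = {  # constructed: one critical public-bucket finding, one archived
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "sh-1", "ProductName": "Config", "Title": "S3 bucket allows public read",
         "Severity": {"Label": "CRITICAL"}, "AwsAccountId": "123456789012",
         "Region": "us-gov-west-1", "Resources": [{"Type": "AwsS3Bucket", "Id": "example"}],
         "Compliance": {"SecurityControlId": "S3.2"}, "RecordState": "ACTIVE"},
        {"Id": "sh-2", "ProductName": "Config", "Title": "EBS volume not encrypted",
         "Severity": {"Label": "MEDIUM"}, "AwsAccountId": "123456789012",
         "Resources": [{"Type": "AwsEc2Volume", "Id": "vol-0abc"}], "RecordState": "ARCHIVED"}]}}
```

The order inside route() is deliberate: an archived finding must close the record even if a suppression rule would also match, and suppression is checked before severity so a matching critical finding is still recorded but does not page. Keep the suppression predicates narrow (type plus principal, as here); a predicate on finding type alone would hide the same behaviour from an attacker who assumed a different role.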

The ConMon dashboard surfaces:

  • Current NIST 800-53 compliance score by control family
  • Open findings by severity, age, and responsible team
  • Open POA&M items with target resolution dates
  • Trend lines for the past 30/60/90 days

The program's AO (Authorizing Official) has read access to the dashboard, providing continuous visibility rather than quarterly status briefings. This is the infrastructure behind cATO (continuous ATO): the AO can assess the current security posture any day of the month, not just at the next ConMon deliverable deadline.

Related: Continuous Monitoring NIST RMF | Infrastructure Compliance Scanning with Terraform | FedRAMP Readiness in Cloud Architecture

Frequently Asked Questions

What is CSPM and why does it matter for FedRAMP programs?

Cloud Security Posture Management (CSPM) is the automated, continuous assessment of cloud resource configurations against security and compliance baselines. For FedRAMP programs, CSPM satisfies the continuous monitoring requirements of the RMF Monitor step and FedRAMP's ConMon deliverable requirements. Without CSPM, programs rely on periodic manual assessments, which inevitably miss configuration drift between review cycles.

Is AWS Security Hub available in GovCloud?

Yes. AWS Security Hub is available in AWS GovCloud (us-gov-west-1, us-gov-east-1) and supports the NIST SP 800-53 Rev 5 security standard, the CIS AWS Foundations Benchmark, and AWS Foundational Security Best Practices. It is the standard aggregation layer for government program CSPM pipelines.

How do you prevent GuardDuty alert fatigue in government programs?

Alert fatigue from GuardDuty is addressed through suppression rules for known-good patterns (CI/CD pipeline activity, scheduled jobs), trusted IP lists for authorized access sources, and severity-based routing (critical and high findings go to immediate alert; medium and low are batched). The goal is ensuring high-severity findings get immediate attention without burying the team in low-value noise.

Can AWS Config rules satisfy NIST 800-53 configuration management controls?

AWS Config rules provide automated, continuous evaluation of resources against defined configuration baselines, which satisfies the automation and continuous monitoring intent of CM-2 (Baseline Configuration), CM-6 (Configuration Settings), and CM-7 (Least Functionality). Config findings and compliance scores are usable as continuous monitoring evidence in FedRAMP and FISMA ConMon deliverables.

How does CSPM fit into the overall ATO evidence package?

CSPM provides the ongoing control effectiveness evidence required by the ATO — specifically for NIST AU (Audit and Accountability), CA (Assessment, Authorization, and Monitoring), CM (Configuration Management), and SI (System and Information Integrity) control families. Security Hub's NIST standard compliance score, Config compliance history, and GuardDuty finding summaries are standard components of FedRAMP continuous monitoring deliverables and support ATO maintenance between re-authorization cycles.
