Achieving FedRAMP Compliance with AWS Inventory

Iain Earl
Dell Boomi Engineering
4 min read · May 14, 2019

FedRAMP compliance has become a hot topic for anybody dealing with security in the cloud. For those who have not encountered it yet, FedRAMP (the Federal Risk and Authorization Management Program) is a US government program that defines a standardized set of security controls and an assessment process for cloud services, to protect those services and their users.

If you want to find out more about FedRAMP compliance and why it may be important to you, take a look at the official US government web site.

AWS Inventory to the rescue!

Part of FedRAMP compliance is the ability to provide an inventory of your assets in a standardized format. An example of this format can be found in the templates section of the official FedRAMP website.

The FedRAMP website provides example assets inventory templates

So, what exactly is AWS Inventory and how is it going to help you with your FedRAMP compliance?

AWS Inventory is a command line tool written in the Go programming language that concurrently loads the required information from the AWS HTTP API. It reads credentials from the default AWS credentials file, which is usually created by running the AWS CLI’s configure command:

aws configure

It then uses the AWS Go SDK to communicate with AWS and gather the required data. Because the tool only reads metadata, run it under a profile whose IAM policy grants just the read-only Describe and List actions for the services below rather than under administrator credentials. Some of the key elements it loads include:

  • EC2 Instances,
  • ELBs,
  • RDS Instances,
  • and EBS Volumes.

Finally, it writes the inventory out to a CSV file, which can then be imported into the template mentioned above.

If you want to find out more about the Go open source programming language, take a look at the official Go web site.

Taking advantage of Go’s concurrency

By using channels and goroutines, AWS Inventory is able to generate an inventory of 531 items in just 2.4 seconds!

For each EC2 instance, it also checks whether any Route53 records point at either an IP address or a DNS name associated with the instance.

The project uses a queue with a single worker so that rows are added to the inventory in a thread-safe manner: the functions that load the data simply send to the queue and never have to wait for the inventory to be safe to write. As a basic example, this could look something like the following:

package main

import (
    "sync"
)

var (
    lines []string
    mutex sync.Mutex
)

func main() {
    queue := make(chan string)
    done := make(chan bool, 1)
    go startWorker(queue, done)
    queue <- "first item"
    queue <- "second item"
    queue <- "third item"
    close(queue)
    // Block until the worker reports that it has drained the queue.
    <-done
    mutex.Lock()
    for _, line := range lines {
        println(line)
    }
    mutex.Unlock()
}

// startWorker is the only goroutine that appends to lines, so the senders
// never touch the shared slice themselves.
func startWorker(queue chan string, done chan bool) {
    for {
        s, ok := <-queue
        if !ok {
            // The queue has been closed and fully drained: tell main we are finished.
            done <- true
            return
        }
        mutex.Lock()
        lines = append(lines, s)
        mutex.Unlock()
    }
}
  • Here, we create a queue and a done channel, start the worker reading from the queue, and then send messages to the queue.
  • In the background, the worker takes items from the queue and appends them to the global lines variable, holding a Mutex to avoid race conditions.
  • The main function then closes the channel and waits for the done channel to receive a value, which only happens once the queue has been closed and fully processed.
  • Finally, we access the data under the same Mutex and print each line to the screen.

AWS Inventory applies this pattern to gather data from the different AWS APIs at the same time, which cuts the time it takes to generate the inventory dramatically.
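As an added example (not code from the AWS Inventory project), here is the pattern from the previous sections applied end to end: several per-service loaders run concurrently and feed one channel, a single receiver builds the inventory, each row is checked against a Route53 reverse index, and the result is written out as CSV. The AWS SDK calls are replaced with constructed sample data and a constructed record map so it runs offline; the Row type, loader names and column names are my own, not the tool’s. It also adds two guards the text does not mention: it refuses to emit a partial inventory if any loader fails, and it neutralises formula-leading cell values before the CSV is opened in a spreadsheet to fill in the template.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
	"sync"
)

// Row is one inventory line; the columns are illustrative, not the FedRAMP template's.
type Row struct {
	Service, ID, Name, Address, DNSNames string // DNSNames: Route53 names pointing at Address
}

// loader is a per-service collector. The real tool calls the AWS SDK here;
// these two return constructed sample data so the example runs offline.
type loader func() ([]Row, error)

func loadEC2() ([]Row, error) {
	return []Row{
		{Service: "EC2", ID: "i-0123456789abcdef0", Name: "web-1", Address: "10.0.1.10"},
		{Service: "EC2", ID: "i-0fedcba9876543210", Name: "=db-1", Address: "10.0.2.20"},
	}, nil
}

func loadRDS() ([]Row, error) {
	return []Row{{Service: "RDS", ID: "prod-db", Name: "prod-db", Address: "prod-db.example.internal"}}, nil
}

// dnsByTarget is a constructed reverse index of Route53 records (target -> names).
var dnsByTarget = map[string][]string{
	"10.0.1.10":                {"alt.example.com", "www.example.com"},
	"prod-db.example.internal": {"db.example.com"},
}

// Inventory runs every loader in its own goroutine. Loaders only send on a channel;
// the single receiver is the only code that appends to the slice, so no mutex is needed.
func Inventory(loaders []loader, dns map[string][]string) ([]Row, error) {
	rows := make(chan Row)
	errs := make(chan error, len(loaders)) // buffered: a failing loader never blocks
	var wg sync.WaitGroup
	for _, l := range loaders {
		wg.Add(1)
		go func(l loader) {
			defer wg.Done()
			out, err := l()
			if err != nil {
				errs <- err
				return
			}
			for _, r := range out {
				r.DNSNames = strings.Join(dns[r.Address], ";") // Route53 check per row
				rows <- r
			}
		}(l)
	}
	go func() { wg.Wait(); close(rows) }() // ends the range below once all loaders return
	var inventory []Row
	for r := range rows {
		inventory = append(inventory, r)
	}
	close(errs) // safe: every loader has returned, since rows was closed after wg.Wait
	if err := <-errs; err != nil {
		return nil, fmt.Errorf("refusing to write a partial inventory: %w", err)
	}
	// Arrival order depends on goroutine scheduling; sort so repeated runs diff cleanly.
	sort.Slice(inventory, func(i, j int) bool {
		return inventory[i].Service+"/"+inventory[i].ID < inventory[j].Service+"/"+inventory[j].ID
	})
	return inventory, nil
}

// safeCell blocks spreadsheet formula injection: Name tags are set by anyone who can
// tag a resource, and this CSV gets opened in Excel to fill in the template.
func safeCell(s string) string {
	if s != "" && strings.ContainsAny(s[:1], "=+-@\t\r") {
		return "'" + s
	}
	return s
}

// WriteCSV renders the inventory as CSV text with a header row.
func WriteCSV(rows []Row) (string, error) {
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	w.Write([]string{"Service", "ID", "Name", "Address", "DNS Names"})
	for _, r := range rows {
		w.Write([]string{r.Service, r.ID, safeCell(r.Name), r.Address, r.DNSNames})
	}
	w.Flush()
	return sb.String(), w.Error()
}

func main() {
	inv, err := Inventory([]loader{loadEC2, loadRDS}, dnsByTarget)
	if err != nil {
		panic(err)
	}
	out, _ := WriteCSV(inv)
	fmt.Print(out)
}
```

Run it with go run; it prints a four-line CSV with the "=db-1" name rendered as "'=db-1". In the real tool each loader would wrap the corresponding Describe call and the reverse index would be built once from the hosted zones’ record sets; the error channel matters because an inventory that silently omits a service (for example because one Describe call was denied) is worse for an audit than no inventory at all.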

Open source goodness!

AWS Inventory is an open source tool so pull it down and try it for yourself!

If you run into any problems, feel free to open an issue or a PR to help us build the best tool we can. Many of our projects here at Dell Boomi are open source, and we like to embrace the open source spirit as much as we can. Our code is available publicly on GitHub.

About Dell Boomi

Dell Boomi (Boomi), one of the Dell group of companies, is the leading provider of cloud integration and workflow automation for building The Connected Business.

Our cloud-native, low-code platform helps more than 7,500 organizations run better, faster and smarter. Our technologies connect applications, assure data quality and automate business processes.

Please visit www.boomi.com for more information.


Iain Earl
Dell Boomi Engineering

I’m a TechOps engineer at Dell Boomi who enjoys playing with servers and building tools to automate workflows