AWS has reached a major security milestone: Amazon Linux 2023 (AL2023), a Fedora-based distro developed and maintained by AWS and specifically optimized for use on Amazon’s cloud infrastructure, has achieved FIPS 140-3 Level 1 validation for its cryptographic modules.
Simply put, this makes the distro a compliant operating system for industries with strict regulatory requirements—think government agencies, healthcare, financial services, and defense contractors.
FIPS 140-3, the latest iteration of the Federal Information Processing Standards, replaces FIPS 140-2 and sets a higher bar for cryptographic security. The validation, jointly administered by NIST and the Canadian Centre for Cyber Security (CCCS), ensures that cryptographic modules meet stringent government-backed security benchmarks.
Key modules in AL2023—including OpenSSL, Linux Kernel Cryptographic API, NSS, GnuTLS, and Libgcrypt—have undergone rigorous testing by a NIST-accredited lab. The evaluation verified essential security features such as:
- Approved cryptographic algorithms
- Secure key management
- Strong entropy generation
- Protected memory boundaries
It’s important to note that FIPS compliance isn’t just a best practice for organizations handling sensitive or regulated data—it’s often a mandatory requirement. AL2023’s validation simplifies compliance for sectors like U.S. and Canadian government workloads, HIPAA-covered healthcare systems, and financial institutions.
Enabling FIPS mode on AL2023 is straightforward, with AWS providing a step-by-step guide for configuration. Customers can also access compliance details through the AWS Compliance Programs portal and stay updated via the AWS Security Blog, which offers best practices and FAQs for both Amazon Linux 2 and AL2023.
For more information, see the official announcement.