
FIPS 201-3 Compliance Automation: Harnessing Policy-as-Code

  • Writer: Sai Sravan Cherukuri
  • Mar 17
  • 4 min read

Updated: Mar 22

A Practical Implementation Guide with Terraform

Executive Summary

This white paper presents a real-world implementation of FIPS 201-3 compliance using Policy-as-Code (PaC) in a cloud environment. It details an organization's challenges in securing identity and access management, the role of PaC in automating compliance enforcement, and the technical approach used to implement, validate, and monitor security policies.


The white paper includes Terraform, Open Policy Agent (OPA), AWS IAM Policies, CI/CD automation, and monitoring solutions demonstrating a practical application of compliance automation in a cloud infrastructure.

 

1. Introduction: The Need for Policy-as-Code in Cloud Security


1.1 The FIPS 201-3 Compliance Mandate

Federal contractors and agencies must adhere to FIPS 201-3 to standardize identity verification using Personal Identity Verification (PIV) credentials. Compliance mandates:


  • Strong authentication (Multi-Factor Authentication - MFA)

  • Access control enforcement (Role-Based Access Control - RBAC, Least Privilege)

  • Interoperability with other federal systems (Single Sign-On - SSO)

  • Auditability (Logging and monitoring for security events)

Cloud environments introduce complexity in ensuring consistent security policies, making Policy-as-Code (PaC) an essential strategy for automating compliance.


1.2 Why Policy-as-Code (PaC)?


PaC enables:

  • Automated enforcement of compliance policies.

  • Consistency across cloud environments

  • Version-controlled policies for audit

  • Integration with CI/CD pipelines for real-time validation


 

2. Real-World Implementation Approach

This section details how an organization implemented FIPS 201-3 compliance via PaC, using:

Component                   | Technology Used
----------------------------|---------------------------------------------
Infrastructure Provisioning | Terraform
Access Management           | AWS IAM, AWS SSO
Policy Enforcement          | Open Policy Agent (OPA), HashiCorp Sentinel
CI/CD Automation            | GitHub Actions, AWS CodePipeline
Monitoring & Auditing       | AWS CloudTrail, AWS Config

2.1 Defining Access Control Policies with Terraform & AWS IAM

To enforce PIV-based authentication, the organization deployed AWS IAM policies using Terraform.

Terraform IAM Policy Enforcing PIV Authentication

resource "aws_iam_policy" "piv_auth_enforce" {
  name        = "EnforcePIVAuthentication"
  description = "Enforces PIV-based authentication for all federal users"
  policy      = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Effect   = "Deny",
      Action   = "*",
      Resource = "*",
      Condition = {
        "StringNotEqualsIfExists" : {
          "aws:MultiFactorAuthPresent" : "true",
          "aws:SourceIdentity"         : "piv"
        }
      }
    }]
  })
}

✅ Key Features:

  • Denies access unless MFA is present.

  • Requires authentication using PIV for cloud resource access.


Terraform Role-Based Access Control (RBAC) for Federal Users

resource "aws_iam_role" "federal_user_role" {
  name = "FederalUserRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow",
      Principal = { "AWS" : "arn:aws:iam::123456789012:root" }
      Action    = "sts:AssumeRole"
      Condition = {
        "StringEquals" : { "aws:SourceIdentity" : "piv" }
      }
    }]
  })
}

✅ Key Features:

  • Grants access only to users with PIV authentication.

  • Implements Role-Based Access Control (RBAC).
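The two policies above rely on IAM Condition semantics that are easy to misread: every key inside a Condition must match (logical AND), and a key that is absent from the request context makes "...IfExists" and negated operators such as StringNotEquals evaluate to true, while other operators evaluate to false. The following toy evaluator is an added example, not code from the page; it encodes those rules for the operators used here, evaluates the page's Deny statement against constructed request contexts, and compares it with a split two-statement variant (an assumption of this example, not the page's policy) that enforces MFA and PIV independently. It ignores Action/Resource matching and Allow statements, so it is a model of the Condition element only.

```python
# Added example (not from the page): a toy evaluator for the IAM Condition
# operators used above, to show which request contexts the Deny statement blocks.

# The Deny statement from the Terraform policy above, as plain JSON.
PAGE_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringNotEqualsIfExists": {
            "aws:MultiFactorAuthPresent": "true",
            "aws:SourceIdentity": "piv",
        }},
    }],
}

# Assumed alternative (this example's suggestion, not the page's code): one
# Deny statement per requirement, so MFA and PIV are enforced independently.
SPLIT_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEqualsIfExists": {"aws:SourceIdentity": "piv"}}},
    ],
}


def key_matches(operator, key, expected, ctx):
    """Evaluate one operator/key pair against the request context."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    negated = "Not" in base
    if key not in ctx:
        # Missing key: ...IfExists and negated operators are true, others false.
        return if_exists or negated
    expected_values = expected if isinstance(expected, list) else [expected]
    if base == "Bool":
        # Bool values compare case-insensitively ("true"/"false").
        equal = str(ctx[key]).lower() in [str(v).lower() for v in expected_values]
    else:
        equal = ctx[key] in expected_values
    return not equal if negated else equal


def condition_matches(condition, ctx):
    """All operator blocks and all keys inside them must match (AND)."""
    return all(
        key_matches(op, key, expected, ctx)
        for op, pairs in condition.items()
        for key, expected in pairs.items()
    )


def explicitly_denied(policy, ctx):
    """True when any Deny statement's Condition matches. Action and Resource
    are '*' in both policies above, so only the Condition decides."""
    return any(
        stmt["Effect"] == "Deny" and condition_matches(stmt.get("Condition", {}), ctx)
        for stmt in policy["Statement"]
    )


# Constructed request contexts. aws:MultiFactorAuthPresent is absent for
# long-term access keys and "false" for temporary credentials issued without MFA.
CONTEXTS = {
    "piv_with_mfa": {"aws:MultiFactorAuthPresent": "true", "aws:SourceIdentity": "piv"},
    "mfa_without_piv": {"aws:MultiFactorAuthPresent": "true"},
    "piv_without_mfa": {"aws:SourceIdentity": "piv"},
    "temp_creds_no_mfa": {"aws:MultiFactorAuthPresent": "false", "aws:SourceIdentity": "piv"},
    "access_key_only": {},
}


def compare(name):
    """Return (denied by the page policy, denied by the split policy) for a context."""
    ctx = CONTEXTS[name]
    return explicitly_denied(PAGE_DENY_POLICY, ctx), explicitly_denied(SPLIT_DENY_POLICY, ctx)


if __name__ == "__main__":
    for name in CONTEXTS:
        page, split = compare(name)
        print(f"{name:18} page policy denies: {str(page):5}  split policy denies: {split}")
```

Running it shows that the single-statement policy only denies a request when both keys fail at once (the `access_key_only` context); a request that has MFA but no PIV source identity, or PIV without MFA, passes through because the two keys are ANDed. The split variant denies each shortfall on its own, which is the behaviour the "Key Features" list describes.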

 


3. Validating and Enforcing Policies with Open Policy Agent (OPA)

The organization integrated OPA into its CI/CD pipeline to prevent non-compliant changes.

OPA Policy to Enforce PIV Authentication

package compliance

# rego.v1 syntax (the `if` keyword) is required by OPA 1.x and accepted by OPA 0.59+
import rego.v1

default allow := false

# Allow only when the caller authenticated with a PIV credential and MFA
allow if {
  input.identity.method == "PIV"
  input.identity.mfa == true
}

  • Ensures users authenticate via PIV & MFA

  • Denies access for non-compliant users


Validating IAM Policies Using OPA

opa eval --fail --input iam_policy.json --data policy.rego "data.compliance.allow == true"

Without --fail, opa eval exits 0 whether allow is true or false. With --fail, the command exits non-zero when the query is undefined (that is, when allow is not true), so a failing policy blocks the deployment.

 


4. Automating Compliance via CI/CD

The organization embedded compliance checks in its GitHub Actions CI/CD pipeline.

GitHub Actions Workflow for Compliance Validation

name: "Terraform Compliance Check"

on: [push]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false   # keep `terraform show -json` output clean

      - name: Set up OPA
        uses: open-policy-agent/setup-opa@v2

      - name: Run Terraform Plan
        run: |
          terraform init -input=false
          terraform plan -input=false -out=tfplan
          # OPA reads JSON; the binary plan must be converted first
          terraform show -json tfplan > tfplan.json

      - name: Validate Policies with OPA
        # --fail exits non-zero when allow is not true, which fails the job
        run: |
          opa eval --fail --input tfplan.json --data policy.rego "data.compliance.allow == true"

  • Prevents non-compliant configurations before deployment

  • Automates policy checks in CI/CD pipelines
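The page's Rego policy inspects input.identity, which a terraform show -json plan file does not contain, so the CI step above needs a check written against the plan's resource_changes. The script below is an added example, not the project's code: it reads a plan document, finds every aws_iam_role whose post-change trust policy allows sts:AssumeRole, and reports those that lack the aws:SourceIdentity == "piv" condition used in the Terraform role above. The plan excerpt is constructed to mirror that role plus a non-compliant one; a real plan may list attribute values under after_unknown when they depend on unresolved references, which this check does not handle.

```python
# Added example (not the page's code): gate a Terraform plan on PIV trust-policy
# conditions, as the OPA step in the workflow above is meant to.
import json
import sys

REQUIRED_SOURCE_IDENTITY = "piv"

# Constructed excerpt of `terraform show -json tfplan` output; only the fields
# this check reads are included. The first role mirrors the page's Terraform.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_iam_role.federal_user_role",
            "type": "aws_iam_role",
            "change": {"actions": ["create"], "after": {
                "name": "FederalUserRole",
                "assume_role_policy": json.dumps({
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"aws:SourceIdentity": "piv"}},
                    }],
                }),
            }},
        },
        {
            # Hypothetical non-compliant role: no SourceIdentity condition
            "address": "aws_iam_role.legacy_batch_role",
            "type": "aws_iam_role",
            "change": {"actions": ["update"], "after": {
                "name": "LegacyBatchRole",
                "assume_role_policy": json.dumps({
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                        "Action": "sts:AssumeRole",
                    }],
                }),
            }},
        },
        {
            # Destroyed resources have no post-change state and are skipped
            "address": "aws_iam_role.retired_role",
            "type": "aws_iam_role",
            "change": {"actions": ["delete"], "after": None},
        },
    ],
}


def as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_requires_piv(stmt):
    """True if the statement pins aws:SourceIdentity to the required value."""
    cond = stmt.get("Condition", {})
    return cond.get("StringEquals", {}).get("aws:SourceIdentity") == REQUIRED_SOURCE_IDENTITY


def find_violations(plan):
    """Return addresses of aws_iam_role resources whose post-change trust
    policy allows sts:AssumeRole without the PIV SourceIdentity condition."""
    violations = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_iam_role":
            continue
        after = rc["change"].get("after")
        if after is None:
            continue
        trust = json.loads(after["assume_role_policy"])
        for stmt in as_list(trust.get("Statement", [])):
            actions = as_list(stmt.get("Action", []))
            allows_assume = stmt.get("Effect") == "Allow" and any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions
            )
            if allows_assume and not statement_requires_piv(stmt):
                violations.append(rc["address"])
                break
    return violations


def main(plan):
    """Print violations and return the process exit code (1 blocks the pipeline)."""
    violations = find_violations(plan)
    for address in violations:
        print(f"VIOLATION {address}: AssumeRole allowed without aws:SourceIdentity == {REQUIRED_SOURCE_IDENTITY!r}")
    return 1 if violations else 0


if __name__ == "__main__":
    # Usage: python check_plan.py tfplan.json   (falls back to the constructed sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(main(plan))
```

The non-zero exit code is what makes the check enforceable in the pipeline; the same logic can be expressed in Rego over the same resource_changes structure if OPA remains the policy engine.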

 

5. Continuous Compliance Monitoring

The agency set up AWS Config & AWS CloudTrail to detect policy violations.

AWS Config Rule for Continuous PIV Authentication Compliance

{
  "ConfigRuleName": "EnforcePIVAuth",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "IAM_USER_MFA_ENABLED"
  }
}

  • Ensures real-time compliance tracking

  • Flags non-compliant IAM configurations


AWS CloudTrail Logging for Audits

The organization used CloudTrail logs to track access events:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin

  • Provides audit logs for compliance reporting
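Each record returned by the lookup-events command above carries the full event document as a JSON string in its CloudTrailEvent field; for ConsoleLogin events that document includes responseElements.ConsoleLogin ("Success" or "Failure") and additionalEventData.MFAUsed ("Yes" or "No"). The script below is an added example, not the organization's tooling: it decodes such records, flags successful IAM-user console logins made without MFA, and counts failed logins per source IP. Federated sign-ins (userIdentity.type AssumedRole) are skipped because MFA for those sessions is enforced at the identity provider and CloudTrail reports MFAUsed as "No". The events, user names, and IP addresses are constructed placeholders.

```python
# Added example (not the page's code): triage of CloudTrail ConsoleLogin
# events as returned by `aws cloudtrail lookup-events`.
import json
from collections import Counter


def make_record(user_type, name, ip, outcome, mfa_used):
    """Build one constructed lookup-events record (CloudTrailEvent is a JSON string)."""
    if user_type == "AssumedRole":
        arn = f"arn:aws:sts::123456789012:assumed-role/FederalUserRole/{name}"
    else:
        arn = f"arn:aws:iam::123456789012:user/{name}"
    doc = {
        "eventVersion": "1.08",
        "userIdentity": {"type": user_type, "arn": arn, "accountId": "123456789012"},
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MobileVersion": "No", "MFAUsed": mfa_used},
        "eventType": "AwsConsoleSignIn",
    }
    return {"EventName": "ConsoleLogin", "Username": name, "CloudTrailEvent": json.dumps(doc)}


# Constructed sample of the lookup-events response (placeholder users and IPs).
SAMPLE_LOOKUP_OUTPUT = {"Events": [
    make_record("IAMUser", "alice", "203.0.113.10", "Success", "Yes"),
    make_record("IAMUser", "bob", "203.0.113.11", "Success", "No"),
    make_record("AssumedRole", "piv-session", "203.0.113.12", "Success", "No"),
    make_record("IAMUser", "carol", "198.51.100.7", "Failure", "No"),
    make_record("IAMUser", "carol", "198.51.100.7", "Failure", "No"),
    make_record("IAMUser", "carol", "198.51.100.7", "Failure", "No"),
    make_record("IAMUser", "alice", "203.0.113.10", "Failure", "No"),
]}


def parse_lookup_output(lookup_json):
    """Decode the CloudTrailEvent documents from a lookup-events response."""
    return [json.loads(rec["CloudTrailEvent"]) for rec in lookup_json["Events"]]


def _is_console_login(ev, outcome):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == outcome)


def console_logins_without_mfa(events):
    """ARNs of IAM users (or root) who signed in successfully without MFA."""
    findings = []
    for ev in events:
        if not _is_console_login(ev, "Success"):
            continue
        ident = ev.get("userIdentity", {})
        # Federated sessions report MFAUsed "No" (MFA happens at the IdP), so skip them.
        if ident.get("type") not in ("IAMUser", "Root"):
            continue
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(ident.get("arn"))
    return findings


def failed_logins_by_ip(events, threshold=3):
    """Source IPs with at least `threshold` failed console logins."""
    counts = Counter(ev.get("sourceIPAddress")
                     for ev in events if _is_console_login(ev, "Failure"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_lookup_output(SAMPLE_LOOKUP_OUTPUT)
    print("Console logins without MFA:", console_logins_without_mfa(events))
    print("Repeated failures by IP:  ", failed_logins_by_ip(events))
```

Pipe the real command's output into parse_lookup_output (for example `aws cloudtrail lookup-events ... --output json`) to run the same two checks over an account's recent sign-ins; the MFA finding corresponds to the condition the AWS Config rule above evaluates at the configuration level.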

 

6. Key Challenges and Root Cause Analysis (RCA)

During implementation, the agency encountered several challenges:

Challenge                       | Root Cause                       | Mitigation Strategy
--------------------------------|----------------------------------|-----------------------------------------
IAM Policy Misconfigurations    | Manual policy errors             | Automate IAM policies using Terraform
Integration with Legacy Systems | Older systems lacked PIV support | Implement AWS SSO for federated identity
Resistance to Change            | Teams unfamiliar with PaC        | Conduct training workshops
Lack of Compliance Visibility   | No real-time monitoring          | Deploy AWS Config & CloudTrail alerts

 

7. Conclusion & Recommendations

By implementing FIPS 201-3 compliance via Policy-as-Code, the organization:


  • Automated security enforcement

  • Ensured continuous compliance monitoring

  • Reduced manual policy errors

  • Streamlined federal identity management


Key Takeaways:


✔️ Adopt Terraform & OPA for policy automation

✔️ Embed compliance validation in CI/CD pipelines

✔️ Use AWS Config & CloudTrail for real-time audits

✔️ Train teams on Policy-as-Code best practices


By leveraging PaC with cloud-native tools, organizations can enhance security, streamline compliance, and mitigate risk in cloud environments.

 
 

Hi, I'm Sai Sravan Cherukuri

A technology expert specializing in DevSecOps, CI/CD pipelines, FinOps, IaC, PaC, PaaS Automation, and Strategic Resource Planning and Capacity Management.
 

As the bestselling author of Securing the CI/CD Pipeline: Best Practices for DevSecOps and a member of the U.S. Artificial Intelligence Safety Institute Consortium (NIST), I bring thought leadership and practical innovation to the field.

I'm a CMMC advocate and the innovator of the FIBER AI Maturity Model, focused on secure, responsible AI adoption.


As a DevSecOps Technical Advisor and FinOps expert with the Federal Government, I lead secure, scalable solutions across software development and public sector transformation programs.

  • LinkedIn

Creativity. Productivity. Vision.

I have consistently delivered exceptional results in complex, high-stakes environments throughout my career, managing prestigious portfolios for U.S. Federal Government agencies and the World Bank Group. Known for my expertise in IT project management, security, risk assessment, and regulatory compliance, I have built a reputation for excellence and reliability.


 

©2025 by Sai Sravan Cherukuri
