-
Notifications
You must be signed in to change notification settings - Fork 0
MCP External Access FedRAMP Readiness Review
Prepared for the AWS Summit DC FedRAMP review session — June 30, 2026
This page rolls up a FedRAMP / NIST 800-53 readiness review of the mcp-external-access spec (Path B — Cognito JWT authorizer on the existing AgentCore Runtime). It complements the engineering design at MCP-External-Access-Design-Path-B and the broader scaling proposal at MCP-Access-Architecture-Proposal, viewing the same architecture through a federal-authorization lens.
Scope note. The subject spec is design-complete but not yet implemented — every implementation task (Task 0 onward) is still open. This is a review of the architecture, which is the right time to surface FedRAMP issues before code is written.
Path B exposes the 51-tool MDC MCP RAG server to two new external consumer classes — GitHub Actions CI and HPC user sessions (Hera, Orion, Hercules, Gaea, Ursa) — by attaching a Cognito-issued JWT authorizer to the existing AgentCore Runtime. The developer SigV4 path is preserved byte-identical. Path C (AgentCore Gateway + Cedar tool-level policy) is explicitly deferred.
The authorization model is sound and maps cleanly onto NIST 800-53: least-privilege IAM, no long-lived CI secrets (GitHub OIDC), server-side scope-to-tool enforcement, structured per-call audit, and everything-in-CDK with drift detection. The principal risk is foundational, not architectural: the feature runs on Bedrock AgentCore in commercial us-east-1, and AgentCore does not appear to be in any FedRAMP boundary yet.
Everything in this spec targets commercial us-east-1 on Bedrock AgentCore Runtime. From public AWS sources (verify against the live FedRAMP Marketplace and AWS services-in-scope):
| Service | FedRAMP status (public sources) | Implication |
|---|---|---|
| Amazon Bedrock | High — GovCloud (US-West) only (AWS, Aug 2024) | Commercial-region authorization not established |
| Bedrock AgentCore | New service (Cedar engine GA 2026-03-03); no FedRAMP evidence found | Likely not in any authorized boundary yet |
| Amazon Cognito | FedRAMP-authorized in US East/West commercial (AWS P-ATO) | The auth layer is on solid ground |
So the authentication layer (Cognito) is FedRAMP-ready in commercial us-east-1, but the hosting runtime almost certainly is not.
Reframing the design's gate. The design (§2 AD-2) treats "is the public endpoint reachable under VPC mode" as the go/no-go before implementation. From a FedRAMP standpoint that is the wrong gate — the real gate is "is AgentCore in an authorized boundary at all, and in which region/baseline." That reframing should be settled before the reachability test matters.
- What is the FedRAMP authorization roadmap for Bedrock AgentCore (Runtime, Gateway, Identity) — baseline, region, and timeline?
- If unauthorized, does this system need to move to GovCloud, and what is the AgentCore GovCloud timeline?
- Confirm Cognito's commercial-region FedRAMP Moderate authorization still covers our intended use.
| Area | Control(s) | Why it's strong |
|---|---|---|
| Least-privilege IAM | AC-6 | Token_Broker scoped to one Lambda ARN; Secrets read scoped to one secret; OIDC role sub allowlisted to specific repo+ref |
| No long-lived CI secrets | IA-5 | GitHub OIDC federation; Property P8 statically forbids any static key in the CI path |
| Least functionality | AC-3, CM-7 | Server-side scope→tool enforcement with a single source of truth (allowedToolSets.js); CI locked out of all mutation tools; guarded by ESLint + CODEOWNERS |
| Audit & accountability | AU-2, AU-3 | One structured JSONL entry per call with attributable identity (incl. GitHub run_id/repo/ref), payloads deliberately excluded |
| Config management | CM-2, CM-6, CA-7 | All resources in CDK; cdk diff gate; nightly drift detector; RETAIN policies on stateful resources |
| Data-plane isolation | AC-4, SC-7 | Neptune and OpenSearch stay VPC-private; only the AWS-managed MCP edge is public |
-
MFA — IA-2(1), IA-2(11), M-22-09. Cognito MFA is
OPTIONALand OTP-based for human HPC users; not phishing-resistant. Fix already in the design's back pocket: federate Cognito to NOAA SSO (AD-1 option c) so PIV/CAC and central account lifecycle (AC-2) apply. Recommend elevating from "future enhancement" to baseline for the human path. - FIPS crypto — SC-13, SC-8(1). Endpoints are commercial (non-FIPS); R8.1 also permits TLS 1.2. Specify FIPS 140-validated modules and FIPS endpoints (or note GovCloud is FIPS-by-default).
-
Encryption at rest with CMK — SC-28, SC-12. DynamoDB stash is
AWS_MANAGED; KMS is only conditional (R9.3). Use customer-managed KMS for the audit log group, the CI secret, and the claims stash, with documented rotation. - DoS / boundary on the public edge — SC-5, SC-7. The public MCP endpoint is AWS-managed; no customer WAF/rate-limit is possible in Path B. This is a genuine argument for Path C (Gateway) — be ready to explain the interim posture.
- External connections — CA-3, SA-9. GitHub-hosted runners are outside the authorization boundary; assessors often require self-hosted runners in-boundary plus an interconnection writeup for the GitHub OIDC trust.
- Audit retention — AU-11. Design says 90 days (§4.6) but 365 days (§9.2). Reconcile to one documented value that meets the obligation.
- Data classification. State plainly that the indexed corpus is public NOAA-EMC open-source code + public docs — no CUI crosses the public edge. One sentence defuses much boundary scrutiny.
Minor: pin the GitHub Action to a commit SHA rather than @v4 (SA-12/RA-5); the refreshTokenValidity on the client-credentials CI client is dead config (that grant issues no refresh token).
Legend — ✅ addressed ·
| Family | Control | Status | Note |
|---|---|---|---|
| AC | AC-2 Account Management | Cognito-native lifecycle manual; SSO federation centralizes it | |
| AC | AC-3 Access Enforcement | ✅ | Scope→tool middleware, single source of truth (R5) |
| AC | AC-4 Information Flow | ✅ | Data stores VPC-private (R8) |
| AC | AC-6 Least Privilege | ✅ | Scoped Lambda/secret/OIDC role (R3) |
| AC | AC-12 Session Termination | Justify 1-day HPC refresh token | |
| IA | IA-2(1)/(2) MFA | ❌ | Optional OTP — set REQUIRED or federate SSO |
| IA | IA-2(11) Phishing-resistant MFA | ❌ | Needs PIV/CAC via NOAA SSO |
| IA | IA-5 Authenticator Mgmt | ✅ | No long-lived CI secrets (P8) |
| IA | IA-8 Non-org users | Document GitHub OIDC trust | |
| AU | AU-2 / AU-3 Audit | ✅ | One JSONL entry/call, attributable (R6) |
| AU | AU-9 Protect Audit | Add CMK on log group | |
| AU | AU-11 Retention | Reconcile 90 vs 365 days | |
| SC | SC-5 DoS | No WAF on public edge until Path C | |
| SC | SC-7 Boundary | Customer WAF needs Path C Gateway | |
| SC | SC-8(1) Transmission | Require FIPS TLS | |
| SC | SC-12 / SC-13 Crypto | FIPS modules + required CMK | |
| SC | SC-28 Encryption at Rest | CMK for stash/secret/logs | |
| CM | CM-2 / CM-6 Baseline | ✅ | CDK + diff gate + RETAIN (R9) |
| CM | CM-7 Least Functionality | ✅ | CI excluded from mutation + GitHub tools |
| CA | CA-7 Continuous Monitoring | ✅ | Drift detector (Task 13) |
| CA/SA | CA-3 / SA-9 External Connections | GitHub runners outside boundary | |
| SA/RA | SA-12 / RA-5 Supply Chain | Pin Action to SHA | |
| — | Service in FedRAMP boundary | ❓ | Primary risk — confirm AgentCore |
| — | Data classification | ✅ | Public NOAA-EMC code/docs, no CUI |
The full table with per-control "where the spec addresses it" detail and POA&M-style follow-ups lives in the source repo at docs/reports/2026-06-30-mcp-external-access-fedramp-control-mapping.md.
- Confirm AgentCore FedRAMP status / region before further build (gating).
- Elevate NOAA SSO federation to the baseline human-auth path → resolves IA-2(1), IA-2(11), AC-2 together.
- Specify FIPS endpoints + FIPS-validated crypto across all service calls (SC-13, SC-8(1)).
- Require customer-managed KMS on audit log group, CI secret, claims stash + rotation (SC-28, SC-12, AU-9).
- Reconcile audit retention to one documented value (AU-11).
- Document the GitHub interconnection (CA-3 / SA-9); evaluate self-hosted in-boundary runners.
- State interim DoS/boundary posture for the public MCP edge pending Path C (SC-5 / SC-7).
- Subject spec:
.kiro/specs/mcp-external-access/(requirements R1–R11, design, tasks) - Control mapping detail:
docs/reports/2026-06-30-mcp-external-access-fedramp-control-mapping.md - Engineering design: MCP-External-Access-Design-Path-B
- Scaling / CI-CD proposal with Gateway-path FedRAMP mappings: MCP-Access-Architecture-Proposal
- AWS — Bedrock achieves FedRAMP High (GovCloud)
- AWS — Cognito FedRAMP P-ATO (US East/West)
- AWS — Services in scope for FedRAMP
This page is an analysis aid, not an authorization artifact. Control determinations must be validated by the system's 3PAO and reflected in the SSP/POA&M. Service-authorization facts change — verify against the live FedRAMP Marketplace before relying on them.