Security-Integrated Test Framework for FedRAMP-Ready Cloud Applications
DOI: https://doi.org/10.15662/3sd96468
Keywords: Cloud, Security, FedRAMP, Application
Abstract
Because modern SaaS architectures are complex and dynamic, ensuring FedRAMP compliance in
cloud-native environments is a challenge. This paper presents a security-integrated test automation
framework for testing important FedRAMP controls, namely access management, encryption enforcement, and
audit logging, across multi-cloud environments. The framework applies Policy-as-Code principles and
combines IaC scanners such as tfsec and Regula, Kubernetes admission controllers such as Gatekeeper, and
behaviour monitoring based on SIEM-compatible logs. The tests are integrated into CI/CD workflows so that
security is enforced continuously from code to runtime. Terraform and Kubernetes configurations were
deployed on AWS, Azure, and GCP, with policies enforced both before and after deployment. The evaluation
shows a significant increase in policy detection rates (up to 98 percent), fast mitigation (under 6
minutes), and very low false positive rates. The framework is also portable: it was demonstrated on DevOps
platforms including GitHub Actions, Jenkins, and Azure DevOps. Automating security checks and integrating
them with existing development pipelines reduces manual work and compliance drift and aligns cloud
development with the strict FedRAMP requirements. The proposed framework therefore amounts to a feasible,
manageable, policy-based solution for government-facing cloud applications, bridging the gap between
operational agility and government security regulations.
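The pre-deployment stage described above, in which IaC scanner findings are mapped to FedRAMP controls and used to gate the pipeline, can be illustrated with the following Python script. It is an added example, not code from the paper or from the tfsec project. It assumes a tfsec-style JSON report (a "results" list whose entries carry "long_id", "severity" and a "location"); the report embedded below is constructed sample data, the rule-to-control mapping is hypothetical, and the detection-rate function assumes a set of deliberately seeded misconfigurations whose rule ids are known in advance.

```python
"""
Pipeline gate: map IaC scanner findings to FedRAMP control families and
block the build when a mapped control is violated.

Added example, not the paper's own code. The JSON shape mirrors a
tfsec-style report ("results" list), but the sample report, the rule ids
and the control mapping below are constructed/hypothetical.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical mapping from scanner rule ids to the FedRAMP control families
# named in the abstract: access control (AC), encryption (SC), audit (AU).
RULE_TO_CONTROL = {
    "aws-iam-no-policy-wildcards": "AC-6",
    "aws-s3-enable-bucket-encryption": "SC-28",
    "aws-ec2-enable-volume-encryption": "SC-28",
    "aws-cloudtrail-enable-all-regions": "AU-12",
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report resembling tfsec JSON output (not captured output).
SAMPLE_REPORT = json.dumps({
    "results": [
        {"long_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH",
         "description": "Bucket does not have encryption enabled",
         "location": {"filename": "s3.tf", "start_line": 12}},
        {"long_id": "aws-iam-no-policy-wildcards", "severity": "HIGH",
         "description": "IAM policy document uses wildcarded action",
         "location": {"filename": "iam.tf", "start_line": 7}},
        {"long_id": "aws-ec2-no-public-ingress-sgr", "severity": "LOW",
         "description": "Security group rule allows ingress from 0.0.0.0/0",
         "location": {"filename": "sg.tf", "start_line": 3}},
    ]
})


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    location: str
    control: Optional[str]  # FedRAMP control id, None if the rule is unmapped


def parse_report(report_json: str) -> list:
    """Parse a tfsec-style JSON report into Finding records."""
    data = json.loads(report_json)
    findings = []
    for r in data.get("results") or []:
        loc = r.get("location", {})
        findings.append(Finding(
            rule=r["long_id"],
            severity=str(r.get("severity", "LOW")).upper(),
            location=f"{loc.get('filename', '?')}:{loc.get('start_line', '?')}",
            control=RULE_TO_CONTROL.get(r["long_id"]),
        ))
    return findings


def gate(findings: list, min_severity: str = "MEDIUM") -> dict:
    """Group violations by control; block if any mapped finding meets the threshold.
    Unmapped rules are reported separately so coverage gaps stay visible."""
    threshold = SEVERITY_RANK[min_severity]
    by_control = defaultdict(list)
    unmapped = []
    for f in findings:
        if f.control is None:
            unmapped.append(f.rule)
            continue
        if SEVERITY_RANK.get(f.severity, 0) >= threshold:
            by_control[f.control].append(f"{f.rule} @ {f.location}")
    return {"blocked": bool(by_control),
            "violations": dict(by_control),
            "unmapped": unmapped}


def detection_rate(seeded_rules: set, findings: list) -> float:
    """Fraction of deliberately seeded misconfigurations the scan reported."""
    if not seeded_rules:
        return 1.0
    found = {f.rule for f in findings}
    return len(seeded_rules & found) / len(seeded_rules)


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    verdict = gate(fs)
    print(json.dumps(verdict, indent=2))
    seeded = {"aws-s3-enable-bucket-encryption", "aws-iam-no-policy-wildcards",
              "aws-cloudtrail-enable-all-regions"}
    print(f"detection rate: {detection_rate(seeded, fs):.0%}")
    raise SystemExit(1 if verdict["blocked"] else 0)
```

In a CI job the scanner's JSON output would be piped into parse_report and the non-zero exit status would fail the stage; the unmapped list is kept deliberately so that new scanner rules do not silently pass through the gate.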