
Architecture Decisions

Key design decisions and their rationale.

FIPS Kernel Strategy

Decision: Use kernel 6.1 for all builds until kernel 6.12 FIPS certification completes.

AL2023 defaults to kernel 6.12, but the NIST CMVP certificate for Amazon Linux covers kernel 6.1. All AMIs pin to kernel 6.1 for validated FIPS compliance. Commercial builds will move to kernel 6.12 once its FIPS certification completes.

nftables Over iptables

Decision: Use nftables for all packet filtering and NAT rules.

AL2023 ships nftables as the default packet filtering framework. iptables is available as a compatibility layer but is not the upstream-preferred path.

nftables provides:

  • Native masquerade support without extra modules
  • Atomic rule replacement (no transient states during updates)
  • A single framework for IPv4 and IPv6 (no separate ip6tables)
  • Better alignment with AL2023's upstream direction

The NAT rules are simple — a single masquerade rule per address family — so the nftables syntax is straightforward and requires no iptables translation layer.

fck-nat Configuration Fallback

Decision: Read /etc/pelotech-nat.conf as the primary config, falling back to /etc/fck-nat.conf.

pelotech-nat started as a hardened alternative to fck-nat. Many users deploy fck-nat via the terraform-aws-fck-nat Terraform module, which writes /etc/fck-nat.conf. Supporting this file as a fallback means existing deployments can swap the AMI ID with zero Terraform changes.

The config format is intentionally compatible — same variable names, same syntax. The only addition is fips_endpoints, which defaults to auto-detection and doesn't need to be set in most cases.
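The two decisions above, a single masquerade rule per address family and the pelotech-nat.conf to fck-nat.conf fallback, as an added shell example that is not pelotech-nat's own code. It assumes the config is a file of shell key=value lines, that the auto-detect default for fips_endpoints is spelled `auto`, and uses ens5 as a placeholder interface name.

```shell
#!/bin/sh
# Added example, not pelotech-nat's own code: choose the config file in the
# documented fallback order, then render the nftables ruleset implied by
# "one masquerade rule per address family". Assumed: the config is a file of
# shell key=value lines, the default for fips_endpoints is spelled "auto", and
# the interface name ens5 used below is a placeholder.

# Print the first readable file from the argument list; fail if none exists.
select_config() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Source the chosen file after setting the one pelotech-nat-only default, so a
# plain fck-nat.conf (which never sets fips_endpoints) still yields a value.
load_config() {
    fips_endpoints=auto    # assumed spelling of the "auto-detect" default
    # shellcheck disable=SC1090
    . "$1"
}

# Emit a complete ruleset for `nft -f`. The leading "flush ruleset" is what
# makes the load atomic: old and new rules swap in one transaction, with no
# window in which the box forwards packets without masquerading. This is safe
# only because the appliance owns the whole ruleset and has no other tables.
render_nat_rules() {
    oif="$1"
    cat <<EOF
flush ruleset
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$oif" masquerade
    }
}
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$oif" masquerade
    }
}
EOF
}

# Stand-alone use: render the rules for an interface given on the command line.
render_nat_rules "${1:-ens5}"
```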

Single-Purpose Appliance

Decision: Accept CIS partition rule exceptions rather than adding dedicated partitions.

CIS Level 2 recommends separate partitions for /home, /var, /var/log, /var/log/audit, and /var/tmp to prevent disk-fill attacks from crossing mount boundaries. This makes sense for general-purpose servers where multiple services compete for disk space.

A NAT appliance:

  • Runs a single systemd oneshot service
  • Forwards packets — it does not write user data to disk
  • Ships logs to CloudWatch; local logs are transient
  • Uses a 6 GB root volume and is rebuilt from code on every deploy
  • Is ephemeral by design — if it breaks, a new instance replaces it

Adding 5 partitions to a 6 GB volume would create fragile, undersized mount points that are more likely to cause operational issues than the disk-fill scenario they're designed to prevent. The 5 rules are documented as accepted risks in the OpenSCAP tailoring file.