AWS GovCloud User Guide [UPDATED AUGUST 2021]

Posted on 08.24.2021
-
Written by Dane Warner
-

What is AWS GovCloud (US)?

AWS GovCloud User Guide is here to help you. AWS GovCloud is a compliant infrastructure hosting option for government and defense contractors required to satisfy FedRAMP High, ITAR, DFARS, and other strict compliance frameworks that require data and infrastructure to reside in the United States, and to be operated by U.S. citizens.

For companies, government entities, and other organizations that do not have the manpower, capital, or other resources to host applications and digital workloads on their own, the AWS GovCloud offering provides the necessary compliant hosting infrastructure in the cloud. Quickly satisfy compliance requirements, such as CMMC Levels 1 through 5, without the overhead and risk of managing a data center on your own [Read our perspective on the state of CMMC here]. Govcloud offers all of this capability along with the traditional benefits of cloud scale and speed. Get started with Oxalis GovCloud services.

Amazon Web Services GovCloud trails slightly behind the public cloud offering of Amazon Web Services in terms of access to new features, but that delay is shortening and the capability gap has just about closed. For standard workload requirements, application hosting, or storage needs, services residing on Amazon’s sovereign cloud are more than sufficient, compliant, and safe to use. Continue reading our AWS GovCloud User Guide to decide if this service is right for you.

Can I Trust the AWS GovCloud Services?

Well, that’s a good question. The answer is “Yes”. You can trust in the AWS Govcloud Services.

The Department of Homeland Security, U.S. Army, and countless government and intelligence agencies are all landing mission critical workloads on this infrastructure. 

However, please note, AWS GovCloud is just a platform. Without a trusted partner or in-house knowledge of this advanced technology, you can quickly get yourself into trouble. Data exposures, compromised services and systems, or worse have all happened when organizations do not develop, deploy, or maintain well architected and operated cloud solutions. 

Advantages of Moving to the Cloud

If you are thinking about moving to the cloud, chances are you have considered these main advantages. For those who are still evaluating, here are the primary advantages of moving your workloads to the cloud in a generic sense:

  • Elasticity – Using auto-scaling and load balancing, only use resources according to your demand.
  • Cost Savings – Only pay for the computing power, storage, and resources that you use! The AWS cloud also has no long-term contracts or up-front commitments.
  • Flexibility – You choose the system, programming language, and services that are right for your business.

AWS GovCloud (US) offers all of these advantages, with the addition of high security and compliance.

Thinking about migrating to the Cloud? Check out our post detailing out 5 Considerations for your AWS Cloud Migration Strategy.

Amazon GovCloud, Summarized:

  • GovCloud is a compliant hosting infrastructure in an isolated section of Amazon’s AWS cloud.
  • GovCloud is equipped to handle all categories of Controlled Unclassified Information (CUI) data and government-oriented, publicly available data.
  • GovCloud restricts physical and logical administrative access to US citizens, and can run workloads that contain all categories of CUI data.
  • AWS only allows vetted US citizens with access controls to administer the GovCloud Region, and the AWS GovCloud sovereign cloud is completely isolated from Amazon.com.
  • Even though AWS does manage access controls for GovCloud, each business is responsible for controlling their own content.

Do you have questions about moving to the Cloud? Do you think AWS GovCloud is the right move for your business, or do you want to learn more? Oxalis provides AWS Govcloud Services that can help you scale your efforts.

What are the benefits of AWS GovCloud?

There are many benefits of Amazon’s AWS as a cloud platform. For people unfamiliar with what AWS offers, here is a quick run down of the most common AWS Cloud services and why they matter:

Amazon Elastic Cloud Compute (EC2)AWS Elastic Cloud Compute (EC2), one of the basic building blocks of any AWS cloud solution, provides dynamic and scalable compute capacity. EC2 is available in pay-as-you-go plans or discounted long-term contracts.

Business Example: EC2 can be used for dedicated hosting of applications, software and websites on the cloud. Dynamic and scalable compute capabilities make EC2 a key solution for a growing application or application
Amazon Simple Storage Service (S3)The second key building block of an AWS cloud solution, S3 provides secure data storage on the cloud. S3 storage is accessible from any system connected to the internet and correctly authenticated into your AWS configuration.

Business Example: Permission-based file storage, accessible from anywhere by individuals or applications with the appropriate credentials.
Amazon Aurora and Amazon DynamoDBAmazon Aurora and DynamoDB are the final core building blocks of the AWS cloud solution, offering relational and nonrelational database capabilities, respectively.
Amazon Aurora is a relational database built for your cloud services and is compatible with both MySQL and PostgreSQL.
Amazon DynamoDB is the NoSQL parallel to Amazon Aurora.

Business Example: Cost-effective open source database solution for your cloud applications and environments.
AWS LambdaSimilar to EC2, AWS Lambda offers compute capacity in the cloud, but executes serverlessly. Lambda comes at a small premium, but lets you run code without managing EC2s or incurring the ongoing costs of a dedicated instance. AWS Lambda will handle all administrative tasks, including server and system maintenance, capacity provisioning and scaling, and code monitoring and logging.

Business Example: Background tasks are best suited for AWS Lambda, where persistent server environments are not necessary and workloads are small, sporadic, or hard to predict.
Amazon ELBDistribute incoming application traffic using an Amazon ELB (Elastic Load Balancing). ELB can function across availability zones and services including EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances.
Amazon VPCAmazon’s virtual private network solution, isolated within the AWS GovCloud. Defined per your requirements and specifications, including private IP address range, subnets, route tables, and network gateways.

Business Example: Deploy a VPC and ELB to logically isolate production back-end services from public entry point.
Amazon WorkspacesSecure, persistent, and managed cloud desktop virtualization services. Accessible from supported devices.

Business Example: Virtual Desktop Infrastructure is a standard security practice for organizations desiring to centralize their workforce within compliant and secure desktop infrastructure. Amazon Workspaces is the AWS GovCloud-available solution to meet this need
Simple Email Service (SES)Recently added to the Amazon GovCloud (US) suite, SES is an email service for your AWS GovCloud (US) services.
RedshiftRedshift is a data warehouse service in the cloud. Capable of managing petabytes of data, Redshift is the AWS solution for acquiring new insights for your business.
CloudWatchCloudWatch is AWS’s resource monitor service that can be used to collect and track metrics relevant for your applications and resources.

Business Example: Set up alarms to alert your administrators during an unauthorized access attempt to your AWS Console. Tie these alarms to a slack channel for quick and distributed alerting. 
An overview of a reference implementation can be found below:

A full list of AWS GovCloud services can be found on the product details page: AWS GovCloud (US) Product Details – Amazon Web Services

How do the AWS GovCloud Services (US) Differ from Standard Amazon Web Services (AWS)?

AWS Govcloud vs AWS. Compliant vs. General Purpose. Premium vs Bargain. How do these two AWS tiers stack up against each other and is GovCloud worth it?

Well, we are happy to share that both products provide agencies and businesses with a complete infrastructure web services platform in the cloud. This includes all of the above-mentioned compute, analytics, networking, monitoring, and storage services. The standard and GovCloud products begin to diverge, however, when we dive into the world of compliance and government regulations, with GovCloud coming out as a clear leader.

For example, AWS GovCloud guarantees that your cloud data is stored within the continental U.S. and managed by U.S. Citizens according to ITAR regulations. More precisely, AWS GovCloud is designed to meet specific regulatory and compliance requirements of US government agencies and their contractors who require handling of sensitive data and workloads in the cloud. Contact us to get help with govcloud services.

AWS GovCloud (US) includes a few key additional features when compared to standard AWS:

  1. Endpoints – AWS GovCloud (US) endpoints are only accessible to AWS GovCloud (US) customers. FIPS 140-2 compliant endpoints are also available exclusively for AWS GovCloud (US) Regions.
  2. Services – No major differences in the available cloud services, but certain restrictions apply to GovCloud (these are subject to change):
    • EC2 instances must be launched in an Amazon Virtual Private Cloud.
    • SageMaker (machine learning) is only available in GovCloud US West.
    • AWS Trusted Advisor – not all checks are supported in GovCloud.
    • Amazon Cognito – not all features are supported in GovCloud.

What Regulatory and Compliance Requirements can be Satisfied by AWS GovCloud (US)?

AWS GovCloud (US) is designed to meet the most stringent regulatory and compliance requirements encountered by U.S. Government agencies and contractors. Below is a list of some of these frameworks supported by AWS GovCloud (US):

  • International Traffic in Arms Regulations (ITAR) – ITAR controls the export of sensitive defense and military data, information, and technology.
  • Defense Federal Acquisition Regulation Supplement (DFARS) – DFARS is actually supported by the standard AWS cloud as well as GovCloud. This regulation applies to the safeguarding of DoD data, which includes data in the cloud.
  • The Federal Risk and Authorization Management Program (FedRAMP) – A Federal Government program that provides standardized security assessment and authorization criteria, as well as continuous monitoring for cloud products and services.
  • Department of Defense (DoD) Cloud Computing Security Requirements Guide (DOD SRG) – Standardizes the security assessment and authorization process for sensitive Defense Department data and systems operating in the cloud.
  • Cybersecurity Maturity Model Certification (CMMC) – The DoD’s comprehensive cybersecurity program to protect sensitive information.
  • Criminal Justice Information Services (CJIS) – Governs the security of criminal justice information services for federal and state and local law enforcement.
  • IRS-1075 – Applies to the protection of federal tax information.
  • FIPS 140-2, which specifies cryptographic security requirements to protect sensitive U.S. government information.
  • Health Insurance Portability and Accountability Act (HIPAA) – Protects the processing and storage of health information.

It is important to note here that AWS GovCloud provides the infrastructure and design to enable customers to meet these regulatory requirements, but ultimately the implementation of cloud services within AWS GovCloud requires careful and intentional management to ensure security and compliance. 

What are the Pros and Cons of AWS GovCloud versus Azure Government or regular AWS?

An entire article could be dedicated to this comparison, but for the sake of this blog we will keep it short. Amazon AWS and Microsoft Azure make up the largest public cloud services. Each company has made significant investment in security for their standard tier cloud infrastructure and extended that into full Government compliance with the AWS GovCloud and Azure Government offerings.

A few considerations to take into account:

  1. AWS has been around longer. Launched in 2006 with the standard cloud offering, AWS was the first to offer Government-level compliant cloud services.
  2. AWS features quick-start guides, helping you configure your instances to the tightest compliance requirements, such as HIPAA and CMMC.
  3. Both solutions offer Secret and Top Secret regions, to meet the unique security needs of the Intelligence Community (IC) –  Azure Secret and Top Secret and AWS Secret and Top Secret

Need help deciding? The choice can be difficult, but Oxalis is experienced in both Azure Government and AWS GovCloud. Reach out to our experts for assistance with evaluating the cloud migration dilemma. Get help with Govcloud Services.

Who Can Use AWS GovCloud (US)? What Requirements Do I Have to Meet In Order to Use AWS GovCloud (US)?

All U.S. persons can request access to AWS GovCloud (US) resources, but access is subject to approval. Access is restricted to customers who:

  1. Are U.S. persons.
  2. Not subject to export restrictions.
  3. Who comply with US export control laws and regulations, including the International Traffic in Arms Regulations (ITAR).

Government entities are required to sign a customer agreement and an agreement specific to AWS GovCloud (US) in order to access AWS GovCloud (US) resources.

Interested in applying for access to AWS GovCloud? Oxalis has experience applying, deploying, and managing multiple AWS GovCloud instances internally as well as for our customers. Reach out for a fit consultation to determine if AWS GovCloud (US) is the right solution for your needs. Our U.S.-based team of experts can help you navigate the application process.

Once you’ve determined that AWS GovCloud (US) is the right solution for you, qualified customers can request access to from the AWS Management Console of a standard AWS account, by contacting an AWS business representative, or by reaching out to Oxalis for assistance.

What does AWS GovCloud Pricing Look Like? What Does Amazon Web Service Hosting Cost?

The AWS offerings within standard and GovCloud are vast and flexible. For the purposes of this quick comparison, we will focus on relative costs of the major compute and storage offerings of AWS Govcloud vs AWS. AWS is the standard for cloud-based offerings and can be taken as a benchmark when calculating the impact of moving to a compliant cloud like AWS GovCloud. 

Note: Cloud compute and storage prices are constantly in flux so please consult the AWS calculator for the most up-to-date pricing: https://calculator.aws. The numbers included below are up-to-date as of August 2021.

Before diving into the numbers, let’s have a look at the AWS compute tiers to better understand what options are available and begin to decipher Amazon’s naming conventions. EC2 offers the most customization and the options can often be overwhelming when reviewed for the first time. Read on to learn the framework. Contact us to learn more about Govcloud Services.

An Intro to EC2 Tiers

Amazon groups EC2 compute options into tiers, which offer varying optimization balances to maximize your EC2 purchase. These tiers are differentiated by an alphanumeric ID representing the ratio of Memory, vCPU, Network Performance, and Storage provided to each instance. Each tier is cost-optimized for that particular ratio. You can use the AWS calculator to determine the appropriate tier based on a particular memory or vCPU requirement, or you can select a specific tier via the Advanced Estimate option.

The EC2 Families

To better understand the AWS offerings, we can group the tiers into five families:

  1. General Purpose
    • T3, T3a, T2 Instance Types are configured for the lowest price general purpose computing. 
    • These are your standard current-generation instances for a majority of your application support needs.
  2. Compute Optimized
    • The C5, C5n, and C4 instance types offer the lowest price per CPU ratio of the instance types.
  3. Memory Optimized
    • The R6g, R5, R5a, R5n, R4, X1e, and X1 instance types are memory optimized with standard network performance for a more affordable option than the Accelerated Computing family.
  4. Accelerated Computing
    • P3, P2, Inf1, G4, G3, and F1 feature accelerated computing with high Network Performance ratings and enormous Memory options.
  5. Storage Optimized
    • The I3, I3en, D2, and H1 families make up the storage optimized instances, featuring dedicated SSD storage instead of the standard EBS storage option.

AWS Pricing Compared to AWS GovCloud (US)

Note: Cloud compute and storage prices are constantly in flux so please consult the AWS calculator for the most up-to-date pricing: https://calculator.aws. The numbers included below are up-to-date as of  August 2021.

You likely have a number of questions when it comes to AWS GovCloud pricing:

  • How much more expensive is AWS GovCloud (US)?
  • How much does a standard selection of AWS GovCloud (US) services cost when compared to AWS Standard? 
  • How much does AWS GovCloud (US) cost per hour? Per month? How does that pricing change when reserved in an annual subscription?

Below we provide a few examples of the pricing breakdown for standard AWS options, along with the percent difference between GovCloud and standard AWS cloud. Get the conversation started about Govcloud Services.

Services Analyzed:

  1. S3 – Storage
  2. EC2 – Compute
  3. Lambda – Serverless Compute
  4. Application ELB – Load Balancing
  5. CloudWatch – Logging
  6. VPC Nat Gateway – Gateway and VPC

Pricing Assumptions:

  • Using AWS GovCloud West and US West (Oregon) regions for GovCloud and AWS Standard estimates, respectively.
  • 1 year cost estimate is for 100% upfront payment

1 – S3 Standard Storage Costs per Month

Storage SizeAWS (USD)AWS GovCloud (US) (USD)% Difference
1 TB23.5539.9452% Increase
100 TB2,304.003,891.2051% Increase
1000 TB22,067.2037,222.4051% Increase

2 – EC2 Hourly Compute Costs per Hour (On-Demand and 1 Year Reserved)

Example Specifications

FamilyTierMemoryvCPUsNetwork PerformanceStorage
General Purposet3.large8 GiB2Up to 5 GigabitEBS only*
Compute Optimizedc5.large4 GiB2Up to 10 GigabitEBS only*
Memory Optimizedr6g.large16 GiB2Up to 10 GigabitEBS only*
Accelerated Computinginf1.xlarge8 GiB4Up to 25 GigabitEBS only*
Storage Optimizedi3.large15.25 GiB2Up to 10 Gigabit1 x 475 NVMe SSD

*EBS = Elastic Block Store: either SDD or HDD-based high-performance block storage

Cost Comparison

FamilySelected TierOn-Demand Hourly Cost AWS (USD/hr)1 Year ReservationAWS (USD/hr)On-Demand Hourly Cost GovCloud (US) (USD/hr)1 Year Reservation AWS GovCloud (US) (USD/hr)% Difference (1 year reserved)
General Purposet3.large0.08320.04870.09760.057416% Increase
Compute Optimizedc5.large0.0850.050.1020.0618% Increase
Memory Optimizedr6g.large0.10080.05930.12080.07118% Increase
Accelerated Computinginf1.xlarge0.2280.1340.2280.16923% Increase
Storage Optimizedi3.large0.1560.0990.1880.1219% Increase

3 – Lambda – Serverless Compute Costs Per Month

AWS Lambda starts to become more cost-effective than standard EC2 when running small workloads at most one quarter of the time (when compared to an always-on compute load). Interestingly enough, there does not appear to be a premium on running Lambda functions on AWS GovCloud (US) at this time.

Lambda Memory Size (GB)Runtime FrequencyAWS (USD)AWS GovCloud (US) (USD)% Difference
2¼ Active*21.7321.730 %
2⅙ Active*14.4914.490 %
4¼ Active*43.3343.330 %
4⅙ Active*28.8928.890 %

*Assuming 1 execution running for 1 second at specified memory and runtime frequency, distributed over 1 month.

4 – Application ELB – Load Balancing Fixed Costs Per Month*

Number of Load BalancersType of Load BalancerAWS (USD)AWS GovCloud (US) (USD)% Difference
1Application16.4323.3635% Increase
2Application32.8546.7235% Increase

*Estimate does not include LCU usage charges

5 – CloudWatch – Logging Costs Per Month

Number of MetricsDashboardsAlarmsAWS (USD)AWS GovCloud (US) (USD)% Difference
205915.2216.216% Increase
40102039.3241.245% Increase

6 – VPC and NAT Gateway Costs Per Month

Data Processed per NAT Gateway (GB)AWS (USD)AWS GovCloud (US) (USD)% Difference
1033.3039.9618% Increase
10037.3544.8218% Increase
100077.8593.4218% Increase

Pricing Analysis Summary

Increased compliance and security comes at an increased cost. Approximately 20% greater cost.

As expected, our calculations show that AWS GovCloud (US) is more expensive than standard, approximately 20% to 50% increase in cost, depending on the service. Some key takeaways:

  • Certain services, such as CloudWatch, did not experience a significant price change (6%) when upgraded to an AWS GovCloud (US) datacenter deployment while Lambda services did not increase in price at all.
  • Storage was the most significant increase in price at an average of 51% increase
  • Compute resources fell within the average with a 16% – 23% increase in price for computing.

Calculating your migration costs and need help? Reach out to our team of experts to evaluate your cloud migration landscape and anticipated costs. We can help you set up the cost calculator and find the solution(s) that meet your specific needs. Ready to learn more about govcloud services?

How do you Implement AWS GovCloud?

So you’ve decided AWS GovCloud is the right solution for your needs. How do you go about purchasing a license and getting started with configuration? The first step is to sign up for the service, which can be done manually or through a solution provider such as Oxalis.

Interested in contacting a Solution Provider? Click here to contact our team of experts in Govcloud services.

Sign Up

  • Option 1 – Create an AWS GovCloud (US) account through a Solution Provider
    • Recommended for organizations who don’t yet know what AWS services they will need, or those who are interested in optimizing their AWS GovCloud procurement and resource allocation.
  • Option 2 – Create an AWS GovCloud (US) from a standalone AWS account.
    • To do this, create or log into your AWS standard account and navigate to the “My Account” page at the top of the Console
    • At the bottom of the “My fAccount” page, there will be a GovCloud (US) section. If you do not see this section, ensure you logged in with the root credentials otherwise, create a support ticket. Click “Sign up for AWS GovCloud (US).”
    • This will navigate you to the AWS GovCloud (US) Sign Up Portal where it will ask you to accept the AWS GovCloud (US) legal agreement and provide additional information, so we can verify your eligibility for an AWS GovCloud (US) account.
AWS Management console - Govcloud services Oxalis
Accessing the My Account Page and GovCloud Signup
  • Option 3 – Create an AWS GovCloud (US) with AWS Organizations. 
    • AWS Organizations allows your organization to create and manage a set of accounts across regions and partitions.
    • For more information on AWS Organizations, visit https://aws.amazon.com/organizations/.

Account Linking

Since AWS GovCloud (US) accounts are associated with standard AWS accounts for billing, service, and support purposes, customers are required to have an existing standard account before signing up for an AWS GovCloud (US) account. It is recommended to create a new AWS account that will only be used solely for AWS GovCloud sign up and billing to ensure your standard AWS workloads will not be affected when transferring or closing GovCloud accounts.

Onboarding

There are a few steps required to onboard your AWS GovCloud account, which are outlined here:

  • Sign in to your account.
  • Create an alias for your account.
  • Create and download access keys.
  • Verify AWS CloudTrail is Enabled.

Configuration

At this step, we recommend configuring a few console items to secure your account before allocating any AWS services or migrating data to the cloud:

  • Configure the AWS CLI
  • Create an IAM User to Access the Console
  • Configure Audit Logging
  • Enable Multi-Factor Authentication (MFA) for IAM users
  • Sign Up for AWS GovCloud (US) Customer Support

Allocation

Last but not least, you will need to procure the AWS services that your organization needs for the cloud. Below is an example of what a final implementation may look like for a moderately-sized application on AWS GovCloud (US):

Resources Dashboard  AWS Govcloud services

The EC2 instances allocated for this application are deployed on T3 and T2 instance types for the general purpose, long-running, burstable workloads of the application:

Govcloud services AWS - Oxalis

What does success look like?

Mammoth HR needed to get their primary revenue generating application to the cloud fast. The business was about to scale dramatically and something needed to be done to set the stage for the uptime, expansion, and partnerships coming quickly. Oxalis was engaged to assess, architect, and migrate Mammoth’s monolith code base to AWS services and resilient cloud architecture so that the business could proceed with revenue generating partnerships.

Previous efforts had failed and something needed to be done.

Find out more by reading our AWS Migration case study with Mammoth HR

How Oxalis Can Help with Govcloud Services

Oxalis offers various services for AWS GovCloud including:

  • Cloud Architecture Design
  • Cloud Infrastructure Implementation
  • Serverless Architecture
  • Cloud Migration
  • Cost Optimization

Thinking about migrating to the Cloud? Check out our post detailing out 5 Considerations for your AWS Cloud Migration Strategy.

Do you think AWS GovCloud is the right move for your business, or do you want to learn more? Enter your information below to contact one of our experts to start the conversation today, or learn more about our Amazon Govcloud services.

Need more Info? Check out our AWS GovCloud Services User Guide

Here is what our AWS GovCloud user guide includes:

  • Overview of AWS GovCloud Services with related ITAR boundaries.
  • Instructions on signing up for and setting up AWS GovCloud.
  • Differences between standard AWS regions vs. GovCloud.
  • A brief usage and troubleshooting guide.
Oxalis AWS GovCloud User Guide - Govcloud Services

Want to review the full Amazon GovCloud services Solution User Guide?

Contact us to get more information about Govcloud Services

Get the conversation started!

Feel free to send us a message in the form below. We’re very approachable and would like to talk more about how we can meet your needs: