AWS GovCloud: Five Things To Know

For cloud customers looking to meet security compliance requirements, AWS GovCloud often seems like a good option. At Oxalis, we frequently help customers deploy their workloads in AWS GovCloud to meet their compliance needs – we even wrote the User Guide to AWS GovCloud!

Limited to just US customers, AWS GovCloud is, as Amazon puts it, “… designed to address specific regulatory and compliance requirements of US government agencies at the federal, state, and local level, as well as contractors, educational institutions, and other U.S. customers that run sensitive workloads in the cloud.”

After helping customers with compliant cloud migrations and deployments for many years, similar questions kept coming up. In this post we share 5 key concepts that customers should take into account when considering a migration to AWS GovCloud.

You May Not Need AWS GovCloud

Many people hear about GovCloud and assume that because they have compliance requirements, they must use GovCloud. Depending on the specific compliance regime, however, you may be able to use AWS’s standard Commercial offerings.

For instance, for customers requiring FedRAMP Moderate compliance, AWS’s standard US East and West regions are compliant and have an ATO.

AWS US East-West (Northern Virginia, Ohio, Oregon, Northern California) has been granted a Joint Authorization Board Provisional Authority-To-Operate (JAB P-ATO) and multiple Agency Authorizations (A-ATO) for moderate impact level. The services in scope of the AWS US East-West JAB P-ATO boundary at Moderate baseline security categorization can be found within AWS Services in Scope by Compliance Program.

https://aws.amazon.com/compliance/fedramp/

AWS’s Compliance program is a good starting point for understanding what compliance regimes exist and if GovCloud is required to meet them. https://aws.amazon.com/compliance/services-in-scope/

At Oxalis, our first question on any compliant cloud project is what specific compliance regimes need to be covered. Choosing GovCloud unnecessarily can add cost and complexity if its unique certifications are not required.

Unsure if AWS GovCloud is the right choice for your compliance needs?

AWS GovCloud Has Different Services and Features

GovCloud is not “just another region” – new AWS services can take years to become available there as they go through the certification process. For instance, AWS Chatbot, a tool for Slack and Teams integrations, is not available in AWS GovCloud.

This means that if your solution depends on a specific AWS service, it is important to review the services currently available in GovCloud to avoid surprises – https://aws.amazon.com/govcloud-us/details/

While working out which whole services are or are not available is a relatively straightforward process, it is far more challenging when a service that is available is missing specific features in GovCloud. For instance, while AWS Lambda is available in GovCloud, using a Container Image for a function is not. Almost every service has similar caveats that can cause surprises in GovCloud deployments.

Unlike whole services, there is no master list of these feature-level differences, and some are not documented at all. Successful, predictable GovCloud implementations require teams with GovCloud-specific experience, not just general AWS experience.

Looking for a GovCloud experienced team to help with an implementation?

Just Because a Service is in GovCloud doesn’t mean it is certified

Because AWS GovCloud can be used to meet many different compliance requirements, the fact that a specific service is available within GovCloud does not mean it has been certified for the regime you need. For instance, AWS Firewall Manager is available in GovCloud but does not yet have approval for FedRAMP High. It is under review, so it will likely be certified, but at the time of writing you cannot use AWS Firewall Manager for FedRAMP High offerings.

Every GovCloud Account has a corresponding Commercial Account

As documented in our User Guide, GovCloud accounts are created from a “standard” AWS account, with the standard account continuing to handle billing and budget management. For basic cloud deployments, this is as far as the account structure goes. If, however, you’re trying to set up a multi-account architecture following AWS’s recommendations for a well-architected environment (https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html) or the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US), you end up with many accounts.

AWS GovCloud account structure (image)

In these situations, the account pairing requires a strategy to make sure the commercial standard accounts are secured and managed so that they do not become a risk to the GovCloud accounts.

Interested in pursuing a multi-account strategy in AWS?

Security and Compliance Responsibility is Shared

No phrase makes security experts see red faster than “We’re secure because we’re hosted in AWS GovCloud”. Your choice of host covers only part of your security needs – e.g. securing physical access to resources – and does not in itself confer any compliance status.

AWS Shared Responsibility Model (image), from https://aws.amazon.com/compliance/shared-responsibility-model/

You are still responsible, for instance, for using the services in a secure manner – e.g. GovCloud will do nothing to prevent you from inadvertently making an S3 bucket’s contents public.
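As an added illustration (not code from Oxalis or from the User Guide) of the kind of check that stays on the customer's side of the shared responsibility line: a small offline Python script that flags bucket-policy statements open to any principal and lists which of the four S3 Block Public Access settings are switched off. The inputs are constructed samples in the shape of boto3's get_bucket_policy and get_public_access_block responses (an assumption; nothing here calls AWS).

```python
"""Flag S3 bucket configurations that would expose contents publicly.

Added example, not Oxalis code. Inputs are constructed dictionaries in the
(assumed) shape of boto3's get_bucket_policy / get_public_access_block output.
"""
import json

# Constructed sample policy: one scoped statement plus an accidental public one.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppReads", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws-us-gov:iam::123456789012:role/app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws-us-gov:s3:::example-bucket/*"},
        {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws-us-gov:s3:::example-bucket/*"},
    ],
})


def _is_wildcard_principal(principal) -> bool:
    """True when the statement applies to everyone, anonymous users included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements granted to a wildcard principal.

    Statements carrying a Condition are still flagged: a condition such as
    aws:SourceVpc may narrow them, but that needs case-by-case review.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))]


def block_public_access_gaps(config: dict) -> list:
    """Return the S3 Block Public Access flags that are not enabled."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
    return [f for f in flags if not config.get(f, False)]


if __name__ == "__main__":
    print("Public statements:", public_statements(SAMPLE_POLICY))
    print("Block Public Access gaps:",
          block_public_access_gaps({"BlockPublicAcls": True}))
```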

Additionally, most security and compliance certifications go beyond pure technical details. Under CMMC and NIST 800-171, there is a requirement to provide employees with insider threat training. Hosting on GovCloud provides no assistance in meeting that need.

Looking for help designing your security controls?

Need more Info? Check out our AWS GovCloud Services User Guide

Here is what our AWS GovCloud user guide includes:

  • Overview of AWS GovCloud Services with related ITAR boundaries.
  • Instructions on signing up for and setting up AWS GovCloud.
  • Differences between standard AWS regions vs. GovCloud.
  • A brief usage and troubleshooting guide.

Bonus: Azure Government has (mostly) the same caveats

Remember, GovCloud isn’t the only option for high-compliance cloud services – Azure Government provides similar capabilities with similar caveats around service and feature availability.

Recommended Blog posts

Mineral Migration to AWS Case Study

The Challenge

Mineral needed to get their primary revenue-generating application to the cloud fast. The business was about to scale dramatically and needed to move fast to set the stage for the fast-approaching uptime requirements, expansion, and partnerships. Oxalis was engaged to assess, architect, and migrate Mineral’s monolith code base to AWS services and a resilient cloud architecture so that the business could proceed with revenue-generating partnerships.

Previous efforts had failed and something needed to be done.


Our Approach

Oxalis is skilled with charting the path forward for complex technology migration and then delivering results. The following steps were taken:

  • Current state assessment: Oxalis did a deep dive into the existing application, infrastructure, and previous efforts to migrate. Not only was the technology considered, but so were the processes, the existing CI/CD, and the tooling that would need to be implemented. Finally, Oxalis built a concrete understanding of the desired state and scale requirements.
  • Cloud Architecture and Design: With a solid understanding of the current state and the to-be requirements defined, Oxalis quickly got to work mapping the CloudFormation templates and the desired architecture at the MVP level required for a successful cloud migration.
  • Code and Process Remediation: Oxalis moved to remediate the processes and code required to fully leverage AWS managed services such as RDS and EC2. Code was altered to parameterize the system, allowing automated deployment and full use of CloudFormation automation.
  • Migration: One of the primary facets of the Oxalis service was technical leadership. This was brought to bear with an integrated team that was highly knowledgeable about migration best practices. Oxalis developed a robust migration script, tested it, then tested it again. Once vetted, the migration went off during a scheduled outage window exactly as rehearsed and planned.

Services we provided

  • AWS Cloud Architecture Design and Development
  • Programmatic Remediation and Refactor for Cloud Scale
  • Technology Leadership
  • Cloud Migration Services
  • Cloud AWS Development Operations and Maintenance


The Outcome

It starts with the business challenge. Our team moves quickly to define the challenge and start executing a robust plan forward. The results for Mineral were clear. They now have a fully scalable cloud architecture, a faster path to deployments, additional revenue opportunity, and a future development state that leverages advanced AWS capabilities for region-to-region failover, with a full microservice strategy going forward.


Get more information

Feel free to send us a message in the form below

What the 2019 Capital One Breach Means for your AWS Firewall

Capital One Breach 2019: here is the summary:

On July 17, 2019, Capital One Financial Corp. was notified that an online hacker was soliciting the circulation of various sets of sensitive data mined from internal servers. The data came from a system breach on March 22 and 23, 2019, which was quickly identified and neutralized. Within the limited time the system was accessed, hacker Paige A. Thompson was able to gather sensitive information affecting millions of US and Canadian citizens.

Over 140,000 Social Security Numbers, 80,000 Bank Account Numbers, and 1 Million Canadian Social Insurance numbers were jeopardized.

Capital One was alerted, nearly 4 months after their data had been accessed, that sensitive information from various credit card applications was being advertised within private chat pages on social media. Thompson, under the alias “Netcave”, spoke openly on a public chat page within the software development site GitHub. She then created a private messaging channel under similar nomenclature within the messaging platform Slack. On this channel, Thompson posted various databases that she was able to hack into, naming various other organizations that could have been impacted, including Ford Motor Co, Michigan State University, and the largest bank in Italy, UniCredit. Thompson, a Seattle resident, also posted her resume to the GitHub channel identifying her time as an Amazon Web Services engineer, the platform the Capital One servers were deployed on. She gained access to over 30 GB of Capital One data from credit card applications submitted by consumers and small businesses from 2005 until early 2019. Thompson went into detail on her Twitter page, under the name “erratic”, boasting about how easily she gained access.

The Twitter account associated with Thompson shared insight into her methodology.

As an Amazon Web Service Client, how can you feel confident in your data security?

Thompson was able to gain access through a “flimsy” firewall protecting Capital One’s cloud deployment on Amazon’s AWS platform. Though Thompson possessed familiarity with Amazon Web Services from her prior work as a software engineer there, the fault lies within Capital One’s weakened security. At the forefront of cloud deployment, Capital One sought to lead the charge with cloud-based software in the banking industry. The company rapidly deployed cloud-based software across all avenues, in hopes of revolutionizing the way industry leaders store information. Announced in 2015, Capital One’s rapid integration of AWS aimed to consolidate data centers while emphasizing agile development.

Capital One’s major push toward innovative technology ultimately led to detrimental ends.

After announcing the forward-focused initiative almost 5 years ago, Capital One faced major setbacks. Effectively having to rewrite all applications for a modern architecture proved to be much more time-consuming in reality. With progress halting on bold claims, Capital One instituted half-hearted security measures that proved to be far more detrimental than the progress made toward the cloud. Focusing on successfully deploying all cloud-based applications led to extreme oversight that, today, has let weak security standards put millions of people at risk.


How will you learn from the Capital One breach?

What can we learn from the Capital One breach? Hackers like Thompson are numerous in today’s technological economy. Your data is incredibly valuable and could be at risk of exposure, so how can you protect your cloud-based computing? Oxalis understands the implications, both positive and potentially negative, of deploying to the cloud. Here are some of our best practices to deter hackers and limit access to your sensitive information.

  • Passwords: make sure passwords are changed on a regular basis while also encouraging the use of “strong” passwords or passphrases.
  • Two-factor authentication: this is incredibly important to provide roadblocks wherever possible and limit the access pathway for hackers. Instituting these methods wherever possible will help you gain valuable time to neutralize a threat once it is identified. Using mobile codes as a method of authentication will help to counter bots or spoofed accounts.
  • Monitor your activity: Capital One is beginning to contact the accounts affected; do not wait until it is too late. Monitor your accounts for suspicious activity to help limit the access and reach of a hacker within internal domains.

Are you confident in your AWS security protocols?

After large corporations like Equifax and Capital One have been made incredibly vulnerable, how can you be entirely confident in your data security? Hackers have become incredibly sophisticated, transforming cyber attacks into cyber-warfare. Make sure you are utilizing the best resources at your disposal to maintain confidence in the protection of your sensitive data. Oxalis is here to help you understand the benefits and implications of scaling on the cloud, limiting your blind spots and vulnerabilities. We offer a range of AWS consulting services, including data security.

Contact us