AWS GovCloud is a special, highly secured Amazon region built for United States government agencies and the companies that work with and support them. It operates alongside the even more secure Top Secret and Secret Regions, which support the intelligence community and other agencies that store classified information.
In this post, we’ll provide an overview of GovCloud, as well as the Top Secret and Secret Regions, explain the value of GovCloud and who can benefit from it, and list the main AWS services supported within the region. In addition, we’ll show how NetApp Cloud Volumes ONTAP can help optimize storage for your sensitive data on AWS GovCloud.
This is part of our series of articles about AWS high availability and ways to assure resilience and reliability for sensitive and mission critical workloads.
In this article, you will learn:
AWS GovCloud (US) is a separate AWS Region intended for U.S. government agencies, organizations working with the United States government, and projects that must adhere to stringent standards or regulations. GovCloud helps users move sensitive workloads to the Amazon cloud while adhering to their specific regulatory and compliance requirements.
Apart from its special security and access capabilities, GovCloud is a regular Amazon region that provides all the basic Amazon services. However, not all Amazon services are supported; learn more below. GovCloud provides three AWS availability zones, allowing users to set up a high availability architecture similar to other regions, but without multi-region redundancy.
The on-demand and reserved pricing models used in the rest of the Amazon cloud are also available in GovCloud. However, pricing may differ from that offered in regular AWS regions, and is not publicly available.
The U.S. Air Force's Next Generation GPS system runs in GovCloud, and so does the General Services Administration's Cloud.gov website, a central cloud platform used by the federal government. In addition, agencies such as the Justice Department use the cloud both for internal operations and public-facing services (see a case study on the use of NetApp Cloud Volumes ONTAP by the Justice Department on AWS). GovCloud Data Sense features include data safety and access control, with granular control of individual data at the API level.
Access to the GovCloud region is restricted to a vetted set of USA-based individuals. Its servers are situated on United States soil, and it is managed and run only by United States citizens.
These and other security-related features bring it into full compliance with a broad range of United States government security and restricted-access regulations including:
In addition to GovCloud, Amazon provides two more dedicated regions for U.S. government agencies.
AWS Top Secret Region
Amazon signed a $600 million contract with the U.S. Central Intelligence Agency (CIA), leading it to establish the AWS Top Secret Region in 2014. The Top Secret Region is intended for the exclusive use of the 17 government agencies that make up the U.S. intelligence community.
The Top Secret Region is hosted on-premises at the CIA, and is “air gapped”: completely separated from the public Internet for extra security.
AWS Secret Region
In 2017, Amazon created the AWS Secret Region. The AWS Secret Region runs as part of Amazon’s data centers and not on-premises at the CIA, and can be used by any government agency at all classification levels. It uses the same tools and best practices as the Top Secret Region.
The AWS Secret Region is used for sensitive, classified workloads by non-intelligence government organizations, and can be used by intelligence organizations to share data that is not top secret with other agencies.
There are several reasons to prefer AWS GovCloud:
AWS GovCloud supports a wide range of Amazon services. Below you can see the main supported services; see the official documentation for a complete list, with usage instructions for each service.
| Category | Primary Supported Amazon Services |
| --- | --- |
| Compute | EC2, Elastic Beanstalk, Lambda, Elastic Load Balancing, ECS |
| Storage | S3, EBS, EFS, S3 Glacier, AWS Storage Gateway |
| Databases | Amazon Aurora, RDS, DynamoDB |
| Networking | Autoscaling, CloudWatch, CloudFormation, CloudTrail |
| Security and Identity | Certificate Manager, CloudHSM, AWS Directory Service, IAM, AWS WAF, AWS Multi-Factor Authentication |
| Analytics | Athena, EMR, Kinesis, Redshift |
| Migration | Server Migration Service, Snowball, Database Migration Service |
| Machine Learning | Deep Learning AMIs, Polly, SageMaker, Amazon Translate, Amazon Transcribe |
GovCloud deployments can get an additional boost from NetApp Cloud Volumes ONTAP. Cloud Volumes ONTAP works as a management layer on top of storage and compute resources in the GovCloud, providing more efficient disaster recovery and data replication capabilities with tight security features to fully support critical governmental compliance and privacy requirements.