Amazon Web Services introduces AWS GovCloud (US) as a region designed specifically “to host sensitive data, regulated workloads, and address the most stringent U.S. government security and compliance requirements”.
But one may well ask what exactly those “stringent U.S. government security and compliance regulations” are, and how security was built into the AWS GovCloud architecture as it was developed. This article answers that question and describes the physical and operational security processes AWS applies in managing the AWS GovCloud (US) region.
AWS GovCloud Compliance Program
The AWS Compliance page describes the robust controls that the AWS global infrastructure and managed services address within the scope of cloud security and data protection. Ranked by the controls embedded in an IaaS platform, AWS GovCloud would sit at the very top, above any cloud platform from any cloud vendor. To be specific, the following are the compliance programs and regulations addressed in total by the AWS GovCloud (US) region.
- SOC 1 (ISAE 3402 / SSAE 16 / SAS 70), SOC 2, and SOC 3
- FISMA, DIACAP, and FedRAMP
- Department of Defense Cloud Computing Security Requirements Guide for Impact Levels 2, 4, and 5
- Department of Defense Cloud Security Model (CSM) Level 3-5 Provisional Authorization
- PCI DSS Level 1
- ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
- International Traffic in Arms Regulations (ITAR)
- FIPS 140-2
- Multi-Tier Cloud Security (MTCS) Level 3
- HITRUST (Health Information Trust Alliance)
- Export Administration Regulations (EAR)
- Criminal Justice Information Systems (CJIS) Security Policy
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Cloud Security Alliance (CSA) Star Level 2
In the following sections, we discuss where and how AWS GovCloud security goes beyond that of the standard AWS regions.
Physical and Environmental Security
AWS GovCloud’s perimeter of use is limited to the US border and is exclusive to US citizens. Physical access to the infrastructure of GovCloud regions is even more stringent: physical access to data centers in AWS GovCloud regions is restricted to employees validated as US citizens. Administration of AWS GovCloud is permitted only to vetted US professionals, with access controls distinct from those of other AWS regions. AWS GovCloud is therefore secured with the highest possible physical security for operating US public-sector workloads.
AWS GovCloud operates in two geographical regions, AWS GovCloud (US-West) and AWS GovCloud (US-East). Each of these regions is designed for fault tolerance with three isolated locations, or ‘availability zones’.
AWS GovCloud service endpoints are publicly available and accessible over the Internet, but only to callers authenticated as registered AWS GovCloud customers.
Authorization and Sign-up Process
Only a customer who holds a green card or US citizenship, as defined by the US Department of State, is permitted to access the root account keys and sign up the entity. During the sign-up process, the entity itself is also screened to confirm that it is a US entity, which may be a government body, a contracting company, or an educational organization.
For increased security, AWS does not allow you to access accounts in any other AWS region with your GovCloud credentials, whether the AWS GovCloud account access key or AWS GovCloud IAM user credentials.
Access to AWS GovCloud (US) Console
Accessing the AWS GovCloud console is unlike logging in to the standard AWS Management Console with your email address and password. Your email address is a publicly known value and therefore vulnerable to compromise, so the GovCloud console requires IAM user credentials as an extra layer of protection over your data.
However, as a customer, you also share responsibility for security. Be mindful not to share your IAM credentials in order to grant anyone temporary access. If someone needs access, create an IAM user profile for them from your IAM administrative user.
AWS GovCloud regions use a different authentication stack from the one used by standard AWS regions. This is a vital measure by AWS to keep the AWS GovCloud regions distinct from other AWS regions: it reduces the likelihood of the GovCloud platform being compromised even if another AWS region is. On the other hand, AWS GovCloud supports only a limited set of MFA devices, such as Authy, Duo Mobile, LastPass Authenticator, Microsoft Authenticator and Google Authenticator on Android and iPhone, and key-fob devices designed exclusively for AWS GovCloud.
CIS Hardened Images for Built-In Security
Amazon Machine Images (AMIs) pre-configured to the CIS benchmarks are available to launch in AWS GovCloud, so there is no need to apply the CIS benchmarks manually and individually to improve the cyber-security defenses of your cloud environment. This minimizes security gaps in your application-hosting environment while automatically complying with DFARS regulations.
Authority To Operate (ATO) on AWS
ATO on AWS is a partner-driven program from Amazon Web Services that helps customers, partners, and independent software vendors accelerate the security and compliance authorization process. Qualified system integrators from the Amazon Partner Network come together through this program to provide training, tool recommendations, pre-built automated deployment capabilities, pre-built artifacts, and control-implementation guidance.
As proof of the program’s capability, Smartsheet is an organization that achieved FedRAMP compliance within ninety days through the ATO program. Beyond FedRAMP compliance, ATO currently has experts who can deliver professional consultation in line with DoD PA ATO (IL4/IL5), IRS-1075 authorization, PCI DSS certification, CJIS authorization, HITRUST, and HIPAA certification.
The Infrastructure as Code, Policy as Code, and Compliance as Code artifacts delivered through ATO can also be used to implement the Security Automation and Orchestration methodology, improving security-analyst productivity, shortening the response time to security threats, and handling and consolidating a greater volume of alerts.
AWS Security Automation and Orchestration Methodology
The Security Automation and Orchestration Remediation (SOAR) market is a fairly new segment of the cybersecurity industry. AWS has brought SOAR implementation capability to the GovCloud platform, which is a huge leap for the public sector.
Continuous Integration, Continuous Delivery, Continuous Risk Treatment, Microservices, Infrastructure as Code, Configuration Management, Policy as Code, Compliance as Code, and Continuous Audit and Compliance make up the AWS SOA methodology. It is truly a game-changer by AWS for securing applications hosted in GovCloud.
Final Thoughts for Best in Class AWS GovCloud Security Practices
Security is a business enabler and a business driver. That is why AWS implements best-in-class security practices in the AWS GovCloud (US) region. The security controls of the application-hosting environment are as important as the security controls embedded in the application itself. Therefore, as US government agency personnel, a US government contractor, or an IT engineer at a US government institution, it is vital that you evaluate whether the security of the application-hosting environment complements your client’s baseline security requirements.