AWS GovCloud User Guide

Posted on 05.16.2023 - Written by Dane Warner

What is AWS GovCloud (US)?

AWS GovCloud User Guide is here to help you. Amazon Web Services’ GovCloud offers similar services and the same high level of security as AWS, and meets specific regulatory and compliance requirements of US government agencies – such as FedRAMP High, ITAR, DFARS, and HIPAA – by running on a dedicated U.S. platform of hardware, network, and software that is maintained by U.S. citizens only and gives customers the ability to access the regions through FIPS 140-2 service endpoints.

GovCloud is available to federal government contractors and organizations in regulated industries, and is used by educational institutions.

For companies, government entities, and other organizations that do not have the manpower, capital, or other resources to host applications and digital workloads on their own, the AWS GovCloud offering provides the necessary compliant hosting infrastructure in the cloud. Quickly satisfy compliance requirements, such as CMMC Levels 1 through 3, without the overhead and risk of managing a data center on your own [Read our perspective on the state of CMMC here]. GovCloud offers all of this capability along with the traditional benefits of cloud scale and speed. Get started with Oxalis AWS GovCloud services.

The services available with AWS GovCloud do differ from the services available with the public cloud offering of AWS, though AWS strives constantly to narrow the gap. For standard workload requirements, application hosting, or storage needs, services residing on Amazon’s sovereign cloud are more than sufficient, compliant, and safe to use; if there are specific services you need in GovCloud, AWS provides a guide to the service differences. Continue reading our AWS GovCloud User Guide to decide if this platform is right for you.

Can I Trust the AWS GovCloud Services?

Well, that’s a good question. The answer is “Yes”. You can trust the AWS GovCloud services.

The Department of Homeland Security, U.S. Army, and countless government and intelligence agencies are all landing mission critical workloads on this infrastructure. 

However, please note that AWS GovCloud is just a platform. Without a trusted partner or in-house knowledge of this advanced technology, you can quickly get yourself into trouble. Data exposures, compromised services and systems, or worse have all happened when organizations do not develop, deploy, or maintain well-architected and well-operated cloud solutions.

Advantages of Moving to the Cloud

If you are thinking about moving to the cloud, chances are you have considered these main advantages. For those who are still evaluating, here are the primary advantages of moving your workloads to the cloud in a generic sense:

  • Elasticity – Using auto-scaling and load balancing, only use resources according to your demand.
  • Cost Savings – Only pay for the computing power, storage, and resources that you use! The AWS cloud also has no long-term contracts or up-front commitments.
  • Flexibility – You choose the system, programming language, and services that are right for your business.

AWS GovCloud (US) offers all of these advantages, with the addition of high security and compliance.

Thinking about migrating to the Cloud? Check out our post detailing out 5 Considerations for your AWS Cloud Migration Strategy.

Amazon GovCloud, Summarized:

  • GovCloud is a compliant hosting infrastructure in an isolated section of Amazon’s AWS cloud.
  • GovCloud is equipped to handle all categories of Controlled Unclassified Information (CUI) data and government-oriented, publicly available data.
  • GovCloud restricts physical and logical administrative access to US citizens, and can run workloads that contain all categories of CUI data.
  • AWS only allows vetted US citizens with access controls to administer the GovCloud Region, and the AWS GovCloud sovereign cloud is completely isolated from Amazon.com.
  • Even though AWS does manage access controls for GovCloud, each business is responsible for controlling their own content.

Do you have questions about moving to the Cloud? Do you think AWS GovCloud is the right move for your business, or do you want to learn more? Oxalis provides AWS GovCloud services that can help you scale your efforts.

What are the benefits of AWS GovCloud?

There are many benefits of Amazon’s AWS as a cloud platform. For people unfamiliar with what AWS offers, here is a quick run down of the most common AWS Cloud services and why they matter:

Amazon Elastic Cloud Compute (EC2)

AWS Elastic Cloud Compute (EC2), one of the basic building blocks of any AWS cloud solution, provides dynamic and scalable compute capacity. EC2 is available in pay-as-you-go plans or discounted long-term contracts.

Business Example: EC2 can be used for dedicated hosting of applications, software and websites on the cloud. Dynamic and scalable compute capabilities make EC2 a key solution for a growing application or application

Amazon Simple Storage Service (S3)

The second key building block of an AWS cloud solution, S3 provides secure data storage on the cloud. S3 storage is accessible from any system connected to the internet and correctly authenticated into your AWS configuration.

Business Example: Permission-based file storage, accessible from anywhere by individuals or applications with the appropriate credentials.

Amazon Aurora and Amazon DynamoDB

Amazon Aurora and DynamoDB are the final core building blocks of the AWS cloud solution, offering relational and nonrelational database capabilities, respectively. Amazon Aurora is a relational database built for your cloud services and is compatible with both MySQL and PostgreSQL. Amazon DynamoDB is the NoSQL parallel to Amazon Aurora.

Business Example: Cost-effective open source database solution for your cloud applications and environments.

AWS Lambda

Similar to EC2, AWS Lambda offers compute capacity in the cloud, but executes serverlessly. Lambda comes at a small premium, but lets you run code without managing EC2s or incurring the ongoing costs of a dedicated instance. AWS Lambda will handle all administrative tasks, including server and system maintenance, capacity provisioning and scaling, and code monitoring and logging.

Business Example: Background tasks are best suited for AWS Lambda, where persistent server environments are not necessary and workloads are small, sporadic, or hard to predict.

Amazon ELB

Distribute incoming application traffic using an Amazon ELB (Elastic Load Balancing). ELB can function across availability zones and services including EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances.

Amazon VPC

Amazon’s virtual private network solution, isolated within the AWS GovCloud. Defined per your requirements and specifications, including private IP address range, subnets, route tables, and network gateways.

Business Example: Deploy a VPC and ELB to logically isolate production back-end services from the public entry point.

Amazon Workspaces

Secure, persistent, and managed cloud desktop virtualization services. Accessible from supported devices.

Business Example: Virtual Desktop Infrastructure is a standard security practice for organizations desiring to centralize their workforce within compliant and secure desktop infrastructure. Amazon Workspaces is the AWS GovCloud-available solution to meet this need.

Simple Email Service (SES)

Recently added to the Amazon GovCloud (US) suite, SES is an email service for your AWS GovCloud (US) services.

Redshift

Redshift is a data warehouse service in the cloud. Capable of managing petabytes of data, Redshift is the AWS solution for acquiring new insights for your business.

CloudWatch

CloudWatch is AWS’s resource monitor service that can be used to collect and track metrics relevant for your applications and resources.

Business Example: Set up alarms to alert your administrators during an unauthorized access attempt to your AWS Console. Tie these alarms to a Slack channel for quick and distributed alerting.
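The alarm in the CloudWatch business example above, worked through as an added example (not code from the original post or from the Oxalis reference implementation): a filter for failed ConsoleLogin records in CloudTrail, a per-period threshold evaluated the way a CloudWatch alarm sums a metric, and the JSON body a Slack incoming webhook would receive. The sample events, period, threshold and all function names are assumptions.

```python
"""Failed AWS Console sign-in alarm over CloudTrail records (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

PERIOD_SECONDS = 300  # alarm period; assumed value
THRESHOLD = 3         # failed sign-ins per period that raise the alarm; assumed value


def _login(time, user, ip, result):
    """Build a constructed ConsoleLogin record with the fields this check reads."""
    return {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventTime": time,
        "awsRegion": "us-gov-west-1",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": result},
    }


# Constructed sample data: user names and documentation-range IPs are placeholders.
SAMPLE_EVENTS = [
    _login("2023-05-16T14:00:05Z", "alice", "203.0.113.10", "Success"),
    _login("2023-05-16T14:01:10Z", "admin", "198.51.100.7", "Failure"),
    _login("2023-05-16T14:01:40Z", "admin", "198.51.100.7", "Failure"),
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "eventTime": "2023-05-16T14:02:00Z", "sourceIPAddress": "203.0.113.10"},
    _login("2023-05-16T14:02:15Z", "ops-admin", "198.51.100.7", "Failure"),
    _login("2023-05-16T14:03:30Z", "admin", "198.51.100.23", "Failure"),
    _login("2023-05-16T14:12:00Z", "bob", "203.0.113.44", "Failure"),  # lone typo
]


def is_failed_console_login(record):
    """Match what a metric filter on failed ConsoleLogin events would match."""
    outcome = (record.get("responseElements") or {}).get("ConsoleLogin")
    return record.get("eventName") == "ConsoleLogin" and outcome == "Failure"


def period_start(record):
    """Return the epoch second at which the record's alarm period begins."""
    stamp = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    epoch = int(stamp.replace(tzinfo=timezone.utc).timestamp())
    return epoch - epoch % PERIOD_SECONDS


def evaluate_alarm(events, threshold=THRESHOLD):
    """Return one breach summary per period whose failure count meets the threshold."""
    by_period = defaultdict(list)
    for record in filter(is_failed_console_login, events):
        by_period[period_start(record)].append(record)
    breaches = []
    for start, records in sorted(by_period.items()):
        if len(records) >= threshold:
            breaches.append({
                "period_start": datetime.fromtimestamp(start, timezone.utc)
                .strftime("%Y-%m-%dT%H:%M:%SZ"),
                "failures": len(records),
                "users": sorted({r["userIdentity"]["userName"] for r in records}),
                "source_ips": sorted({r["sourceIPAddress"] for r in records}),
            })
    return breaches


def slack_body(breach):
    """Build the JSON body for a Slack incoming webhook; nothing is sent here."""
    text = (f"{breach['failures']} failed AWS Console sign-ins in the "
            f"{PERIOD_SECONDS // 60} min from {breach['period_start']}; "
            f"users: {', '.join(breach['users'])}; "
            f"source IPs: {', '.join(breach['source_ips'])}")
    return json.dumps({"text": text})


if __name__ == "__main__":
    for breach in evaluate_alarm(SAMPLE_EVENTS):
        print(slack_body(breach))
```

A single mistyped password (the last sample record) stays below the threshold, so only the burst of four failures in one period produces a message.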
An overview of a reference implementation can be found below:

AWS works constantly to improve their service offerings. Examples of recently announced GovCloud improvements include:

  • Adding Amazon SageMaker Studio to AWS GovCloud (US) Regions: SageMaker Studio is an integrated development environment (IDE) that provides a single web-based visual interface where you can quickly upload data, use notebooks on a wide range of instance types, train and tune models, run experiments, and collaborate seamlessly within your organization.
  • Adding AWS CodePipeline to AWS GovCloud (US-East): CodePipeline automates the build, test, and deploy phases of your release process when there is a code change, based on the release model you define.
  • Adding AWS Directory Service support for smart card authentication in AWS GovCloud (US-East) Region: Use Common Access Card (CAC) and Personal Identity Verification (PIV) smart cards to authenticate users into Amazon WorkSpaces through your self-managed Active Directory (AD) and AWS Directory Service AD Connector.

A full list of AWS GovCloud services can be found on the product details page: AWS GovCloud (US) Product Details – Amazon Web Services.

How do AWS GovCloud (US)’s Services Differ from Standard AWS’s?

AWS GovCloud vs AWS. Compliant vs. General Purpose. Premium vs Bargain. How do these two AWS tiers stack up against each other and is GovCloud worth it?

The good news is that both products provide agencies and businesses with a complete infrastructure web services platform in the cloud. This includes all of the above-mentioned compute, analytics, networking, monitoring, and storage services. If you need compliance, though, standard AWS can’t help you, since its data may be stored outside the continental U.S. and managed by non-US citizens, and AWS GovCloud (US) endpoints are only accessible to AWS GovCloud (US) customers. Similarly, FIPS 140-2 compliant endpoints are also available exclusively for AWS GovCloud (US) Regions.

It’s important to note that while most AWS services are available in GovCloud, there are often limitations, missing features, and restrictions to GovCloud services – due to the challenges of meeting compliance requirements. AWS provides a complete list of these differences, so do your homework. Here are a few examples:

  1. EC2: Instances must be launched in an Amazon Virtual Private Cloud.
  2. S3: The features S3 Transfer Acceleration, S3 Replication Time Control (S3 RTC), and S3 Storage Lens are unavailable.
  3. AWS Trusted Advisor: Not all checks are supported in GovCloud.
  4. Amazon Cognito: Not all features are supported in GovCloud.

What Regulatory and Compliance Requirements can be Satisfied by AWS GovCloud (US)?

AWS GovCloud (US) is designed to meet the most stringent regulatory and compliance requirements encountered by U.S. Government agencies and contractors. Below is a list of some of these frameworks supported by AWS GovCloud (US):

  • International Traffic in Arms Regulations (ITAR) – ITAR controls the export of sensitive defense and military data, information, and technology.
  • Defense Federal Acquisition Regulation Supplement (DFARS) – DFARS is actually supported by the standard AWS cloud as well as GovCloud. This regulation applies to the safeguarding of DoD data, which includes data in the cloud.
  • The Federal Risk and Authorization Management Program (FedRAMP) – A Federal Government program that provides standardized security assessment and authorization criteria, as well as continuous monitoring for cloud products and services.
  • Department of Defense (DoD) Cloud Computing Security Requirements Guide (DOD SRG) – Standardizes the security assessment and authorization process for sensitive Defense Department data and systems operating in the cloud.
  • Cybersecurity Maturity Model Certification (CMMC) – The DoD’s comprehensive cybersecurity program to protect sensitive information.
  • Criminal Justice Information Services (CJIS) – Governs the security of criminal justice information services for federal and state and local law enforcement.
  • IRS-1075 – Applies to the protection of federal tax information.
  • FIPS 140-2 – Specifies cryptographic security requirements to protect sensitive U.S. government information.
  • Health Insurance Portability and Accountability Act (HIPAA) – Protects the processing and storage of health information.
  • General Data Protection Regulation (GDPR) – Protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data.

AWS provides a full list of compliance certifications, attestations, regulations, alignments, and frameworks that are satisfied by GovCloud. It is important to note here that AWS GovCloud provides the infrastructure and design to enable customers to meet these regulatory requirements, but ultimately the implementation of cloud services within AWS GovCloud requires careful and intentional management to ensure security and compliance. 

What are the Pros and Cons of AWS GovCloud versus Azure Government or regular AWS?

An entire article could be dedicated to this comparison, but for the sake of this blog we will keep it short. Amazon AWS and Microsoft Azure make up the largest public cloud services. Each company has made significant investment in security for their standard tier cloud infrastructure and extended that into full Government compliance with the AWS GovCloud and Azure Government offerings.

A few considerations to take into account:

  1. AWS has been around longer. Launched in 2006 with the standard cloud offering, AWS was the first to offer Government-level compliant cloud services.
  2. AWS features quick-start guides, helping you configure your instances to the tightest compliance requirements, such as HIPAA and CMMC.
  3. Both solutions offer Secret and Top Secret regions, to meet the unique security needs of the Intelligence Community (IC) – Azure Secret and Top Secret and AWS Secret and Top Secret.

Need help deciding? The choice can be difficult, but Oxalis is experienced in both Azure Government and AWS GovCloud. Reach out to our experts for assistance with evaluating the cloud migration dilemma. Get help with GovCloud services.

Who Can Use AWS GovCloud (US)? What Requirements Do I Have to Meet In Order to Use AWS GovCloud (US)?

All U.S. persons can request access to AWS GovCloud (US) resources, but access is subject to approval. Access is restricted to customers who:

  1. Are U.S. persons.
  2. Are not subject to export restrictions.
  3. Comply with US export control laws and regulations, including the International Traffic in Arms Regulations (ITAR).

Government entities are required to sign a customer agreement and an agreement specific to AWS GovCloud (US) in order to access AWS GovCloud (US) resources.

Interested in applying for access to AWS GovCloud? Oxalis has experience applying, deploying, and managing multiple AWS GovCloud instances internally as well as for our customers. Reach out for a fit consultation to determine if AWS GovCloud (US) is the right solution for your needs. Our U.S.-based team of experts can help you navigate the application process.

Once you’ve determined that AWS GovCloud (US) is the right solution for you, qualified customers can request access from the AWS Management Console of a standard AWS account, by contacting an AWS business representative, or by reaching out to Oxalis for assistance.

What does AWS GovCloud Pricing Look Like? What Does Amazon Web Service Hosting Cost?

The AWS offerings within standard and GovCloud are vast and flexible. For the purposes of this quick comparison, we will focus on relative costs of the major compute and storage offerings of AWS GovCloud vs AWS. AWS is the standard for cloud-based offerings and can be taken as a benchmark when calculating the impact of moving to a compliant cloud like AWS GovCloud.

Note: Cloud compute and storage prices are constantly in flux so please consult the AWS calculator for the most up-to-date pricing: https://calculator.aws. The numbers included below are up-to-date as of August 2021.

Before diving into the numbers, let’s have a look at the AWS compute tiers to better understand what options are available and begin to decipher Amazon’s naming conventions. EC2 offers the most customization and the options can often be overwhelming when reviewed for the first time. Read on to learn the framework. Contact us to learn more about AWS GovCloud services.

An Intro to EC2 Tiers

Amazon groups EC2 compute options into tiers, which offer varying optimization balances to maximize your EC2 purchase. These tiers are differentiated by an alphanumeric ID representing the ratio of Memory, vCPU, Network Performance, and Storage provided to each instance. Each tier is cost-optimized for that particular ratio. You can use the AWS calculator to determine the appropriate tier based on a particular memory or vCPU requirement, or you can select a specific tier via the Advanced Estimate option.

The EC2 Families

To better understand the AWS offerings, we can group the tiers into five families:

  1. General Purpose
    • T3, T3a, T2 Instance Types are configured for the lowest price general purpose computing. 
    • These are your standard current-generation instances for a majority of your application support needs.
  2. Compute Optimized
    • The C5, C5n, and C4 instance types offer the lowest price per CPU ratio of the instance types.
  3. Memory Optimized
    • The R6g, R5, R5a, R5n, R4, X1e, and X1 instance types are memory optimized with standard network performance for a more affordable option than the Accelerated Computing family.
  4. Accelerated Computing
    • P3, P2, Inf1, G4, G3, and F1 feature accelerated computing with high Network Performance ratings and enormous Memory options.
  5. Storage Optimized
    • The I3, I3en, D2, and H1 families make up the storage optimized instances, featuring dedicated SSD storage instead of the standard EBS storage option.

AWS Pricing Compared to AWS GovCloud (US)

You likely have a number of questions when it comes to AWS GovCloud pricing:

  • How much more expensive is AWS GovCloud (US)?
  • How much does a standard selection of AWS GovCloud (US) services cost when compared to AWS Standard? 
  • How much does AWS GovCloud (US) cost per hour? Per month? How does that pricing change when reserved in an annual subscription?

Below we provide a few examples of the pricing breakdown for standard AWS options, along with the percent difference between GovCloud and standard AWS cloud. Get the conversation started about GovCloud services.

Services Analyzed:

  1. S3 – Storage
  2. EC2 – Compute
  3. Lambda – Serverless Compute
  4. Application ELB – Load Balancing
  5. CloudWatch – Logging
  6. VPC Nat Gateway – Gateway and VPC

Pricing Assumptions:

  • Using AWS GovCloud West and US West (Oregon) regions for GovCloud and AWS Standard estimates, respectively.
  • 1 year cost estimate is for 100% upfront payment

1 – S3 Standard Storage Costs per Month

| Storage Size | AWS (USD) | AWS GovCloud (US) (USD) | % Difference |
|---|---|---|---|
| 1 TB | 23.55 | 39.94 | 70% Increase |
| 100 TB | 2,304.00 | 3,891.20 | 69% Increase |
| 1000 TB | 22,067.20 | 37,222.40 | 69% Increase |

2 – EC2 Hourly Compute Costs per Hour (On-Demand and 1 Year Reserved)

Example Specifications

| Family | Tier | Memory | vCPUs | Network Performance | Storage |
|---|---|---|---|---|---|
| General Purpose | t3.large | 8 GiB | 2 | Up to 5 Gigabit | EBS only* |
| Compute Optimized | c5.large | 4 GiB | 2 | Up to 10 Gigabit | EBS only* |
| Memory Optimized | r6g.large | 16 GiB | 2 | Up to 10 Gigabit | EBS only* |
| Accelerated Computing | inf1.xlarge | 8 GiB | 4 | Up to 25 Gigabit | EBS only* |
| Storage Optimized | i3.large | 15.25 GiB | 2 | Up to 10 Gigabit | 1 x 475 NVMe SSD |

*EBS = Elastic Block Store: either SSD or HDD-based high-performance block storage

Cost Comparison

| Family | Selected Tier | On-Demand Hourly Cost AWS (USD/hr) | 1 Year Reservation AWS (USD/hr) | On-Demand Hourly Cost GovCloud (US) (USD/hr) | 1 Year Reservation AWS GovCloud (US) (USD/hr) | % Difference (1 year reserved) |
|---|---|---|---|---|---|---|
| General Purpose | t3.large | 0.0832 | 0.0487 | 0.0976 | 0.0574 | 18% Increase |
| Compute Optimized | c5.large | 0.085 | 0.05 | 0.102 | 0.06 | 20% Increase |
| Memory Optimized | r6g.large | 0.1008 | 0.0593 | 0.1208 | 0.071 | 20% Increase |
| Accelerated Computing | inf1.xlarge | 0.228 | 0.134 | 0.228 | 0.169 | 26% Increase |
| Storage Optimized | i3.large | 0.156 | 0.099 | 0.188 | 0.12 | 21% Increase |

3 – Lambda – Serverless Compute Costs Per Month

AWS Lambda starts to become more cost-effective than standard EC2 when running small workloads at most one quarter of the time (when compared to an always-on compute load). Interestingly enough, there does not appear to be a premium on running Lambda functions on AWS GovCloud (US) at this time.

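| Lambda Memory Size (GB) | Execution-seconds* | AWS (USD) | AWS GovCloud (US) (USD) | % Difference |
|---|---|---|---|---|
| 2 | 1296000 | 36.59 | 36.59 | 0 % |
| 2 | 2592000 | 80.05 | 80.05 | 0 % |
| 4 | 1296000 | 79.79 | 79.79 | 0 % |
| 4 | 2592000 | 166.45 | 166.45 | 0 % |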
*Assuming each execution runs for either 0.5 or 1 second, distributed over 1 month.

4 – Application ELB – Load Balancing Fixed Costs Per Month*

| Number of Load Balancers | Type of Load Balancer | AWS (USD) | AWS GovCloud (US) (USD) | % Difference |
|---|---|---|---|---|
| 1 | Application | 16.43 | 23.36 | 42% Increase |
| 2 | Application | 32.85 | 46.72 | 42% Increase |

*Estimate does not include LCU usage charges

5 – CloudWatch – Logging Costs Per Month

| Number of Metrics | Dashboards | Composite Alarms | AWS (USD) | AWS GovCloud (US) (USD) | % Difference |
|---|---|---|---|---|---|
| 20 | 5 | 9 | 16.50 | 17.85 | 8% Increase |
| 40 | 10 | 20 | 43.00 | 46.00 | 7% Increase |

6 – VPC and NAT Gateway Costs Per Month

| Data Processed per NAT Gateway (GB) | AWS (USD) | AWS GovCloud (US) (USD) | % Difference |
|---|---|---|---|
| 10 | 33.30 | 39.96 | 20% Increase |
| 100 | 37.35 | 44.82 | 20% Increase |
| 1000 | 77.85 | 93.42 | 20% Increase |

Pricing Analysis Summary

Increased compliance and security come at an increased cost: approximately 25% greater.

As expected, our calculations show that AWS GovCloud (US) is more expensive than standard AWS, with an approximately 10% to 70% increase in cost, depending on the service. Some key takeaways:

  • Certain services, such as CloudWatch, did not experience a significant price change (7-8%) when upgraded to an AWS GovCloud (US) datacenter deployment, while Lambda services did not increase in price at all.
  • Storage saw the most significant increase in price, at an average of 69%.
  • Compute resources fell within the average, with an 18% – 26% increase in price.

Calculating your migration costs and need help? Reach out to our team of experts to evaluate your cloud migration landscape and anticipated costs. We can help you set up the cost calculator and find the solution(s) that meet your specific needs. Ready to learn more about GovCloud services?

How do you Implement AWS GovCloud?

So you’ve decided AWS GovCloud is the right solution for your needs. How do you go about purchasing a license and getting started with configuration? The first step is to sign up for the service, which can be done manually or through a solution provider such as Oxalis.

Interested in contacting a GovCloud services provider? Learn more about Us.

Sign Up

  • Option 1 – Create an AWS GovCloud (US) account through a Solution Provider
    • Recommended for organizations who don’t yet know what AWS services they will need, or those who are interested in optimizing their AWS GovCloud procurement and resource allocation.
  • Option 2 – Create an AWS GovCloud (US) account from a standalone AWS account.
    • To do this, create or log into your AWS standard account and navigate to the “My Account” page at the top of the Console.
    • At the bottom of the “My Account” page, there will be a GovCloud (US) section. If you do not see this section, ensure you logged in with the root credentials; otherwise, create a support ticket. Click “Sign up for AWS GovCloud (US).”
    • This will navigate you to the AWS GovCloud (US) Sign Up Portal where it will ask you to accept the AWS GovCloud (US) legal agreement and provide additional information, so we can verify your eligibility for an AWS GovCloud (US) account.
    [Figure: Accessing the My Account Page and GovCloud Signup]
  • Option 3 – Create an AWS GovCloud (US) account with AWS Organizations.
    • AWS Organizations allows your organization to create and manage a set of accounts across regions and partitions.
    • For more information on AWS Organizations, visit https://aws.amazon.com/organizations/.

Account Linking

Since AWS GovCloud (US) accounts are associated with standard AWS accounts for billing, service, and support purposes, customers are required to have an existing standard account before signing up for an AWS GovCloud (US) account. It is recommended to create a new AWS account that will be used solely for AWS GovCloud sign up and billing to ensure your standard AWS workloads will not be affected when transferring or closing GovCloud accounts.

Onboarding

There are a few steps required to onboard your AWS GovCloud account, which are outlined here:

  • Sign in to your account.
  • Create an alias for your account.
  • Create and download access keys.
  • Verify AWS CloudTrail is Enabled.

Configuration

At this step, we recommend configuring a few console items to secure your account before allocating any AWS services or migrating data to the cloud:

  • Configure the AWS CLI
  • Create an IAM User to Access the Console
  • Configure Audit Logging
  • Enable Multi-Factor Authentication (MFA) for IAM users
  • Sign Up for AWS GovCloud (US) Customer Support
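A baseline check covering the Onboarding and Configuration steps above (CloudTrail enabled, access keys, MFA for IAM users), as an added example that is not part of the original guide. It reads constructed samples shaped like the output of `aws iam get-credential-report` (decoded CSV, columns trimmed) and `aws cloudtrail describe-trails` / `get-trail-status`; the account ID, user names, trail name and the 90-day key age and multi-region policies are assumptions.

```python
"""Baseline check for a newly onboarded AWS GovCloud (US) account (added example)."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not an AWS default

# Constructed credential report; real reports carry more columns than shown here.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
Administrator,arn:aws-us-gov:iam::111122223333:user/Administrator,false,false,true,2023-01-05T00:00:00+00:00
alice,arn:aws-us-gov:iam::111122223333:user/alice,true,true,false,N/A
bob,arn:aws-us-gov:iam::111122223333:user/bob,true,false,true,2023-05-01T09:30:00+00:00
"""

# Constructed describe-trails output and per-trail get-trail-status output.
TRAILS = {"trailList": [{
    "Name": "org-audit",
    "HomeRegion": "us-gov-west-1",
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": True,
}]}
TRAIL_STATUS = {"org-audit": {"IsLogging": True}}


def audit_users(report_csv, now):
    """Flag users outside the GovCloud partition, without MFA, or with old keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if not row["arn"].startswith("arn:aws-us-gov:"):
            findings.append(f"{user}: ARN is not in the aws-us-gov partition")
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
        if row["access_key_1_active"] == "true":
            rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
            age = (now - rotated).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(f"{user}: access key 1 is {age} days old")
    return findings


def audit_trails(trails, status):
    """Flag missing, single-region, or unvalidated CloudTrail trails."""
    findings = []
    active = [t for t in trails["trailList"]
              if status.get(t["Name"], {}).get("IsLogging")]
    if not active:
        findings.append("CloudTrail: no trail is currently logging")
    for trail in active:
        if not trail.get("IsMultiRegionTrail"):
            findings.append(f"CloudTrail {trail['Name']}: single-region trail "
                            f"(home {trail['HomeRegion']})")
        if not trail.get("LogFileValidationEnabled"):
            findings.append(f"CloudTrail {trail['Name']}: log file validation is off")
    return findings


def audit_account(now):
    """Run both checks over the constructed samples above."""
    return audit_users(CREDENTIAL_REPORT, now) + audit_trails(TRAILS, TRAIL_STATUS)


if __name__ == "__main__":
    for finding in audit_account(datetime(2023, 5, 16, tzinfo=timezone.utc)):
        print("FINDING", finding)
```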

Allocation

Last but not least, you will need to procure the AWS services that your organization needs for the cloud. Below is an example of what a final implementation may look like for a moderately-sized application on AWS GovCloud (US):

[Figure: Resources Dashboard]

The EC2 instances allocated for this application are deployed on T3 and T2 instance types for the general purpose, long-running, burstable workloads of the application:


What does success look like?

HR and compliance company Mineral needed to get their primary revenue generating application to the cloud fast. The business was about to scale dramatically and something needed to be done to set the stage for the uptime, expansion, and partnerships coming quickly. Oxalis was engaged to assess, architect, and migrate Mineral’s monolith code base to AWS services and resilient cloud architecture so that the business could proceed with revenue generating partnerships.

Previous efforts had failed and something needed to be done.

Find out more by reading our AWS Migration case study with Mineral

How Oxalis Can Help with AWS GovCloud Services

Oxalis offers various services for AWS GovCloud including:

  • Cloud Architecture Design
  • Cloud Infrastructure Implementation
  • Serverless Architecture
  • Cloud Migration
  • Cost Optimization

Do you think AWS GovCloud is the right move for your business, or do you want to learn more? Enter your information below to contact one of our experts to start the conversation today, or learn more about our Amazon GovCloud services.

Need more Info? Check out our AWS GovCloud Services User Guide

Here is what our AWS GovCloud user guide includes:

  • Overview of AWS GovCloud Services with related ITAR boundaries.
  • Instructions on signing up for and setting up AWS GovCloud.
  • Differences between standard AWS regions vs. GovCloud.
  • A brief usage and troubleshooting guide.

Contact us to get more information about AWS GovCloud Services

Contact us today for a free consultation about AWS GovCloud Services, to hear how Oxalis can help.

Get the conversation started!

Feel free to send us a message in the form below. We’re very approachable and would like to talk more about how we can meet your needs:
