AWS GovCloud to Secure Sensitive Workloads


Meet AWS GovCloud

AWS is the leading cloud services provider, with millions of applications deployed on its infrastructure by enterprises around the world. AWS offers a wide range of security options so CISOs and end users can be confident that their infrastructure is secure. However, if you are hosting sensitive workloads such as Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), sensitive medical information, financial data, law enforcement data, or any other type of sensitive information, you may want extra protection and separation from the standard cloud.

AWS GovCloud is not a service. AWS GovCloud actually refers to two AWS Regions:

  • us-gov-east-1
  • us-gov-west-1

These regions run in physically separate data centers and are logically network-isolated from all other AWS Regions. To meet specific compliance requirements, they are operated, both physically and logically, by U.S. citizens.

A selection of the security compliance requirements supported by AWS GovCloud:

  • CJIS
  • HIPAA
  • FedRAMP
  • ITAR
  • NIST
  • FISMA
  • FIPS
  • MPAA
  • SOC 1/2/3

Differences between AWS Commercial and AWS GovCloud (US)

After meeting the requirements (a U.S. entity, with GovCloud-specific credentials managed by a U.S. Person), your company can sign up for an AWS GovCloud (US) account and get console access just like a standard AWS account. Be warned, though: there are several differences between AWS GovCloud (US) and a standard AWS account.

  • Route 53 – Route 53 is not available in AWS GovCloud (US) regions. You must set up your DNS in a standard AWS account and then create records that point to your resources in GovCloud.

  • CloudFront – AWS GovCloud (US) is not integrated with CloudFront, so you must use a standard AWS account to create your distribution.

  • Service Endpoints – To access AWS GovCloud (US) from the command line interface or the APIs, use the AWS GovCloud (US) region endpoints. For example, the AWS SNS FIPS 140-2 compliant endpoints:
    • sns.us-gov-east-1.amazonaws.com
    • sns.us-gov-west-1.amazonaws.com

  • VPC Endpoints – For private connections from your VPC to AWS services, note the region in the VPC endpoint service names. For example, with DynamoDB:
    • com.amazonaws.us-gov-west-1.dynamodb
    • com.amazonaws.us-gov-east-1.dynamodb

  • ARN Differences – Note the differences in partition and region for ARNs
    • arn:aws-us-gov:iam::123456789012:username
    • arn:aws-us-gov:ec2:us-gov-west-1:001234567890:instance/*
    • arn:aws-us-gov:s3:::my_bucket_/*
  • Note: both Terraform and CloudFormation can construct IAM ARNs dynamically, so the partition and region do not need to be hard-coded in your templates.
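As an added example (not code from the original post or from Foghorn), the following Python script derives the partition, the regional service endpoint, the VPC endpoint service name and ARNs from a region name, and then audits an IAM policy document for ARNs whose partition does not match the region the policy is deployed in. A policy copied from a commercial account that still names `arn:aws:` resources will not match GovCloud resources, whose ARNs carry the `aws-us-gov` partition, so this is a useful pre-deployment check. The region-to-partition mapping, the sample policy and all function names are assumptions constructed for this example; nothing here calls AWS.

```python
"""Derive GovCloud-specific partition, endpoints and ARNs from a region,
and audit an IAM policy for ARNs in the wrong partition.
Added example; standard library only, no AWS credentials required."""
import json
import re

# Assumption: the two GovCloud regions named in the post.
GOVCLOUD_REGIONS = {"us-gov-east-1", "us-gov-west-1"}

# Matches the partition field of an ARN, e.g. "aws" or "aws-us-gov".
ARN_RE = re.compile(r"arn:([a-z\-]+):")


def partition_for(region: str) -> str:
    """Map a region to its ARN partition ('aws-us-gov' for GovCloud)."""
    if region in GOVCLOUD_REGIONS:
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def service_endpoint(service: str, region: str) -> str:
    """Regional endpoint hostname, e.g. sns.us-gov-east-1.amazonaws.com."""
    return f"{service}.{region}.amazonaws.com"


def vpc_endpoint_service(service: str, region: str) -> str:
    """VPC endpoint service name, e.g. com.amazonaws.us-gov-west-1.dynamodb."""
    return f"com.amazonaws.{region}.{service}"


def build_arn(service: str, deploy_region: str, account: str = "",
              resource: str = "", regional: bool = True) -> str:
    """Build an ARN whose partition follows the deployment region.
    Global services such as IAM and S3 leave the region field empty
    (regional=False); S3 bucket ARNs also leave the account empty."""
    region_field = deploy_region if regional else ""
    return f"arn:{partition_for(deploy_region)}:{service}:{region_field}:{account}:{resource}"


def find_partition_mismatches(policy: dict, deploy_region: str) -> list:
    """Return every ARN string in the policy whose partition differs from
    the partition of deploy_region. Walks nested dicts/lists so it covers
    Resource, NotResource, Principal and condition values alike."""
    expected = partition_for(deploy_region)
    mismatches = []

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            match = ARN_RE.match(node)
            if match and match.group(1) != expected:
                mismatches.append(node)

    walk(policy)
    return mismatches


# Constructed sample policy (not from the post): one statement still uses
# the commercial "aws" partition, the other is already GovCloud-correct.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my_bucket_/*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances",
         "Resource": "arn:aws-us-gov:ec2:us-gov-west-1:001234567890:instance/*"},
    ],
}

if __name__ == "__main__":
    region = "us-gov-west-1"
    print("partition:", partition_for(region))
    print("SNS endpoint:", service_endpoint("sns", region))
    print("DynamoDB VPC endpoint:", vpc_endpoint_service("dynamodb", region))
    print("EC2 ARN:", build_arn("ec2", region, "001234567890", "instance/*"))
    print("S3 ARN:", build_arn("s3", region, resource="my_bucket_/*", regional=False))
    print("mismatched ARNs:", json.dumps(find_partition_mismatches(SAMPLE_POLICY, region)))
```

Run the same audit with `deploy_region="us-east-1"` and the GovCloud EC2 ARN is the one flagged instead, which is the point: the check is relative to where the policy is deployed, not to GovCloud specifically.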

The following diagram shows a multi-region web application spanning AWS GovCloud (US) and a standard AWS account. The GovCloud infrastructure consists of two EC2 instances, two RDS instances (primary and read replica), and two Elastic Load Balancers with certificates from AWS Certificate Manager. In the standard AWS account, we have Route 53 and CloudFront, which forwards traffic to the Elastic Load Balancers in the AWS GovCloud (US) account using matching certificates from AWS Certificate Manager.

Caveat Emptor

Please be aware that not all features of all AWS services are supported. Some services may lag behind their counterparts in a standard AWS account, but keep in mind that AWS enables features over time. Review the documentation thoroughly before committing to move your infrastructure to AWS GovCloud (US). Foghorn is fluent in GovCloud and can help design a compliant architecture that meets your organization’s regulatory needs today, tomorrow and for generations to come. Speak with one of our experts today!