Architecture overview - Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US)


Deploying this solution builds the following environment in the AWS Cloud.



Figure 1: Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) architecture on AWS

The AWS CloudFormation template deploys an AWS Step Functions state machine that runs a series of tasks to deploy the solution. These tasks are implemented as AWS Lambda functions (used to initialize AWS Organizations and create AWS GovCloud (US) accounts) and an AWS CodeBuild project that orchestrates the deployment of the solution into the newly created AWS accounts. Additionally, an Amazon Simple Notification Service (Amazon SNS) topic is created to report the deployment status of this solution.

Note

AWS CloudFormation resources are created from AWS Cloud Development Kit (AWS CDK) components.

AWS Step Functions (Commercial Central account)

The Step Functions state machine runs the following steps:

  1. An Amazon SNS subscription is created for the email address that was provided during template launch. You must confirm the subscription by following the link in the confirmation email sent to that address; Amazon SNS does not deliver to an unconfirmed subscription, so the deployment result notification in the final step depends on this.

  2. An AWS Lambda function verifies that the AWS GovCloud (US) access key ID and secret access key stored in AWS Systems Manager Parameter Store are valid. The AWS CodeBuild project uses these keys to run the subsequent deployment steps in AWS GovCloud (US), so they must be credentials for the AWS GovCloud (US) partition. Refer to Prerequisites for instructions on creating and storing them.

  3. AWS Organizations is enabled in both the Commercial and AWS GovCloud (US) partitions. The Commercial Central account (and its linked AWS GovCloud (US) Central account) is designated as the management account of the organization in each partition. Refer to AWS Organizations for more information.

  4. The Logging, Management services, and Transit accounts are created using the Organizations CreateGovCloudAccount API, which creates each account as a linked pair (one account in the Commercial partition and one in AWS GovCloud (US)), and are added to the appropriate organizational unit (OU) in AWS Organizations.

  5. An AWS CodeBuild project runs to deploy the AWS GovCloud (US) resources.

  6. An email is sent to the registered Amazon SNS subscription to notify you of the deployment results.
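Step 2 above only says that the stored keys are checked for validity. The following added example (not the solution's own code; the Parameter Store names and the expected account ID are assumptions) performs a stricter pre-flight check of the kind a reviewer would want before CodeBuild uses the keys: it confirms that the identity behind them is in the aws-us-gov partition, that it is an IAM user rather than the root user, and optionally that it is the expected account. A valid commercial key would pass a bare validity test and send the deployment into the wrong partition.

```python
"""Pre-flight check of the AWS GovCloud (US) access keys read from Parameter Store.

Added example, not the solution's own code. The Parameter Store names and the
expected account ID are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

try:
    import boto3  # only needed for live_check(); the offline checks do not use it
except ImportError:  # boto3 not installed: offline checks still work
    boto3 = None

GOVCLOUD_PARTITION = "aws-us-gov"
GOVCLOUD_STS_REGION = "us-gov-west-1"

# Hypothetical Parameter Store names for the stored keys (not from the page).
PARAM_ACCESS_KEY_ID = "/compliant-framework/govcloud/access-key-id"
PARAM_SECRET_ACCESS_KEY = "/compliant-framework/govcloud/secret-access-key"


@dataclass
class IdentityCheck:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def parse_arn(arn: str) -> dict:
    """Split arn:partition:service:region:account:resource into its parts."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    names = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(names, parts))


def check_caller_identity(identity: dict, expected_account: Optional[str] = None) -> IdentityCheck:
    """Assess an STS GetCallerIdentity response for the deployment keys.

    The partition is checked explicitly because a commercial key is "valid"
    but would make CodeBuild deploy into the wrong partition. Root access
    keys are rejected, and the account can be pinned to the GovCloud (US)
    account the deployment expects.
    """
    try:
        arn = parse_arn(identity["Arn"])
    except (KeyError, ValueError) as exc:
        return IdentityCheck(False, [f"unusable identity: {exc}"])

    reasons = []
    if arn["partition"] != GOVCLOUD_PARTITION:
        reasons.append(f"partition {arn['partition']!r} is not {GOVCLOUD_PARTITION!r}")
    if arn["resource"] == "root":
        reasons.append("root user access keys must not be used for deployment")
    elif not arn["resource"].startswith("user/"):
        reasons.append(f"expected an IAM user, got {arn['resource']!r}")
    if arn["account"] != identity.get("Account"):
        reasons.append("ARN account does not match the Account field")
    if expected_account and arn["account"] != expected_account:
        reasons.append(f"account {arn['account']} is not the expected {expected_account}")
    return IdentityCheck(not reasons, reasons)


def live_check(expected_account: Optional[str] = None, ssm_region: str = "us-east-1") -> IdentityCheck:
    """Read the keys from Parameter Store in the Commercial Central account
    (decrypted) and call STS in GovCloud (US) with them. Needs boto3 and
    credentials for the Commercial account; an invalid key makes STS raise."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live check")
    ssm = boto3.client("ssm", region_name=ssm_region)
    resp = ssm.get_parameters(Names=[PARAM_ACCESS_KEY_ID, PARAM_SECRET_ACCESS_KEY], WithDecryption=True)
    if resp.get("InvalidParameters"):
        return IdentityCheck(False, [f"missing parameters: {resp['InvalidParameters']}"])
    values = {p["Name"]: p["Value"] for p in resp["Parameters"]}
    sts = boto3.client(
        "sts",
        region_name=GOVCLOUD_STS_REGION,  # resolves to the GovCloud (US) STS endpoint
        aws_access_key_id=values[PARAM_ACCESS_KEY_ID],
        aws_secret_access_key=values[PARAM_SECRET_ACCESS_KEY],
    )
    return check_caller_identity(sts.get_caller_identity(), expected_account)


if __name__ == "__main__":
    # Constructed responses shaped like STS GetCallerIdentity output.
    govcloud_user = {"Account": "123456789012", "UserId": "AIDAEXAMPLE",
                     "Arn": "arn:aws-us-gov:iam::123456789012:user/cf-deployer"}
    commercial_user = dict(govcloud_user, Arn="arn:aws:iam::123456789012:user/cf-deployer")
    print(check_caller_identity(govcloud_user, "123456789012"))
    print(check_caller_identity(commercial_user))
```

The offline function is what a Lambda step would apply to the STS response; live_check shows the two calls involved (a decrypted GetParameters in the Commercial account, then GetCallerIdentity against the GovCloud (US) STS endpoint). Storing the secret access key as a SecureString parameter is assumed, which is why WithDecryption is set.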

AWS CodeBuild (Commercial Central account)

After the AWS CodeBuild project launches from the Commercial Central account using the AWS GovCloud (US) access keys stored in AWS Systems Manager Parameter Store, the following steps run in the AWS GovCloud (US) accounts:

  1. The following AWS CodeCommit repositories are created in the AWS GovCloud (US) Central account and populated with the solution source:

    • compliant-framework-central-pipeline

    • compliant-framework-central-core

    • compliant-framework-transit-core

    • compliant-framework-management-services-core

    • compliant-framework-security-baseline

    Refer to Solution components for more details about the purpose of each CodeCommit repository.

  2. Environment parameters for each of the accounts are initialized and stored in AWS Systems Manager Parameter Store.

    Note

    This solution uses AWS Systems Manager Parameter Store to store all input parameters that define the solution and all output values for the resources it generates. You can extend the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) by using these values as inputs when deploying your own solutions or other products. Refer to AWS Systems Manager Parameter Store in the AWS Systems Manager User Guide for ways to reference Systems Manager parameters in your scripts, commands, automation documents, and configuration workflows.

  3. The AWS CDK is initialized by bootstrapping the Central account and deploying the cross-account support stacks into the Logging, Transit, and Management services accounts.

  4. The AWS CDK deploys the following two AWS CodePipeline pipelines:

    • compliant-framework-core-pipeline

    • compliant-framework-environment-pipeline

  5. The pipelines are configured to use the CodeCommit repositories as source triggers, so that a commit to a repository deploys this solution into the AWS GovCloud (US) accounts.

AWS CodePipeline - Core pipeline (AWS GovCloud (US) Central account)

The compliant-framework-core-pipeline pipeline is invoked whenever changes are pushed to the core-pipeline branch of the compliant-framework-central-core CodeCommit repository.

When invoked, the pipeline runs the following tasks in the AWS GovCloud (US) accounts:

  1. The Logging account is initialized.

  2. The Central account is initialized.

    • CloudTrail is enabled.

    • AWS Config is enabled and the Central account is configured to aggregate AWS Config information from all solution accounts.

    • Security Hub is enabled and the Central account is configured to aggregate Security Hub findings from all solution accounts.

    • GuardDuty is enabled.

AWS CodePipeline - Environment pipeline (AWS GovCloud (US) Central account)

The compliant-framework-environment-pipeline pipeline is invoked whenever changes are pushed to the environment-pipeline branch of any of the following AWS CodeCommit repositories:

  • compliant-framework-transit-core

  • compliant-framework-management-services-core

  • compliant-framework-security-baseline

When invoked, the pipeline runs the following tasks in the AWS GovCloud (US) accounts:

  1. The Organizations OUs are configured for the environment, and the Transit and Management services accounts are moved into the environment OU.

  2. Amazon S3 buckets are created and used to consolidate all environment account logs (for example, logs and data generated by AWS Config, CloudTrail, and Amazon VPC Flow Logs).

    Note

    These S3 buckets can also be configured to store operating system (OS) and application logs. They are intended to help you meet compliance requirements specific to log aggregation.

  3. The S3 buckets are shared with the environment's Organizations OU and encrypted with AWS KMS customer managed keys (CMKs). Replication is also enabled so that all objects are forwarded to the consolidated logs S3 bucket in the Logging account.

  4. The Transit account is initialized and networking resources are created. These resources include the Firewall VPC, AWS Transit Gateway and related AWS Transit Gateway route tables, and AWS Transit Gateway VPN attachments that can be used when configuring a Next Generation Firewall appliance.

  5. The Management services account is initialized. The management services, directory, and external access VPCs are created and attached to the AWS Transit Gateway created in the Transit account.

  6. CloudTrail, AWS Config, Security Hub, and GuardDuty are enabled in the environment accounts using an AWS CloudFormation stack set that targets the environment's Organizations OU.
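Step 3 of the environment pipeline describes the consolidated-logs buckets as shared with the Organizations OU and encrypted with KMS CMKs. The following added example (not the solution's own code; the org path, bucket name and key ARN are placeholders) shows what a bucket policy with those properties looks like, and a small lint that checks any log-bucket policy for what a reviewer looks for: no Allow to an arbitrary principal without an Organizations condition, a Deny that enforces SSE-KMS on writes, and a Deny of requests without TLS.

```python
"""Bucket policy for an environment's consolidated-logs bucket that is shared with
an Organizations OU and requires SSE-KMS, plus a lint for such policies.

Added example, not the solution's own code. The org path, bucket and key ARNs
are placeholders.
"""
import json

# Placeholder identifiers (hypothetical, not from the page).
ORG_PATH = "o-a1b2c3d4e5/r-f6g7/ou-f6g7-environment/*"  # org / root / OU; '*' = any account below
BUCKET_ARN = "arn:aws-us-gov:s3:::example-environment-consolidated-logs"
LOG_KEY_ARN = ("arn:aws-us-gov:kms:us-gov-west-1:123456789012:"
               "key/11111111-2222-3333-4444-555555555555")

KMS_KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def log_bucket_policy(bucket_arn, org_path, kms_key_arn):
    """Allow principals under the OU to write logs; deny objects not encrypted
    with the log CMK (whether the header names another key or is missing);
    deny plaintext transport. Statements for the CloudTrail and AWS Config
    service principals (keyed on aws:SourceAccount) are a separate concern
    and are omitted here."""
    objects = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOrgUnitPutLogs",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "s3:PutObject",
                "Resource": objects,
                # aws:PrincipalOrgPaths is multivalued, hence ForAnyValue; the
                # trailing wildcard covers accounts in nested OUs below this one.
                "Condition": {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [org_path]}},
            },
            {
                "Sid": "DenyWrongKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {KMS_KEY_HEADER: kms_key_arn}},
            },
            {
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {KMS_KEY_HEADER: "true"}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _condition_keys(statement):
    """All condition keys in a statement, lower-cased for comparison."""
    return {key.lower() for block in statement.get("Condition", {}).values() for key in block}


def _is_wildcard_principal(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def lint_policy(policy):
    """Return the problems a reviewer would flag in a log-bucket policy."""
    problems, kms_deny, tls_deny = [], False, False
    for st in policy["Statement"]:
        keys = _condition_keys(st)
        sid = st.get("Sid", "<no Sid>")
        if st["Effect"] == "Allow" and _is_wildcard_principal(st.get("Principal")):
            if not keys & {"aws:principalorgid", "aws:principalorgpaths"}:
                problems.append(f"{sid}: Allow to any principal without an Organizations condition")
        if st["Effect"] == "Deny":
            if keys & {KMS_KEY_HEADER, "s3:x-amz-server-side-encryption"}:
                kms_deny = True
            if "aws:securetransport" in keys:
                tls_deny = True
    if not kms_deny:
        problems.append("no Deny enforcing SSE-KMS on s3:PutObject")
    if not tls_deny:
        problems.append("no Deny for requests without TLS (aws:SecureTransport)")
    return problems


if __name__ == "__main__":
    policy = log_bucket_policy(BUCKET_ARN, ORG_PATH, LOG_KEY_ARN)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "no findings")
```

The lint is structural: it confirms the three properties are present, not that the policy as a whole is correct, so it complements rather than replaces IAM Access Analyzer policy validation. Writers that rely on the bucket's default encryption must still send the SSE-KMS headers for the two Deny statements to let the request through.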

The solution’s infrastructure is suitable for migrating, building, and deploying applications and capabilities in the AWS Cloud. This includes web-based application servers, database servers, or workloads running on Amazon Elastic Compute Cloud (Amazon EC2). These workloads are hosted in mission application accounts, which are logically separated enclaves that allow for data and access segregation between different mission owners.

The infrastructure also includes key shared services, including boundary protection (for example, Next Generation Firewalls (NGFW) and gateways such as AWS VPN endpoints and AWS Direct Connect gateways) and workload management (for example, endpoint protection, vulnerability scanning and management, centralized identity management, and directory services).

For more details about each of the accounts, refer to Solution components.