Solution components - Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US)

Solution components

Commercial accounts

Central account

The commercial Central account launches the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) solution through AWS CloudFormation and AWS Step Functions. This account is configured to be the AWS Organizations management account. An automated account provisioning capability is available within this account (implemented using AWS Service Catalog) and is used to provision new accounts in the organization.

Note

AWS GovCloud (US) accounts are associated with standard AWS accounts for billing, service, and support purposes. Customers must have an existing standard account before signing up for an AWS GovCloud (US) account. We recommend creating a new AWS account that will only be used for AWS GovCloud (US) signup and billing. A dedicated AWS account for the new AWS GovCloud (US) account enables you to transfer the AWS GovCloud (US) account to another party in the future and fully close the AWS GovCloud (US) accounts without affecting your other AWS workloads. For more information about the relationship between AWS standard accounts and AWS GovCloud (US) accounts, refer to the AWS Blog. For more information about Billing and Cost Management, refer to What is AWS Billing and Cost Management?

Logging account / Management services account / Transit account

The commercial Logging, Management services, and Transit accounts are created, invited into the commercial organization, and placed in its organizational unit (OU) when the solution is deployed.

These accounts are only used for billing and support purposes and not otherwise utilized in this solution.

AWS GovCloud (US) accounts

This solution requires access to an AWS GovCloud (US) account. Refer to Signing Up for AWS GovCloud (US) for more information.

Central account

The Central account is the location of the AWS CodeCommit code repository for all Infrastructure as Code (IaC) artifacts that are utilized in this solution. An automated CI/CD pipeline (implemented using AWS CodePipeline) is used to deploy the solution from source repositories hosted in CodeCommit.

The Central account is the AWS Organizations management account in AWS GovCloud (US), and it is the parent container for all AWS GovCloud (US) accounts in the architecture. As the management account, the Central account aggregates findings from Amazon GuardDuty, AWS Config, and AWS Security Hub from all member accounts. The Central account contains the AWS Service Catalog portfolio for all of the other accounts, including the mission application accounts. This enables a centralized strategy for IT governance, allowing mission application owners to deploy approved products and services into tenant workload accounts.

Logging account

The Logging account provides a centralized, immutable location for the various types of log data generated across the environment. Log data is collected primarily in Amazon Simple Storage Service (Amazon S3) buckets. This includes AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, operating system and application logs, and any other logs that require consolidation, aggregation, and retention. CloudTrail log file integrity validation is enabled, which records a SHA-256 hash of every delivered log file in signed digest files so that modification or deletion of a log file after delivery can be detected. By placing all of the logs into a single account, you can apply the principle of least privilege and delegate discrete permissions for accessing data within this account, separate from the other AWS accounts. This helps ensure log integrity and fidelity.
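The integrity property described above can be checked offline from the digest files that CloudTrail writes when log file validation is enabled. The following is an added example with constructed data, not code from the solution; it assumes that a digest entry's hashValue covers the uncompressed log file content and that previousDigestHashValue covers the uncompressed previous digest file, as the digest file format specifies. It does not verify the RSA signature over the digest (that needs the per-region CloudTrail public key), only the per-file hashes and the digest chain.

```python
"""Offline verification of CloudTrail log files against CloudTrail digest files.

Added example with constructed sample data; not part of the solution's code.
"""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest: dict, store: dict, previous_digest=None) -> dict:
    """Check every log file listed in `digest` against `store`, a dict of
    S3 key -> gzipped object bytes that stands in for the logging bucket.
    Returns {"files": {key: "ok" | "tampered" | "missing"}, "chain": bool}.
    Assumption: hashValue covers the uncompressed log file content and
    previousDigestHashValue covers the uncompressed previous digest file."""
    files = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = store.get(key)
        if blob is None:
            files[key] = "missing"          # deleted after delivery
            continue
        actual = sha256_hex(gzip.decompress(blob))
        files[key] = "ok" if actual == entry["hashValue"] else "tampered"
    # Each digest names the hash of its predecessor, so removing or replacing
    # an earlier digest file breaks the chain even if its log files are gone.
    chain = True
    if digest.get("previousDigestHashValue"):
        chain = (previous_digest is not None
                 and sha256_hex(previous_digest) == digest["previousDigestHashValue"])
    return {"files": files, "chain": chain}


# ---- constructed sample data (not real CloudTrail output) -----------------
def make_log(records: list) -> bytes:
    return gzip.compress(json.dumps({"Records": records}).encode())


PREFIX = "AWSLogs/111111111111/CloudTrail/us-gov-west-1/2021/01/01/"
KEY_A, KEY_B, KEY_C = (PREFIX + n for n in ("a.json.gz", "b.json.gz", "c.json.gz"))
LOG_A = make_log([{"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}}])
LOG_B = make_log([{"eventName": "StopLogging", "userIdentity": {"userName": "mallory"}}])
LOG_C = make_log([{"eventName": "DeleteTrail", "userIdentity": {"userName": "mallory"}}])
PREVIOUS_DIGEST = json.dumps({"digestEndTime": "2021-01-01T00:00:00Z", "logFiles": []}).encode()

# The digest as CloudTrail would have written it, before any tampering.
DIGEST = {
    "awsAccountId": "111111111111",
    "digestEndTime": "2021-01-01T01:00:00Z",
    "digestSignatureAlgorithm": "SHA256withRSA",
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
    "logFiles": [
        {"s3Object": k, "hashAlgorithm": "SHA-256",
         "hashValue": sha256_hex(gzip.decompress(b))}
        for k, b in ((KEY_A, LOG_A), (KEY_B, LOG_B), (KEY_C, LOG_C))
    ],
}


def tampered_bucket() -> dict:
    """An actor with write access rewrites b.json.gz without the StopLogging
    event and deletes c.json.gz outright; a.json.gz is untouched."""
    return {KEY_A: LOG_A, KEY_B: make_log([])}


def run_check() -> dict:
    return verify_digest(DIGEST, tampered_bucket(), PREVIOUS_DIGEST)


if __name__ == "__main__":
    print(json.dumps(run_check(), indent=2))
```

In the real environment the equivalent check is `aws cloudtrail validate-logs`, which additionally verifies each digest's signature; the value of running the hash comparison from a separate, read-only role in the Logging account is that the party that could tamper with the bucket is not the party attesting to its contents.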

Transit account

The Transit account provides a Transit VPC model that serves as the ingress and egress point for all traffic within the environment. In the DISA SCCA construct, this account corresponds to the DISA SCCA Virtual Data Center Security Stack (VDSS) component.

The Transit account provides multiple options to extend an on-premises network. One or more AWS Direct Connect virtual interfaces, terminating at a Next Generation Firewall (NGFW) appliance deployed within the Firewall VPC, can provide a secure, private, low-latency connection from an existing on-premises data center. You can also create an IPsec VPN link between an on-premises network and an NGFW appliance within the Transit VPC. The VPN connection can also serve as a redundant communications path to back up the AWS Direct Connect link.

AWS Transit Gateway provides a centralized network hub that is used to interconnect the VPCs and NGFW appliances within this solution. Using Transit Gateway route tables, Border Gateway Protocol (BGP) dynamic routing, and the functionality provided by the NGFW appliance, you can control, monitor, and inspect all network traffic within the environment. Utilizing BGP dynamic routing reduces the need to manually manage route tables.

Management services account

The Management services account hosts all of the core services that are needed to operate and manage the environment. In the DISA SCCA construct, this account corresponds to the Virtual Data Center Management Stack (VDMS) component.

By default, the workloads in this account are accessible by all the mission application workloads, and provide shared services including endpoint protection (for example, antivirus scanning), vulnerability management and scanning, centralized logging services (for example, syslog), centralized patch management services (for example, yum repositories or Microsoft Endpoint Configuration Manager servers), and centralized identity management or directory services (such as AWS Managed Microsoft AD and Microsoft Active Directory Federation Services (ADFS)).

Mission application account

The mission application account provides a location for the deployment of end user-facing applications and services. Web application servers, databases, and other compute or data workloads are deployed in this account. By distributing these workloads across separate accounts, developers and administrators can have privileged access to their workloads without introducing risk to other mission applications, and without introducing risk to the Management services, Logging, or Transit accounts. This is implemented through the use of AWS Organizations service control policies (SCPs), AWS Identity and Access Management (IAM) roles and policies, and centralized identity federation.

A mission application account is connected to the environment using AWS Transit Gateway attachments. Routes defined by the Transit Gateway only allow specific network traffic into and out of the mission application account. This allows the mission application workloads to access Management Services as required, and allows external clients and users access to only the specific endpoints in the mission application account as needed.

By segregating workloads into separate mission application accounts, you can implement granular security and cost controls, providing important guardrails that are required to maintain compliance. AWS services billing can be tracked and managed at the account level.
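The SCP-based guardrails described above, as an added example that is not part of the solution: a policy that keeps a mission application account's API calls inside AWS GovCloud (US), prevents anyone in the account from switching off CloudTrail, AWS Config, or GuardDuty, and stops the account from leaving the organization. The policy text, the role name OrgAdmin, and the small evaluator that checks constructed requests against it are illustrative; the evaluator implements only the two condition operators the policy uses.

```python
"""Guardrail SCP for a mission application account plus a minimal evaluator.

Added example; the policy and the evaluator are illustrative, not the
solution's own code.  The role name OrgAdmin is hypothetical.
"""
import fnmatch

GOVCLOUD_REGIONS = ["us-gov-west-1", "us-gov-east-1"]

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Keep API calls inside AWS GovCloud (US); global services are exempt
            "Sid": "DenyOutsideGovCloud",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": GOVCLOUD_REGIONS}},
        },
        {   # Nobody in the member account may switch off the audit trail
            "Sid": "ProtectAuditTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
                "guardduty:DeleteDetector", "guardduty:DisassociateFromMasterAccount",
            ],
            "Resource": "*",
        },
        {   # Only the (hypothetical) OrgAdmin role may take the account out of the org
            "Sid": "DenyLeaveOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": "arn:aws-us-gov:iam::*:role/OrgAdmin"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and honours * and ? wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _arn_matches(patterns, arn):
    # ArnLike/ArnNotLike keep case and use the same wildcards
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Only the operators used above are implemented. A missing context key
    satisfies the negated operators, as it does in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key, "")
            if operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            elif operator == "ArnNotLike":
                if _arn_matches(expected, actual):
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True


def scp_blocks(scp, action, ctx):
    """Return the Sid of the first Deny statement that applies to `action`
    under request context `ctx`, or None if the SCP does not block it.
    SCPs never grant: None only means an IAM policy in the account may
    still allow the call."""
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st:
            applies = _action_matches(st["Action"], action)
        else:
            applies = not _action_matches(st["NotAction"], action)
        if applies and _condition_holds(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None


if __name__ == "__main__":
    for action, ctx in [
        ("ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}),
        ("cloudtrail:StopLogging", {"aws:RequestedRegion": "us-gov-west-1"}),
        ("organizations:LeaveOrganization",
         {"aws:PrincipalARN": "arn:aws-us-gov:iam::111111111111:role/Developer"}),
    ]:
        print(action, "->", scp_blocks(GUARDRAIL_SCP, action, ctx))
```

Because an SCP is a filter rather than a grant, this policy is attached to the mission application OU alongside an allow-list SCP (for example the default FullAWSAccess), and the Central and Logging accounts keep their own, narrower policies; the Deny statements here deliberately do not carve out an exception for the account's own administrators, which is what keeps a compromised workload-account admin from blinding the Logging account.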

You can deploy additional mission application accounts using AWS Service Catalog functionality within the commercial Central account. You can create a mission application VPC using the product that is deployed in AWS Service Catalog within the AWS GovCloud (US) Central account.