Design considerations - Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US)

Design considerations

Planning

To ensure a successful deployment of this solution, you must make several key design decisions prior to deployment.

AWS accounts and email addresses

Initial deployment creates several AWS accounts. To create these accounts, you must provide a unique email address for each one as an AWS CloudFormation template parameter (every AWS account must have its own root email address). The following table provides a way to track the email addresses used, as well as their corresponding AWS account IDs.

Note

If you would like to use existing AWS accounts, you must enter the email addresses representing those accounts into the AWS CloudFormation template parameters during deployment. If these accounts are part of an existing AWS Organizations organizational unit (OU) that has been defined in the Central account, you must move all member accounts to the root Organization OU and verify that any resources you have added to the accounts have been removed. Refer to Uninstall the solution for more information on reverting your accounts to an uninstalled state.

Account role          Email address   AWS account ID
Central               TBD             TBD
Logging               TBD             TBD
Management services   TBD             TBD
Transit               TBD             TBD

AWS Organizations

This solution creates a customizable AWS Organizations organization as defined in Figure 2. We recommend that you create any future mission application accounts underneath the Environment Tenants OU.


          AWS Organizations structure

Figure 2: AWS Organizations structure

Account limit increases

The default quota for the number of accounts in an AWS Organizations organization is four, which is sufficient to deploy this solution. However, to support the creation of new mission application accounts, request a quota increase from the account in which the solution is launched. For more information, refer to Quotas for AWS Organizations. Request quota increases through the AWS Organizations console.
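The two preceding sections describe a procedure: create a mission application account, place it under the Environment Tenants OU, and expect failures once the default account quota is reached. The following Python is an added example, not code from the solution or from AWS. It takes an AWS Organizations client object with the boto3 method names used below (create_account, describe_create_account_status, list_parents, move_account), called from the organization's management account; FakeOrganizations is a constructed stand-in so the block runs offline, and the root ID, OU ID, account IDs and email addresses are made-up sample values.

```python
"""Create a mission application account and move it under the Environment
Tenants OU. Added example (not the solution's own code). `org` is any object
exposing the boto3 Organizations client methods used here; FakeOrganizations
is a constructed stand-in. All IDs and addresses are sample data.
"""
import time


class AccountLimitReached(RuntimeError):
    """CreateAccount reported ACCOUNT_LIMIT_EXCEEDED: raise the Organizations
    account quota (four by default, per this guide) before retrying."""


def create_tenant_account(org, name, email, tenants_ou_id, poll_seconds=5, max_polls=60):
    """CreateAccount is asynchronous: start the request, poll its status, and
    once the account exists move it from the root into the tenants OU."""
    status = org.create_account(AccountName=name, Email=email)["CreateAccountStatus"]
    request_id = status["Id"]
    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] != "IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    if status["State"] != "SUCCEEDED":
        reason = status.get("FailureReason", status["State"])
        if reason == "ACCOUNT_LIMIT_EXCEEDED":
            raise AccountLimitReached(f"{name}: {reason}; request a quota increase first")
        raise RuntimeError(f"{name}: account creation failed ({reason})")
    account_id = status["AccountId"]
    # New accounts land under the organization root; relocate to the OU.
    parent_id = org.list_parents(ChildId=account_id)["Parents"][0]["Id"]
    if parent_id != tenants_ou_id:
        org.move_account(AccountId=account_id, SourceParentId=parent_id,
                         DestinationParentId=tenants_ou_id)
    return account_id


class FakeOrganizations:
    """Constructed stand-in for the Organizations client. It enforces the
    account quota and unique emails using the FailureReason values the real
    service documents (ACCOUNT_LIMIT_EXCEEDED, EMAIL_ALREADY_EXISTS)."""

    def __init__(self, root_id="r-abcd", account_quota=4, existing=()):
        self.root_id = root_id
        self.quota = account_quota
        self.accounts = {}   # account id -> email
        self.parents = {}    # account id -> parent (root or OU) id
        self._status = {}    # request id -> final CreateAccountStatus
        for acct_id, email in existing:  # seed, e.g. the four solution accounts
            self.accounts[acct_id] = email
            self.parents[acct_id] = root_id

    def create_account(self, AccountName, Email):
        req_id = f"car-{len(self._status):016x}"
        if Email.lower() in (e.lower() for e in self.accounts.values()):
            final = {"State": "FAILED", "FailureReason": "EMAIL_ALREADY_EXISTS"}
        elif len(self.accounts) >= self.quota:
            final = {"State": "FAILED", "FailureReason": "ACCOUNT_LIMIT_EXCEEDED"}
        else:
            acct_id = f"{100000000000 + len(self.accounts):012d}"
            self.accounts[acct_id] = Email
            self.parents[acct_id] = self.root_id
            final = {"State": "SUCCEEDED", "AccountId": acct_id}
        self._status[req_id] = dict(final, Id=req_id, AccountName=AccountName)
        return {"CreateAccountStatus": {"Id": req_id, "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        return {"CreateAccountStatus": self._status[CreateAccountRequestId]}

    def list_parents(self, ChildId):
        pid = self.parents[ChildId]
        kind = "ROOT" if pid == self.root_id else "ORGANIZATIONAL_UNIT"
        return {"Parents": [{"Id": pid, "Type": kind}]}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        assert self.parents[AccountId] == SourceParentId
        self.parents[AccountId] = DestinationParentId
        return {}


if __name__ == "__main__":
    seed = [(f"{100000000000 + i:012d}", f"{r}@example.mil")
            for i, r in enumerate(("central", "logging", "mgmt", "transit"))]
    org = FakeOrganizations(existing=seed)   # already at the default quota of four
    try:
        create_tenant_account(org, "mission-app-1", "mission-app-1@example.mil",
                              "ou-abcd-tenants", poll_seconds=0)
    except AccountLimitReached as e:
        print("blocked:", e)
    org.quota = 10                           # after the quota increase is granted
    acct = create_tenant_account(org, "mission-app-1", "mission-app-1@example.mil",
                                 "ou-abcd-tenants", poll_seconds=0)
    print(acct, "->", org.parents[acct])
```

With a real client, replace FakeOrganizations with boto3.client("organizations") in the management account; the quota failure surfaces the same way, as a FAILED status with ACCOUNT_LIMIT_EXCEEDED. In AWS GovCloud (US), accounts are instead created with CreateGovCloudAccount from the linked commercial management account, which creates the commercial and GovCloud accounts as a pair; the poll-then-move pattern is the same.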

Data classification

This solution can be deployed in many AWS Regions, but the choice of deployment Region depends on the workloads to be hosted and requires a thorough understanding of the classification of the data that is to be stored and processed within the environment.

U.S. Department of Defense data classified at Impact Level 2 can be hosted in an AWS Region that has been accredited to host data at that classification level. At the time of publication, these Regions include:

  • US East (N. Virginia)

  • US East (Ohio)

  • US West (N. California)

  • US West (Oregon)

  • AWS GovCloud (US-West)

  • AWS GovCloud (US-East)

If the data is classified at Impact Level 4 or Impact Level 5, you must deploy the solution into a Region that is accredited to host data at that level. At the time of publication, these Regions are:

  • AWS GovCloud (US-West)

  • AWS GovCloud (US-East)
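The planning decisions above (unique email per account, existing accounts parked at the organization root before reuse, and a Region accredited for the data's impact level) can be checked before the template is launched. The following Python is an added example, not code from the solution or from AWS. It works on plain dictionaries shaped like the Organizations API responses (ListAccounts entries and the parent ID returned by ListParents) so it runs offline; with boto3 you would pass in the real responses. The Region table is a snapshot of the lists on this page, and the account IDs, OU IDs, root ID and email addresses are constructed sample data.

```python
"""Pre-deployment checks for the account plan and the Region choice.

Added example; not part of the solution. Operates on dictionaries shaped like
AWS Organizations responses so it runs offline. All IDs and addresses used
in the sample run are constructed.
"""

# Regions this page lists as accredited per DoD impact level "at the time of
# publication". Treat as a snapshot and confirm the current list before use.
IL_REGIONS = {
    2: {"us-east-1", "us-east-2", "us-west-1", "us-west-2",
        "us-gov-west-1", "us-gov-east-1"},
    4: {"us-gov-west-1", "us-gov-east-1"},
    5: {"us-gov-west-1", "us-gov-east-1"},
}

# The four accounts the initial deployment creates (tracking table above).
ACCOUNT_ROLES = ("Central", "Logging", "Management services", "Transit")


def check_email_plan(plan):
    """plan: {account role: email}. Every role needs an address and every
    address must be unique (compared case-insensitively). Returns problems."""
    problems = [f"{role}: no email address assigned"
                for role in ACCOUNT_ROLES if not plan.get(role)]
    first_use = {}
    for role, email in plan.items():
        key = email.strip().lower()
        if key in first_use:
            problems.append(f"{role}: {email} is already used for {first_use[key]}")
        else:
            first_use[key] = role
    return problems


def check_existing_accounts(plan, accounts, parents, root_id):
    """If a planned email already belongs to a member account, that account
    must be ACTIVE and directly under the organization root, not in an OU,
    before deployment (the Note above).

    accounts: ListAccounts 'Accounts' entries ({'Id', 'Email', 'Status', ...})
    parents:  {account_id: parent_id}, i.e. ListParents(ChildId=id) per account
    """
    by_email = {a["Email"].strip().lower(): a for a in accounts}
    problems = []
    for role, email in plan.items():
        acct = by_email.get(email.strip().lower())
        if acct is None:
            continue  # not a member yet; the template will create it
        if acct.get("Status") != "ACTIVE":
            problems.append(f"{role}: account {acct['Id']} is {acct.get('Status')}, not ACTIVE")
        parent = parents.get(acct["Id"])
        if parent != root_id:
            problems.append(f"{role}: account {acct['Id']} is under {parent}; "
                            f"move it to the root ({root_id}) first")
    return problems


def check_region(impact_level, region):
    """Reject a Region this page does not list for the given impact level."""
    allowed = IL_REGIONS.get(impact_level)
    if allowed is None:
        return [f"impact level {impact_level} is not covered by this guide"]
    if region not in allowed:
        return [f"{region} is not listed as accredited for IL{impact_level}; "
                f"choose one of {', '.join(sorted(allowed))}"]
    return []


def preflight(plan, impact_level, region, accounts=(), parents=None, root_id=None):
    """Run all checks; an empty list means the plan is consistent."""
    problems = check_email_plan(plan) + check_region(impact_level, region)
    problems += check_existing_accounts(plan, list(accounts), parents or {}, root_id)
    return problems


if __name__ == "__main__":
    # Constructed sample: IL4 data aimed at a commercial Region, and one reused
    # account that is still parked in an OU.
    plan = {"Central": "central@example.mil", "Logging": "logging@example.mil",
            "Management services": "mgmt@example.mil", "Transit": "transit@example.mil"}
    accounts = [{"Id": "111111111111", "Email": "logging@example.mil", "Status": "ACTIVE"}]
    parents = {"111111111111": "ou-abcd-22222222"}
    for problem in preflight(plan, 4, "us-east-1", accounts, parents, root_id="r-abcd"):
        print("-", problem)
```

Run it with the real inventory by passing boto3.client("organizations").list_accounts()["Accounts"] and a parents map built from list_parents(ChildId=...) for each account; a non-empty result is the list of things to fix before launching the template.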

For more details, review the following information:

Management services and transit services

This solution provides a network topology and infrastructure to support many of the compliance requirements mandated by U.S. Federal agencies and the DoD. However, there are cases where additional shared services and transit services are needed to meet workload-specific compliance requirements.

The following table outlines some common functions and the AWS services that help you meet additional security and compliance requirements. Open-source solutions are also available beyond the alternatives listed.

Function: Next Generation Firewall (NGFW)
  AWS service: none listed
  Alternatives: AWS Partner Network, AWS Marketplace

Function: Web Application Firewall (WAF)
  AWS service: AWS WAF
  Alternatives: AWS Partner Network, AWS Marketplace

Function: Endpoint protection
  AWS service: none listed
  Alternatives: AWS Partner Network, AWS Marketplace

Function: Vulnerability management and scanning
  AWS service: Amazon Inspector
  Alternatives: AWS Partner Network, AWS Marketplace

Function: Identity management and federation
  AWS service: AWS Identity and Access Management (IAM), AWS Directory Service, AWS Single Sign-On
  Alternatives: AWS Partner Network, AWS Marketplace

Function: Centralized logging, log analysis, and auditing
  AWS service: Amazon CloudWatch, Amazon Elasticsearch Service
  Alternatives: AWS Partner Network, AWS Marketplace