Security - Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US)


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. Under this Shared Responsibility Model, AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services run, which reduces your operational burden. Everything you deploy on top of that layer, including the IAM principals, security groups, and encryption keys described below, remains yours to configure and maintain. For more information about security on AWS, visit AWS Cloud Security.

IAM users and roles

The AWS Identity and Access Management (IAM) users and roles created by this solution are a starting point: they carry full administrative access to the environment. Do not use these IAM users and roles in an operational or production environment. We recommend that you develop and deploy least-privilege IAM roles scoped to your mission needs and, once those are in place, remove or disable the bootstrap identities so that no unused principal retains administrative rights.
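One practical check before going operational is to confirm that no remaining principal carries a policy equivalent to the bootstrap administrative access. The following is an added example, not code shipped with the solution: it classifies IAM policy documents in the standard JSON policy format. The three sample documents, the `arn:aws-us-gov:s3:::mission-data` bucket and the policy names are constructed for illustration.

```python
import json

# Constructed sample policy documents for illustration; they are not the
# policies this solution deploys.
FULL_ADMIN_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
NOTACTION_ADMIN_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "NotAction": ["iam:*", "organizations:*"],
                   "Resource": "*"}],
}
SCOPED_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws-us-gov:s3:::mission-data",
                      "arn:aws-us-gov:s3:::mission-data/*"]},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "us-gov-west-1"}}},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(doc):
    """True if an unconditional Allow covers every action on every resource.

    Allow + NotAction on Resource "*" means 'everything except a short list',
    which is still administrative in practice, so it is flagged as well.
    """
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "*" not in _as_list(st.get("Resource")):
            continue
        if "*" in _as_list(st.get("Action")):
            return True
        if "NotAction" in st and "Action" not in st:
            return True
    return False


def wildcard_services(doc):
    """Services granted with a service-wide wildcard (e.g. 'ec2:*') on Resource '*'.

    Not full admin, but each entry is a candidate for tightening.
    """
    found = set()
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
            continue
        for action in _as_list(st.get("Action")):
            service, _, verb = action.partition(":")
            if verb == "*" and service != "*":
                found.add(service.lower())
    return sorted(found)


def audit_policies(policies):
    """policies: {name: policy document}. Returns {name: verdict string}."""
    verdicts = {}
    for name, doc in policies.items():
        if grants_full_admin(doc):
            verdicts[name] = "FULL-ADMIN"
        elif wildcard_services(doc):
            verdicts[name] = "SERVICE-WILDCARD:" + ",".join(wildcard_services(doc))
        else:
            verdicts[name] = "scoped"
    return verdicts


if __name__ == "__main__":
    # Real documents come from `aws iam get-account-authorization-details --output json`:
    # Policies[].PolicyVersionList[].Document (customer managed policies) and
    # RoleDetailList[].RolePolicyList[].PolicyDocument (inline role policies).
    sample = {"bootstrap-admin": FULL_ADMIN_DOC,
              "power-user-style": NOTACTION_ADMIN_DOC,
              "mission-app": SCOPED_DOC}
    print(json.dumps(audit_policies(sample), indent=2))
```

This only inspects policy documents; the other common way to hold administrative rights is an attached AWS managed policy, so also list `AttachedManagedPolicies` for every user and role and treat `arn:aws-us-gov:iam::aws:policy/AdministratorAccess` the same as a FULL-ADMIN verdict.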

Security groups

The security groups created in this solution are designed to control and isolate network traffic between the applications deployed into the mission application accounts, and between those applications and external users and clients. We recommend that you review the security groups once the deployment is up and running and further restrict access as needed. Security groups contain only allow rules, so pay particular attention to any ingress rule whose source is 0.0.0.0/0 or ::/0 and to rules that allow all protocols; where one application only needs to reach another, prefer a rule whose source is the other application's security group over a CIDR range.
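The review above can be scripted against the output of `aws ec2 describe-security-groups`. The following is an added example, not part of the solution: it walks ingress rules in that output shape and reports world-open ports and all-traffic rules. The two sample groups, their IDs and the port numbers are constructed; the allowlist of publicly acceptable TCP ports is an assumption you should adjust to your mission.

```python
import ipaddress

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups --output json`; not this solution's groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "app-web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "app-db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []},
     ]},
]


def _cidrs(rule):
    """IPv4 and IPv6 CIDR sources of one rule (SG and prefix-list sources are skipped)."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def review_ingress(groups, public_ok_tcp_ports=frozenset({443})):
    """Return (GroupId, kind, source, ports) for rules worth a second look.

    WORLD-OPEN : source is 0.0.0.0/0 or ::/0 on a port not in public_ok_tcp_ports
    ALL-TRAFFIC: IpProtocol -1 (every protocol and port) from any CIDR source
    Rules whose source is another security group are left alone; that is the
    pattern to prefer for application-to-application traffic.
    """
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            for cidr in _cidrs(rule):
                if proto == "-1":
                    findings.append((group["GroupId"], "ALL-TRAFFIC", cidr, "any"))
                    continue
                if not _is_world(cidr):
                    continue
                if proto == "tcp" and lo == hi and lo in public_ok_tcp_ports:
                    continue
                span = "all" if lo is None else f"{lo}-{hi}"
                findings.append((group["GroupId"], "WORLD-OPEN", cidr, f"{proto}/{span}"))
    return findings


if __name__ == "__main__":
    for finding in review_ingress(SAMPLE_GROUPS):
        print(*finding)
```

In the sample, HTTPS from anywhere on the web tier is accepted by the allowlist, SSH from anywhere is reported, the database rule that references the web tier's security group is left alone, and the all-protocols rule from 10.0.0.0/8 is reported even though the source is private, because "everything from the whole enterprise range" is rarely what a database tier needs.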

AWS Key Management Service (AWS KMS) Customer Master Keys (CMK)

This solution creates Customer Master Keys (CMKs, now called KMS keys in the AWS documentation) in the deployed AWS accounts. Some keys are pre-configured to encrypt resources such as Amazon Simple Storage Service (Amazon S3) buckets and AWS CloudTrail trails. The keys are also intended for other data-at-rest encryption needs, such as encrypting Amazon Elastic Block Store (Amazon EBS) volumes. You are responsible for rotation of these CMKs: automatic rotation is not enabled by default on customer managed keys, it is only available for symmetric encryption keys whose material was generated in AWS KMS, and it changes the key material used for new encryption operations without re-encrypting data already written. You are also responsible for the key policies that decide who may use and administer each key. For more information, review the AWS Key Management Service documentation.
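Because rotation is your responsibility, it is worth an explicit inventory of which keys rotate, which can be switched on, and which can only be rotated by hand. The following is an added example, not part of the solution: it applies the AWS KMS rotation rules (only customer managed, symmetric encryption keys with AWS_KMS origin support automatic rotation; AWS managed keys rotate on AWS's schedule) to records that combine `aws kms describe-key` metadata with the `aws kms get-key-rotation-status` flag. The six sample keys and their IDs are constructed.

```python
def _key(key_id, rotation=False, **overrides):
    """Build one constructed record: describe-key metadata plus the rotation flag."""
    metadata = {"KeyId": key_id, "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
                "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "KeyState": "Enabled"}
    metadata.update(overrides)
    return {"KeyMetadata": metadata, "KeyRotationEnabled": rotation}


# Constructed sample inventory; not this solution's real keys.
SAMPLE_KEYS = [
    _key("00000000-0000-4000-8000-000000000001"),                  # S3 key, rotation never enabled
    _key("00000000-0000-4000-8000-000000000002", rotation=True),   # CloudTrail key, already rotating
    _key("00000000-0000-4000-8000-000000000003",                   # signing key, asymmetric
         KeySpec="RSA_4096", KeyUsage="SIGN_VERIFY"),
    _key("00000000-0000-4000-8000-000000000004", Origin="EXTERNAL"),   # imported key material
    _key("00000000-0000-4000-8000-000000000005", rotation=True, KeyManager="AWS"),
    _key("00000000-0000-4000-8000-000000000006", KeyState="PendingDeletion"),
]


def rotation_verdict(key):
    """Classify one key record.

    aws-managed               : AWS rotates it; you cannot change the setting
    skip:<state>              : not Enabled; revisit if the key comes back into service
    manual-rotation-required  : asymmetric, HMAC, imported or custom-key-store material
                                cannot auto-rotate; plan a new key and re-encrypt
    enable-rotation           : eligible but automatic rotation is off
    ok                        : eligible and rotating
    """
    md = key["KeyMetadata"]
    if md.get("KeyManager") == "AWS":
        return "aws-managed"
    if md.get("KeyState") != "Enabled":
        return "skip:" + str(md.get("KeyState"))
    if md.get("KeyUsage") != "ENCRYPT_DECRYPT" or md.get("KeySpec") != "SYMMETRIC_DEFAULT":
        return "manual-rotation-required"
    if md.get("Origin") != "AWS_KMS":
        return "manual-rotation-required"
    return "ok" if key.get("KeyRotationEnabled") else "enable-rotation"


def rotation_report(keys):
    """Group key IDs by verdict."""
    report = {}
    for key in keys:
        report.setdefault(rotation_verdict(key), []).append(key["KeyMetadata"]["KeyId"])
    return report


def enable_rotation_commands(keys):
    """CLI commands to switch on rotation for every eligible key that lacks it."""
    return [f"aws kms enable-key-rotation --key-id {k['KeyMetadata']['KeyId']}"
            for k in keys if rotation_verdict(k) == "enable-rotation"]


if __name__ == "__main__":
    # For real data: `aws kms list-keys`, then per key `aws kms describe-key`
    # and `aws kms get-key-rotation-status`, merged into the record shape above.
    for verdict, ids in sorted(rotation_report(SAMPLE_KEYS).items()):
        print(f"{verdict:26} {', '.join(ids)}")
    for command in enable_rotation_commands(SAMPLE_KEYS):
        print(command)
```

Enabling rotation only governs future key material; it does not re-encrypt the S3 objects, trail logs or EBS volumes already protected by the key, and it does not touch the key policy, which still needs its own review of who can administer and use the key.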