AWS GovCloud (US) is an isolated AWS region designed to host sensitive data and regulated workloads in the AWS cloud. It helps customers meet US government compliance requirements (it is currently available only in the US), such as those related to FISMA, FedRAMP and DoD.
FedRAMP stands for the “Federal Risk and Authorization Management Program”.
DoD stands for the “Department of Defense”.
FISMA stands for the “Federal Information Security Management Act”.
All of these are standardized security assessment and authorization frameworks for cloud products and services used by U.S. federal agencies and by the companies those agencies authorize.
You can run workloads that contain all categories of Controlled Unclassified Information (CUI) data and government-oriented, publicly available data in GovCloud (US).
Differences between an AWS standard region and the AWS GovCloud (US) region
1. Account signup and review
During the signup from a standard account to an AWS GovCloud (US) account, each account holder is reviewed by AWS to determine whether they are a U.S. entity (such as a government body, contracting company, or educational organization).
In a standard AWS account, by contrast, you only need to verify your email address and phone number to gain access.
2. Endpoints
GovCloud (US) uses endpoints that are specific to GovCloud (US); they are publicly reachable from the Internet but accessible only to GovCloud (US) customers. For example, if you are in a region other than the US, you can't access the AWS GovCloud (US) endpoints.
3. Credentials
GovCloud (US) can only be accessed with GovCloud (US) credentials (the GovCloud (US) account access key and IAM user credentials), not with standard AWS credentials, and vice versa. AWS provides these credentials separately once you have signed up and been reviewed for the GovCloud (US) region.
4. Management Console for the AWS GovCloud (US) Region
You can only sign in to the AWS GovCloud (US) console with an IAM username and password.
After the AWS team has verified your GovCloud (US) account, you receive an IAM username and password.
This differs from a standard AWS account, where you can log in with your account credentials (email and password) immediately after creating the account.
5. Service capabilities
Services in the AWS GovCloud (US) region may have different capabilities from the same services in a standard region.
For example, GovCloud (US) provides no default VPC, whereas a standard account has one by default.
So before deploying any resource in GovCloud (US), you must first create a custom VPC and then deploy your resources into it.
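The missing default VPC is the kind of difference that breaks deployment scripts written against a standard account. The following added example (not code from the page or from AWS) shows a deployment helper that uses the default VPC when one exists and otherwise creates one. It assumes the boto3 EC2 client method names describe_vpcs and create_vpc and their response shapes; the FakeEC2 class is a constructed stand-in so the logic runs offline.

```python
"""Choose a VPC to deploy into, creating one when no default VPC exists.

Added example (not from the page or AWS). Assumes the boto3 EC2 client
methods describe_vpcs()/create_vpc(CidrBlock=...) and their response shapes.
"""


def find_default_vpc(describe_response: dict):
    """Return the default VPC id from a describe_vpcs() response, or None."""
    for vpc in describe_response.get("Vpcs", []):
        if vpc.get("IsDefault"):
            return vpc["VpcId"]
    return None


def choose_vpc(ec2, cidr_block: str = "10.0.0.0/16") -> str:
    """Use the default VPC if there is one; otherwise create a VPC.

    In GovCloud (US) the first branch never fires, so a script that simply
    assumes a default VPC fails there; this version works in both regions.
    """
    default = find_default_vpc(ec2.describe_vpcs())
    if default:
        return default
    created = ec2.create_vpc(CidrBlock=cidr_block)
    return created["Vpc"]["VpcId"]


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client with a fixed VPC list."""

    def __init__(self, vpcs):
        self.vpcs = list(vpcs)
        self.created = []

    def describe_vpcs(self):
        return {"Vpcs": self.vpcs}

    def create_vpc(self, CidrBlock):
        vpc_id = f"vpc-{len(self.created):017x}"  # constructed id, not a real VPC
        vpc = {"VpcId": vpc_id, "CidrBlock": CidrBlock, "IsDefault": False}
        self.created.append(vpc)
        self.vpcs.append(vpc)
        return {"Vpc": vpc}


# Constructed sample accounts: a standard account has a default VPC,
# a GovCloud (US) account has none.
STANDARD_ACCOUNT = FakeEC2([{"VpcId": "vpc-0123456789abcdef0", "IsDefault": True}])
GOVCLOUD_ACCOUNT = FakeEC2([])

if __name__ == "__main__":
    print("standard:", choose_vpc(STANDARD_ACCOUNT))
    print("govcloud:", choose_vpc(GOVCLOUD_ACCOUNT))
```

With a real client, `choose_vpc(boto3.client("ec2", region_name="us-gov-west-1"))` would take the create branch; in practice you would also create subnets and route tables, which this example omits to keep the point on the missing default VPC.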
Why AWS GovCloud (US)?
- It helps meet the security and compliance requirements of the government.
- GovCloud (US) uses server-side encryption in S3 to protect sensitive unclassified data.
- It strengthens identity management by limiting access to sensitive data by individual, time, and location.
- It also protects accounts and workloads by continuously monitoring your AWS accounts with Amazon GuardDuty.
GovCloud (US) Billing and Payment
All billing and payment activity for GovCloud (US) is managed through a standard AWS account: when you sign up for a GovCloud (US) account, it is associated with a standard AWS account.
You can see the account activity and usage reports of the GovCloud (US) account by logging in to the linked standard AWS account.
Billing and payment information are not available through the GovCloud (US) region management console.
The following diagram outlines the relationship between GovCloud (US) and a standard AWS account:
ARNs in the GovCloud (US) Region
Amazon Resource Names (ARNs) uniquely identify AWS resources. ARNs in the GovCloud (US) region differ from those in a standard region.
ARNs in a standard region begin with:
ARNs in the GovCloud (US) region begin with:
How does AWS EC2 differ in GovCloud (US)?
Every service differs between the GovCloud (US) region and a standard region, because all services in GovCloud (US) must follow government compliance requirements. The basic differences for AWS EC2 between the two regions are:
- You cannot copy an AMI or snapshot from a standard AWS region to the GovCloud (US) region, or vice versa.
- GovCloud (US) is totally isolated from the standard regions.
- Use SSL (HTTPS) when you make calls to the service in the GovCloud (US) regions. In other AWS regions, you can use either HTTP or HTTPS.
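Two of these EC2 differences, the cross-partition copy restriction and the HTTPS requirement, can be turned into pre-flight checks for automation. The following added example (not code from the page or from AWS) refuses AMI or snapshot copies whose source and destination lie in different partitions and flags endpoint URLs for GovCloud (US) regions that are not HTTPS. It assumes the public endpoint naming pattern `https://<service>.<region>.amazonaws.com`; the checked URLs are constructed.

```python
"""Pre-flight checks for EC2 automation that may target GovCloud (US).

Added example (not from the page or AWS). Assumes the public endpoint
pattern https://<service>.<region>.amazonaws.com.
"""
from typing import List
from urllib.parse import urlparse

GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}


def partition_for_region(region: str) -> str:
    """Map a region to its ARN partition."""
    return "aws-us-gov" if region in GOVCLOUD_REGIONS else "aws"


def can_copy_image(src_region: str, dst_region: str) -> bool:
    """AMI and snapshot copies must stay inside one partition."""
    return partition_for_region(src_region) == partition_for_region(dst_region)


def endpoint_url(service: str, region: str) -> str:
    """Build the HTTPS endpoint for a service in a region (assumed pattern)."""
    return f"https://{service}.{region}.amazonaws.com"


def check_endpoint(url: str, region: str) -> List[str]:
    """Return problems with a configured endpoint URL for the given region."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        if region in GOVCLOUD_REGIONS:
            problems.append(f"{url}: GovCloud (US) endpoints must be called over HTTPS")
        else:
            problems.append(f"{url}: plain HTTP; prefer HTTPS")
    host = parsed.hostname or ""
    if region not in host:
        problems.append(f"{url}: host does not name region {region}")
    return problems


def plan_copy(src_region: str, dst_region: str, endpoint: str) -> List[str]:
    """Collect every reason a copy job should not be started."""
    problems = check_endpoint(endpoint, dst_region)
    if not can_copy_image(src_region, dst_region):
        problems.append(
            f"cannot copy from {src_region} ({partition_for_region(src_region)}) "
            f"to {dst_region} ({partition_for_region(dst_region)}): different partitions"
        )
    return problems


if __name__ == "__main__":
    # Constructed job: standard region -> GovCloud over plain HTTP, both wrong.
    for problem in plan_copy("us-east-1", "us-gov-west-1",
                             "http://ec2.us-gov-west-1.amazonaws.com"):
        print(problem)
```

A copy job between us-gov-west-1 and us-gov-east-1 passes the partition check because both regions are in `aws-us-gov`; the practical route for moving an image from a standard region is to export it and re-import it in the GovCloud (US) account, which this example does not attempt.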
In short, the AWS GovCloud (US) region is a region whose services follow the government's compliance requirements, and it differs from the standard AWS regions in many ways, including services, endpoints, and more.