@JaimeStill
Last active October 5, 2024 07:47
AWS Government Brief


Federally Accredited AWS Regions

DoD AWS Regions for IL2 and IL4

  • GovCloud - IL4
    • Logical network isolation
    • Separate, isolated credential database
    • CUI (Controlled Unclassified Information) including ITAR (International Traffic in Arms Regulations)
      • US-only access and control
      • Authorized for SRG-2 and SRG-4
    • FIPS 140 validated hardware and cryptography
    • Services only deployed into the region based on customer requirement
  • East and West - IL2
  • C2S Region: Joint Intelligence Community P-ATO - CNSSI-1253 Moderate
  • US East and West: FedRAMP A-ATO FIPS 199 Moderate / DoD PA DoD CC SRG L2
  • US GovCloud: FedRAMP JAB P-ATO FIPS 199 High / DoD PA DoD CC SRG L4


  • ATO
  • Control Implementation Summary
  • FIPS-199 Category
  • Customer Responsibility Matrix
  • System Security Plan
  • Security Assessment Report

AWS Compliance Contact: [email protected]

AWS Global Infrastructure and Foundational Services Overview


AWS Stack (layers, top to bottom):

  • Deployment, Administration, and Security
  • Application Services
  • Compute - Storage - Database
  • Software Defined Networking
  • AWS Global Infrastructure

Global Infrastructure


  • AWS Regions and Availability Zones - Amazon EC2 is hosted in multiple locations worldwide. These locations are composed of regions and availability zones. Each region is a separate geographic area. Each region has multiple, isolated locations known as availability zones. Amazon EC2 provides you the ability to place resources, such as instances, and data in multiple locations. Resources aren't replicated across regions unless you do so specifically. Each availability zone is isolated, but the availability zones in a region are connected through low-latency links.
  • James Hamilton: Innovation at Scale Presentation re:Invent 2014
  • AWS Products and Services

GovCloud

  • AWS GovCloud - An isolated AWS region designed to host sensitive data and regulated workloads in the cloud, helping customers support their U.S. government compliance requirements, including International Traffic in Arms Regulations (ITAR) and the Federal Risk and Authorization Management Program (FedRAMP). AWS GovCloud (US) is operated by employees who are vetted "U.S. Persons", and root account holders of AWS accounts must confirm they are U.S. Persons before being granted access credentials to the region.
  • AWS GovCloud Products and Services

Networking


  • Virtual Private Cloud - Lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual network environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
    • VPC Documentation
    • Internet Gateways - A horizontally scaled, redundant, and highly available VPC component that allows communication between instances of your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
    • Virtual Gateways - By default, instances that you launch into a VPC can't communicate with your own network. You can enable access to your network from your VPC by attaching a virtual private gateway to the VPC, creating a custom route table, and updating your security group rules.
    • Route Tables - Contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
    • Customer Gateway - If you decide to use an Amazon VPC VPN connection that links your data center (or network) to your Amazon VPC, a customer gateway is the anchor on the private side of the connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.
    • VPC Scenarios and Examples
    • VPC Visualization
  • Direct Connect - Makes it easy to establish a dedicated network connection from your premises to AWS. Using Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment. Using standard 802.1q VLANs, dedicated network connections can be established between your network and one of the AWS Direct Connect locations. This connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources such as objects stored in S3 using public IP address space, and private resources such as EC2 instances running within the VPC using private IP space, while maintaining network separation between the public and private environments.
  • A Day in the Life of a Billion Packets - Slides
  • A Day in the Life of a Billion Packets - Presentation

Compute


  • Elastic Compute Cloud (EC2) - A web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. EC2 presents a virtual computing environment, allowing you to use web service interfaces to launch instances with a variety of operating systems, load them with your custom application environment, manage your network's access permissions, and run your image on as many or as few systems as you desire.
    • Amazon Machine Image - Provides the information required to launch an instance, which is a virtual server in the cloud. You specify an AMI when you launch an instance, and you can launch as many instances from the AMI as you need. You can also launch instances from as many different AMIs as you need.
    • Elastic Block Storage - Allows you to create storage volumes and attach them to EC2 instances. Once attached, you can create a file system on top of these volumes, run a database, or use them in any other way you would use block storage. EBS volumes are placed in a specific availability zone, where they are automatically replicated to protect you from the failure of a single component. Elastic Volumes is a feature of EBS that allows you to dynamically increase capacity, tune performance, and change the type of live volumes with no downtime or performance impact. This allows you to easily right-size your deployment and adapt to performance changes.
    • Auto Scaling - Helps you maintain application availability and allows you to scale your EC2 capacity up or down automatically according to conditions you define. You can use Auto Scaling to help ensure that you are running your desired number of EC2 instances. Auto Scaling can also automatically increase the number of EC2 instances during demand spikes to maintain performance and decrease capacity during lulls to reduce costs. Auto Scaling is well suited both to applications that have stable demand patterns and to those that experience hourly, daily, or weekly variability in usage.
    • Elastic Load Balancing - Automatically distributes incoming application traffic across multiple EC2 instances. It enables you to achieve fault tolerance in your applications, seamlessly providing the required amount of load balancing capacity needed to route application traffic.

Storage


Object

  • Simple Storage Service (S3) - Stores data as objects within resources called "buckets". You can store as many objects as you want within a bucket, and write, read, and delete objects in your bucket. Objects can be up to 5 terabytes in size. You can control access to the bucket, view access logs for the bucket and its objects, and choose the AWS region where the bucket is stored to optimize for latency, minimize costs, or address regulatory requirements.
  • Glacier - A secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup.

NoSQL is a term used to describe high-performance, non-relational databases. NoSQL databases utilize a variety of data models, including document, graph, key-value, and columnar. NoSQL databases are widely recognized for ease of development, scalable performance, high availability, and resilience.

  • DynamoDB - A fast, flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models.
  • Redshift - A fast, fully managed, petabyte-scale columnar data warehouse that makes it simple and cost-effective to analyze all your data using your existing business intelligence tools.

Amazon RDS is a managed relational database service that provides you six familiar database engines to choose from:

  • Amazon Aurora
  • MySQL
  • MariaDB
  • Oracle
  • Microsoft SQL Server
  • PostgreSQL

This means that the code, applications, and tools you already use today with your existing databases can be used with Amazon RDS. RDS handles routine database tasks such as provisioning, patching, backup, recovery, failure detection, and repair.

  • Aurora - A MySQL-compatible relational database engine that combines the speed and availability of high-end commercial databases with the simplicity and cost-effectiveness of open source databases. Provides up to five times better performance than MySQL with the security, availability, and reliability of a commercial database at one tenth the cost.

Application Services


  • CodeCommit - A fully-managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories. Eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with existing Git tools.
  • CodePipeline - A continuous integration and continuous delivery service for fast and reliable application and infrastructure updates. CodePipeline builds, tests, and deploys your code every time there is a code change, based on the release process models you define. This enables you to rapidly and reliably deliver features and updates. You can easily build out an end-to-end solution by using pre-built plugins for popular third-party services like GitHub or by integrating your own custom plugins into any stage of your release process.
  • CodeBuild - A fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don't need to provision, manage, and scale your own build servers. CodeBuild scales continuously and processes multiple builds concurrently, so your builds are not left waiting in a queue. You can get started quickly by using prepackaged build environments, or create custom build environments that use your own build tools.
  • CodeDeploy - A service that automates code deployments to any instance, including EC2 instances and instances running on-premises. It makes it easier for you to rapidly release new features, helps you avoid downtime during application deployment, and handles the complexity of updating your applications. You can use CodeDeploy to automate software deployments, eliminating the need for error-prone manual operations, and the service scales with your infrastructure so you can easily deploy to one instance or thousands.
  • SDK Tools - Simplifies using AWS services in your applications with an API tailored to your programming language or platform.
    • AWS SDK for .NET - Provides .NET APIs for AWS services including S3, EC2, DynamoDB, and more. The SDK can be downloaded from NuGet or installed using the MSI package, which also includes the AWS Toolkit for Microsoft Visual Studio and the AWS Tools for Windows PowerShell.
    • AWS Toolkit for Visual Studio - An extension for Microsoft Visual Studio that makes it easier for developers to develop, debug, and deploy .NET applications using AWS.
    • AWS CLI - A unified tool to manage your AWS services. You can control multiple AWS services from the command line and automate them through scripts.
    • AWS Tools for PowerShell - Lets developers and administrators manage their AWS services from the PowerShell scripting environment.

Deployment, Administration, and Security Services


  • AWS Security
  • CloudFormation - Gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
  • Security by Design - A security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, Security by Design provides security controls built in throughout the AWS IT management process. By utilizing Security by Design CloudFormation templates, security and compliance in the cloud can be made more efficient and expansive. Security by Design encompasses a four-phase approach for security and compliance at scale across multiple industries, standards, and security criteria. It can be utilized when designing security and compliance capabilities for all phases of security by allowing the customer to design everything within the AWS customer environment: permissions, logging, trust relationships, encryption enforcement, mandating approved machine images, and more. Security by Design enables customers to automate the front-end structure of an AWS account, reliably coding security and compliance into AWS accounts and making non-compliance of IT controls a thing of the past.
  • AWS Config - A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into the configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
  • Identity and Access Management - Enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
  • CloudWatch - A monitoring service for AWS cloud resources and applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources. CloudWatch can monitor AWS resources such as EC2 instances, DynamoDB tables, and RDS DB instances, as well as custom metrics generated by your applications and services, and any log files your applications generate. You can use CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. You can use these insights to react and keep your application running smoothly.
  • CloudTrail - A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting.
  • Key Management Service - A managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. KMS is integrated with several other AWS services to help you protect the data you store with these services. KMS is also integrated with CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
  • CloudHSM (Hardware Security Module) - Helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM.
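As an added example (not part of the gist or an AWS-published template), the following CloudFormation template shows what codifying three of the Security by Design controls named above as AWS Config rules looks like: encryption enforcement, mandating approved machine images, and logging. The rule names, the placeholder AMI ID, and the bucket name are assumptions, and the template assumes the account already has an AWS Config recorder and delivery channel in place.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the gist): a Security-by-Design style baseline that
  codifies three controls as AWS Config rules so non-compliance is detected
  continuously instead of at audit time.

Parameters:
  ApprovedAmiIds:
    Type: CommaDelimitedList
    Description: Placeholder list of approved AMI IDs (assumption; replace with your own).
    Default: "ami-00000000000000000"
  TrailBucketName:
    Type: String
    Description: Placeholder name of the S3 bucket that CloudTrail must deliver to (assumption).

Resources:
  # Assumption: a Config recorder and delivery channel already exist in this
  # account/region; AWS::Config::ConfigRule resources fail to create without them.

  # Encryption enforcement: marks any EBS volume that is not encrypted as NON_COMPLIANT.
  EbsEncryptionRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: sbd-ebs-volumes-encrypted
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume

  # Mandating approved machine images: marks any EC2 instance whose AMI is not
  # in the approved list as NON_COMPLIANT.
  ApprovedAmiRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: sbd-approved-amis
      InputParameters:
        amiIds: !Join [",", !Ref ApprovedAmiIds]
      Source:
        Owner: AWS
        SourceIdentifier: APPROVED_AMIS_BY_ID
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance

  # Logging: periodic check that CloudTrail is enabled and delivering to the named bucket.
  CloudTrailEnabledRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: sbd-cloudtrail-enabled
      InputParameters:
        s3BucketName: !Ref TrailBucketName
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED
      MaximumExecutionFrequency: TwentyFour_Hours
```

Because the three rules are AWS managed rules, the template deploys no evaluation code of its own; compliance results appear in the AWS Config console and can be forwarded to CloudWatch for alarming.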