Working in GovCloud
Many of our government clients will want to have at least their production infrastructure in AWS GovCloud, which is a set of AWS regions that are separate from commercial AWS regions, with a number of additional controls that allow them to conform to the higher security and compliance standards needed to meet federal guidelines like FedRAMP.
GovCloud Topics
General Considerations With GovCloud
Every GovCloud account must be attached to a corresponding account in commercial AWS (mostly for billing purposes). This has some impact on how you build AWS Organizations in GovCloud (see below).
Commercial AWS and GovCloud resources cannot interact directly in any way. This means that you cannot assume roles between the two or tie a commercial resource to a GovCloud resource unless using some publicly addressable method.
GovCloud accounts do not have a
root
user; they have an automatically created IAM user namedAdministrator
with full administrative privileges. For most purposes, you can think of this as operating the same way as theroot
user; however, it is still subject to restrictions you place on all IAM users. This means setting password expiration to a very short period (as is common in some of our commercial AWS environments) can lock you out of theAdministrator
user; since we can get console access via role assumption, we recommend setting the password expiration on the GovCloud org-root account to six months and instead treating this user as you would theroot
user in commercial AWS (ie, do not use it for anything other than bootstrapping or "break glass" cases).GovCloud resources use a different AWS partition; this is the second part of an ARN. So while an ARN for a commercial resource might look like this:
arn:aws:iam::123456789000:user/testuser
a GovCloud ARN will look like this:
arn:aws-us-gov:iam::123456789000:user/testuser
This means that any Terraform modules will need to take this into account; see the Terraform
aws_partition
data source for how to do this.Many AWS services are not available in GovCloud; some are available in one GovCloud region and not others. See the GovCloud Services in Scope and the AWS Region Table for more information.
Organization CloudTrails are not available in GovCloud. This means you cannot add
cloudtrail.amazonaws.com
as a service principal in your organization Terraform code.Your first GovCloud account will have a randomly-named S3 bucket called something like "cloudtrail-123456789abcedf", and all additional GovCloud accounts you create via the method described in this document will have a randomly-named CloudTrail and matching S3 bucket automatically created. We recommend replacing these resources with your own CloudTrail pointing to the AWS service logs bucket you create in the account.
It is not possible to enable CloudWatch Container Insights for an ECS cluster. Therefore, in
aws_ecs_cluster
Terraform resources, you cannot include asetting
configuration block withcontainerInsights
.For Amazon RDS, GovCloud does not support
backup
orread replica
events. Therefore event notifications and subscriptions are impossible for those events.As of 04/20, the most up-to-date CA cert identifier for RDS instances that is viable in GovCloud is
rds-ca-2017
rather thanrds-ca-2019
.Because GovCloud doesn't have a root account in the traditional sense (it's tied to a commerical root account), you cannot set
check_root_account_mfa_enabled
to true in Truss' AWS Config module.While Route53 is available in GovCloud, it is only available for private DNS, which limits its utility somewhat. You will need to create public DNS entries for your GovCloud environments in your commercial AWS environment.