
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016


Page 1: AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Quinn Verfaillie, Solutions Architect, AWS

June 20, 2016

AWS GovCloud (US) and the Enterprise
A Discussion on Best Practices for Enterprise Adoption and Migration

Page 2

Best Practices Topics

• Getting Started with AWS GovCloud (US)
• Setting Up Your AWS GovCloud (US) Environment
• Securing Sensitive Resources
• Migrating to and Operating in AWS GovCloud (US)

Page 3

Getting Started with AWS GovCloud (US)

Page 4

Onboarding into AWS GovCloud (US)

• AWS GovCloud (US) supports an IAM user model
• An Administrator IAM user is created during the onboarding process

AWS Management Console / AWS CLI / AWS SDK

Page 5

Billing Management in AWS GovCloud (US)

• Standard AWS accounts have a 1:1 relationship with AWS GovCloud (US) accounts
• All AWS GovCloud (US) usage and activity is reported to the AWS Standard account for billing purposes

Diagram: 1-to-1 relationship between standard AWS account and AWS GovCloud account (Standard AWS Account <-> AWS GovCloud Account)
*Standard account is granted access to the AWS GovCloud region

Page 6

Securing the Whole Account

The AWS Standard account is just as important to secure and manage as the GovCloud account

• The AWS Standard account Root/IAM users are the only ones who can:
  • Pay bills
  • Contact AWS Support
  • Submit penetration testing requests

Page 7

Setting up your AWS GovCloud (US) Environment

Page 8

Setting Up Resources in AWS GovCloud (US)

AWS Direct Connect
• Set up from within the AWS Management Console
• ITAR workloads must use a VPN tunnel in conjunction with AWS Direct Connect

Amazon Virtual Private Cloud
• Provision VPN connectivity
• Able to separate VPCs by project requirements
• Can be used to connect to VPCs in other regions

Page 9

Managing User Access

• Use least privilege for tasks when possible
• Assign virtual MFA to all users associated with the account
• Create permissions groups based on type of access needed
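The three bullets above are easy to state and easy to drift away from, so here is an added example (my own code, not from the deck or from AWS) that audits a user listing for the first two and produces the group policy that enforces the MFA rule. The user records are a constructed, simplified shape rather than the real IAM credential report; the policy uses the real `aws:MultiFactorAuthPresent` condition key and real IAM action names, and the small evaluator at the end shows how `BoolIfExists` behaves when a request carries no MFA information at all.

```python
import json

# Constructed sample of an account's IAM users. The dict shape is my own simplification,
# not the columns of the real IAM credential report.
SAMPLE_USERS = [
    {"user": "admin-onboarding", "mfa_active": True,  "groups": ["Administrators"], "inline_policies": []},
    {"user": "alice",            "mfa_active": True,  "groups": ["Developers"],     "inline_policies": []},
    {"user": "bob",              "mfa_active": False, "groups": ["Developers"],     "inline_policies": []},
    {"user": "svc-backup",       "mfa_active": False, "groups": [],                 "inline_policies": ["AllowAllS3"]},
]

# Actions a user needs in order to enrol and use a virtual MFA device.
MFA_SETUP_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "iam:GetUser",
    "sts:GetSessionToken",
]


def users_without_mfa(users):
    """Names of users with no MFA device enabled."""
    return sorted(u["user"] for u in users if not u["mfa_active"])


def users_not_managed_by_group(users):
    """Users whose permissions bypass the group model: an inline policy, or no group at all."""
    return sorted(u["user"] for u in users if u["inline_policies"] or not u["groups"])


def mfa_enforcement_policy():
    """Policy document to attach to every permissions group: explicitly deny everything except
    MFA enrolment when the request was not authenticated with MFA.
    BoolIfExists makes the Deny fire even when the key is absent from the request context,
    which is the case for plain long-term access keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllExceptMFASetupWithoutMFA",
                "Effect": "Deny",
                "NotAction": MFA_SETUP_ACTIONS,
                "Resource": "*",
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            }
        ],
    }


def denied_by_policy(policy, action, context):
    """Minimal evaluator for the explicit-Deny statement above. `context` holds the request's
    condition keys; a missing key satisfies BoolIfExists, as it does in IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        action_matches = action not in stmt["NotAction"]
        cond = stmt["Condition"]["BoolIfExists"]
        cond_matches = all(
            key not in context or str(context[key]).lower() == want
            for key, want in cond.items()
        )
        if action_matches and cond_matches:
            return True
    return False


if __name__ == "__main__":
    print("no MFA:", users_without_mfa(SAMPLE_USERS))
    print("outside group model:", users_not_managed_by_group(SAMPLE_USERS))
    print(json.dumps(mfa_enforcement_policy(), indent=2))
```

Run against a real account, the two audit functions would be fed from the IAM credential report and `ListGroupsForUser`/`ListUserPolicies`; the policy itself can be attached unchanged to each permissions group so that a user without MFA can do nothing except enrol a device.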

Page 10

Protecting Account Access

Consider provisioning a “break glass” user into your AWS GovCloud (US) environment
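A break-glass user is only safe if every use of it is noticed. As an added example (my own code, not the deck's), the detection below reads CloudTrail records and raises an alert for any event performed by the break-glass user; I also alert on account-root activity, which the deck does not call out but which belongs in the same emergency-only category. The user name `breakglass-admin`, the account id, IPs and timestamps are all constructed; the record layout follows the CloudTrail format.

```python
import json

# Name of the emergency-only IAM user; a placeholder of my own, not a name the deck prescribes.
BREAK_GLASS_USERS = {"breakglass-admin"}

# Constructed CloudTrail-style records. Field names follow the CloudTrail record format;
# every value (account id, IPs, times) is made up for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-06-20T14:02:11Z", "awsRegion": "us-gov-west-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws-us-gov:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventVersion": "1.05", "eventTime": "2016-06-20T23:41:05Z", "awsRegion": "us-gov-west-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "breakglass-admin",
                      "arn": "arn:aws-us-gov:iam::123456789012:user/breakglass-admin"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventVersion": "1.05", "eventTime": "2016-06-20T23:43:30Z", "awsRegion": "us-gov-west-1",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "breakglass-admin",
                      "arn": "arn:aws-us-gov:iam::123456789012:user/breakglass-admin"}},
    {"eventVersion": "1.05", "eventTime": "2016-06-21T01:10:00Z", "awsRegion": "us-gov-west-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws-us-gov:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
]})


def emergency_access_alerts(trail_json, break_glass_users=BREAK_GLASS_USERS):
    """Return one alert per event performed by a break-glass user or by the account root.
    Every such event should match a ticketed emergency; anything else is treated as compromise."""
    alerts = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        kind = ident.get("type")
        if kind == "IAMUser" and ident.get("userName") in break_glass_users:
            who = ident["userName"]
        elif kind == "Root":
            who = "root"
        else:
            continue
        alerts.append({
            "time": rec["eventTime"],
            "principal": who,
            "event": rec["eventName"],
            "source_ip": rec.get("sourceIPAddress"),
            "mfa": rec.get("additionalEventData", {}).get("MFAUsed"),
        })
    return alerts


if __name__ == "__main__":
    for alert in emergency_access_alerts(SAMPLE_TRAIL):
        print(alert)
```

The `mfa` field is carried through because a break-glass login without MFA, or root usage with `MFAUsed: No` as in the last constructed record, is the case that should page someone immediately rather than wait for the morning review.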

Page 11

Securing Sensitive Resources

Page 12

AWS Shared Responsibility Model

AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security and compliance IN the cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

Comment (Keith Brooks): Should we add a follow-on slide on the ITAR boundary for services... we can hit the main points and then point customers to the user guide for the service-by-service boundary details
Page 13

Securing your AWS GovCloud (US) Environment

AWS Key Management Service | AWS CloudTrail | AWS Config | AWS Identity and Access Management

These services are available for account security: logging, encryption, and authentication

Page 14

GovCloud is all about “Compliance in the Cloud”

Page 15

FIPS 140-2 in AWS GovCloud (US)

• Most services in AWS GovCloud (US) have FIPS 140-2 validated HTTPS endpoints
• We continue to assess and add additional FIPS endpoints for new services that launch in the AWS GovCloud (US) region
• A full list of endpoints can be found in the AWS GovCloud (US) documentation
  • http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html

Page 16

Maintaining ITAR Compliance

Places to put ITAR data
• Amazon EBS Volumes
• Amazon RDS storage

Places NOT to put ITAR data
• Service metadata
• Names
• Descriptions

More information about the ITAR boundary for services can be found here: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-itar.html
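The "places NOT to put ITAR data" list is the one that gets violated by accident: a drawing number in a security group description, a part specification in a bucket name. As an added example (my own code, not the deck's or AWS's), the lint below walks a CloudFormation-style template and flags metadata fields (names, descriptions, tags) whose contents match the organisation's markers for controlled technical data. Both marker patterns (an `ITAR CONTROLLED` banner and a hypothetical `DWG-nnnnn` drawing-number scheme) and the sample template are constructed; a label such as `itar-workload-data` is deliberately allowed, because naming a workload is not the same as putting controlled data into its metadata.

```python
import re

# Organisation-defined markers for export-controlled technical data. Both patterns are
# constructed for this example: a banner string and a hypothetical drawing-number scheme.
CONTROLLED_DATA = re.compile(r"\bITAR CONTROLLED\b|\bDWG-\d{5,}\b", re.IGNORECASE)


def is_metadata_field(path):
    """Service metadata in the slide's sense: resource names, descriptions and tags."""
    return any(key == "Tags" or key.endswith("Name") or key.endswith("Description") for key in path)


def scan_metadata(template):
    """Walk a CloudFormation-like dict and report metadata fields that carry controlled data."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])
        elif isinstance(node, str) and is_metadata_field(path) and CONTROLLED_DATA.search(node):
            findings.append({"path": "/".join(path), "value": node})

    walk(template, [])
    return findings


# Constructed template: the volume's tag merely labels the workload (fine); the security group's
# description and the bucket name carry controlled technical data (not fine).
SAMPLE_TEMPLATE = {
    "Resources": {
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "Size": 100, "AvailabilityZone": "us-gov-west-1a", "Encrypted": True,
            "Tags": [{"Key": "Name", "Value": "itar-workload-data"}]}},
        "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "Rotor assembly DWG-104233 analysis hosts",
            "VpcId": "vpc-placeholder"}},
        "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketName": "itar-controlled-spar-specs-dwg-208811"}},
    }
}

if __name__ == "__main__":
    for finding in scan_metadata(SAMPLE_TEMPLATE):
        print(finding)
```

Wired into a deployment pipeline before `CreateStack`, a non-empty finding list fails the build; the patterns are the part each organisation has to own, since only it knows what its controlled data looks like.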

Page 17

Migrating to and Operating in AWS GovCloud (US)

Page 18

Migrating Data and Workloads to GovCloud

From outside of AWS
• VPN/Direct Connect for secure connections to AWS
• AWS Import/Export Snowball for larger amounts of data
• VM Import for instances from on-premises

From within another AWS Region
• Partners available for the transfer of AMIs
• VPN connectivity between VPCs

Page 19

Using a Hybrid-Region Approach

Amazon Route 53 / Amazon CloudFront / Amazon Simple Email Service

Customers can leverage services outside of the AWS GovCloud (US) region when necessary

Page 20

Interacting with Multiple Accounts

• Cross-account policies are available in AWS GovCloud (US)
• This functionality works from one AWS GovCloud (US) account to another AWS GovCloud (US) account
• AWS Support plans/cases are managed from the AWS Standard account
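The GovCloud-to-GovCloud constraint on cross-account access shows up concretely in the ARN partition: GovCloud principals are `arn:aws-us-gov:...`, not `arn:aws:...`. As an added example (my own code, not from the deck or AWS), the functions below build a role trust policy that lets principals in another GovCloud account assume the role only with MFA, and check an arbitrary trust policy for principals outside the `aws-us-gov` partition, wildcard principals, and a missing MFA condition. `sts:AssumeRole` and `aws:MultiFactorAuthPresent` are real identifiers; the account id in the usage block is constructed.

```python
import json

GOVCLOUD_PARTITION = "aws-us-gov"


def cross_account_trust_policy(trusted_account_id):
    """Trust policy for a role in one AWS GovCloud (US) account that lets IAM principals in
    another GovCloud account assume it, and only when the caller authenticated with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:{GOVCLOUD_PARTITION}:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def _principal_arns(principal):
    """Normalise the Principal element ("*", a string ARN, or {"AWS": ...}) to a list of strings."""
    if isinstance(principal, str):
        return [principal]
    values = principal.get("AWS", [])
    return [values] if isinstance(values, str) else list(values)


def trust_policy_problems(policy):
    """Check a trust policy against the slide's constraint (GovCloud to GovCloud) plus two
    hygiene rules: no wildcard principal, and MFA required. Returns a list of problem strings."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        arns = _principal_arns(stmt.get("Principal", {}))
        if not arns or "*" in arns:
            problems.append("wildcard or missing principal")
        for arn in arns:
            if arn == "*":
                continue
            parts = arn.split(":")  # arn:partition:service:region:account:resource
            if len(parts) < 6 or parts[1] != GOVCLOUD_PARTITION:
                problems.append(f"principal outside the {GOVCLOUD_PARTITION} partition: {arn}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            problems.append("assumption not restricted to MFA-authenticated callers")
    return problems


if __name__ == "__main__":
    good = cross_account_trust_policy("123456789012")  # constructed account id
    print(json.dumps(good, indent=2))
    print("problems:", trust_policy_problems(good))
```

A trust policy that names an `arn:aws:` principal is not merely a policy error: it is an attempt to trust an account in the standard partition from GovCloud, which the slide says is not how cross-account access works here, so the validator treats it as a hard failure rather than a warning.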

Page 21

Utilizing a Growing Partner Ecosystem

Robust set of partners with GovCloud expertise and offerings

Consulting/SI | Technology

Announced today: AWS GovCloud (US) Skills Program

Page 22

Learn more about AWS GovCloud (US)

AWS GovCloud (US) webpage
https://aws.amazon.com/govcloud-us/

AWS GovCloud (US) User Guide
http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html

AWS GovCloud (US) Skills Partner Program
https://aws.amazon.com/govcloud-us/partners/

Quinn Verfaillie
Worldwide Public Sector
Solutions Architect
[email protected]

Keith Brooks
AWS GovCloud (US)
Sr. Business Development
[email protected]

Page 23

Q&A

Page 24

Thank You!