AWS GovCloud: Basics & How It Compares to Azure & GCP

What Is AWS GovCloud (US)? 

AWS GovCloud (US) is a dedicated region of Amazon Web Services (AWS) designed to host sensitive data and regulated workloads. It’s a part of AWS’s secure cloud services, specifically tailored to meet the rigorous compliance and regulatory requirements of U.S. government agencies at the federal, state, and local levels, as well as contractors, educational institutions, and other U.S. customers.

The primary reason behind the creation of GovCloud was to enable these agencies and institutions to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. AWS GovCloud (US) provides the same reliable, scalable, and cost-effective infrastructure as other AWS services, but with the additional security and compliance controls that align with government standards.

One of the key features of GovCloud is its geographical and logical isolation from other AWS regions, providing an environment where data can be stored and processed solely within the United States. This is particularly important for organizations that are bound by U.S. data sovereignty requirements.

[Figure: AWS GovCloud overview. Source: AWS]


Where Is the AWS GovCloud Service Located? 

The AWS GovCloud service is located within the United States. There are currently two GovCloud regions: GovCloud (US-West) and GovCloud (US-East). Each region operates independently, with multiple Availability Zones, to offer a high level of security, compliance, and data locality.

The existence of two separate regions, on different coasts of the US, enhances redundancy and disaster recovery capabilities. If one region experiences an outage, the other can continue to function, thus ensuring uninterrupted service. This geographic distribution also helps to reduce latency for local users and accommodate the data residency requirements of various government agencies.

Although the service is physically based within the United States, it’s important to note that AWS GovCloud (US) can be accessed by vetted U.S. entities, wherever they may be located globally. However, root account owners and all IAM users who have access to GovCloud must be U.S. Persons (as defined by the Department of State).


Do the AWS GovCloud Regions have a FedRAMP JAB P-ATO? 

Yes, both AWS GovCloud regions hold a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) at the High baseline under the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Obtaining a FedRAMP JAB P-ATO is a significant achievement, as it indicates that a cloud service provider (CSP) has met the most stringent security requirements set forth by the U.S. government. This approval signifies that AWS GovCloud (US) has met the rigorous security and compliance standards necessary to handle the government’s most sensitive, unclassified data.

Which Other Compliance Standards Does AWS GovCloud Support?

At the time of this writing, according to AWS GovCloud documentation, the service supports the following additional compliance standards mandated by the U.S. government:

  • Department of Justice (DOJ) Criminal Justice Information Systems (CJIS) Security Policy
  • U.S. International Traffic in Arms Regulations (ITAR)
  • Export Administration Regulations (EAR)
  • Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5
  • Federal Information Processing Standard (FIPS) Publication 140-2
  • Internal Revenue Service (IRS) Publication 1075

How Does AWS GovCloud (US) Compare to Standard AWS Regions? 

While both AWS GovCloud (US) and standard AWS regions offer a broad suite of cloud services, there are several key differences: 

  • Compliance and regulatory standards: GovCloud adheres to stringent compliance standards including ITAR, FedRAMP High, DoD SRG, CJIS, and HIPAA.
  • U.S. data sovereignty: In GovCloud regions, all data processing and storage must occur within the United States. This is not a requirement for standard AWS regions, which can operate internationally.
  • Strict access control: Only U.S. entities that pass a screening process can have access to GovCloud. Root account owners and all IAM users must be U.S. Persons. In contrast, standard AWS regions do not have such restrictions.

Despite these differences, both AWS GovCloud (US) and standard AWS regions offer the same elastically scalable, reliable cloud infrastructure. They both provide a range of cloud services, including computing power, storage options, networking, and databases, tailored to meet different needs. Note that only a subset of AWS services is available through GovCloud.
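The data sovereignty and isolation requirements above can be turned into a simple guardrail: every resource reference an application or deployment uses should stay inside the GovCloud partition and one of its two regions. The following is an added example, not code from the article or from AWS; it assumes the standard ARN layout and the real GovCloud identifiers (partition `aws-us-gov`, regions `us-gov-west-1` and `us-gov-east-1`), and the sample ARNs are constructed for illustration.

```python
"""Guardrail that flags resource ARNs pointing outside AWS GovCloud (US).

Added example (not from the article). Assumes the standard ARN layout and the
GovCloud partition/region identifiers; the sample ARNs below are constructed.
"""
from dataclasses import dataclass

GOVCLOUD_PARTITION = "aws-us-gov"
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str    # empty for regionless resources (e.g. IAM roles, S3 buckets)
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields; the resource part may itself contain ':'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def check_govcloud(arn: str) -> list[str]:
    """Return the reasons this ARN leaves GovCloud (empty list if it stays inside)."""
    a = parse_arn(arn)
    problems = []
    if a.partition != GOVCLOUD_PARTITION:
        problems.append(f"partition {a.partition!r} is outside GovCloud")
    # Regionless resources are anchored by the partition alone, so only check a set region.
    if a.region and a.region not in GOVCLOUD_REGIONS:
        problems.append(f"region {a.region!r} is not a GovCloud region")
    return problems


def audit(arns: list[str]) -> dict[str, list[str]]:
    """Map each offending ARN to its findings; compliant ARNs are omitted."""
    findings = {}
    for arn in arns:
        problems = check_govcloud(arn)
        if problems:
            findings[arn] = problems
    return findings


# Constructed sample: a replication target and an instance that point outside GovCloud.
SAMPLE = [
    "arn:aws-us-gov:s3:::mission-data",
    "arn:aws-us-gov:kms:us-gov-east-1:123456789012:key/abcd-1234",
    "arn:aws:s3:::backup-copy",                                   # commercial partition
    "arn:aws-us-gov:ec2:us-west-2:123456789012:instance/i-0abc",  # non-GovCloud region
]

if __name__ == "__main__":
    for arn, why in audit(SAMPLE).items():
        print(arn, "->", "; ".join(why))
```

Running the audit over infrastructure templates or configuration exports before deployment catches cross-partition references (such as a backup copied to a commercial-region bucket) that would silently break the U.S.-only data handling requirement.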

AWS GovCloud vs. Azure Government 

Both AWS GovCloud and Azure Government provide a range of cloud services specifically designed for government agencies.

Azure Government, a part of Microsoft’s Azure cloud, offers a physically isolated instance of Microsoft Azure for the use of U.S. government agencies and their partners. Azure Government meets compliance standards, including FedRAMP High, IRS 1075, DoD L4, and CJIS. Azure Government offers more than 100 services, including AI, analytics, and IoT, all backed by a 99.95% uptime SLA.

There are several key differences between AWS GovCloud and Azure Government: 

  • AWS has a more extensive range of cloud services offered through GovCloud, compared to Azure Government. 
  • AWS GovCloud has been in the market longer than Azure Government and currently has more customers.
  • Each of the services offers advantages to customers already using their respective ecosystem. Organizations currently invested in AWS will find it easier to work with GovCloud, while organizations using Microsoft technology might prefer Azure.
  • The two services have different pricing structures. Both offer pricing calculators you can use to estimate your costs for different scenarios.

AWS GovCloud vs. Google Distributed Cloud Hosted (GDCH) 

Google Distributed Cloud Hosted (GDCH) is Google’s infrastructure solution for government users. It takes a different approach from AWS GovCloud, providing a private cloud solution that government users can host on their own premises.

GDCH is designed for organizations that require specific data residency, sovereignty, operational continuity, or modernization needs. It provides access to Google Cloud services and scalability through the Google Anthos hybrid cloud solution.

The Cloud Native Experts
"The Cloud Native Experts" at Aqua Security specialize in cloud technology and cybersecurity. They focus on advancing cloud-native applications, offering insights into containers, Kubernetes, and cloud infrastructure. Their work revolves around enhancing security in cloud environments and developing solutions to new challenges.