![Page 1: AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016](https://reader035.vdocument.in/reader035/viewer/2022070517/58d186701a28ab29318b4fcd/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quinn Verfaillie, Solutions Architect, AWS
June 20, 2016
AWS GovCloud (US) and the Enterprise
A Discussion on Best Practices for Enterprise Adoption and Migration
Best Practices Topics
• Getting Started with AWS GovCloud (US)
• Setting Up Your AWS GovCloud (US) Environment
• Securing Sensitive Resources
• Migrating to and Operating in AWS GovCloud (US)
Getting Started with AWS GovCloud (US)
Onboarding into AWS GovCloud (US)
• AWS GovCloud (US) supports an IAM user model
• An Administrator IAM user is created during the onboarding process
AWS Management Console, AWS CLI, AWS SDK
Billing Management in AWS GovCloud (US)
• Standard AWS accounts have a 1:1 relationship with AWS GovCloud (US) accounts
• All AWS GovCloud (US) usage and activity is reported to the AWS Standard account for billing purposes
[Diagram: Standard AWS Account (1) linked to AWS GovCloud Account (1). 1-to-1 relationship between standard AWS account and AWS GovCloud account.]
*Standard account is granted access to the AWS GovCloud region
Securing the Whole Account
The AWS Standard account is just as important to secure and manage as the GovCloud account
• The AWS Standard account Root/IAM users are the only ones who can:
  • Pay bills
  • Contact AWS Support
  • Submit penetration testing requests
Setting Up Your AWS GovCloud (US) Environment
Setting Up Resources in AWS GovCloud (US)
AWS Direct Connect
• Set up from within the AWS Management Console
• ITAR workloads must use a VPN tunnel in conjunction with AWS Direct Connect
Amazon Virtual Private Cloud
• Provision VPN connectivity
• Able to separate VPCs by project requirements
• Can be used to connect to VPCs in other regions
Managing User Access
• Use least privilege for tasks when possible
• Assign virtual MFA to all users associated with the account
• Create permissions groups based on type of access needed
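One way to check the MFA practice above against an IAM credential report, as an added example that is not part of the original presentation. The report rows, user names and account ID are constructed, and only the report columns this check reads are included.

```python
import csv
import io

# Constructed sample in the column layout of an IAM credential report
# (only the columns this check reads; a real report has more).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
admin,arn:aws-us-gov:iam::111122223333:user/admin,true,true,false,false
deploy-bot,arn:aws-us-gov:iam::111122223333:user/deploy-bot,false,false,true,false
jsmith,arn:aws-us-gov:iam::111122223333:user/jsmith,true,false,true,false
breakglass,arn:aws-us-gov:iam::111122223333:user/breakglass,true,true,false,false
"""


def _flag(value):
    """Credential report booleans are the strings 'true' / 'false'."""
    return value.strip().lower() == "true"


def users_missing_mfa(report_csv):
    """Return one finding per user whose mfa_active column is not true."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if _flag(row["mfa_active"]):
            continue
        has_console = _flag(row["password_enabled"])
        has_keys = (_flag(row["access_key_1_active"])
                    or _flag(row["access_key_2_active"]))
        findings.append({
            "user": row["user"],
            "arn": row["arn"],
            # A console password with no second factor is the larger gap.
            "severity": "high" if has_console else "medium",
            "console_password": has_console,
            "active_access_keys": has_keys,
        })
    # High-severity findings first, then alphabetical by user name.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["user"]))


if __name__ == "__main__":
    for f in users_missing_mfa(SAMPLE_REPORT):
        print(f["severity"], f["arn"],
              "console" if f["console_password"] else "keys-only")
```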
Protecting Account Access
Consider provisioning a “break glass” user into your AWS GovCloud (US) environment
Securing Sensitive Resources
AWS Shared Responsibility Model
Customers are responsible for their security and compliance IN the cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Securing your AWS GovCloud (US) Environment
• AWS Key Management Service
• AWS CloudTrail
• AWS Config
• AWS Identity and Access Management
These services are available for account security logging, encryption, and authentication
GovCloud is all about “Compliance in the Cloud”
FIPS 140-2 in AWS GovCloud (US)
• Most services in AWS GovCloud (US) have FIPS 140-2 validated HTTPS endpoints
• We continue to assess and add additional FIPS endpoints for new services that launch in the AWS GovCloud (US) region
• A full list of endpoints can be found in the AWS GovCloud (US) documentation
• http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html
Maintaining ITAR Compliance
Places to put ITAR data
• Amazon EBS Volumes
• Amazon RDS storage
Places NOT to put ITAR data
• Service metadata
• Names
• Descriptions
More information about the ITAR boundary for services can be found here: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-itar.html
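A pre-provisioning check for the rule above, as an added example that is not part of the original presentation: it scans only the name, description and tag fields of resource definitions for markings that suggest controlled data has leaked into metadata. The marker patterns, field names and sample inventory are assumptions constructed for illustration.

```python
import re

# Assumed markers an organization might use to label export-controlled
# material; replace with your own program names and marking formats.
CONTROLLED_PATTERNS = {
    "itar-marking": re.compile(r"\bITAR\b", re.I),
    "export-controlled": re.compile(r"export[\s_-]*controlled", re.I),
    "usml-category": re.compile(r"\bUSML\s+(?:cat(?:egory)?\s+)?[IVX]+\b", re.I),
}

# Fields that live in service metadata, not inside the volume or database.
METADATA_FIELDS = ("name", "description", "tags")

# Constructed sample inventory (hypothetical resource IDs and values).
SAMPLE_RESOURCES = [
    {"id": "vol-0aaa", "name": "telemetry-data-01",
     "description": "Encrypted data volume", "tags": {"project": "P-1138"}},
    {"id": "vol-0bbb", "name": "itar-drawings",
     "description": "Export controlled CAD files", "tags": {"owner": "eng"}},
    {"id": "db-0ccc", "name": "orders-db",
     "description": "RDS instance", "tags": {"classification": "USML Category XI"}},
]


def _strings(value, path):
    """Yield (path, text) for every string nested under value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, inner in value.items():
            yield f"{path}.{key}#key", str(key)  # tag keys are metadata too
            yield from _strings(inner, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for index, inner in enumerate(value):
            yield from _strings(inner, f"{path}[{index}]")


def metadata_findings(resources):
    """Return (resource_id, field_path, marker) for each suspicious field."""
    findings = []
    for res in resources:
        for field in METADATA_FIELDS:
            for path, text in _strings(res.get(field), field):
                for label, pattern in CONTROLLED_PATTERNS.items():
                    if pattern.search(text):
                        findings.append((res["id"], path, label))
    return findings
```

The check deliberately never reads volume or database contents, which are the places the slide lists for ITAR data.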
Migrating to and Operating in AWS GovCloud (US)
Migrating Data and Workloads to GovCloud
From outside of AWS
• VPN/Direct Connect for secure connections to AWS
• AWS Import/Export Snowball for larger amounts of data
• VM Import for instances from on-premises
From within another AWS Region
• Partners available for the transfer of AMIs
• VPN connectivity between VPCs
Using a Hybrid-Region Approach
Amazon Route 53, Amazon CloudFront, Amazon Simple Email Service
Customers can leverage services outside of the AWS GovCloud (US) region when necessary
Interacting with Multiple Accounts
• Cross account policies are available in AWS GovCloud (US)
• This functionality works from one AWS GovCloud (US) account to another AWS GovCloud (US) account
• AWS Support plans/cases are managed from the AWS Standard account
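A lint for role trust policies that reflects the GovCloud-to-GovCloud scope of cross-account access, as an added example that is not part of the original presentation. It flags principals whose ARN is outside the aws-us-gov partition and wildcard principals; the policy, role names and account IDs are constructed.

```python
import json

GOVCLOUD_PARTITION = "aws-us-gov"

# Constructed trust policy for a hypothetical role; account IDs are placeholders.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws-us-gov:iam::111122223333:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:role/ci",
                               "arn:aws-us-gov:iam::777788889999:user/auditor"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"},
    ],
})


def _as_list(value):
    """Policy elements may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy_json):
    """Return (statement_index, principal, reason) for principals to review."""
    findings = []
    statements = _as_list(json.loads(policy_json)["Statement"])
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append((index, "*", "wildcard principal"))
            continue
        if not isinstance(principal, dict):
            continue  # no Principal element (for example NotPrincipal)
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append((index, arn, "wildcard principal"))
                continue
            parts = arn.split(":")
            # A bare account ID has no partition field and is skipped here.
            if len(parts) >= 5 and parts[1] != GOVCLOUD_PARTITION:
                reason = f"partition '{parts[1]}' is not {GOVCLOUD_PARTITION}"
                findings.append((index, arn, reason))
    return findings
```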
Utilizing a Growing Partner Ecosystem
Robust set of partners with GovCloud expertise and offerings
Consulting/SI Technology
Announced today: AWS GovCloud (US) Skills Program
Learn more about AWS GovCloud (US)
AWS GovCloud (US) webpage
https://aws.amazon.com/govcloud-us/
AWS GovCloud (US) User Guide
http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html
AWS GovCloud (US) Skills Partner Program
https://aws.amazon.com/govcloud-us/partners/
Quinn Verfaillie
Worldwide Public Sector
Solutions [email protected]
Keith Brooks
AWS GovCloud (US)
Sr. Business Development [email protected]
Q&A
Thank You!