AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quinn Verfaillie, Solutions Architect, AWS
June 20, 2016
AWS GovCloud (US) and the Enterprise
A Discussion on Best Practices for Enterprise Adoption and Migration
Best Practices Topics
• Getting Started with AWS GovCloud (US)
• Setting Up Your AWS GovCloud (US) Environment
• Securing Sensitive Resources
• Migrating to and Operating in AWS GovCloud (US)
Getting Started with AWS GovCloud (US)
Onboarding into AWS GovCloud (US)
• AWS GovCloud (US) supports an IAM user model
• An Administrator IAM user is created during the onboarding process
• Accessed via the AWS Management Console, the AWS CLI, or the AWS SDK
Billing Management in AWS GovCloud (US)
• Standard AWS accounts have a 1:1 relationship with AWS GovCloud (US) accounts
• All AWS GovCloud (US) usage and activity is reported to the AWS Standard account for billing purposes
Diagram: 1-to-1 relationship between a Standard AWS Account and an AWS GovCloud Account; the Standard account is granted access to the AWS GovCloud region
Securing the Whole Account
The AWS Standard account is just as important to secure and manage as the GovCloud account
• The AWS Standard account Root/IAM users are the only ones who can:
  • Pay bills
  • Contact AWS Support
  • Submit penetration testing requests
Setting Up Your AWS GovCloud (US) Environment
Setting Up Resources in AWS GovCloud (US)
AWS Direct Connect
• Set up from within the AWS Management Console
• ITAR workloads must use a VPN tunnel in conjunction with AWS Direct Connect
Amazon Virtual Private Cloud
• Provision VPN connectivity
• Able to separate VPCs by project requirements
• Can be used to connect to VPCs in other regions
Managing User Access
• Use least privilege for tasks when possible
• Assign virtual MFA to all users associated with the account
• Create permissions groups based on the type of access needed
Protecting Account Access
Consider provisioning a “break glass” user into your AWS GovCloud (US) environment
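The two slides above (MFA for every user, permission groups, a break-glass user) are the kind of thing worth checking continuously rather than once. The following is an added example, not code from the deck or from AWS: it parses a credential report in the column layout that `aws iam get-credential-report` returns, lists console users without an active MFA device, checks the break-glass user, and emits the well-known "deny everything except MFA enrolment until MFA is present" IAM policy. Assumptions not stated on the slides: the break-glass user is named `breakglass-admin` and is console-only (no access keys), and the report content is constructed sample data.

```python
"""MFA and break-glass audit over an IAM credential report (added example).

Assumptions, not from the slides: the input is the CSV that
`aws iam get-credential-report` returns (same column names), the break-glass
user is called "breakglass-admin", and break-glass users are console-only.
The report below is constructed sample data, not a real account.
"""
import csv
import io
import json

# Constructed sample report: two interactive users, one service user, one
# break-glass user and the root account row, using the real report's columns.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws-us-gov:iam::123456789012:root,2016-01-04T10:00:00+00:00,not_supported,2016-06-01T09:12:00+00:00,not_supported,not_supported,true,false,false
alice,arn:aws-us-gov:iam::123456789012:user/alice,2016-02-10T08:00:00+00:00,true,2016-06-19T14:02:00+00:00,2016-05-01T08:00:00+00:00,2016-08-01T08:00:00+00:00,true,false,false
bob,arn:aws-us-gov:iam::123456789012:user/bob,2016-03-15T08:00:00+00:00,true,2016-06-18T11:30:00+00:00,2016-03-15T08:00:00+00:00,2016-06-15T08:00:00+00:00,false,true,false
deploy-svc,arn:aws-us-gov:iam::123456789012:user/deploy-svc,2016-04-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,false
breakglass-admin,arn:aws-us-gov:iam::123456789012:user/breakglass-admin,2016-01-05T08:00:00+00:00,true,no_information,2016-01-05T08:00:00+00:00,2016-04-05T08:00:00+00:00,true,false,false
"""

BREAK_GLASS_USER = "breakglass-admin"  # assumed name, not from the slides


def parse_credential_report(report_csv):
    """Return the report rows as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def users_without_mfa(rows):
    """Users who can sign in to the console but have no MFA device active."""
    return sorted(
        row["user"] for row in rows
        if row["password_enabled"] == "true" and row["mfa_active"] != "true"
    )


def check_break_glass(rows, user=BREAK_GLASS_USER):
    """Findings for the break-glass user: it must exist, have MFA, carry no
    access keys (console-only by assumption), and any use should be reviewed."""
    matches = [row for row in rows if row["user"] == user]
    if not matches:
        return [f"{user}: break-glass user does not exist"]
    row = matches[0]
    findings = []
    if row["mfa_active"] != "true":
        findings.append(f"{user}: MFA is not active")
    if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
        findings.append(f"{user}: has active access keys")
    if row["password_last_used"] not in ("no_information", "N/A"):
        findings.append(f"{user}: console password used at {row['password_last_used']}; "
                        "confirm this was an approved emergency")
    return findings


def mfa_enforcement_policy():
    """Deny every action except the ones needed to enrol an MFA device whenever
    the caller has not authenticated with MFA. BoolIfExists also covers API
    calls made with long-lived access keys, where the MFA key is absent."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMfaSetupWithoutMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                "iam:GetUser", "iam:ListMFADevices",
                "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


if __name__ == "__main__":
    rows = parse_credential_report(SAMPLE_CREDENTIAL_REPORT)
    print("console users without MFA:", users_without_mfa(rows))
    print("break-glass findings:", check_break_glass(rows))
    print(json.dumps(mfa_enforcement_policy(), indent=2))
```

Attach the policy to the group every human user belongs to; the `NotAction` list leaves just enough room for a new user to enrol a virtual MFA device and nothing else. The "password used" finding on the break-glass user is deliberately noisy: that account should be used so rarely that every sign-in deserves a ticket.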
Securing Sensitive Resources
AWS Shared Responsibility Model
Customers are responsible for their security and compliance IN the cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Securing your AWS GovCloud (US) Environment
AWS Key Management Service, AWS CloudTrail, AWS Config, AWS Identity and Access Management
These services are available for account security, logging, encryption, and authentication
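CloudTrail is listed above as the logging service; the earlier slide on securing the whole account made the point that the Standard account's root user holds powers nothing else has. The following is an added example, not from the deck or from AWS, showing the detection logic a team would run over a delivered CloudTrail log file: it flags any activity by the root identity and any successful console sign-in made without MFA. The records are constructed, but they follow the real CloudTrail record layout (`userIdentity.type`, `eventName`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`); the account id and IP addresses are made up.

```python
"""Detection over CloudTrail records: root account use and console sign-in
without MFA (added example, not from the slides).

The records below are constructed to match the CloudTrail record layout;
the account id and source IPs are made up.
"""
import json

# Constructed log file in the {"Records": [...]} shape CloudTrail delivers.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-06-19T13:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws-us-gov:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-06-19T13:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws-us-gov:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-06-19T13:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root",
                      "arn": "arn:aws-us-gov:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-06-19T13:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root",
                      "arn": "arn:aws-us-gov:iam::123456789012:root"}},
    {"eventTime": "2016-06-19T13:20:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.12",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "arn": "arn:aws-us-gov:iam::123456789012:user/carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]})


def load_records(trail_json):
    """CloudTrail log files are {"Records": [...]}; return the record list."""
    return json.loads(trail_json)["Records"]


def actor(record):
    """Best available name for the caller: user name, else ARN, else type."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def detect(records):
    """Return (rule, actor, eventTime) tuples. A root console login without
    MFA matches both rules, which is the intended behaviour."""
    findings = []
    for rec in records:
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(("ROOT_ACCOUNT_ACTIVITY", actor(rec), rec["eventTime"]))
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", actor(rec), rec["eventTime"]))
    return findings


if __name__ == "__main__":
    for finding in detect(load_records(SAMPLE_TRAIL)):
        print(*finding)
```

Failed sign-ins are excluded on purpose; a separate rule with its own threshold is the right place for brute-force detection. Because GovCloud usage is billed to, and supported from, the Standard account, the same two rules belong on that account's trail as well.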
GovCloud is all about “Compliance in the Cloud”
FIPS 140-2 in AWS GovCloud (US)
• Most services in AWS GovCloud (US) have FIPS 140-2 validated HTTPS endpoints
• We continue to assess and add additional FIPS endpoints for new services that launch in the AWS GovCloud (US) region
• A full list of endpoints can be found in the AWS GovCloud (US) documentation
• http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-endpoints.html
Maintaining ITAR Compliance
Places to put ITAR data:
• Amazon EBS Volumes
• Amazon RDS storage
Places NOT to put ITAR data:
• Service metadata
• Names
• Descriptions
More information about the ITAR boundary for services can be found here: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-itar.html
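The rule on this slide is easy to state and easy to break by accident: a tag value, a snapshot description or a security group description is service metadata, and it leaves the ITAR boundary even when the volume behind it does not. The following is an added example, not from the deck or from AWS, of a lint that scans an inventory's free-text fields for markers of controlled data. The inventory and the patterns (a program codename and a drawing-number format) are constructed; in practice the data owner supplies the patterns.

```python
"""Lint resource metadata for export-controlled content (added example, not
from the slides). The slide's rule: ITAR data belongs in EBS/RDS storage,
never in service metadata such as names, descriptions or tags.

The patterns and resources below are constructed: a program codename and a
drawing-number format stand in for whatever markers an organisation controls.
"""
import re

# Constructed markers; in practice these come from the data owner.
CONTROLLED_PATTERNS = [
    re.compile(r"\bPROGRAM-X\b", re.IGNORECASE),  # controlled program codename
    re.compile(r"\bZX-\d{5}\b"),                  # controlled drawing numbers
]

# Constructed inventory, flattened from describe-* style output.
SAMPLE_RESOURCES = [
    {"id": "i-0a1b2c3d", "type": "ec2:instance",
     "tags": {"Name": "web-01", "Owner": "platform"}},
    {"id": "vol-0f1e2d3c", "type": "ec2:volume",
     "tags": {"Name": "program-x-cad-data"}},
    {"id": "snap-0123abcd", "type": "ec2:snapshot",
     "description": "Backup of drawings ZX-48213 rev C", "tags": {}},
    {"id": "sg-0a0b0c0d", "type": "ec2:security-group",
     "description": "Allow engineering VPN", "tags": {"Name": "eng-vpn"}},
]


def metadata_fields(resource):
    """Yield (field, text) for every free-text field: name, description and
    each tag. Tag keys are scanned too, since they are metadata as well."""
    for key in ("name", "description"):
        if resource.get(key):
            yield key, resource[key]
    for tag_key, tag_value in resource.get("tags", {}).items():
        yield f"tag:{tag_key}", f"{tag_key}={tag_value}"


def find_controlled_metadata(resources, patterns=CONTROLLED_PATTERNS):
    """Return (resource id, field, matched text) for every metadata hit."""
    findings = []
    for res in resources:
        for field, text in metadata_fields(res):
            for pat in patterns:
                match = pat.search(text)
                if match:
                    findings.append((res["id"], field, match.group(0)))
    return findings


if __name__ == "__main__":
    for res_id, field, text in find_controlled_metadata(SAMPLE_RESOURCES):
        print(f"{res_id}: {field} contains controlled marker {text!r}")
```

Run it against the output of the describe calls for each resource type you use, and treat a hit as a data-spill incident rather than a naming nit: the fix is to rename or re-describe the resource and then review where that metadata was already replicated (billing reports, CloudTrail, Config history).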
Migrating to and Operating in AWS GovCloud (US)
Migrating Data and Workloads to GovCloud
From outside of AWS:
• VPN/Direct Connect for secure connections to AWS
• AWS Import/Export Snowball for larger amounts of data
• VM Import for instances from on-premises
From within another AWS Region:
• Partners available for the transfer of AMIs
• VPN connectivity between VPCs
Using a Hybrid-Region Approach
Examples: Amazon Route 53, Amazon CloudFront, Amazon Simple Email Service
Customers can leverage services outside of the AWS GovCloud (US) region when necessary
Interacting with Multiple Accounts
• Cross-account policies are available in AWS GovCloud (US)
• This functionality works from one AWS GovCloud (US) account to another AWS GovCloud (US) account
• AWS Support plans/cases are managed from the AWS Standard account
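The slide states that cross-account access works GovCloud-to-GovCloud. That boundary shows up concretely in the role trust policy: GovCloud principals carry the `aws-us-gov` partition in their ARNs, so a trust policy that names an `arn:aws:` principal is trusting something outside the region. The following is an added example, not from the deck or from AWS: it generates a trust policy for a role in one GovCloud account that a second GovCloud account may assume, and audits an arbitrary trust policy for wildcard principals, principals outside the `aws-us-gov` partition, accounts not on an allow list, and a missing MFA condition. The account ids are constructed, and requiring MFA on `sts:AssumeRole` is a design choice here rather than something the deck states.

```python
"""Cross-account role trust policy for GovCloud-to-GovCloud access, with an
audit that rejects principals outside the aws-us-gov partition (added
example, not from the slides). Account ids are constructed; requiring MFA on
the AssumeRole call is a design choice, not something the deck states.
"""
import json
import re

GOVCLOUD_PARTITION = "aws-us-gov"
IAM_ARN = re.compile(r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):(?P<resource>.+)$")
BARE_ACCOUNT = re.compile(r"^\d{12}$")


def trust_policy(trusted_account, require_mfa=True):
    """Allow principals in `trusted_account` (same partition) to assume the role."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:{GOVCLOUD_PARTITION}:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _aws_principals(statement):
    """Normalise Principal to a list of strings ("*" or AWS ARNs/account ids)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def audit_trust_policy(policy, allowed_accounts):
    """Findings for each Allow statement granting sts:AssumeRole."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        for principal in _aws_principals(stmt):
            if principal == "*":
                findings.append("wildcard principal")
                continue
            if BARE_ACCOUNT.match(principal):
                # A bare account id is resolved by IAM within the role's own
                # partition, so only the allow list applies.
                if principal not in allowed_accounts:
                    findings.append(f"{principal}: account not on the allow list")
                continue
            m = IAM_ARN.match(principal)
            if not m:
                findings.append(f"{principal}: unparseable principal")
                continue
            if m["partition"] != GOVCLOUD_PARTITION:
                findings.append(f"{principal}: principal outside the {GOVCLOUD_PARTITION} partition")
            if m["account"] not in allowed_accounts:
                findings.append(f"{principal}: account {m['account']} not on the allow list")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if mfa != "true":
            findings.append("no MFA condition on sts:AssumeRole")
    return findings


if __name__ == "__main__":
    policy = trust_policy("210987654321")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, {"210987654321"}))
```

The partition check is the GovCloud-specific part; the allow list and the MFA condition are the same hygiene you would apply to any cross-account role. Feed the audit with the output of `aws iam get-role` for each role in the account to catch trust relationships that have drifted since they were created.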
Utilizing a Growing Partner Ecosystem
Robust set of partners with GovCloud expertise and offerings
Partner categories: Consulting/SI, Technology
Announced today: AWS GovCloud (US) Skills Program
Learn more about AWS GovCloud (US)
• AWS GovCloud (US) webpage: https://aws.amazon.com/govcloud-us/
• AWS GovCloud (US) User Guide: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html
• AWS GovCloud (US) Skills Partner Program: https://aws.amazon.com/govcloud-us/partners/
Quinn Verfaillie, Worldwide Public Sector Solutions Architect, [email protected]
Keith Brooks, AWS GovCloud (US) Sr. Business Development, [email protected]
Q&A
Thank You!