I was on a client engagement recently where they wanted a multi-account structure in the AWS GovCloud, with the ability to deploy additional production application accounts easily. Naturally, we would have gone with AWS Control Tower and Landing Zone, but at the time of this writing, those products are not supported in the GovCloud. Given that we didn’t have enough hours allocated to write this infrastructure ourselves, it would have been nice to have something we could use specific to the GovCloud, while ensuring that applications deployed into it had sufficient encryption and logging capabilities built in.
Enter the Department of Defense (DoD) Compliant Framework. Essentially, it’s a product that is deployed inside of your commercial master AWS account within an organization, and it creates logging, networking, and shared services AWS accounts in addition to deploying some core services (GuardDuty, Config, CloudTrail, etc.) inside those accounts. It’s a quick and easy way to get started with the AWS GovCloud at an organizational level, and it enables you to obtain compliance if you are running high-level government projects that require it. In effect, it provides Multi-Account Landing Zone (MALZ) functionality for the GovCloud.
This product is written using AWS’s Cloud Development Kit (CDK), which is a wrapper around CloudFormation templates that makes them much easier to write, manage, and deploy. Deploying it was fairly simple when following their implementation guide. For my engagement, the 3 accounts (logging, shared services, and networking) were already part of my organization, so I had to make slight modifications to one of the Lambda functions to get it to work completely. So before using it, ensure these accounts haven’t been created yet unless you know how to debug and code Lambda functions!
Thanks for reading. I feel this is a good product from Amazon that I hope gets more visibility. The GovCloud can be frustrating to work with at times, but this greatly improves the experience.
References & More Info
- Official AWS Doc on Solution: https://aws.amazon.com/solutions/implementations/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us/
- Blog Article: https://aws.amazon.com/about-aws/whats-new/2020/12/introducing-compliant-framework-federal-dod-workloads-aws-govcloud-us/
- Implementation Guide: https://docs.aws.amazon.com/solutions/latest/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us/welcome.html
- Implementation Guide (PDF): https://docs.aws.amazon.com/solutions/latest/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us.pdf#welcome
- GitHub: https://github.com/awslabs/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us