AWS Public Sector Blog
Advancing the defense system lifecycle with digital engineering on AWS

Please note that the following post is intended for informational purposes only. The approach detailed below may not be suitable for all organizations and/or compliance programs. It is important to evaluate this potential solution against the compliance needs of your organization and any applicable regulatory obligations you may have.
The United States (US) Department of War (DoW) is embarking on a transformative journey through digital engineering. Its aim is to improve decision-making, accelerate delivery, and enhance collaboration throughout a system’s lifecycle. To implement this approach, the DoW is working with Amazon Web Services (AWS), which provides secure high performance computing (HPC), scalable storage, and advanced networking to support modeling, simulation, and the computational demands of digital engineering at scale. AWS offers specialized HPC instances, petabyte-scale storage, and low-latency networking to run complex simulations, iterate on digital models, and maintain authoritative sources of truth throughout a system’s lifecycle.
The DoW Digital Engineering Strategy defines digital engineering as “an integrated digital approach that uses authoritative sources of system data and models as a continuum across disciplines to support lifecycle activities from concept through disposal.” Digital engineering modernizes traditional engineering by using three foundational technologies: model-based systems engineering (MBSE), digital threads, and digital twins. These technologies create a single source of truth across all functional disciplines. The field now extends to artificial intelligence and machine learning (AI/ML), data analytics, and augmented reality (AR) and virtual reality (VR), all linked through digital threads. This integrated approach delivers a comprehensive mission and program solution built on consistent source systems and data, eliminating the fragmented, siloed implementations that hinder enterprise-wide scalability and interoperability.
AWS provides infrastructure that enables mission and program teams to build and manage their own digital engineering environments with secure, scalable computing resources and tools. In this model AWS supplies and operates the underlying resources, which delivers cost efficiency, simplified management, reliable failover, and streamlined infrastructure operations. With AWS, organizations can rapidly validate MBSE models, build and maintain digital twins, and connect data through a unified digital thread across the entire program lifecycle. These capabilities accelerate system delivery to the field while reducing total lifecycle costs.
In this post, we provide a detailed walkthrough for building a secure and scalable digital engineering environment on AWS.
Solution overview
The reference architecture for our digital engineering solution presents a comprehensive cloud infrastructure designed for workloads with robust security and networking requirements. The architecture is organized into several key accounts and virtual private clouds (VPCs), each serving specific functions. It incorporates security best practices through multiple layers of network segmentation, dedicated security services, and separate accounts for different functions. The solution architecture shown in the following diagram provides the blueprint for our entire implementation approach. The diagram shows enterprise shared services tools (directory services, single sign-on, collaboration tools, license servers, and package and container repositories) in the shared services account; network security capabilities, including a next-generation firewall and intrusion detection and prevention systems, in the network account; virtual desktop infrastructure for modeling, computational analysis, and simulation software in the end users and desktops account; and digital engineering workloads requiring parallel clustering, HPC, and AI/ML and analytics in the digital engineering workload account.
Figure 1: Baseline infrastructure for digital engineering on AWS GovCloud (US)
To help defense and regulated organizations successfully implement this architecture, we’ve developed a methodical approach that breaks down the implementation into three strategic phases. Each phase builds upon the previous one, ensuring a robust and compliant foundation while progressively adding digital engineering capabilities:
- Building a foundational blueprint
- Extending the blueprint for digital engineering
- Tailoring the blueprint for mission outcomes
Building a foundational blueprint
AWS workloads for DoW customers require appropriate security authorization and compliance certification. AWS GovCloud (US) integrates security from the ground up, providing controls and services that protect sensitive workloads at scale with minimal operational overhead. Through our extensive experience hosting DoW workloads, we’ve developed proven architectures and solutions that accelerate customers’ adoption journeys.
The Landing Zone Accelerator (LZA) is a pre-built and widely adopted AWS solution for managing and governing multi-account environments with highly regulated workloads and complex compliance requirements. The LZA provides the foundation to support MBSE, digital threads, and digital twins. Our approach uses the AWS Prescriptive Guidance: Secure Cloud Computing Architecture (SCCA) on AWS for US Department of Defense as the foundation for creating cloud infrastructure that meets Impact Level 4 (IL4) and Impact Level 5 (IL5) requirements. Note that the SCCA guidance and LZA supply the technical controls; the authorization to operate at a given impact level is still granted by the organization’s own authorizing official after assessment.
Let’s walk through the key components of this foundational architecture:
- AWS GovCloud (US) Regions fulfill the US government’s specific regulatory and compliance requirements.
- Direct connectivity to the on-premises networks is achieved through AWS Direct Connect and virtual private gateway associations.
- The management account is the privileged account providing AWS administrative and organizational tools such as AWS Organizations.
- The audit account features centralized security and compliance monitoring tools.
- The log archive account provides immutable storage for centralized log aggregation. AWS delivers the underlying storage infrastructure with strong durability and retention capabilities, and keeping the logs in a separate account with restricted write access prevents a compromised workload account from altering its own audit trail.
- The network account consists of security and network services providing network perimeter protection while using AWS Transit Gateway, which acts as a hub to control network routing.
- The shared services account hosts your enterprise identity management, licensing, software package management, container repositories, collaboration tools, and more.
This architecture is shown in the following diagram.
Figure 2: SCCA for US DoD reference architecture on AWS
With this secure, compliant foundation established, we can now extend the architecture with specialized capabilities tailored specifically for digital engineering workloads.
Extending the blueprint for digital engineering
With the secure SCCA foundation in place, we now extend one existing account and add two new ones, giving three specialized accounts essential for a complete digital engineering environment:
- Shared services account – Extended to include data and model repositories
- End users account – Delivers virtual desktop experiences
- Digital engineering workload account – Hosts modeling and simulation environments
The account separation by function is critical because it enforces least privilege access, isolates workload risks from infrastructure services, and enables independent scaling and compliance controls for each function. The account boundary is only as strong as what crosses it, so cross-account IAM role trust policies, resource policies, and Transit Gateway route tables should each be reviewed for the minimum access the function actually needs.
Shared services account
The shared services account plays a crucial role in streamlining operations and maintaining consistency across an organization’s AWS infrastructure while providing the flexibility of extending their existing infrastructures and investment.
This centralized hub offers three types of tools:
- Collaboration – Enterprise engineering and product teams require integrated suites of tools for efficient collaboration, including source code repositories, container registries, product lifecycle management systems, and model repositories—all deployed following guidance for secure collaboration on AWS. These tools are deployed on AWS compute and managed service resources, providing scalability and reliability.
- License management – Managing software licenses across multiple departments, projects, and accounts can be a complex and costly challenge. AWS License Manager helps organizations manage software licenses in AWS and on-premises environments, reducing the risk of noncompliance and fine-tuning costs. For vendor-specific licensing needs, enterprises can also consider third-party solutions to complement their license management strategy.
- Identity and access management – AWS Identity and Access Management (IAM) is evaluated within each account, so the shared services account does not replace it; instead it centralizes the directory and identity provider that workload accounts federate to, and it supports integration with corporate identity providers. Organizations can use their existing Active Directory, Lightweight Directory Access Protocol (LDAP) services, or AWS Directory Service for user authentication. This centralized approach provides consistent access control across the AWS environment.
The following figure illustrates the detailed architecture for the shared services account.
Figure 3: Shared services account for collaboration
End users account
The end users account provides virtual desktop infrastructure (VDI) that delivers role-based secure access to digital engineering tools and resources. With VDI, users can access powerful computing resources and specialized applications from any location while maintaining strict security controls. With account separation, VDI resources connect securely to cross-account services such as the shared services account without giving users direct access to the underlying infrastructure.
The end users account provides two virtual desktop capabilities:
- Amazon WorkSpaces provides fully managed virtual desktop solutions, including application streaming so users can access applications through a web browser, and Desktop as a Service (DaaS) for provisioning virtual Windows or Amazon Linux desktops—all without managing complex on-premises VDI infrastructure.
- Research and Engineering Studio (RES) orchestrates secure virtual desktop environments through a seamless web portal where users can access Windows and Linux desktops for scientific research, product design, engineering simulations, and data analysis using their existing corporate credentials.
The following diagram illustrates the detailed architecture for the end users account.
Figure 4: End users account for virtual desktop experiences
Digital engineering workload account
The digital engineering workload account functions as the dedicated environment for transforming physical systems into virtual models. This account provides digital engineering capabilities to optimize design and enhance decision-making, using integrated data architecture to support engineering, logistics, testing, and manufacturing operations while converting raw data into engineering insights, simulations, and actionable results through multiple processing layers.
Let’s examine each processing layer in detail:
- Data ingestion handles the collection and transfer of data from multiple sources into the cloud environment, supporting both real-time streaming and batch processing.
- Workflow orchestration coordinates and automates the complex data processing tasks, providing efficient and reliable execution of data pipelines.
- Data storage refers to repositories where data has been ingested, processed, and stored for organizational use, such as databases, data lakes, or data warehouses. These storage systems maintain information in specific formats optimized for defined organizational functions or processes.
- Compute clusters enable high-performance processing for intensive computational tasks and simulations.
- Data lake (destination of data) is a centralized repository that stores all types of data (structured, semi-structured, and unstructured) from multiple data sources in its original format, enabling consolidated access for various analytical needs and future processing.
- AI/ML and analytics transforms data into actionable insights through AI capabilities such as natural language processing (NLP), computer vision, and deep learning and ML techniques such as predictive modeling, pattern recognition, classification, and regression.
The following diagram illustrates the detailed architecture for the digital engineering workload environment.
Figure 5: Workload account reference architecture
This integrated architecture supports digital engineering practices by enabling data-driven decision-making throughout the system lifecycle. AWS Transit Gateway connects the three accounts, making it possible for users to authenticate through the shared services account, access virtual desktops in the end users account, and execute workloads that process data and run simulations in the digital engineering workload account. Because the Transit Gateway is the only path between the accounts, its route tables are where spoke-to-spoke isolation and forced inspection through the network account are actually enforced.
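The segmentation that the Transit Gateway provides is easy to state and easy to get wrong, so the following is an added example (not code from the AWS post or the LZA) that models hub-and-spoke route tables offline. The CIDRs, attachment names, and the split into spoke, shared, and inspection route tables are assumptions chosen for illustration; the point it demonstrates is that two spokes can only reach each other through the inspection VPC in the network account, that spoke-to-shared-services traffic stays symmetric, and that a blackhole route drops traffic regardless of the default route.

```python
"""Hub-and-spoke segmentation with Transit Gateway route tables.

Added example, not code from the AWS post. It models, offline, how
separate Transit Gateway route tables keep the end users, shared
services and digital engineering workload accounts from reaching each
other except through the network account's inspection VPC. The CIDRs,
attachment names and table layout are assumptions made for illustration.
"""
import ipaddress

# Constructed topology: one VPC attachment per account (assumed CIDRs).
VPCS = {
    "network-inspection": "10.0.0.0/24",
    "shared-services": "10.10.0.0/16",
    "end-users": "10.20.0.0/16",
    "de-workload": "10.30.0.0/16",
}


def owner(dst_ip):
    """Name of the VPC whose CIDR contains dst_ip, or None (e.g. internet)."""
    ip = ipaddress.ip_address(dst_ip)
    for name, cidr in VPCS.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None


class RouteTable:
    """A TGW route table: longest-prefix match; target None is a blackhole."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (ip_network, attachment-name-or-None)

    def add(self, cidr, target=None):
        self.routes.append((ipaddress.ip_network(cidr), target))
        return self

    def lookup(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for net, target in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


# Spoke table (end users, workload): a direct route to shared services only;
# everything else, including the other spoke and the internet, goes to the
# inspection VPC. No spoke-to-spoke route exists, so isolation does not
# depend on security groups inside the VPCs. The /16 blackhole is a
# constructed example of a decommissioned range that must never be forwarded.
spoke = (RouteTable("spoke")
         .add(VPCS["shared-services"], "shared-services")
         .add("10.99.0.0/16")
         .add("0.0.0.0/0", "network-inspection"))

# Shared services table: direct return routes to each spoke keep spoke<->shared
# traffic symmetric, so no stateful firewall sits in one direction only.
shared = (RouteTable("shared")
          .add(VPCS["end-users"], "end-users")
          .add(VPCS["de-workload"], "de-workload")
          .add("0.0.0.0/0", "network-inspection"))

# Inspection table: full reachability so the firewall can forward traffic on.
inspection = RouteTable("inspection")
for name, cidr in VPCS.items():
    inspection.add(cidr, name)

ASSOCIATION = {
    "end-users": spoke,
    "de-workload": spoke,
    "shared-services": shared,
    "network-inspection": inspection,
}


def path(src, dst_ip, max_hops=4):
    """Attachments a packet traverses from src toward dst_ip. Ends with the
    destination VPC, 'INTERNET' (egress through the inspection VPC's own
    gateway), or 'DROP' when no route matches or a blackhole is hit."""
    hops, cur, dst_vpc = [src], src, owner(dst_ip)
    for _ in range(max_hops):
        nxt = ASSOCIATION[cur].lookup(dst_ip)
        if nxt is None:
            return hops + ["DROP"]
        hops.append(nxt)
        if nxt == dst_vpc:
            return hops
        if nxt == "network-inspection" and dst_vpc is None:
            return hops + ["INTERNET"]
        cur = nxt
    return hops + ["LOOP"]


def inspected(src, dst_ip):
    """True when traffic from src to dst_ip must pass the inspection VPC."""
    return "network-inspection" in path(src, dst_ip)[1:]


if __name__ == "__main__":
    for s, d in [("end-users", "10.30.0.5"), ("end-users", "10.10.1.1"),
                 ("de-workload", "198.51.100.9"), ("end-users", "10.99.0.1")]:
        print(f"{s} -> {d}: {' -> '.join(path(s, d))}")
```

A useful habit is to keep a check like `inspected()` in the pipeline that deploys route-table changes: a new direct spoke-to-spoke route added for convenience silently removes the firewall from the path, and nothing inside either VPC will notice.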
Tailoring the blueprint for mission outcomes
With the secure foundation and specialized accounts deployed, organizations can now implement flexible mission-specific workflows. Let’s explore how these digital engineering capabilities work together in a practical application that enables real-time predictive maintenance for in-service vehicles.
Here’s how the workflow operates:
1. Data ingestion
- AWS IoT Core receives real-time operational data from on-board sensors (such as propulsion systems, gear boxes, dynamic components, or built-in-test equipment) over mutually authenticated TLS, with each device presenting its own certificate, and an IoT rule forwards that data to Amazon Kinesis Data Streams for processing.
- AWS Storage Gateway transfers engineering design data such as computer-aided design (CAD) models, component specifications, or product lifecycle management (PLM) records to Amazon Simple Storage Service (Amazon S3).
2. Workflow management
- AWS Step Functions orchestrates the end-to-end workflow, including extract, transform, and load (ETL) pipelines of sensor data, model validation steps for predictive algorithms, and analytics processes for fleet-wide analysis.
- AWS Lambda executes discrete processing tasks such as data transformation of raw sensor readings, setup of simulation parameters for different scenarios, and validation checks for maintenance prediction models.
- Amazon EventBridge schedules regular ETL jobs for historical data analysis and triggers real-time analysis based on incoming sensor data.
3. Simulation processing
- AWS Batch executes large-scale fleet simulations, including mission scenarios, deployment schedules, and resupply schedules.
- Amazon EMR and Amazon Elastic Compute Cloud (Amazon EC2) process vast amounts of design data for performance analysis and develop optimal deployment strategies or maintenance intervals.
4. Data lake architecture
- Amazon S3 serves as the central repository and authoritative source of truth for the system digital twin data, including complete historical records of operational data, maintenance logs, configuration, parts lists, and design specifications.
- AWS Glue Data Catalog enables efficient discovery and preparation of data for various analytics tasks, such as comparing performance across other models in the same weapon system class or analyzing maintenance patterns.
5. Predictive analytics
- Amazon SageMaker deploys ML models for:
- Prediction of equipment failure in advance of incidents such as failure of the gear box, propulsion system, or dynamic components.
- Anomaly detection in sensor readings, which could indicate incidents or equipment malfunctions.
- Optimization of maintenance scheduling to reduce unscheduled downtime, automatically adjust inspection intervals, and logically group maintenance tasks.
- Amazon Quick Sight delivers real-time dashboards for both operational personnel (such as commanding officers managing weapon system maintenance and supply) and decision-makers (such as fleet commanders managing overall fleet readiness).
The following figure illustrates the architecture for a mission-specific workflow (predictive maintenance).
Figure 6: Predictive maintenance workflow for a DoW in-service vehicle
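The Lambda step in this workflow is where untrusted device data is shaped before it reaches the data lake and the ML models, so it is also where a malformed, out-of-range, or spoofed reading should be rejected. The following is an added example (not code from the AWS post) of such a handler: it unwraps the Kinesis event envelope that Lambda receives (`Records[].kinesis.data`, base64-encoded), validates each reading against required fields and engineering limits, and flags anomalous values within the batch using a median absolute deviation score rather than a plain z-score, which cannot exceed the square root of the batch size and so never fires on small batches. The sensor names, limits, vehicle IDs, and sample records are constructed for illustration.

```python
"""Lambda handler for the Kinesis leg of the predictive-maintenance flow.

Added example, not code from the AWS post. It shows the 'data
transformation of raw sensor readings' and 'validation checks' step:
decode Kinesis records, reject malformed or out-of-range readings before
they reach the data lake, and flag anomalies. Sensor names, limits and
the sample event are constructed; the event envelope (Records[].kinesis.data,
base64-encoded) is the shape Lambda actually receives from Kinesis.
"""
import base64
import json
import statistics

# Assumed engineering limits per sensor (hypothetical values, inclusive).
LIMITS = {
    "gearbox_temp_c": (-40.0, 200.0),
    "shaft_rpm": (0.0, 12000.0),
    "vibration_mm_s": (0.0, 100.0),
}
REQUIRED = ("vehicle_id", "ts", "sensor", "value")


def validate(reading):
    """Return None if the reading is acceptable, else a rejection reason.
    Type and range checks happen here so a malformed or spoofed device
    message cannot poison the data lake or the model features downstream."""
    if not isinstance(reading, dict):
        return "not an object"
    missing = [k for k in REQUIRED if k not in reading]
    if missing:
        return f"missing fields: {missing}"
    if reading["sensor"] not in LIMITS:
        return f"unknown sensor {reading['sensor']!r}"
    v = reading["value"]
    if isinstance(v, bool) or not isinstance(v, (int, float)):
        return "value is not numeric"
    lo, hi = LIMITS[reading["sensor"]]
    if not lo <= v <= hi:
        return f"value {v} outside [{lo}, {hi}]"
    return None


def flag_anomalies(readings, threshold=3.5):
    """Mark readings whose modified z-score (0.6745 * |x - median| / MAD) exceeds
    the threshold within the same vehicle/sensor group. Batch-local by design;
    a production pipeline would also compare against a baseline from the lake."""
    groups = {}
    for r in readings:
        groups.setdefault((r["vehicle_id"], r["sensor"]), []).append(r)
    for rs in groups.values():
        vals = [r["value"] for r in rs]
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals)
        for r in rs:
            # MAD of 0 means the batch is constant; nothing can be an outlier.
            r["anomaly"] = mad > 0 and 0.6745 * abs(r["value"] - med) / mad > threshold
    return readings


def handler(event, context=None):
    """Kinesis -> decode -> validate -> flag. Returns accepted and rejected
    lists so a Step Functions state (or a test) can branch on the result."""
    accepted, rejected = [], []
    for rec in event.get("Records", []):
        seq = rec["kinesis"].get("sequenceNumber")
        try:
            reading = json.loads(base64.b64decode(rec["kinesis"]["data"]))
        except ValueError:
            rejected.append({"seq": seq, "reason": "invalid JSON"})
            continue
        reason = validate(reading)
        if reason:
            rejected.append({"seq": seq, "reason": reason})
        else:
            accepted.append(reading)
    return {"accepted": flag_anomalies(accepted), "rejected": rejected}


def make_event(payloads):
    """Wrap payloads (dicts, or raw strings for malformed input) in the Kinesis
    event envelope Lambda receives. Constructed test input, not live data."""
    records = []
    for i, p in enumerate(payloads):
        body = p if isinstance(p, str) else json.dumps(p)
        records.append({"kinesis": {"sequenceNumber": str(i),
                                    "data": base64.b64encode(body.encode()).decode()}})
    return {"Records": records}


if __name__ == "__main__":
    sample = [{"vehicle_id": "V-17", "ts": t, "sensor": "gearbox_temp_c", "value": v}
              for t, v in enumerate([80.0, 81.0, 79.0, 82.0, 80.0, 150.0], 1)]
    sample += [{"vehicle_id": "V-17", "ts": 7, "sensor": "gearbox_temp_c", "value": 999.0},
               "{not json"]
    print(json.dumps(handler(make_event(sample)), indent=2))
```

Rejections are returned with the record sequence number rather than silently dropped, so the orchestrating Step Functions state can route them to a quarantine location for forensic review; a burst of rejections from one vehicle ID is itself a signal worth alerting on.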
Conclusion
Digital engineering on AWS transforms the defense system lifecycle through seamless integration, scalability, and innovation, serving as a blueprint for digital transformation success. This post demonstrates the process of building a comprehensive digital engineering environment on AWS, from establishing a secure foundation with Landing Zone Accelerator and the SCCA guidance to extending the architecture with specialized accounts for collaboration, virtual desktop experiences, and workload management.
Backed by AWS Global Infrastructure, robust compliance programs, advanced AI/ML capabilities, and HPC resources, organizations can design, develop, test, and sustain next‑generation defense systems within an environment built to meet DoW authorization requirements. The breadth of AWS services, combined with the expertise of the AWS Partner Network (APN), enables rapid deployment of secure, scalable solutions that reduce costs and shorten development cycles.
As the defense landscape evolves, AWS remains dedicated to supporting your digital engineering transformation. To get started, contact your AWS account team to develop a tailored implementation plan for your organization.