AWS Public Sector Blog

Allies can share data and technologies and remain compliant with international regulations using AWS

AWS branded background design with text overlay that says "Allies can share data and technologies and remain compliant with international regulations using AWS"

National security and defense depend upon close collaboration between international allies. These allies want to use each other’s capabilities, which include data and technologies. To protect sensitive data and promote robust cybersecurity frameworks, organizations must consider one another’s compliance requirements. One such requirement is the United States International Traffic in Arms Regulations (ITAR), which restricts and controls the export of defense and military-related technologies in order to safeguard US national security. Here, we explain how Trusted Secure Enclaves (TSE) on Amazon Web Services (AWS) allows non-US national organizations, who want to use the most modern and innovative technology to deliver defense and security missions using the cloud, to do this and be compliant.

ITAR was drafted in the context of on-premises IT systems, before the full power and potential of cloud technology emerged. However, Trusted Secure Enclaves allows national organizations to use the cloud to support ITAR data.

In March 2020, amendments to ITAR clarified that it isn’t an export, reexport, retransfer, or temporary import (or other controlled event) to send, take, or store outside the United States technical data that with these parameters:

  • Unclassified
  • Secured using end-to-end encryption using FIPS 140-2 compliant algorithms, to a minimum of AES 128-bit security strength and a comparable strength of NIST 800-57, part 1, revision 4, encryption
  • Cloud services providers or third parties can’t have access to the decryption keys
  • Data isn’t intentionally sent to a person in or stored in a country proscribed in §126.1
  • Data not sent from a country proscribed in §126.1.

These safeguards might be met simply under the AWS shared responsibility model with the customer. In the shared responsibility model, AWS manages and controls the components from the virtualization layer down to the physical security of the facilities in which the services operate, and AWS customers are responsible for building secure applications. We provide a wide variety of best practices documents, encryption tools, and other guidance our customers can use in delivering application and architectural level security measures. In addition, AWS Partners offer hundreds of tools and features to help customers meet their security objectives, ranging from network security, configuration management, access control, and data encryption.

Trusted Secure Enclaves is one example of the guidance we offer. TSE offers an AWS managed open source solution designed to assist customers in meeting compliance and security requirements in use cases necessitating cloud environments, even those environments hosted outside of the US. We designed TSE reference architectures with our global national security, defense, law enforcement, and government customers to meet their strict security and compliance requirements as they access all the benefits of the cloud. With U.S. Department of State (DoS) modernized definitions surrounding an export and the position on using encryption as a mechanism for managing ITAR compliance, TSE-SE becomes a foundational building block to enable this use case.

Based on the AWS Security Reference Architecture, TSE deploys a multi-account AWS environment with preconfigured security controls. These can address centralized identity and access management, governance, data security, comprehensive logging, and network isolation in line with DoS guidance for protecting ITAR data. TSE allows quick setup and supports innovation in the cloud while meeting security requirements.

Technical controls can be implemented in a TSE environment to help defense contractors, military technology suppliers, aerospace manufacturers, and government-affiliated research institutions make sure they meet ITAR compliance requirements. These include:

  1. Encryption – To protect ITAR controlled data, it should be encrypted at rest using services such as AWS Key Management Service (AWS KMS) or AWS CloudHSM where customers control the encryption keys. They use modern AWS Nitro System based instances because data between Nitro instances is encrypted in transit by AWS. AWS Certificate Manager (ACM) can automatically renew and rotate transport layer certificates, which secure internet connections.
  2. Data location – With AWS, government entities can run sensitive workloads and store data within AWS Regions (physical locations where AWS clusters data centers) and Availability Zones (one or more discrete data centers within an AWS Region) of their choice. In this way, they have control over and knowledge about where their data is stored and processed.
  3. Access controls – Organizations choose an external identity provider for their users to authenticate with. The TSE-SE configuration comes with AWS IAM Identity Center, which uses authentication software that gives users seamless access to your service. Organizations can therefore centralize user management and authentication and benefit from the security and convenience of single sign-on capabilities.
  4. Data perimeter – Establishing a strong data perimeter is vital to achieving compliance. Data perimeters are established when you create a set of preventive guardrails to help make sure that only trusted identities are accessing trusted resources from expected networks. The AWS whitepaper Building a Data Perimeter on AWS explores the topic in depth and will extend to the existing patterns of TSE.
  5. Logging and monitoring – The TSE architecture requires that all logs, such as user activity, network traffic, and security events, are centralized in a dedicated log archive account. This makes sure that the logs are stored securely and can’t be tampered with, allowing for thorough auditing and investigation if needed.

Continual monitoring for suspicious activity and security issues is achieved through various Amazon services (for example, Amazon GuardDuty, AWS Security Hub, and AWS Config). These services analyze data sources and logs to give a comprehensive view of security posture.

Organizations therefore have full visibility of all activities across the whole AWS environment. This allows rapid detection and response to any security incident.

When government entities must be ITAR compliant to access the most modern, innovative technology to support their national security and defense missions, a TSE based AWS Well-Architected Framework can achieve their aims.

Read more