AWS Public Sector Blog

AWS GovCloud (US) or standard? Selecting the right AWS partition

There are many options to consider when deploying workloads onto Amazon Web Services (AWS). AWS has over 200 fully featured services offered across 26 Regions over six continents. With so many choices, it’s understandable for public sector organizations and businesses to have questions about what AWS features are right for their missions.

This blog post explores the options US public sector customers and their business partners should evaluate when selecting an AWS partition. We discuss the differences between AWS GovCloud (US) and the AWS standard partition and how to decide which partition may be the best match for your organization’s security, compliance, and availability needs.

Regions and partitions—explained

An AWS Region is a physical location around the world where AWS clusters data centers. Each group of one or more discrete data centers forms an Availability Zone (AZ). Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area. There are currently 26 AWS Regions and 84 AZs around the world with announced plans for eight more Regions and an additional 24 AZs. These 26 Regions are also distributed across partitions for users to choose from, which include the standard AWS partition and AWS GovCloud (US). But what exactly is an AWS partition?

An AWS partition logically and physically separates groups of AWS Regions, providing data, network, and machine isolation from the AWS Regions in other partitions. The two partitions discussed here – AWS GovCloud (US) and the standard AWS partition – are logically isolated at the network level, and each requires its own separately credentialed access. A partition contains one or more Regions, but each Region belongs to exactly one partition; no Region can be part of two partitions (Figure 1).

Figure 1. AWS partition and Region groupings.

There are multiple partitions for customers to choose from, based on the US Government security classification of the workload. Workloads processing unclassified or official data can use either the AWS GovCloud (US) or the standard partition. AWS also offers additional partitions accredited to operate workloads at the Secret and Top Secret (TS) US security classification levels, but these are out of scope for this blog. Visit the AWS Cloud Computing for Defense hub and the Cloud Computing for the US Intelligence Community hub to learn more about operating workloads at Secret and above security classification.

Recommendation: We recommend deploying workloads that require multiple Regions to be kept within a single partition to reduce compliance, operational, and technical challenges. However, there are limited use cases such as with AWS Direct Connect or Amazon CloudFront where integration of services across multiple partitions can be used to meet specific objectives. AWS customers should reach out to their AWS solutions architect (SA) for more details.

Understanding the AWS GovCloud (US) partition

The AWS GovCloud (US) partition – made up of AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions and services – is an isolated cloud environment where accounts are only granted to US persons working for US Organizations. Because AWS does not have visibility into what customers are uploading to our network, all customer data within AWS GovCloud (US) is treated as regulated. We do this by maintaining the Regions solely with US citizens in US locations. This practice provides customers access to AWS services that can help them comply with various regulations, such as International Traffic in Arms Regulation (ITAR) and Export Administration Regulations (EAR). You can learn more about this in our compliance webinar series on safeguarding export-controlled data and unclassified data with AWS GovCloud (US).

Recommendation: We recommend workloads that are processing or hosting US export-controlled data – data that cannot be transferred, released, or disclosed to foreign countries or foreign nationals without exemption or exception – to be hosted within the AWS GovCloud (US) partition. AWS GovCloud (US) is the recommended partition for customers who want or require a US-persons-only environment, as AWS GovCloud (US) is administered exclusively by US citizens.

While there are additional benefits to hosting workloads in AWS GovCloud (US), there are more variables to consider when choosing between AWS GovCloud (US) and the standard AWS partition. Let’s dive deeper into the details.

Secure your data in a compliant manner

Security is our top priority at AWS. AWS GovCloud (US) offers the same high level of security as standard AWS Regions, supporting existing AWS security controls and certifications. The AWS GovCloud (US) partition adds further compliance certifications on top of those. Its two Regions are Provisionally Authorized To Operate (P-ATO) at the Federal Risk and Authorization Management Program (FedRAMP) High impact level and have received Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level (IL) 2, 4, and 5 Provisional Authorization (PA) for hosting the most sensitive unclassified workloads.

Additionally, the four US Regions in the standard partition have received FedRAMP P-ATO at the Moderate impact level and currently support US government workloads. Check the AWS Services in Scope by Compliance Program page to make sure the desired services meet the compliance framework and impact level required for your workloads. Customers can reduce the risk and effort involved in acquiring a signed ATO by using only the AWS services that have been granted a FedRAMP P-ATO or DoD PA at the required impact level.

Recommendation: We recommend customers use the AWS GovCloud (US) partition for workloads requiring FedRAMP High P-ATO or DoD IL4 and IL5 PA services. For workloads requiring only FedRAMP Moderate P-ATO or DoD IL2 PA services, either partition may be used.

Beyond FedRAMP and the DoD CC SRG, other policies and regulations may apply to data and systems that are slated for the cloud, such as the Defense Federal Acquisition Regulation Supplement (DFARS), DoD Cybersecurity Maturity Model Certification (CMMC), and the Criminal Justice Information Services (CJIS) Security Policy. Each of these can carry underlying requirements for processing and storing Controlled Unclassified Information (CUI). When dealing with data subject to these regulations and policies, careful consideration is needed when choosing which AWS partition is most appropriate.

Recommendation: Because an organization’s security compliance requirements may evolve with regulatory and policy changes, as well as future business opportunities, we recommend customers use the AWS GovCloud (US) partition to help meet CJIS, CMMC, and DFARS policies and definitions. AWS GovCloud (US) was specifically designed to help meet US government security and compliance requirements for all unclassified data sets, including CUI. In some specific scenarios, however, either partition may be eligible to meet your organization’s requirements. Customers should reach out to their AWS SAs for support.

Consider service availability needed for innovation

AWS has over 200 fully featured services available for organizations to digitally transform and accelerate innovation. To take advantage of these, however, workloads must be deployed in Regions where the desired services are generally available. Our general policy is to deliver AWS services, features, and instance types to all AWS Regions within 12 months of their becoming generally available, with the exact timing depending on factors such as customer demand, latency, and data sovereignty.

Recommendation: Always consult the AWS GovCloud (US) user guide and the AWS Regional Services List to confirm service availability and feature parity. For customers who have no specific requirement that only AWS GovCloud (US) meets, we recommend the standard AWS partition, which gives access to the widest range of AWS service offerings.

Go confidently with transparent data residency

Since AWS GovCloud (US) has no international Regions or edge services, choosing the AWS GovCloud (US) partition is a manageable way to help meet data residency storage and processing requirements for US government workloads. It is not, however, the only way to enforce data residency. Customers can use the four US Regions in the standard partition to help achieve US data residency, but this adds a customer-specific responsibility: the customer must implement controls that prevent data from being stored or processed outside the chosen US-based Regions, for example through AWS Control Tower data residency guardrails or service control policies. Regardless of which partition is used, data accessibility controls—which include global accessibility—remain a customer-specific responsibility.

Recommendation: You can use either partition to achieve data residency objectives. However, in the standard partition the customer carries the additional responsibility of enforcing it.
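As an added illustration (not from the original post), the following service control policy is one way to express the standard-partition data residency control described above. It denies any API call whose requested Region is outside the four US standard-partition Regions (us-east-1, us-east-2, us-west-1, us-west-2); the exempted service namespaces in NotAction are an assumed list of global services that are not Region-scoped and would otherwise be blocked, and should be adjusted to the services your workload actually uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideUSRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "budgets:*",
        "cloudfront:*",
        "route53:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2",
            "us-west-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
```

Attach the policy to the organizational unit that holds the affected accounts and verify the effect with a test account before rolling it out broadly, since a missing global-service exemption can break account administration. Note that this controls where API calls may be made; it does not by itself restrict who can access the data, which the post notes remains the customer's responsibility in either partition.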

AWS GovCloud (US) or standard? How to select the appropriate AWS partition

As we’ve described, there are multiple variables to consider when choosing the right partition for your needs. Below is a decision tree to help guide your selection:

Figure 2. A decision tree distilling the previously mentioned considerations when deciding between using AWS GovCloud (US) or the standard partition for your workloads.

*Requirement defined as a specific reference to AWS GovCloud (US) (or any variation thereof) by name directly to include partition, Regions, or services.

AWS recommends documenting your security, compliance, operational, and business requirements first, then evaluating partitions prior to deploying and configuring AWS Regional services. Not evaluating first may compromise your compliance requirements, increase your costs, or delay project timelines.

Learn more about AWS GovCloud (US) and AWS for government

Do you have questions about which cloud partition is right for your organization? Unsure of whether you have a legal or compliance requirement (e.g. DFARS, CJIS, CMMC, HIPAA) that may require use of AWS GovCloud (US)? Reach out to the AWS US Government Security Compliance Team for help. You can also engage with the ATO on AWS Partners to help navigate, automate, and accelerate building compliant workloads on AWS. For more information about how you can meet data residency requirements with AWS, download the AWS Data Residency whitepaper.
