AWS Public Sector Blog

Securely onboarding countries to the AWS Cloud


In an increasingly digital world, governments and public sector entities are seeking secure and efficient ways to use cloud technologies. As we’ve innovated and expanded the Amazon Web Services (AWS) Cloud, we continue to prioritize making sure customers are in control and able to meet their national regulatory requirements. In addition to the existing breadth and depth of security capabilities, we are investing in an ambitious roadmap of security features, including data residency, granular access restriction, encryption, and resilience. In this post, I share how we at AWS are collaborating with national cyber regulators and other public sector entities to enable secure adoption of the AWS Cloud across countries’ public sectors. I use the success stories of the Netherlands and Spain to highlight what a successful country journey to AWS looks like.

Step 1: Establishing relationships with the cyber regulators

The process of onboarding a country to AWS begins with establishing a relationship with the national or sectoral cybersecurity regulator. This crucial first step identifies the key stakeholders and the country-specific compliance requirements, and seeks to identify and remove potential regulatory blockers for using cloud technologies in the country’s public sector.

Step 2: Compliance mapping and enablement

After the initial relationships are established and the compliance landscape understood, we dive deeper into regulatory requirements. The objective of this step is to determine how the country’s regulatory requirements can be met in the context of the shared responsibility model:

  • AWS responsibility “Security of the Cloud” – AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. AWS third-party audit attestation documents are used to determine which controls are inherited and which required controls remain for customers to implement in their environment.
  • Customer responsibility “Security in the Cloud” – Customer responsibility is determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. Definition of the security controls on the customer side of the responsibility model is based on the AWS security best practices, such as AWS Security Reference Architecture or AWS Well-Architected Framework.

The outcome of this step is a mapping that defines how each applicable compliance requirement is met by AWS-operated controls and customer-operated ones.

Step 3: Foundational setup of a secure landing zone

After the compliance mappings are completed and the controls defined, the next step aims at creating a landing zone that implements the controls on the customer side of the responsibility model. A landing zone is a well-architected, multi-account AWS environment that is scalable and secure. A landing zone provides the central architecture and guardrails in a foundational cloud environment. This is a starting point from which an organization can quickly launch and deploy workloads and applications with confidence in their security and infrastructure environment.

AWS built the Landing Zone Accelerator (LZA) solution to significantly reduce the time it takes for customers to set up a landing zone designed to align with compliance goals in highly regulated industries. LZA helps customers deploy a cloud foundation that is architected to align with AWS best practices and multiple global compliance frameworks. Using LZA on AWS, customers with highly regulated workloads and complex compliance requirements can better manage and govern their multi-account environment. For example, sample LZA configurations that meet different sectoral requirements can be found on the AWS GitHub repository.

The outcome of this step is the LZA configuration template that implements technical controls driven by the country’s regulatory and compliance requirements.
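To make the idea of an LZA configuration template more concrete, the fragment below is an added illustration of what part of an LZA `security-config.yaml` can look like when each setting is tied back to a requirement from the Step 2 mapping. It is constructed for this post; it is not one of the sample configurations in the AWS GitHub repository nor the BIO or ENS template. Key names are assumed to follow the LZA sample configurations and should be checked against the schema of the LZA version being deployed; the requirement ids in the comments are placeholders, not real BIO or ENS identifiers.

```yaml
# Illustrative LZA security-config.yaml fragment (added example, not from the post).
# Key names are assumed to match the LZA sample configs; verify against the LZA
# version you deploy. <REQ-ID-...> values are placeholders for the mapped requirement.
centralSecurityServices:
  # Security tooling is administered from a dedicated audit account,
  # not from the management account                      # maps to <REQ-ID-SEGREGATION>
  delegatedAdminAccount: Audit
  # Encryption at rest by default for new EBS volumes    # maps to <REQ-ID-ENCRYPTION>
  ebsDefaultVolumeEncryption:
    enable: true
    excludeRegions: []
  # Organization-wide block on public S3 access          # maps to <REQ-ID-ACCESS>
  s3PublicAccessBlock:
    enable: true
    excludeAccounts: []
  # Threat detection, aggregated in the audit account    # maps to <REQ-ID-MONITORING>
  guardduty:
    enable: true
    excludeRegions: []
    s3Protection:
      enable: true
      excludeRegions: []
  # Continuous control monitoring against a published standard
  securityHub:
    enable: true
    regionAggregation: true
    excludeRegions: []
    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        enable: true
        controlsToDisable: []
awsConfig:
  enableConfigurationRecorder: true
  enableDeliveryChannel: true
  ruleSets:
    - deploymentTargets:
        organizationalUnits:
          - Root
      rules:
        # AWS Config managed rules; the identifier is the managed rule name,
        # the comment records which mapped requirement the rule evidences
        - name: accelerator-s3-bucket-server-side-encryption-enabled   # <REQ-ID-ENCRYPTION>
          identifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
        - name: accelerator-iam-user-mfa-enabled                       # <REQ-ID-ACCESS>
          identifier: IAM_USER_MFA_ENABLED
        - name: accelerator-cloudtrail-enabled                         # <REQ-ID-LOGGING>
          identifier: CLOUD_TRAIL_ENABLED
```

Recording the mapped requirement next to each setting is what turns the template into compliance evidence: an auditor can trace a finding from Security Hub or AWS Config back to the requirement it covers, and a change to the file shows which requirement it affects.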

Step 4: Workload migration

The LZA template configured in Step 3 is used to instantiate the landing zone in the customer environment. At that point in time, the environment is ready to start migrating workloads to AWS or building cloud-based workloads. The AWS migration framework can be used to accelerate a secure migration process.

Note that some of the controls identified in Step 2 need to be implemented at the workload level, and they need to be addressed as part of the workload migration. Although AWS Professional Services and AWS Partner Network assist in this process, it’s crucial to note that customers remain responsible for demonstrating their compliance with relevant requirements.

Success stories

The described approach was used in both the Netherlands and Spain, and the following briefly describes each country’s journey to success.

The Netherlands

The Baseline Informatiebeveiliging Overheid (BIO) framework is an information security framework that the four layers of the Dutch public sector are required to adhere to. This means that it’s mandatory for the Dutch central government, all provinces, municipalities, and regional water authorities to be compliant with the BIO framework.

To support AWS customers in demonstrating their compliance with the BIO framework, AWS developed a Landing Zone for the BIO framework. This Landing Zone for the BIO framework is a preconfigured AWS environment that includes a subset of the technical requirements of the BIO framework. It’s a helpful tool that provides a starting point from which customers can further build their own AWS environment.

For more information regarding the Landing Zone for the BIO framework, see the AWS Reference Guide for Dutch BIO Framework and BIO Theme-elaboration Cloud Services in AWS Artifact, and this AWS Security Blog post.

Spain

The Spanish National Cryptologic Center (CCN) has published a new STIC guide (CCN-STIC-887 Anexo A), which provides a comprehensive template and supporting artifacts for implementing landing zones that comply with Spain’s National Security Framework (ENS) Royal Decree 311/2022 using the Landing Zone Accelerator on AWS. Spain’s ENS establishes a common framework of basic principles and requirements of security for Spanish public sector organizations and their service providers, including supply chain providers.

If you’re looking for support in designing, building, and operating a landing zone, AWS Professional Services, AWS Managed Services, and the AWS Partner Network can help.

If you’d like to find out more, please contact the AWS Public Sector team.