AWS Security Blog

AWS Architecture and Security Recommendations for FedRAMP Compliance

Some of the most common compliance-related requests we receive from our customers are for reference architecture, a template for how to build your infrastructure in the cloud. These requests indicate how some people learn new concepts: reference architecture visualizations can help to clarify subject matter.

In order to clarify how you can use AWS functionality to meet the federal government’s security control requirements, we have published a whitepaper called AWS Architecture and Security Recommendations for FedRAMP Compliance. This whitepaper provides security recommendations for a variety of common use cases. It contains examples that can show you how to satisfy NIST controls by using a broad array of security functionality provided by AWS. If you are a federal customer, this reference architecture enables you to better understand how to accelerate your adoption of the cloud by building secure applications that also comply with federal agency guidelines.

The sample reference architecture contained in this whitepaper includes:

  • Baking AMIs
  • Bootstrapping
  • Cutting Over by Trickle Testing

AWS attained authorization under the FedRAMP℠ program in 2013 for all domestic regions. As a result of this authorization, many federal customers have transitioned their applications to AWS to better position themselves to realize the benefits of the cloud.

We look forward to hearing how you are using the reference architecture and the ways we can improve it. Please contact us for questions about meeting your compliance requirements in the cloud.

Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah. Follow Chad on Twitter.