AWS Security Blog
Nine additional AWS cloud service offerings authorized by DISA
September 9, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details.
I’m excited to share that the Defense Information Systems Agency (DISA) has authorized three additional Amazon Web Services (AWS) services at Impact Level (IL) 4 and IL 5 in the AWS GovCloud (US) Regions, as well as five additional AWS services and one feature at IL 6 in the AWS Secret Region, under the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG). Together, these nine newly authorized AWS offerings give DoD mission owners additional capabilities in these areas:
- Processing of controlled unclassified information (CUI), including mission-critical workloads for unclassified National Security Systems in the AWS GovCloud (US) Regions.
- Processing of classified and mission-critical workloads for National Security Systems in the AWS Secret Region.
By using cloud services, the U.S. Government is better able to deliver necessary information and data to mission stakeholders.
With the additional three services authorized at IL 4 and IL 5, AWS now offers a total of 71 services and 17 features for the AWS GovCloud (US) Regions. And with the additional five services and one feature authorized at IL 6, AWS now offers a total of 37 services and 10 features for the AWS Secret Region. AWS remains the first and only commercial cloud service provider that is accredited to offer regions to serve government workloads across the unclassified, Secret, and Top Secret classifications.
Overview of newly authorized AWS services
The nine AWS offerings authorized by DISA provide the following capabilities.
| AWS Region |
Service and description |
| AWS GovCloud (US) Regions (IL 4 and 5) |
AWS Batch – Run hundreds of thousands of batch computing jobs on AWS and dynamically provision the optimal quantity and type of compute resources (for example, CPU or memory-optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. |
| AWS GovCloud (US) Regions (IL 4 and 5) |
AWS Certificate Manager (ACM) – Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and mission owner internal connected resources. ACM removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. Mission owners can quickly request a certificate, deploy it on ACM-integrated AWS resources, such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on Amazon API Gateway, and let ACM handle certificate renewals. |
| AWS GovCloud (US) Regions (IL 4 and 5) |
AWS Storage Gateway – A cloud storage service that gives mission owners on-premises access to virtually unlimited cloud storage. Mission owners can use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases, including moving backups to the cloud, using on-premises file shares backed by cloud storage, and providing low-latency access to data in AWS for on-premises applications. |
| AWS Secret Region (IL 6) |
Amazon CloudWatch Logs – Monitor, store, and access log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources, and centralize the logs from all systems, applications, and AWS services in a single, highly scalable service. |
| AWS Secret Region (IL 6) |
Amazon Elasticsearch Service (Amazon ES) – A fully managed service that makes it easy for mission owners to deploy, secure, and run Elasticsearch cost-effectively at scale. Mission owners can build, monitor, and troubleshoot their applications by using the tools they love, at the scale they need. The service provides support for open source Elasticsearch APIs, managed Kibana, and integration with Logstash and other AWS services. |
| AWS Secret Region (IL 6) |
Amazon EMR – Set up, operate, and scale your big data environments by automating time-consuming tasks like provisioning capacity and tuning clusters. |
| AWS Secret Region (IL 6) |
Amazon EventBridge – Receive a near-real-time stream of system events that describe changes in AWS resources, and respond to operational changes by taking corrective action as necessary, sending messages to respond to the environment, activating functions, making changes, and capturing state information. |
| AWS Secret Region (IL 6) |
Amazon Route 53 – A highly available and scalable cloud Domain Name System (DNS) web service that is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to internet applications. Route 53 is also fully compliant with IPv6. |
| AWS Secret Region (IL 6) |
VM Import/Export (a feature of Amazon EC2) – Import virtual machine images from the existing environment to Amazon EC2 instances and export them back to the on-premises environment. |
Why does authorization matter?
For Impact Levels 4 and 5, DISA’s authorization demonstrates that AWS effectively implemented more than 421 security controls by using applicable criteria from NIST SP 800-53 Revision 4, the US General Services Administration’s FedRAMP High baseline, and the DoD CC SRG.
For IL 6, AWS successfully completed an independent evaluation by members of the Intelligence Community (IC) and DISA that confirmed that AWS effectively implemented 859 security controls by using applicable criteria from NIST SP 800-53 Revision 4, the DoD CC SRG, and the Committee on National Security Systems Instruction No. 1253 at the Moderate Confidentiality, Moderate Integrity, and Moderate Availability impact levels in the AWS Secret Region. The AWS Secret Region is available to the Department of Defense on the AWS GSA IT Multiple Award Schedule.
To learn more about AWS solutions for DoD, see our Cloud Computing for Defense offerings. Follow the AWS Security Blog for future updates about our Services in Scope by Compliance Program. If you have feedback about this blog post, let us know in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.