The AWS GovCloud (United States) region supports United States International Traffic in Arms Regulations (ITAR) compliance. As part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting the physical location of that data to the US. AWS GovCloud (United States) provides an environment that is physically located in the US and where access by AWS personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (United States) environment has been audited by an independent third party to validate that proper controls are in place to support customer export compliance programs.
What is ITAR?
International Traffic in Arms Regulations (ITAR) controls the export of defense-related articles and states that no non-US person can have physical or logical access to the articles stored in the ITAR environment.
ITAR United States Munitions List (USML) covered materials include equipment, components, materials, software, and technical information that can only be shared with US Persons absent special authorization or exemption. US Persons are individuals who are US Green Card holders or US citizens.
How do ITAR requirements apply in the cloud?
ITAR compliance in the cloud focuses on ensuring that information considered technical data is not inadvertently distributed to foreign persons or foreign nations. In order for data to be subject to ITAR, an IT workload or type of data has to be deemed an export according to the US Munitions List (USML).
How does AWS support customers who are subject to ITAR export regulations?
AWS provides customers with the option to store their data in AWS GovCloud (US) managed solely by US Persons on US soil. AWS GovCloud (US) is Amazon’s isolated cloud region where accounts are only granted to US Persons working for US organizations.
Since AWS does not have any visibility into or knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to ITAR regulations, all customer data within the GovCloud region is treated as ITAR data.
How does AWS GovCloud (US) provide assurance to customers that it meets ITAR requirements?
There is no formal ITAR certification. AWS GovCloud (US) is continuously audited by an accredited Federal Risk and Authorization Management Program (FedRAMP) independent third-party assessor (3PAO) and has been issued a FedRAMP High Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO). The Chief Information Officers (CIOs) of the US Department of Defense, Department of Homeland Security, and General Services Administration make up the JAB.
How does the AWS Shared Responsibility apply when Customers are transmitting, processing and storing data subject to ITAR regulations on AWS?
AWS is responsible for the logical and physical compliance of the cloud infrastructure and the core services offered. Customers are responsible for their own on-premises IT infrastructure, applications, and systems. As mentioned above, the AWS GovCloud FedRAMP High JAB P-ATO attests to the controls in place within AWS GovCloud (US) that allow AWS to support customers building ITAR-compliant systems on AWS. This facilitates a customer's management of their own security compliance obligations while processing and storing data in AWS GovCloud (US). Below are some examples:
Safeguard Sensitive Data: Protect sensitive unclassified data with server-side encryption in Amazon S3; store and manage encryption keys with AWS CloudHSM or use the one-click AWS Key Management Service (KMS).
Improve Cloud Visibility: Audit access to and use of sensitive data with Amazon CloudTrail, the API logging service that is managed and operated by US Persons.
Strengthen Identity Management: Limit access to sensitive data by individual, time, and location, and restrict which API calls users are able to make, using identity federation, straightforward key rotation, and the other access control and policy testing tools that are available.
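The three customer-side controls listed above can be expressed together in a single IAM identity-based policy. The policy below is an added illustration, not AWS's own sample code: it denies any request aimed outside the two GovCloud (US) regions, denies S3 uploads that do not request SSE-KMS, and allows reads only with MFA, from a corporate IP range, within a fixed time window. The bucket name EXAMPLE-ITAR-BUCKET, the Sid values, the 203.0.113.0/24 address range, and the dates are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideGovCloud",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-gov-west-1", "us-gov-east-1"]
        }
      }
    },
    {
      "Sid": "DenyUploadsWithoutKmsEncryption",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::EXAMPLE-ITAR-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "AllowReadsWithMfaFromCorporateNetworkInWindow",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws-us-gov:s3:::EXAMPLE-ITAR-BUCKET",
        "arn:aws-us-gov:s3:::EXAMPLE-ITAR-BUCKET/*"
      ],
      "Condition": {
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2024-12-31T23:59:59Z"}
      }
    }
  ]
}
```

Because a StringNotEquals condition also matches when the header is absent, the second statement rejects uploads that omit the server-side-encryption header entirely, not just ones that name a different algorithm. The first statement should be tested with the IAM policy simulator before being attached broadly, since region-less services evaluate aws:RequestedRegion against their home region and every matching call is then denied for the affected principals.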