AWS Public Sector Blog

Hosting regulated U.S. State and Local Government Workloads in AWS


U.S. State and Local Government (SLG) organizations often have requirements to host regulated workloads with distinct compliance requirements. HAQM Web Services (AWS) provides U.S. SLG customers with an approach to meet compliance needs by using AWS GovCloud (US) regions or AWS U.S. commercial regions. You can find guidance on making this choice in this article.

In this post, we will explain how some U.S. SLG regulated workloads can be hosted in the AWS U.S. commercial regions. Information on hosting workloads in AWS GovCloud (US) is available on this webpage. Many U.S. SLG agencies such as public safety, health and human services, and revenue agencies can realize success running regulated workloads in AWS U.S. commercial regions.

While all AWS global regions are secure, it is important for U.S. SLG customers to evaluate the specific compliance needs of each distinct workload. In this context, compliance refers to adherence to the customer’s applicable regulatory standards.

U.S. SLG compliance on AWS

U.S. SLG customers can inherit AWS compliance controls to help satisfy compliance requirements for many different regulatory bodies. It is important to note that operating in a given AWS U.S. region does not automatically cause a specific customer workload to become compliant. AWS and customers work together using the AWS shared responsibility model which, among many benefits, provides customers a framework to inherit select AWS compliance controls, such as physical security.

AWS Artifact is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS’ compliance documentation and AWS agreements. Independent third-party attestation audits provide assurance that control activities are operating as intended. More specifically, AWS is audited against a variety of frameworks dependent on region and industry. The results of these reports are made available for all AWS customers through AWS Artifact, in the AWS console, at no cost.

U.S. SLG customers who are starting to adopt AWS, expanding their footprint on AWS, or planning to enhance an established AWS environment need a foundation for their cloud environment that keeps compliance at the forefront. One important aspect of this foundation is organizing the AWS environment following a multi-account strategy. AWS Organizations and an appropriate multi-account strategy are necessary elements of a security architecture. Properly separating workloads, teams, and functions provides the foundation for separation of duties and defense-in-depth strategies.

Security Reference Architecture for U.S. SLG Customers

The following diagram illustrates a typical AWS security reference architecture for a U.S. SLG customer. This architectural diagram shows the architecture for six accounts: the organization management account, accounts for security tooling, log archive, network, shared services, and application.

The security tooling account is dedicated to operating security services, monitoring AWS accounts, and automating security alerting and response. The log archive account is dedicated to ingesting and archiving all security-related logs and backups. The network account manages the gateway between the application and the broader internet. The shared services account supports the services that multiple applications and teams use to deliver their outcomes. The application account hosts the primary infrastructure and services to run and maintain an enterprise application.

Figure 1: Multi-account approach for meeting a typical compliance program.

Looking for compliance support for an AWS environment? AWS can help with compliance requirements for U.S. SLG customers. AWS Security Assurance Services can help with infrastructure and data integrity on AWS, covering frameworks such as Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology (NIST), Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act (FISMA), and Criminal Justice Information Services (CJIS).

Security Insights for U.S. SLG Customers on AWS

With AWS, U.S. SLG customers manage the privacy controls of their data and control how data is used, who has access to it, and how it is encrypted. AWS enhances data security by making sure that data remains protected from any AWS operator access. This is achieved through technologies such as the AWS Nitro System, which creates isolated, secure environments for data processing. AWS Nitro is third-party attested and included in the AWS Service Terms (#96) to maintain a service level agreement (SLA) that AWS personnel do not have access to data on the AWS Nitro System. AWS also provides encryption for data at rest and in transit. Sensitive data is protected from unauthorized access at all times, including during active use within the environment. AWS provides a comprehensive encryption strategy that meets the security, privacy, and compliance requirements of various U.S. SLG industries. With this approach, data remains secure and private, regardless of its state.

U.S. SLG customers can separate regulated workloads from nonregulated workloads, as shown in the following diagram. This architecture enables U.S. SLG customers to limit the compliance scope through network segmentation—for example, by using separate virtual local area networks (VLANs)—and to apply the security controls needed to protect the regulated data, such as implementing encryption in transit using Federal Information Processing Standard (FIPS)-compliant IPsec VPN tunnels over AWS Direct Connect. The Application Load Balancer (ALB) and Network Load Balancer (NLB) also support TLS policies that use FIPS 140-3 certified cryptographic modules to protect sensitive information. Customers can enable additional security controls, such as an inspection virtual private cloud (VPC) to centrally inspect the traffic entering and leaving the regulated environments. AWS also recommends implementing HAQM VPC Block Public Access (BPA) for VPCs hosting regulated data to restrict internet access.

Figure 2: Example of redundant connectivity.
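The two controls called out above for the regulated segment, FIPS TLS policies on ALB/NLB listeners and VPC Block Public Access, are straightforward to evidence from API output. The following is an added example (not AWS's code or a tool from the post) that evaluates constructed records shaped like the `describe-listeners` and `describe-vpc-block-public-access-options` responses; the response field names and the FIPS policy naming pattern are assumptions to verify against current AWS documentation before running it on real output.

```python
"""Added example, not AWS code: evaluate load balancer listeners and the VPC
Block Public Access (BPA) setting for a regulated VPC. Input records are
constructed to mirror (assumed) shapes of the `describe-listeners` and
`describe-vpc-block-public-access-options` API responses."""

# Assumption: AWS predefined FIPS TLS policies for ALB/NLB carry "FIPS" as a
# hyphen-separated name segment, e.g. ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04.
def is_fips_tls_policy(policy_name: str) -> bool:
    return "FIPS" in policy_name.upper().split("-")

def evaluate_listeners(listeners: list) -> list:
    """Return one finding per listener that is not protected by a FIPS TLS policy."""
    findings = []
    for lsn in listeners:
        arn, proto = lsn["ListenerArn"], lsn.get("Protocol", "")
        if proto in ("HTTP", "TCP", "UDP", "TCP_UDP"):
            findings.append(f"{arn}: plaintext {proto} listener; regulated data needs TLS")
        elif proto in ("HTTPS", "TLS") and not is_fips_tls_policy(lsn.get("SslPolicy", "")):
            findings.append(f"{arn}: non-FIPS TLS policy {lsn.get('SslPolicy')}")
    return findings

def evaluate_bpa(options: dict) -> list:
    """Flag a VPC BPA mode that still allows internet gateway traffic."""
    mode = options.get("InternetGatewayBlockMode", "off")
    if mode == "block-bidirectional":
        return []
    if mode == "block-ingress":
        return ["VPC BPA is block-ingress; egress through the internet gateway is still allowed"]
    return [f"VPC BPA mode is '{mode}'; VPCs hosting regulated data should block public access"]

# Constructed sample data (not from a real account).
_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/reg-alb/a1b2c3/"
SAMPLE_LISTENERS = [
    {"ListenerArn": _ARN + "d4e5f6", "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04"},   # compliant
    {"ListenerArn": _ARN + "0a1b2c", "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},        # TLS, but not FIPS
    {"ListenerArn": _ARN + "9f8e7d", "Protocol": "HTTP"},        # plaintext
]
SAMPLE_BPA = {"InternetGatewayBlockMode": "off", "State": "update-complete"}

if __name__ == "__main__":
    for finding in evaluate_listeners(SAMPLE_LISTENERS) + evaluate_bpa(SAMPLE_BPA):
        print("FINDING:", finding)
```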

Industry specific guidance for U.S. SLG Customers

U.S. SLG customers have different compliance requirements. The following sections provide general guidance for organizations in justice and public safety, finance and administration, and health and human services.

Justice and public safety for U.S. SLG Customers

Justice and public safety (JPS) systems often store and process criminal justice information (CJI) and must meet the requirements of the CJIS Security Policy. You can read more about AWS and CJIS on this webpage. The Nitro Security Chip enables the most secure cloud platform with a minimized attack surface, as virtualization and security functions are offloaded to dedicated hardware and software. Additionally, a locked-down security model prohibits all administrative access, including that of HAQM employees—eliminating the possibility of human error and tampering.

The following image illustrates the CJIS Security Policy baseline requirements, which include:

  • Data isolation
  • Encryption at rest using AWS Key Management Service (AWS KMS) Customer Managed Keys (CMK)
  • Encryption in transit
  • Media device sanitization
  • Multi-factor authentication (MFA)

Figure 3: Baseline requirements for CJIS.

By removing access to customer data, the overall process is simplified, and the potential threat vectors for CJI are minimized. Innovations in FBI CJIS compliance allow agencies and their government technology partners to implement the stringent, least-privilege access controls required by the CJIS Security Policy. U.S. SLG customers maintain complete ownership and control over their sensitive CJIS data. These innovations also help preserve the critical chain of custody for digital evidence in the cloud by preventing cloud provider personnel from affecting it. The AWS Nitro System virtual compute instances operate on a locked-down security model, prohibiting all interactive administrative access, including that of AWS employees, while AWS KMS provides customer-controlled symmetric encryption for data at rest.
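The CJIS baseline above asks for encryption at rest with AWS KMS customer managed keys specifically, which rules out both unencrypted buckets and SSE-KMS backed by the AWS managed `aws/s3` key. The following is an added example (not AWS's code) that applies that check to constructed records shaped like the S3 `get-bucket-encryption` and KMS `describe-key` responses; the response shapes and the `KeyManager` / `KeyState` field names are assumptions to confirm against current AWS documentation.

```python
"""Added example, not AWS code: verify that buckets holding CJI default to SSE-KMS
with an enabled customer managed key (CMK). Inputs are constructed to mirror the
(assumed) S3 `get-bucket-encryption` and KMS `describe-key` response shapes."""

KMS_ALGORITHMS = ("aws:kms", "aws:kms:dsse")

def check_cmk_at_rest(enc_config: dict, keys: dict) -> tuple:
    """Return (compliant, reason). `keys` maps a key ARN to its KeyMetadata."""
    rules = enc_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    rule = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algo = rule.get("SSEAlgorithm")
    if algo is None:
        return False, "no default encryption rule configured"
    if algo not in KMS_ALGORITHMS:
        return False, f"default algorithm is {algo}, not SSE-KMS"
    key_id = rule.get("KMSMasterKeyID")
    if not key_id:
        return False, "SSE-KMS without a key ID falls back to the AWS managed aws/s3 key"
    meta = keys.get(key_id)
    if meta is None:
        return False, f"key {key_id} not found in the KMS inventory"
    if meta.get("KeyManager") != "CUSTOMER":
        return False, f"key {key_id} is an AWS managed key, not a CMK"
    if meta.get("KeyState") != "Enabled":
        return False, f"CMK {key_id} is in state {meta.get('KeyState')}"
    return True, f"SSE-KMS with enabled CMK {key_id}"

def sse_config(algo: str, key_id: str = None) -> dict:
    """Build a bucket encryption config in the get-bucket-encryption shape (helper)."""
    rule = {"SSEAlgorithm": algo}
    if key_id:
        rule["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}}

# Constructed sample data (not from a real account).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ba0987654321"
SAMPLE_KEYS = {
    CMK_ARN: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    AWS_KEY_ARN: {"KeyManager": "AWS", "KeyState": "Enabled"},
}
SAMPLE_BUCKETS = {
    "cji-evidence": sse_config("aws:kms", CMK_ARN),      # compliant
    "cji-exports": sse_config("aws:kms", AWS_KEY_ARN),   # AWS managed key, not a CMK
    "public-site": sse_config("AES256"),                 # SSE-S3, not SSE-KMS
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_BUCKETS.items():
        ok, reason = check_cmk_at_rest(cfg, SAMPLE_KEYS)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {reason}")
```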

Finance and administration guidance for U.S. SLG Customers

U.S. SLG customers such as revenue, labor, and child support agencies process Federal Tax Information (FTI), which falls under IRS Publication 1075 regulations. You can read more about AWS and IRS 1075 on this webpage. IRS 1075 is aligned to the NIST 800-53 Rev. 5 control set, with some additional requirements, including the IRS Safeguard Computer Security Evaluation Matrix (SCSEM). The IRS requires FedRAMP authorized services and recognizes AWS KMS and the AWS Nitro System as providing logical isolation of FTI in mixed-tenancy environments, so no dedicated hosts are required.

The following image illustrates the baseline requirements for finance and administration, which include:

  • FedRAMP authorized services
  • Data isolation
  • Implement IRS SCSEMs
  • Encryption at rest and in transit
  • Exhibit 7 contract language
  • 45-day notification
  • Media device sanitization
  • MFA

Figure 4: Baseline requirements for finance and administration.

Additionally, for U.S. SLG customers to meet IRS 1075 compliance requirements for FTI data, AWS recommends the following best practices:

Health and human services guidance for U.S. SLG Customers

Health and human services (HHS) systems on AWS are designed to securely ingest, store, and process sensitive data, including personally identifiable information (PII), protected health information (PHI), and FTI. These systems demand stringent security and privacy controls, alongside adherence to specific regulatory compliance requirements such as HIPAA for PHI, Minimum Acceptable Risk Standards for Exchanges (MARS-E) for Affordable Care Act (ACA) administering entities, and IRS Publication 1075 for FTI processing. You can read more about AWS and HIPAA on this webpage. AWS provides a comprehensive suite of tools and services to facilitate compliance, including AWS Security Hub, AWS Config, and AWS CloudTrail. These services automate compliance validation, transforming what are often manual, periodic activities in traditional data centers into routine, ongoing processes that significantly enhance the security posture of HHS workloads.

The following image illustrates the baseline requirements for HHS, which include:

Figure 5: Baseline requirements for HHS.

HHS workloads can be effectively isolated in dedicated accounts, with data stored in U.S. Regions, using least-privilege IAM policies, MFA, and FIPS encryption for data at rest and in transit. Logging and monitoring are streamlined through services such as AWS CloudTrail, AWS Config, HAQM GuardDuty, and AWS Security Hub, in order to adhere to IRS and HIPAA requirements. AWS helps U.S. SLG customers support HIPAA compliance across several accounts by using AWS Organizations, allowing covered entities and their business associates to securely process, store, and transmit PHI using HIPAA eligible services. Additionally, AWS Trusted Advisor provides checks to help customers maintain their security posture for regulated HHS workloads. HIPAA eligible services and FedRAMP compliant services are available in the AWS U.S. regions.

The following reference architecture highlights a web application that is processing and storing regulated data in an AWS U.S. region. It highlights using the FIPS 140-2 or 140-3 endpoints for encrypting data in transit, as well as configuring AWS KMS to encrypt data at rest. It also shows where services operate both inside and outside of the production VPC.

Figure 6: Reference architecture for a compliant workload.

Conclusion

AWS U.S. regions provide U.S. SLG customers with robust and versatile capabilities to meet compliance requirements. Through a comprehensive encryption strategy, AWS protects sensitive data, allowing U.S. SLG customers the choice of which AWS U.S. region best fits their unique mission.

The shared responsibility model of AWS, coupled with its extensive compliance programs and industry-specific guidance, empowers U.S. SLG customers to achieve and maintain compliance with a wide array of regulatory standards. Whether it’s for justice and public safety, finance and administration, or health and human services, AWS provides the necessary tools and services to secure workloads and data so that customers can choose the cloud environment that best fits their unique compliance needs. The advancements in AWS technologies—such as the Nitro System and AWS KMS—further enhance the security posture of public sector workloads, allowing for a more informed, compliance-driven approach to cloud selection.

U.S. SLG agencies across the country are using the power of AWS to unlock their data, improve the citizen experience, and deliver better outcomes. Learn how governments use AWS to innovate for their constituents, design engaging constituent experiences, and more by visiting the AWS Cloud for State and Local Governments hub.

Vignesh Srinivasan

Vignesh is a senior solutions architect at HAQM Web Services (AWS). He previously worked with the Centers for Medicare & Medicaid Services (CMS), including helping to implement the Federal Health Exchange as part of the Affordable Care Act. He was also on the team that fixed healthcare.gov and successfully migrated the system to AWS. He has a master’s degree from Rochester Institute of Technology and an MBA from the University of Maryland.

Doug Gartner

Doug assists strategic government technology customers to design and build their application architectures on HAQM Web Services (AWS). He has more than 15 years of software engineering experience and has supported the design and implementation of many large-scale software applications. His primary expertise lies in distributed computing and data engineering.

Sohaib Tahir

Sohaib is a principal solutions architect and technical leader at HAQM Web Services (AWS), where he partners with US state and local government agencies to modernize their critical financial and administrative systems. With over 15 years of technology and engineering expertise, he helps tax authorities, labor departments, retirement systems, and other government agencies transform their operations through cloud adoption. His work enables these organizations to better serve their constituents through more efficient, secure, and scalable digital solutions. Sohaib specializes in architecting cloud-native systems that help agencies streamline tax collection, enhance workforce services, manage pension programs, and optimize other essential government financial operations.