AeoliTech Whitepaper

AWS GovCloud CUI Enclave Design

Expert research on CMMC preparation and defense compliance

Building an Isolated Enclave for CUI Workloads in AWS GovCloud (US)

Author: Leonard Esere, Senior Cloud Security Architect

Date: April 2026

Organization: Aeolitech


Abstract

Amazon Web Services GovCloud (US) provides two physically and logically isolated regions—US-East and US-West—operated exclusively by US persons and authorized at the FedRAMP High baseline and DoD Impact Levels 4 and 5. For Defense Industrial Base (DIB) contractors, GovCloud offers a compelling platform for hosting Controlled Unclassified Information (CUI) workloads, particularly for organizations with mature DevSecOps pipelines, containerized workloads, or contracts requiring IL4/IL5 separation across multiple programs. This whitepaper presents a comprehensive CUI enclave design for AWS GovCloud, covering region selection, isolation architecture, IAM Identity Center configuration, Control Tower landing zones, encryption with customer-managed KMS keys, logging and audit pipelines, and threat detection using Security Hub, GuardDuty, and Macie. The paper also compares the tradeoffs between whole-tenant GovCloud and purpose-scoped CUI enclaves within a larger GovCloud organization.


Table of Contents

1. AWS GovCloud (US): Region Overview and Isolation Model

2. Compliance Authorizations and FedRAMP High Baseline

3. Enclave vs. Whole-Tenant GovCloud: Architecture Tradeoffs

4. Control Tower Landing Zone for CUI

5. VPC Design for CUI Enclaves

6. Identity and Access Management: IAM Identity Center

7. Encryption Architecture: KMS with Customer-Managed CMKs

8. Logging and Audit: CloudTrail, S3 Object Lock, and SIEM

9. Threat Detection and Data Discovery

10. Security Hub: Continuous Compliance Monitoring

11. Mapping to NIST 800-171 and CMMC Level 2

12. About the Author

13. References


1. AWS GovCloud (US): Region Overview and Isolation Model

AWS GovCloud (US) consists of two regions:

  • us-gov-west-1 (AWS GovCloud US-West) — located in the western United States, the older and more service-complete of the two regions
  • us-gov-east-1 (AWS GovCloud US-East) — located in the eastern United States, launched in 2018 to provide geographic redundancy and additional capacity

Both regions are:

  • Physically and logically isolated from AWS commercial regions
  • Accessible only to US citizens and US nationals who agree to the GovCloud participation requirements
  • Operated by US persons on US soil
  • Reachable over the public internet and via AWS Direct Connect from approved facilities
  • Subject to export compliance reviews for any customer using the regions

Cross-region data replication between US-East and US-West is supported and encouraged for high-availability CUI workloads. Data remains within the AWS GovCloud partition; no CUI data transits commercial AWS infrastructure. This is a key distinction from multi-region strategies in commercial AWS.

AWS GovCloud partition isolation: GovCloud accounts exist in a separate AWS partition (aws-us-gov) from commercial AWS (aws). Amazon Resource Names (ARNs) reflect this partition distinction. IAM policies, S3 bucket policies, and Service Control Policies (SCPs) written for commercial accounts cannot be directly copied to GovCloud—partition names must be updated. This is a common migration pitfall.

Service availability: Not all commercial AWS services are available in GovCloud. As of 2026, more than 150 services are available in GovCloud compared to more than 200 in commercial regions. Services critical for CUI workloads—EC2, ECS, EKS, RDS, S3, VPC, IAM, KMS, CloudTrail, CloudWatch, Config, Security Hub, GuardDuty, Macie, Control Tower, Systems Manager, Secrets Manager, and WAF—are available in both GovCloud regions.


2. Compliance Authorizations and FedRAMP High Baseline

AWS GovCloud (US) holds the following compliance authorizations relevant to DIB contractors:

| Framework | Level/Designation | Notes |
|---|---|---|
| FedRAMP | High (P-ATO) | Authorized by FedRAMP JAB; both US-East and US-West |
| DoD SRG | Impact Level 2, 4, 5 | IL5 PA issued by DISA |
| ITAR | Compliant | GovCloud restricts access to US persons |
| CJIS | Security Policy compliant | Available with appropriate agreement |
| IRS 1075 | Compliant | Federal Tax Information (FTI) |
| HIPAA | BAA available | Healthcare workloads |
| DFARS 252.204-7012 | Supported | CUI workloads, requires customer configuration |

FedRAMP High vs. CMMC: FedRAMP High authorization means AWS GovCloud has been assessed against NIST SP 800-53 Rev 5 High baseline by a FedRAMP-recognized Third-Party Assessment Organization (3PAO). CMMC Level 2 is based on NIST SP 800-171 Rev 2 (110 controls), which maps to a subset of NIST 800-53. GovCloud's FedRAMP High authorization means many controls are inherited at the infrastructure layer—but contractors must still configure, implement, and document their portion of the shared responsibility.

DoD IL5 configuration: In GovCloud US-East and US-West (non-DoD regions), some services require additional configuration for IL5 workloads. The DoD-exclusive us-gov-east-1 zone (reserved for DoD entities) provides IL5 by default. Most defense contractors—who are not DoD entities—use standard GovCloud regions with explicit IL5 configuration. DISA's Cloud Computing SRG provides detailed IL5 configuration guidance for each AWS service.


3. Enclave vs. Whole-Tenant GovCloud: Architecture Tradeoffs

Two primary architectural patterns exist for CUI in GovCloud:

Pattern A: Whole-Tenant GovCloud

The entire AWS organization is created in GovCloud. All accounts—production, development, sandbox, logging, security tooling—exist within the aws-us-gov partition.

Advantages:

  • Simpler compliance scoping: entire tenant is within the compliance boundary
  • No cross-partition networking or identity federation complexity
  • All guardrails applied uniformly
  • Easier to demonstrate CMMC boundary to assessors

Disadvantages:

  • Higher cost: GovCloud services are ~10-30% more expensive than commercial equivalents
  • Reduced service availability for non-CUI development workloads
  • Slower feature release cadence vs. commercial AWS
  • Developer experience friction for teams accustomed to commercial tooling

Pattern B: CUI Enclave Within a Hybrid Organization

A dedicated AWS GovCloud organization hosts CUI workloads, while a separate commercial AWS organization handles non-CUI development, testing, and non-sensitive operations. Identity federation connects both.

Advantages:

  • Cost optimization: non-CUI workloads run on commercial AWS at lower cost
  • Full commercial service access for development teams
  • Faster iteration in non-regulated environments

Disadvantages:

  • Complex identity federation (two IAM Identity Center instances, SAML federation)
  • Strict data boundary controls needed to prevent CUI from bleeding into commercial environment
  • More complex compliance scoping and evidence collection
  • Cross-partition networking risks if not carefully architected

Recommendation: For contractors where CUI workloads represent the majority of operations, Pattern A (Whole-Tenant) is preferred for assessment simplicity. For larger organizations with significant non-defense commercial operations, Pattern B with rigorous data boundary controls is viable. This whitepaper focuses on Pattern A with best-practice enclave segmentation within a GovCloud organization.


4. Control Tower Landing Zone for CUI

AWS Control Tower in GovCloud (US) provides the automated landing zone framework. Due to GovCloud partition restrictions, the setup procedure differs from commercial AWS:

Pre-requisites:

1. A commercial AWS account serving as the billing/management account

2. Two pre-created GovCloud accounts for Log Archive and Audit purposes

3. AWS Organizations enabled in the GovCloud partition with all features enabled

Account factory structure for CUI:

```
Management Account (GovCloud)
├── Security OU
│   ├── Log Archive Account (centralized S3 log bucket, Object Lock)
│   └── Security Tooling Account (Security Hub, GuardDuty, Macie, Config)
├── Infrastructure OU
│   └── Network Account (Transit Gateway, Direct Connect, VPC sharing)
├── CUI Workloads OU
│   ├── CUI-Production Account (production CUI applications)
│   ├── CUI-Staging Account (pre-production with full controls)
│   └── CUI-DevTest Account (development, same GovCloud boundary)
└── Non-CUI OU
    └── Corporate Tools Account (HR, finance tools, no CUI data)
```

Service Control Policies (SCPs): SCPs are the enforcement layer at the organizational level. Key SCPs for CUI enclaves:

```json
// SCP: Restrict to GovCloud regions only
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideGovCloudRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-gov-west-1",
            "us-gov-east-1"
          ]
        }
      }
    }
  ]
}
```

```json
// SCP: Require encryption for S3 buckets (supports NIST 800-171 3.13.16)
// Note: SCPs do not support a Principal element; the statement applies to every
// principal in the accounts the SCP is attached to.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedS3Puts",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "s3:x-amz-server-side-encryption": [
            "aws:kms",
            "AES256"
          ]
        }
      }
    }
  ]
}
```
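Two of the pitfalls described above (Section 1's partition mismatch in ARNs, and the fact that SCPs do not accept a Principal element) are easy to catch mechanically before a policy is pushed to the GovCloud organization. The following Python script is an added example written for this whitepaper, not code from AWS or from Aeolitech's tooling: it rewrites commercial `arn:aws:` ARNs to the `aws-us-gov` partition and reports leftover commercial region names and unsupported SCP elements. The sample bucket policy and the account ID in it are constructed for illustration.

```python
"""Lint IAM / SCP policy documents for AWS GovCloud portability (added example)."""
import re

GOVCLOUD_PARTITION = "aws-us-gov"
COMMERCIAL_ARN = re.compile(r"arn:aws:")
# Commercial region names only; us-gov-* never matches because "gov" is not a direction.
COMMERCIAL_REGION = re.compile(
    r"\b(?:us|eu|ap|ca|sa|me|af|il)-"
    r"(?:east|west|north|south|central|northeast|southeast|northwest|southwest)-\d\b"
)


def port_to_govcloud(policy):
    """Deep-copy `policy`, rewriting every arn:aws: ARN to arn:aws-us-gov:."""
    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            return COMMERCIAL_ARN.sub(f"arn:{GOVCLOUD_PARTITION}:", node)
        return node
    return walk(policy)


def _strings(node):
    """Yield every string value in a nested JSON structure."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _strings(v)
    elif isinstance(node, str):
        yield node


def lint_policy(policy, is_scp=False):
    """Return findings that would break, or silently weaken, the policy in GovCloud."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if is_scp and ("Principal" in stmt or "NotPrincipal" in stmt):
            findings.append(f"{sid}: SCPs do not support Principal/NotPrincipal; remove it")
        for value in _strings(stmt):
            if COMMERCIAL_ARN.search(value):
                findings.append(f"{sid}: commercial-partition ARN {value!r}")
            for region in COMMERCIAL_REGION.findall(value):
                findings.append(f"{sid}: commercial region {region!r} referenced")
    return findings


# Constructed sample: a bucket policy copied from a commercial account (account ID is fictitious).
COMMERCIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::cui-bucket/*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
    }],
}

if __name__ == "__main__":
    for line in lint_policy(COMMERCIAL_POLICY):
        print("before:", line)
    for line in lint_policy(port_to_govcloud(COMMERCIAL_POLICY)):
        print("after: ", line)
```

Region references are reported rather than rewritten on purpose: a commercial region in a condition usually needs a human decision about which GovCloud region (or both) should replace it.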

AWS Config: Enabled across all accounts with a delegated administrator in the Security Tooling account. AWS Config aggregates resource configuration history and change tracking. Custom Config rules enforce CUI-specific requirements: no public S3 buckets, no unencrypted EBS volumes, required security group rules, CloudTrail enabled in all regions, root account MFA enabled.

AWS Audit Manager: Pre-built assessment frameworks for NIST 800-53 Rev 5 and FedRAMP High are available in GovCloud. Audit Manager continuously collects evidence against these frameworks—a significant advantage for CMMC assessment preparation. Evidence includes Config rule evaluations, CloudTrail API calls, and Security Hub findings, automatically timestamped and organized by control.


5. VPC Design for CUI Enclaves

Each CUI workload account receives a dedicated VPC (Virtual Private Cloud) with purpose-designed subnets:

VPC CIDR allocation example: 10.20.0.0/16 for CUI-Production

```
VPC: 10.20.0.0/16 (CUI-Production, us-gov-east-1)
├── Public Subnets (no CUI data permitted)
│   ├── 10.20.0.0/24 (AZ-A) — ALB ingress tier only
│   └── 10.20.1.0/24 (AZ-B) — ALB ingress tier only
├── Private App Subnets
│   ├── 10.20.10.0/24 (AZ-A) — Application tier
│   └── 10.20.11.0/24 (AZ-B) — Application tier
├── Private Data Subnets
│   ├── 10.20.20.0/24 (AZ-A) — RDS, ElastiCache, EFS
│   └── 10.20.21.0/24 (AZ-B) — RDS, ElastiCache, EFS
└── Management Subnets
    ├── 10.20.30.0/24 (AZ-A) — Systems Manager endpoints, Bastion
    └── 10.20.31.0/24 (AZ-B) — Systems Manager endpoints
```

Internet access: No public IPs on application or data tier. Internet-bound traffic from private subnets routes through a NAT Gateway in the public subnet—NAT Gateway egress is minimized and ideally eliminated for pure CUI enclaves. VPC Endpoints (Gateway type for S3, DynamoDB; Interface type for all other services) eliminate the need for NAT Gateway traffic to reach AWS services.

Transit Gateway: The Network Account hosts an AWS Transit Gateway shared across CUI accounts via AWS Resource Access Manager (RAM). Route tables on the Transit Gateway enforce:

  • CUI accounts cannot route to non-CUI (Corporate) accounts
  • All internet-destined traffic routes to a central Inspection VPC running AWS Network Firewall
  • Direct Connect (or Site-to-Site VPN) terminates on the Transit Gateway for on-premises connectivity

AWS Network Firewall (central Inspection VPC):

```
Inspection VPC: 10.10.0.0/16 (Network Account)
├── Firewall Endpoints (AZ-A, AZ-B)
└── Management Subnets
```

AWS Network Firewall provides stateful deep packet inspection, IDPS rules (Suricata-compatible), domain filtering, and TLS inspection. All east-west and north-south traffic transits the firewall. Firewall logs (flow, alert) are delivered to the central S3 log bucket in the Log Archive account with Object Lock enabled.

Security Groups: Follow a least-privilege posture. No 0.0.0.0/0 inbound rules. Application security groups reference the ALB security group as source, not IP ranges. Data tier security groups reference only the application tier security group.
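The three security-group rules above (no world-open inbound rules, application tier sourced only from the ALB security group, data tier sourced only from the application security group) can be checked against an account's rule set before or after deployment. The script below is an added example written for this whitepaper, not code from AWS or from Aeolitech; it applies the rules literally, so an internet-facing ALB rule from 0.0.0.0/0 is reported and must be handled as a documented exception. The group IDs, tiers, and rules in the sample are constructed.

```python
"""Check security group ingress rules against the CUI enclave tier model (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IngressRule:
    protocol: str                    # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # IP-range source, if the rule uses one
    source_sg: Optional[str] = None  # referenced security group, if the rule uses one


@dataclass
class SecurityGroup:
    sg_id: str
    tier: str                        # "ingress" (ALB), "app", or "data"
    rules: List[IngressRule] = field(default_factory=list)


WORLD = {"0.0.0.0/0", "::/0"}
# Which tier's security group may be the source for each tier: app <- ALB, data <- app.
ALLOWED_SOURCE_TIER = {"app": "ingress", "data": "app"}


def check_security_groups(groups):
    """Return findings for rules that violate the enclave's security-group posture."""
    by_id = {g.sg_id: g for g in groups}
    findings = []
    for g in groups:
        for r in g.rules:
            where = f"{g.sg_id} ({g.tier}) {r.protocol} {r.from_port}-{r.to_port}"
            if r.cidr in WORLD:
                findings.append(f"{where}: world-open inbound rule from {r.cidr}")
            if r.protocol == "-1":
                findings.append(f"{where}: all-protocol rule")
            want = ALLOWED_SOURCE_TIER.get(g.tier)
            if want is None:
                continue  # the ingress tier has no upstream security group to reference
            if r.cidr is not None:
                findings.append(f"{where}: CIDR source {r.cidr}; reference the {want}-tier SG instead")
            else:
                src = by_id.get(r.source_sg)
                if src is None or src.tier != want:
                    findings.append(f"{where}: source {r.source_sg} is not the {want}-tier SG")
    return findings


# Constructed sample: one group per tier, with two drifted rules on the data tier.
SAMPLE_GROUPS = [
    SecurityGroup("sg-alb", "ingress", [IngressRule("tcp", 443, 443, cidr="0.0.0.0/0")]),
    SecurityGroup("sg-app", "app", [IngressRule("tcp", 8080, 8080, source_sg="sg-alb")]),
    SecurityGroup("sg-data", "data", [
        IngressRule("tcp", 5432, 5432, source_sg="sg-app"),
        IngressRule("tcp", 5432, 5432, cidr="10.20.0.0/16"),  # drift: CIDR instead of SG reference
        IngressRule("-1", 0, 65535, source_sg="sg-alb"),      # drift: all protocols from the wrong tier
    ]),
]

if __name__ == "__main__":
    for finding in check_security_groups(SAMPLE_GROUPS):
        print(finding)
```

In a real account the same structures can be filled from `describe_security_groups` output; the check itself does not depend on boto3, which keeps it usable as a unit test in the infrastructure-as-code pipeline.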

VPC Flow Logs: Enabled on all VPCs with ALL traffic capture (not just REJECT). Delivered to CloudWatch Logs and forwarded to the central S3 log bucket with Object Lock retention.


6. Identity and Access Management: IAM Identity Center

IAM Identity Center in GovCloud (US) (formerly AWS SSO) provides centralized workforce identity management for the GovCloud organization. It is logically separated from any commercial IAM Identity Center instance.

Directory integration: IAM Identity Center can integrate with:

  • An AWS-managed directory (simplest, but limited)
  • AWS Directory Service (Managed Microsoft AD) — recommended for organizations with Windows environments
  • An external identity provider via SAML 2.0 and SCIM (e.g., Okta, Ping Identity, Microsoft Entra ID Government) — recommended for organizations already using Entra ID GCC High

Permission sets for CUI accounts:

| Permission Set | Linked AWS Managed Policy / Inline | Target Accounts |
|---|---|---|
| CUIAdmin | AdministratorAccess | CUI accounts (restricted, PIM-equivalent activation required) |
| CUIDeveloper | PowerUserAccess minus IAM/KMS mutations | CUI-DevTest only |
| CUIReadOnly | ReadOnlyAccess | All CUI accounts |
| SecurityAuditor | SecurityAudit | All accounts |
| BillingViewer | Billing | Management account |

Customer-managed KMS for Identity Center: As of October 2025, IAM Identity Center supports customer-managed KMS keys for encrypting identity data at rest. For CUI environments requiring key lifecycle auditability, configure a CMK in the GovCloud KMS service:

```json
// KMS key policy statement for the IAM Identity Center CMK
// aws:SourceAccount is left blank here; set it to the GovCloud management account ID
{
  "Sid": "Allow_IdentityCenter_to_use_the_KMS_key",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "sso.amazonaws.com",
      "identitystore.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:ReEncryptTo",
    "kms:ReEncryptFrom",
    "kms:GenerateDataKeyWithoutPlaintext"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": ""
    }
  }
}
```

MFA enforcement: IAM Identity Center MFA policy is set to Required for all users. Supported MFA types: TOTP authenticator apps (Authy, Google Authenticator) and FIDO2/WebAuthn hardware security keys. For administrators and privileged permission sets, FIDO2 keys (YubiKey) are strongly recommended to satisfy phishing-resistant MFA for NIST 800-171 3.5.3.

Root account controls: AWS GovCloud management account root credentials are secured with:

  • Hardware MFA (physical token)
  • Root credentials stored offline in sealed physical envelope
  • Root access alert in CloudTrail → CloudWatch Events → SNS → ISSO notification
  • SCP denying root actions on all non-management accounts


7. Encryption Architecture: KMS with Customer-Managed CMKs

AWS KMS in GovCloud uses FIPS 140-2 Level 3 validated HSMs for all key operations. GovCloud KMS endpoints enforce FIPS 140-2 cryptographic standards by default—this is enforced at the endpoint level, unlike commercial AWS where FIPS endpoints are optional.

Key hierarchy for CUI enclaves:

| Key Purpose | Key Alias | Scope | Rotation |
|---|---|---|---|
| CUI S3 Data | alias/cui-s3-data | CUI-Production account | Annual (automatic) |
| CUI EBS Volumes | alias/cui-ebs | CUI-Production account | Annual (automatic) |
| CUI RDS | alias/cui-rds | CUI-Production account | Annual (automatic) |
| CUI Secrets Manager | alias/cui-secrets | All CUI accounts | Annual (automatic) |
| Log Archive S3 | alias/logarchive-s3 | Log Archive account | Annual (automatic) |
| IAM Identity Center | alias/identitycenter-cmk | Management account | Annual (manual) |

Key policies follow least-privilege: The kms:* wildcard is never used. Key administrators (a dedicated IAM role in the Security Tooling account) can manage key metadata but cannot perform cryptographic operations. Workload roles receive only kms:GenerateDataKey, kms:Decrypt, and kms:DescribeKey for their specific key alias.
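The three key-policy rules just stated (no kms:* grants, key administrators without cryptographic operations, workload roles limited to kms:GenerateDataKey, kms:Decrypt and kms:DescribeKey) lend themselves to an automated check of each CMK's policy document. The script below is an added example written for this whitepaper, not code from AWS or from Aeolitech. The role ARNs and account ID are constructed, and the caller supplies which principals are key administrators and which are workloads, since that mapping is not recoverable from the policy itself.

```python
"""Check a KMS key policy against the enclave's least-privilege rules (added example)."""
from fnmatch import fnmatchcase

# Actions that perform cryptographic operations with the key material.
CRYPTO_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext",
    "kms:Sign", "kms:Verify", "kms:GenerateMac", "kms:VerifyMac",
}
# The only actions a workload role should hold on its CUI key.
WORKLOAD_ALLOWED = {"kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"}


def _as_list(value):
    """Normalize the string-or-list shapes IAM allows for Statement, Action and Principal."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _aws_principals(stmt):
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return set(_as_list(principal.get("AWS")))
    return set(_as_list(principal))


def lint_key_policy(policy, admin_roles, workload_roles):
    """Return findings for Allow statements that break the three least-privilege rules."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        principals = _aws_principals(stmt)
        if any(a in ("*", "kms:*") for a in actions):
            findings.append(f"{sid}: kms:* wildcard grant")
        # fnmatchcase expands patterns such as kms:ReEncrypt* against the crypto action list.
        if principals & admin_roles and any(fnmatchcase(c, p) for c in CRYPTO_ACTIONS for p in actions):
            findings.append(f"{sid}: key administrator granted cryptographic operations")
        if principals & workload_roles:
            extra = sorted(a for a in actions if a not in WORKLOAD_ALLOWED)
            if extra:
                findings.append(f"{sid}: workload role granted {extra} beyond the allowed set")
    return findings


# Constructed sample (fictitious account ID and role names).
ADMIN_ROLE = "arn:aws-us-gov:iam::111122223333:role/cui-key-admin"
APP_ROLE = "arn:aws-us-gov:iam::111122223333:role/cui-app"
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdministration", "Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "WorkloadUse", "Effect": "Allow", "Principal": {"AWS": APP_ROLE},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        # Drift: an over-broad statement added later that touches both kinds of principal.
        {"Sid": "Drift", "Effect": "Allow", "Principal": {"AWS": [APP_ROLE, ADMIN_ROLE]},
         "Action": ["kms:Decrypt", "kms:ReEncrypt*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_key_policy(SAMPLE_KEY_POLICY, {ADMIN_ROLE}, {APP_ROLE}):
        print(finding)
```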

Envelope encryption pattern: AWS services (S3, EBS, RDS, Secrets Manager) use envelope encryption—a data encryption key (DEK) encrypted by the CMK protects each object. The CMK never leaves the HSM. CloudTrail logs every kms:Decrypt and kms:GenerateDataKey call with principal ARN, timestamp, and source IP, providing a complete audit trail for CUI data access.

Secrets Manager integration: All application credentials, database passwords, and API keys are stored in AWS Secrets Manager encrypted with the cui-secrets CMK. Applications retrieve secrets via IAM role-based access—no hard-coded credentials. Secrets are rotated automatically by Lambda functions on 30-day schedules.


8. Logging and Audit: CloudTrail, S3 Object Lock, and SIEM

CloudTrail multi-region organization trail: A single organization-level CloudTrail trail captures all management events and data events across all GovCloud accounts and both regions. Configuration:

```
Trail Name: org-cui-trail
S3 Bucket: s3://govcloud-logarchive-[account-id]/cloudtrail/
S3 Prefix: AWSLogs/
Encryption: SSE-KMS (alias/logarchive-s3)
Log File Validation: Enabled
Include Management Events: All (Read + Write)
Data Events: S3 (All buckets, Read + Write), Lambda (All functions)
Insight Events: Enabled (detect unusual API activity)
CloudWatch Logs: Enabled (30-day retention, then archive to S3)
```

S3 Object Lock (Log Archive bucket): The log archive S3 bucket has Object Lock enabled in Compliance Mode (not Governance Mode—Governance Mode allows administrators to override the lock, violating DFARS 7012(e) preservation requirements). Retention period: 90 days minimum (DFARS 7012 requirement), extended to 365 days for program-level audit requirements.

```
Bucket: s3://govcloud-logarchive-[account-id]
Object Lock: Enabled (Compliance Mode)
Default Retention: 90 days minimum
Versioning: Enabled
Encryption: SSE-KMS (alias/logarchive-s3)
Public Access: Blocked (all four Block Public Access settings)
Cross-Region Replication: To us-gov-west-1 (for resilience)
```

CloudWatch Logs Insights and Metric Filters: Key metric filters for CMMC-relevant events:

| Event | Metric Filter | Alarm |
|---|---|---|
| Root account login | $.userIdentity.type = Root | Immediate SNS → ISSO |
| Unauthorized API calls | $.errorCode = UnauthorizedAccess | >5 in 5 min |
| CloudTrail disabled | eventName = StopLogging | Immediate |
| KMS CMK deletion scheduled | eventName = ScheduleKeyDeletion | Immediate |
| MFA device deleted | eventName = DeleteVirtualMFADevice | Immediate |
| Security group wide-open | eventName = AuthorizeSecurityGroupIngress AND ipProtocol = -1 | Immediate |
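To validate the six metric filters above before they are deployed, it helps to run the same logic over a handful of CloudTrail events and confirm each rule fires exactly when expected, including the five-minute threshold on unauthorized calls. The script below is an added example written for this whitepaper, not code from AWS or from Aeolitech. The CloudTrail events it processes are constructed JSON lines in the shape CloudTrail emits; the rule for unauthorized calls also matches the `AccessDenied` and `UnauthorizedOperation` error codes that real trails contain, which is an extension of the table's single value.

```python
"""Evaluate the CMMC-relevant CloudTrail metric-filter rules over sample events (added example)."""
import json
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)


def _get(event, dotted):
    """Resolve a dotted key such as 'userIdentity.type' (the $.a.b form used by metric filters)."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _has_all_protocols(node):
    """True if any ipProtocol inside the request parameters is -1 (all protocols)."""
    if isinstance(node, dict):
        if str(node.get("ipProtocol")) == "-1":
            return True
        return any(_has_all_protocols(v) for v in node.values())
    if isinstance(node, list):
        return any(_has_all_protocols(v) for v in node)
    return False


# (rule name, predicate on one event, number of matches within WINDOW that raises an alert)
RULES = [
    ("root-activity", lambda e: _get(e, "userIdentity.type") == "Root", 1),
    ("unauthorized-api", lambda e: e.get("errorCode") in
        ("UnauthorizedAccess", "AccessDenied", "UnauthorizedOperation"), 6),  # ">5 in 5 min"
    ("cloudtrail-stopped", lambda e: e.get("eventName") == "StopLogging", 1),
    ("kms-key-deletion-scheduled", lambda e: e.get("eventName") == "ScheduleKeyDeletion", 1),
    ("mfa-device-deleted", lambda e: e.get("eventName") == "DeleteVirtualMFADevice", 1),
    ("sg-wide-open", lambda e: e.get("eventName") == "AuthorizeSecurityGroupIngress"
        and _has_all_protocols(e.get("requestParameters")), 1),
]


def evaluate(events):
    """Return (rule, eventTime) alerts; a threshold rule fires when its window count reaches the threshold."""
    windows = {name: deque() for name, _, _ in RULES}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        for name, predicate, threshold in RULES:
            if not predicate(e):
                continue
            q = windows[name]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop matches older than the window
                q.popleft()
            if len(q) == threshold:
                alerts.append((name, e["eventTime"]))
    return alerts


def load_events(jsonl):
    """Parse one CloudTrail event per line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed sample events (not from a real trail); fields trimmed to what the rules read.
SAMPLE_LOG = """\
{"eventTime": "2026-04-01T12:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}
{"eventTime": "2026-04-01T12:05:00Z", "eventName": "StopLogging", "userIdentity": {"type": "AssumedRole"}}
{"eventTime": "2026-04-01T12:06:00Z", "eventName": "ScheduleKeyDeletion", "userIdentity": {"type": "AssumedRole"}}
{"eventTime": "2026-04-01T12:07:00Z", "eventName": "DeleteVirtualMFADevice", "userIdentity": {"type": "IAMUser"}}
{"eventTime": "2026-04-01T12:08:00Z", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "AssumedRole"}, "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [{"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}}
{"eventTime": "2026-04-01T12:09:00Z", "eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole"}}
"""
SAMPLE_EVENTS = load_events(SAMPLE_LOG) + [
    {"eventTime": f"2026-04-01T12:02:{s:02d}Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole"}, "errorCode": "AccessDenied"}
    for s in range(0, 60, 10)  # six denied calls within one minute
]

if __name__ == "__main__":
    for rule, when in evaluate(SAMPLE_EVENTS):
        print(f"{when} {rule}")
```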

SIEM integration: Logs are forwarded to the organization's SIEM (Splunk, Microsoft Sentinel, or an AWS-native option). For AWS-native SIEM, Amazon Security Lake (available in GovCloud) normalizes logs into OCSF format and stores them in a dedicated data lake, enabling efficient querying across CloudTrail, VPC Flow Logs, Route 53 Resolver Query Logs, and Security Hub findings.


9. Threat Detection and Data Discovery

Amazon GuardDuty: Enabled across all GovCloud accounts with delegated administration from the Security Tooling account. GuardDuty provides continuous threat detection by analyzing:

  • CloudTrail management and data events
  • VPC Flow Logs
  • DNS query logs
  • S3 data events (S3 Protection)
  • EKS audit logs (EKS Protection) if Kubernetes workloads are present
  • EC2 runtime monitoring (Runtime Protection)
  • RDS and Aurora login events (RDS Protection)

GuardDuty findings in GovCloud are classified using the same finding types as commercial—Reconnaissance, Trojan, UnauthorizedAccess, etc. High-severity findings trigger an EventBridge rule → Lambda → Security Hub finding creation and automated response (e.g., auto-isolating EC2 instances via security group modification for cryptomining detections).

Amazon Macie: Macie is deployed in the CUI-Production account for sensitive data discovery. Macie scans S3 buckets for personally identifiable information (PII) and custom sensitive data patterns relevant to CUI:

Custom Macie data identifiers for CUI discovery:

```
Pattern: DoD Contract Numbers
Regex: [A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}
Keywords: ["contract", "N00024", "FA8726", "W15QKN"]

Pattern: CAGE Codes
Regex: [0-9A-Z]{5}
Keywords: ["CAGE", "cage code", "commercial and government entity"]

Pattern: CUI Banner Markings
Regex: CUI\/\/(SP-ITAR|SP-EAR|EXPT|CTI)
Keywords: ["controlled unclassified", "CUI//"]
```

The contract-number character class is alphanumeric because the leading six characters are a DoDAAC such as N00024, as the keyword list itself shows; a letters-only class would never match the examples.
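Before committing custom data identifiers, it is worth checking how the regex and keyword list behave together, since a five-character CAGE pattern on its own would match almost any product code and is only useful in combination with keyword proximity. The script below is an added example written for this whitepaper, not code from AWS or from Aeolitech: it applies the three identifiers above with Macie-style keyword proximity (a pattern match counts only if a keyword occurs within a maximum distance, 50 characters here, an assumed value). The word-boundary anchors on the two short patterns and the sample text are constructed for the example.

```python
"""Apply the CUI custom data identifiers with keyword proximity, Macie-style (added example)."""
import re

# (regex, keywords) per identifier, mirroring the whitepaper's definitions; \b anchors added
# so that the 5-character CAGE pattern does not fire inside longer tokens.
IDENTIFIERS = {
    "DoD Contract Number": (r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b",
                            ["contract", "N00024", "FA8726", "W15QKN"]),
    "CAGE Code": (r"\b[0-9A-Z]{5}\b",
                  ["CAGE", "cage code", "commercial and government entity"]),
    "CUI Banner Marking": (r"CUI//(SP-ITAR|SP-EAR|EXPT|CTI)",
                           ["controlled unclassified", "CUI//"]),
}
MAX_MATCH_DISTANCE = 50  # assumed proximity, in characters, between keyword and pattern match


def find_cui(text, identifiers=IDENTIFIERS, max_distance=MAX_MATCH_DISTANCE):
    """Return (identifier name, matched text) for pattern matches with a keyword within max_distance."""
    hits = []
    for name, (pattern, keywords) in identifiers.items():
        keyword_spans = [m.span() for kw in keywords
                         for m in re.finditer(re.escape(kw), text, re.IGNORECASE)]
        for m in re.finditer(pattern, text):
            # Gap between keyword and match; 0 when they overlap or touch.
            near = any(max(k_start - m.end(), m.start() - k_end, 0) <= max_distance
                       for k_start, k_end in keyword_spans)
            if near:
                hits.append((name, m.group(0)))
    return hits


# Constructed sample text; the contract number and CAGE code are fictitious.
SAMPLE_TEXT = ("Deliverable under contract N00024-26-C-1234 was shipped by the vendor "
               "(CAGE code 1AB23). This document is marked CUI//SP-ITAR and must not be released.")

if __name__ == "__main__":
    for name, match in find_cui(SAMPLE_TEXT):
        print(f"{name}: {match}")
    print(find_cui("Part number AB123 listed in the catalog."))  # no keyword nearby: []
```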

Macie findings are consolidated in Security Hub for unified visibility. Macie discovery jobs are scheduled weekly on all CUI S3 buckets, with real-time policy-based detection enabled for bucket-level configuration violations (public access enabled, encryption disabled, cross-account access changes).


10. Security Hub: Continuous Compliance Monitoring

Amazon Security Hub was made available in both GovCloud regions in March 2026, providing a unified security posture management console that aggregates findings from GuardDuty, Macie, Inspector, IAM Access Analyzer, Firewall Manager, and AWS Config.

Standards enabled in Security Hub:

| Standard | Relevance |
|---|---|
| AWS Foundational Security Best Practices | Broad security hygiene across services |
| NIST SP 800-53 Rev 5 | Maps to FedRAMP High; CMMC alignment available |
| CIS AWS Foundations Benchmark v3.0 | Hardening baseline for IAM, logging, networking |

Security Hub cross-account aggregation: A Security Hub aggregation region is configured in the Security Tooling account (designated as the delegated administrator). All member accounts auto-join via AWS Organizations integration. Findings from both us-gov-east-1 and us-gov-west-1 are aggregated into a single pane.

Automated response with Security Hub and EventBridge:

```python
import boto3


def handler(event, context):
    # EventBridge delivers Security Hub findings under event['detail']['findings'];
    # the rule that invokes this function is scoped to "S3 bucket is public" findings.
    finding = event['detail']['findings'][0]
    resource_arn = finding['Resources'][0]['Id']
    # S3 bucket ARNs have the form arn:aws-us-gov:s3:::bucket-name
    bucket_name = resource_arn.split(':::')[1]

    s3 = boto3.client('s3')
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={
            'BlockPublicAcls': True,
            'IgnorePublicAcls': True,
            'BlockPublicPolicy': True,
            'RestrictPublicBuckets': True
        }
    )

    # Update finding status
    securityhub = boto3.client('securityhub')
    securityhub.batch_update_findings(
        FindingIdentifiers=[{
            'Id': finding['Id'],
            'ProductArn': finding['ProductArn']
        }],
        Workflow={'Status': 'RESOLVED'},
        Note={'Text': 'Auto-remediated by Lambda', 'UpdatedBy': 'SecurityAutomation'}
    )
```


11. Mapping to NIST 800-171 and CMMC Level 2

AWS GovCloud's FedRAMP High authorization provides significant control inheritance for the underlying infrastructure. Contractors using GovCloud still own the implementation of controls at the application, configuration, and procedural layers.

| NIST 800-171 Domain | Key AWS Service | Implementation Notes |
|---|---|---|
| 3.1.1 Authorized Access | IAM Identity Center, IAM Policies | Permission sets, SCPs |
| 3.1.2 Transaction Control | IAM with condition keys | Resource-level policies |
| 3.1.3 Information Flow | Security Groups, NACLs, Network Firewall | Default-deny posture |
| 3.1.5 Least Privilege | IAM permission boundaries | Deny elevated actions by default |
| 3.1.6 Non-Privileged Accounts | Separate IAM Identity Center permission sets | Admin vs. standard users |
| 3.1.12 Remote Access | Systems Manager Session Manager | No public SSH/RDP; full session logging |
| 3.3.1 Audit Logging | CloudTrail organization trail | All mgmt + data events |
| 3.3.2 Log Review | Security Hub, CloudWatch | Automated alerting, daily review |
| 3.5.3 MFA | IAM Identity Center MFA policy | FIDO2 required for admins |
| 3.13.8 Encryption in Transit | FIPS endpoints, ACM TLS certs | TLS 1.2+ enforced |
| 3.13.10 Key Management | KMS with CMKs | Automated rotation, FIPS 140-2 L3 HSM |
| 3.13.16 Encryption at Rest | S3 SSE-KMS, EBS KMS, RDS KMS | CMKs for all CUI data |
| 3.14.1 Malware Protection | GuardDuty, Inspector | Runtime + vulnerability scanning |
| 3.14.6 Security Alerts | Security Hub, GuardDuty, CloudWatch | Automated alerting to ISSO |

Inherited vs. Shared Controls: AWS's FedRAMP High authorization package (available via AWS Artifact for authorized personnel) documents which controls are fully inherited. Physical security (PE family), personnel security (PS), and underlying infrastructure controls are fully inherited. Application-layer controls—access control policies, audit log review procedures, incident response procedures, configuration management—remain with the contractor.


12. About the Author

Leonard Esere is a Senior Cloud Security Architect at Aeolitech with deep expertise in AWS GovCloud architecture, FedRAMP assessment support, and CMMC compliance implementation for DIB contractors. He has supported security authorization activities at Los Alamos National Laboratory (LANL), contributed to MITRE ATT&CK-based threat modeling for DoD program offices, and holds active DoD clearance credentials. Leonard holds certifications including CISSP, AWS Certified Solutions Architect – Professional, and AWS Certified Security – Specialty.


13. References

1. AWS. AWS GovCloud (US) Overview. https://aws.amazon.com/govcloud-us/

2. AWS. AWS GovCloud (US) User Guide. https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/

3. AWS. AWS Control Tower in AWS GovCloud (US). https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-controltower.html

4. AWS. IAM Identity Center in AWS GovCloud (US). https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-sso.html

5. AWS. AWS Security Hub in AWS GovCloud (US). https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-ashv2.html

6. AWS. IAM Identity Center Customer-Managed KMS Keys. https://aws.amazon.com/about-aws/whats-new/2025/09/aws-iam-identity-center-organization-customer-managed-kms-keys-encryption-at-rest/

7. NIST. Special Publication 800-171 Rev. 2: Protecting CUI in Nonfederal Systems. https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

8. FedRAMP. AWS GovCloud Authorization Package. https://marketplace.fedramp.gov/

9. DISA. DoD Cloud Computing Security Requirements Guide v1 r4. https://public.cyber.mil/dccs/

10. DoD. DFARS 252.204-7012. https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting

11. AWS. IAM Identity Center Blog: Patterns for GovCloud and Commercial Access. https://aws.amazon.com/blogs/publicsector/iam-identity-center-aws-environments-spanning-govcloud-us-standard-regions/

12. NIST. Special Publication 800-53 Rev. 5: Security and Privacy Controls. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final


Call to Action

Aeolitech provides AWS GovCloud architecture design, enclave implementation, and CMMC Level 2 assessment preparation for defense contractors. Our team has hands-on experience architecting CUI enclaves for LANL-adjacent programs and DoD prime contractor supply chains. Contact us for a GovCloud CUI Readiness Assessment—a structured evaluation of your current AWS posture against all 110 NIST SP 800-171 controls with a prioritized remediation roadmap.

© 2026 Aeolitech. All rights reserved. This document is provided for informational purposes. Specific AWS service availability and pricing should be verified at https://aws.amazon.com/govcloud-us/ as services and pricing change frequently.
