Until the recent Public Sector AWS Summit in Washington, D.C., I’d gone my entire career without ever having to log into an AWS GovCloud account.
I learned that many of you folks are, in fact, forced to use GovCloud. Moreover, I learned that you probably shouldn’t, for a few very good reasons. But first, for those of you who’ve not had the pleasure of creating a GovCloud account, let’s start from the beginning.
What is GovCloud?
AWS GovCloud consists today of two AWS regions designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud. It checks a whole bunch of compliance checkboxes for things like ITAR, which governs weapons sales abroad, and CJIS controls around criminal justice data. Its marketing team makes a big deal of GovCloud being staffed and run by U.S. citizens on U.S. soil — foolproof all-American security, to be sure. (In their defense, a number of its tenant workloads mandate this.)
So that’s what GovCloud is, and it’s extremely likely that you should not use it.
Don’t use GovCloud
“Don’t use GovCloud” is not actually me waving my arms and screaming about a product being terrible — it’s AWS’s own guidance. To be fair, the AWS Public Sector Blog actually says something more akin to “it depends” if you’re trying to decide whether to use GovCloud. But the blog post’s embedded flow chart (which can be viewed in the Wayback Machine if AWS updates it after this gets published) is very clear: “Here are a bunch of requirements. If you don’t have any of these requirements, use the standard commercial AWS regions.” I agree with this advice! You’ll unlock better capabilities at a lower price if you can use a standard AWS commercial region.
Services, features, and services that are features with an ambitious product owner are slow to come to GovCloud; it’s not exactly bleeding edge. I’ve often said that, one day, when the cloud’s technology outpaces me and moves beyond my technical comfort levels, I’ll go work on GovCloud. It’ll be like time-traveling back a decade, during which time I can reskill for whatever the next chapter of my career holds. (This is only half in jest.)
If you’re using GovCloud, you might be misusing GovCloud
One of the case studies for GovCloud is the state of Kansas’ driver’s license renewal system, managed by PayIt. It’s a near certainty that there is no regulatory requirement for that data to exist within GovCloud.
In fact, the case study in question features this quote from PayIt’s chief client officer, “We developed the PayIt solution natively in AWS GovCloud as part of our core strategy. We knew it would significantly differentiate us in the marketplace.” I’m sorry … competition? For the DMV? I would like to sign up for whatever the competing offering is immediately, please.
I get that this guy is with the contractor and not the government itself, but the entire case study blurs that line magnificently. Also: In what universe is “we’re hosted in GovCloud” a selling point to anybody? It means more red tape, not better security.
GovCloud is defined by its constraints
It’s worth examining just why GovCloud isn’t at feature parity with AWS’s commercial regions. From what I can tell, it’s not that AWS is somehow surprised at this point by any of the government’s requirements around what it takes to run a service there. That leaves the obvious and acceptable reason as the culprit for delays: It takes the government time to do anything.
Note that slower rollouts are exactly what you want from governments most of the time. “I wrote it last night, so it’s probably fine, off to production with it” isn’t the way you generally want to run the country’s court systems. The trade-off is being stuck in the past in some regards.
YubiKeys are a prime example of this. You can’t use YubiKeys in GovCloud to authenticate as a user, but you can in the commercial regions. Part of me wonders whether it was governmental requirements that made YubiKey support come to AWS so embarrassingly late. After all, every employee at AWS has had a YubiKey hanging out of their laptop for many years, and the company’s unofficial slogan is “Work Hard. Have Fun. Make Hicccccctrjltunjldjvbgdtirrllbcgdhltdgddnetuih,” due to the unintentional YubiKey presses that abound throughout Amazon’s various chat platforms internally.
Amazon clearly knew what a YubiKey was. But the government version of a YubiKey is likely an upgrade of an Enterprise YubiKey — that is to say, a 50-pound hardened device with a 6-minute bootup sequence and an interface that’s reminiscent of the 1980s. These things take time, and we should probably not blame AWS for the oftentimes sad state of GovCloud’s feature support.
Update: While this blog post was going through editing, AWS started allowing FIDO2 keys, but I was unable to get it to work. In theory I might be able to fix that by requiring a PIN for the Yubikey, but I’m loath to try it lest I blow apart my ability to log into basically everything else I use this key for.
But Corey, some of us have to use GovCloud …
I am nothing if not here for the audience, so it’s time for me to hold my nose and go for a swim in this morass, though it’s not fit nor allowed for use for most of humankind. Stay tuned for GovCloud Part 2, when I use the service to stand up something and see how it treats me.