The Algorithm
Insights / Architecture / Government · 11 min read · 2026-03-29

AWS GovCloud Architecture Patterns for FedRAMP-Authorized Systems

325+ NIST SP 800-53 Rev 5 controls that AWS GovCloud customers are responsible for implementing — not inherited from AWS
AWS GovCloud (US) provides the geographic isolation and restricted service set required for FedRAMP Moderate and High baseline workloads — but the FedRAMP authorization boundary requires specific configurations that are the customer's responsibility. Landing Zone setup, Security Hub control mappings to NIST 800-53 Rev 5, GuardDuty threat detection configuration, CloudTrail immutable audit logging, and the boundary between GovCloud and commercial AWS services are all architectural decisions that determine whether a system achieves and maintains authorization.

AWS GovCloud (US) is two regions — us-gov-west-1 (Oregon) and us-gov-east-1 (Virginia) — with restricted service access, US-person operating requirements, and separate API endpoints from commercial AWS. Selecting GovCloud as the deployment target satisfies one FedRAMP requirement: geographic isolation of data to US soil. It satisfies no other FedRAMP requirement. FedRAMP authorization requires implementing NIST SP 800-53 Rev 5 controls across the full application stack — and the controls that are the customer's responsibility (not inherited from AWS) number over 325 for the Moderate baseline and over 400 for High. This article covers the GovCloud-specific architectural patterns that matter for FedRAMP authorization, not the general AWS security best practices that apply everywhere.

AWS Landing Zone for GovCloud

AWS Control Tower is not available in GovCloud. The Landing Zone Accelerator for GovCloud (available on GitHub at aws-solutions/landing-zone-accelerator-on-aws) is the AWS-provided alternative — a CloudFormation-based solution that deploys the account vending machine, security baseline, and networking baseline required for a FedRAMP-aligned multi-account architecture. The Landing Zone Accelerator implements: AWS Organizations with SCP guardrails that enforce GovCloud boundaries, centralized logging to a dedicated log archive account with S3 Object Lock for WORM retention, AWS Security Hub with NIST 800-53 standard enabled, AWS Config with conformance packs aligned to NIST 800-53, and VPC architecture with defined ingress/egress points.

The critical gap in Landing Zone Accelerator: it implements the infrastructure baseline, not the application control baseline. NIST 800-53 control families AC (Access Control), AU (Audit and Accountability), IA (Identification and Authentication), SC (System and Communications Protection), and SI (System and Information Integrity) require application-level implementations that the Landing Zone Accelerator does not provide. These are the controls that examiners and 3PAOs evaluate most closely during FedRAMP initial authorization and continuous monitoring.

The Engineering Reality

The boundary between AWS GovCloud inherited controls and customer-responsible controls is defined in the AWS FedRAMP Customer Responsibility Matrix (CRM), available in the AWS GovCloud FedRAMP authorization package on the FedRAMP Marketplace. Before designing your application security architecture, obtain the CRM and map every NIST 800-53 Rev 5 control to either "inherited" or "customer" responsibility. For High baseline, over 60% of controls are customer responsibility.

Security Hub Configuration for FedRAMP

AWS Security Hub in GovCloud supports the NIST SP 800-53 security standard, which maps Security Hub findings to NIST 800-53 Rev 4 controls (Rev 5 mapping is in progress as of 2025). Enable the NIST 800-53 standard in Security Hub and configure finding aggregation to the centralized security account. Critical configuration: Security Hub findings must flow to a SIEM (Splunk, OpenSearch, or equivalent) with a documented incident response workflow. FedRAMP continuous monitoring requires that security findings be triaged and remediated within defined timelines — typically Critical findings within 15 days, High within 30 days, per NIST SP 800-137.

CloudTrail for FedRAMP Audit Logging

FedRAMP NIST 800-53 Rev 5 AU-2 (Audit Events) and AU-3 (Content of Audit Records) require specific audit event categories and record content. Configure CloudTrail with: management events for all regions, data events for S3 (object-level logging) and Lambda, and CloudTrail Insights for anomaly detection. Route CloudTrail logs to the log archive account S3 bucket with Object Lock (WORM) configured for the retention period required by your FedRAMP authorization (minimum 3 years for FedRAMP, longer if your underlying regulation requires it). CloudTrail log integrity validation (SHA-256 hash chain) must be enabled — this satisfies AU-9 (Protection of Audit Information).
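The CloudTrail and log-archive settings above can be verified offline before a 3PAO does it for you. The checker below is an added example, not code from the article; it consumes dictionaries shaped like the boto3 `describe_trails`, `get_event_selectors` and `get_object_lock_configuration` responses (the sample values are constructed here, and the region and control-ID mappings follow the article's text).

```python
"""Offline check of a CloudTrail trail and its log-archive bucket against the
FedRAMP audit-logging pattern: AU-2/AU-3 event coverage, AU-9 integrity
validation and WORM retention. Inputs mirror boto3 response shapes; no AWS
call is made, so it runs anywhere (e.g. in CI against exported JSON)."""

GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
MIN_RETENTION_YEARS = 3  # the article's stated FedRAMP minimum
REQUIRED_DATA_EVENTS = ("AWS::S3::Object", "AWS::Lambda::Function")


def audit_trail(trail: dict, selectors: dict, lock: dict) -> list[str]:
    """Return a list of findings; an empty list means the trail meets the pattern."""
    findings = []
    if trail.get("HomeRegion") not in GOVCLOUD_REGIONS:
        findings.append("SC-7: trail home region is outside GovCloud")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("AU-2: trail is not multi-region; management events must cover all regions")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("AU-2: global service events (IAM, STS) are not recorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("AU-9: log file integrity validation (SHA-256 digest chain) is disabled")
    if not trail.get("HasInsightSelectors"):
        findings.append("SI-4: CloudTrail Insights anomaly detection is not enabled")

    # AU-3: object-level S3 and Lambda data events must be selected
    logged = {r["Type"] for sel in selectors.get("EventSelectors", [])
              for r in sel.get("DataResources", [])}
    for required in REQUIRED_DATA_EVENTS:
        if required not in logged:
            findings.append(f"AU-3: data events not logged for {required}")

    # WORM retention on the log-archive bucket (Object Lock in COMPLIANCE mode)
    cfg = lock.get("ObjectLockConfiguration", {})
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("AU-9: log archive bucket has no Object Lock (WORM) configuration")
    elif rule.get("Mode") != "COMPLIANCE":
        findings.append("AU-9: Object Lock mode must be COMPLIANCE, not GOVERNANCE")
    else:
        years = rule.get("Years", 0) + rule.get("Days", 0) / 365  # API sets one or the other
        if years < MIN_RETENTION_YEARS:
            findings.append(f"retention: default {years:.1f}y is below {MIN_RETENTION_YEARS}y")
    return findings


# Constructed sample: nearly compliant, but missing Lambda data events and
# using GOVERNANCE mode (deletable by privileged users) instead of COMPLIANCE.
SAMPLE_TRAIL = {"Name": "org-trail", "HomeRegion": "us-gov-west-1",
                "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
                "LogFileValidationEnabled": True, "HasInsightSelectors": True}
SAMPLE_SELECTORS = {"EventSelectors": [{"ReadWriteType": "All", "DataResources": [
    {"Type": "AWS::S3::Object", "Values": ["arn:aws-us-gov:s3:::"]}]}]}
SAMPLE_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 3}}}}

if __name__ == "__main__":
    for finding in audit_trail(SAMPLE_TRAIL, SAMPLE_SELECTORS, SAMPLE_LOCK):
        print(finding)
```

Feed it the live responses from `boto3.client("cloudtrail", region_name="us-gov-west-1")` and the log-archive account's S3 client to turn it into a continuous-monitoring check.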

  1. Enable GuardDuty in all GovCloud accounts with 30-day threat intelligence retention — GuardDuty findings partially satisfy FedRAMP SI-3 (Malicious Code Protection) and SI-4 (Information System Monitoring)
  2. Configure AWS Config with the GovCloud-specific managed rules for FedRAMP — nist-800-53-rev-5 conformance pack — and ensure Config recording covers all resource types
  3. Implement AWS IAM Identity Center (formerly SSO) for human access to GovCloud accounts — individual IAM users without MFA are a finding in virtually every FedRAMP assessment
  4. Configure VPC Flow Logs for all GovCloud VPCs with log retention to the centralized S3 archive — required for SC-7 (Boundary Protection) and AU-12 (Audit Record Generation)
  5. Deploy AWS Macie in GovCloud to automate CUI discovery in S3 — Macie satisfies the automated data classification requirement of AC-16 (Security Attributes) and reduces manual CUI inventory burden