AWS GovCloud

Last modified on April 19, 2024

Introduction

AWS GovCloud provides a cloud environment that is operated by United States citizens and runs on servers that are physically located within the United States. GovCloud provides compliance with a variety of protocols that government entities or affiliated organizations may desire to meet.

StrongDM provides the option for organizations to deploy StrongDM using a version of our control plane that is running in GovCloud. This offering allows many government institutions to use StrongDM to manage and audit access to cloud infrastructure without compromising on their specific security policies.

The GovCloud-hosted version of StrongDM is similar in most respects to the standard offering, but this page provides information on the specific differences.

Differences from the Commercial Version

  • Connections between the GovCloud version of the control plane and the StrongDM client and nodes (gateways and relays) meet FIPS 140-3 standards.
  • Domain Name System Security Extensions (DNSSEC) are enabled.

Technical Implementation Differences

There are a few differences in the implementation and usage of a GovCloud StrongDM organization.

  • If you employ one or more of the StrongDM SDKs, review the SDK variations.
  • If you use StrongDM Docker containers (relay, client, rdpreplay), you need to use the gov- version of those containers, available on the Download & Install page of the Admin UI or on quay, rather than the standard version.
  • Anywhere you use an app.strongdm.com URL in configuration for GovCloud deployments, such as for a SAML entity ID or SCIM connector, replace the app.strongdm.com portion of the value with app.strongdm-gov.com.

SDK variations

GovCloud organizations use the following format for client definition (or provider, for Terraform), which adds a parameter defining the host as api.strongdm-gov.com.

Go

client, err := sdm.New(
	accessKey,
	secretKey,
	sdm.WithHost("api.strongdm-gov.com"), // Go requires the trailing comma before the closing parenthesis
)

Python

client = strongdm.Client(
	api_access_key,
	api_secret_key,
	'api.strongdm-gov.com:443'
)

Ruby

client = SDM::Client.new(
	api_access_key, 
	api_secret_key,
	"api.strongdm-gov.com:443"
)

Java

var opts = new ClientOptions();
opts = opts.WithHostAndPort("api.strongdm-gov.com", 443);
var client = new Client(apiAccessKey, apiSecretKey, opts);

Terraform

provider "sdm" {
  api_access_key = var.SDM_API_ACCESS_KEY
  api_secret_key = var.SDM_API_SECRET_KEY
  host = "api.strongdm-gov.com:443"
}
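
A pre-deployment check for the hostname substitutions described above (the app.strongdm.com replacement and the SDK host parameter), added here as an example and not StrongDM's own code: it flags commercial control-plane hostnames left in configuration text and rewrites them. The sample input is constructed, and treating api.strongdm.com as the commercial API hostname is an assumption.

```python
import re

# Commercial -> GovCloud hostnames. The app.* pair is from the page; treating
# api.strongdm.com as the commercial SDK default is an assumption of this example.
GOV_HOSTS = {
    "app.strongdm.com": "app.strongdm-gov.com",
    "api.strongdm.com": "api.strongdm-gov.com",
}

# Match the commercial host only as a whole hostname: not as a subdomain label
# (x.app.strongdm.com), not as a prefix of a longer name (app.strongdm.com.example.net).
HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])(?:app|api)\.strongdm\.com(?![A-Za-z0-9-])(?!\.[A-Za-z0-9])",
    re.IGNORECASE,
)

# Constructed sample configuration (keys and paths are placeholders).
SAMPLE = """\
saml_entity_id = "https://app.strongdm.com/placeholder-path"
scim_base_url  = "https://app.strongdm-gov.com/placeholder-path"
host           = "API.strongdm.com:443"
unrelated      = "https://app.strongdm.com.example.net/"
"""


def find_commercial_endpoints(text):
    """Return (line_no, commercial_host, govcloud_host) for every hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in HOST_RE.finditer(line):
            host = match.group(0).lower()
            findings.append((line_no, host, GOV_HOSTS[host]))
    return findings


def rewrite_for_govcloud(text):
    """Replace each commercial hostname with its GovCloud counterpart."""
    return HOST_RE.sub(lambda m: GOV_HOSTS[m.group(0).lower()], text)


if __name__ == "__main__":
    for line_no, old, new in find_commercial_endpoints(SAMPLE):
        print(f"line {line_no}: {old} -> {new}")
```

Run as a CI step over SAML, SCIM, SDK and Terraform configuration, this catches a GovCloud organization that still points at the commercial control plane before it is deployed.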

Other Considerations

For further information about platform security at StrongDM that is not specific to GovCloud deployments, see the Platform Security page.