Government agencies, especially in the intelligence community, need a strategic approach when it comes to deploying cloud security services. Understand your options with this overview of AWS government security offerings, including AWS GovCloud and AWS Secret Region.
Article Security June 7, 2019

Amazon Cloud Security Services: AWS GovCloud, AWS Secret Region, and AWS Top Secret Region

AWS Government Security Offerings

Why Public Institutions Need Cloud Security Services

Not all organizations share the same security concerns in the cloud. While consumers add pressure to retailers (both brick & mortar and online) and social media platforms to protect sensitive data, government agencies—especially those that are part of the intelligence community—must take a more strategic approach when it comes to implementing cloud security services.

The Chief Information Officer of the CIA readily admits that his department has not historically been able to keep pace with innovations in the tech industry as a whole. One of the challenges is the slow-moving nature of government procurement. More importantly, however, agencies that handle classified government documents were openly concerned about data security and compliance in the public cloud.


How to Deploy Cloud Security Services

Amazon Machine Image

One way for security-conscious organizations to take advantage of the cloud—and especially all of the Software as a Service (SaaS) options that operate in the cloud—is to deploy SaaS services on an Amazon Machine Image (AMI). Using an AMI allows institutions to take advantage of all the applications on the Amazon Marketplace while maintaining complete control of the environment.

For many government agencies, using an AMI isn’t enough. To address the concerns government agencies have related to cloud security services, AWS has specific regions that are only available to public sector customers. Let’s take a look at how these regions work, who can access them, and how they are different from the standard AWS regions.


Find AWS regions near you on our interactive map at


AWS Services for Government Agencies

Amazon Security Solutions for Public Sector Cloud

  • AWS GovCloud
  • AWS Top Secret Region
  • AWS Secret Region

There are three special AWS regions designed exclusively for publicly funded establishments. AWS GovCloud Region, which became available in 2011, was the first government-specific cloud region introduced to the market. Followed by AWS Top Secret Region, which launched in 2014, and AWS Secret Region, in 2017.


AWS GovCloud

As the first AWS Region specifically launched for public sector customers, AWS GovCloud offers more security safeguards than those available in a standard AWS region. Here are some of the differences:

  • Before a customer is allowed to provision resources in AWS GovCloud, AWS verifies that the customer is a U.S.-based entity that is either a government organization or a government contractor.
  • AWS GovCloud endpoints are accessible from the public internet, but only to AWS GovCloud customers.
  • AWS GovCloud credentials cannot be used to sign in to standard AWS regions, and standard AWS credentials cannot be used to sign in to AWS GovCloud.
  • The sign-in process is also different. While the standard AWS Management Console is accessed with an email address and password, AWS GovCloud requires logging in with your IAM username.

Learn more about the high-level differences between AWS GovCloud (US) Regions and standard AWS Regions in the AWS GovCloud User Guide.


In addition to these safeguards, only vetted U.S. citizens have physical and login access to the AWS GovCloud region. Still, GovCloud cannot guarantee total data security. While its servers are physically isolated and kept much more secure than the standard regions, AWS GovCloud is still part of the public internet and is theoretically publicly accessible.


AWS Top Secret Region

AWS also has an air-gapped region called the AWS Top Secret Region. After Amazon signed a multi-year, $600 million contract with the U.S. Central Intelligence Agency in 2013, it launched AWS Top Secret Region in 2014 to meet the needs of the intelligence community.

AWS Top Secret Region differs from GovCloud and the Secret Region introduced three years later in the following ways:

  • AWS Top Secret Region is not part of the public internet, but is air-gapped from the internet, providing maximum security.
  • Top Secret Region was built by AWS but is hosted on-premise at the CIA.
  • Top Secret Region is accessible only to the 17 agencies that are considered intelligence agencies.

The AWS Top Secret Region is a private cloud the CIA built on three locations (to provide three availability zones) using AWS technology and expertise. This arrangement gave the intelligence community a way to leverage the power of the cloud without running any security risks. In this case, having a completely air-gapped cloud that is not accessible from the public internet is the only option.


Read more about how the government benefits from public cloud adoption here.


AWS Secret Region

The newest AWS service for government agencies, AWS Secret Region, launched in 2017 and  expanded Amazon’s ability to serve the public sector at all federal classification levels. According to Amazon, the AWS Secret Region can operate workloads up to the Secret U.S. security classification level.

Unlike the Top Secret Region, AWS Secret Region is not hosted on-premise at the CIA and therefore is interpreted as slightly more vulnerable than the intelligence community’s Top Secret Region. However, it’s still separate from the public internet. Most importantly, it can be used by any government agency rather than exclusively by the intelligence community.


For more information about who can access the AWS Secret Region, see this Amazon announcement.


AWS Secret Region uses some of the same tools as the Top Secret Region and bridges the gap between the unclassified AWS GovCloud region and the intelligence-only Top Secret Region. According to the CIA’s CIO, Secret Region benefits the intelligence community too, because it makes it easier to collaborate with other agencies outside the intelligence community whose information is classified, but not Top Secret.


How to Buy AWS Government Services

Purchasing resources in any of the public sector-only regions isn’t like setting up an AWS account in the standard regions. They all have to go through AWS’s public sector sales and require vetting of the organization and contact individuals to ensure they are eligible to use the AWS region in question.


Want to learn more about purchasing AWS government and education cloud services? See our article, “Buying Government and Education Cloud Services Direct or With a Partner.”  


Unlike other cloud management platforms, only CloudCheckr is available as an AMI. Just as importantly, it is the only cloud monitoring platform authorized to run in the in AWS Secret Region. Even in the Secret Region, continuous security monitoring and auto-healing are essential to ensure your environment is as secure as possible at all times.



Follow these links to learn more about how CloudCheckr works with public sector companies in the GovCloud and Secret Region.

Subscribe to our Blog
Sign up now to get more great content.

Related Resources

Learn how CloudCheckr can help you optimize and automate your cloud.

Are You Subscribed to the Check List?


The CloudCheckr Newsletter

Our Best Articles and Insights Direct to Your Inbox




Get What You Need to Succeed—Download our White Papers



Your Role in the Shared Responsibility Model
A Guide to Understanding and Taking Control




Free Webinars Await—See What's Next



Defend Your Clouds

Make Your IT Team Your Strongest Security Asset