$ stagg-solutions ~ $ cd capabilities/cloud
  • Region: us-gov-west-1 · us-gov-east-1
  • Baseline: FIPS 140-3 · TLS 1.3
  • Scope: IL2 · IL4 · IL5-ready


Federal cloud, built right the first time.

Multi-account AWS GovCloud landing zones with control inheritance, IaC-only operations, and a path to confidential compute. We build infrastructure that passes A&A on the first review.

  • Landing zone: Multi-account org · LZA-aligned
  • IaC: Terraform · 100% of prod
  • Drift: Detected · auto-PR'd
  • Network: Transit Gateway · IPv6 dual-stack
  • RPO / RTO: ≤ 5 min · ≤ 15 min

$ cat architecture.txt

Reference architecture.

// multi-account org, centralized everything
// AWS Organizations layout · Stagg federal landing zone

AWS Organization (root) · SCPs · OUs
  Denies destructive actions org-wide · owns the inheritance chain

  • log-archive (audit): CloudTrail · CloudWatch · Athena queries · S3 Object Lock (WORM)
  • security (findings): GuardDuty · Security Hub · Config conformance packs · Macie · IAM Access Analyzer
  • network (hub): Transit Gateway · Route 53 Resolver · IPAM · Network Firewall
  • shared services (tools): ECR · Artifact mirror · Vault · KMS · HSM · Bastion / SSO
  • workload × N OUs (spokes): prod / stage / dev · inherit guardrails — can't disable · TGW-attached spoke VPCs

Inheritance: SCPs from root · Config rules from security · routes from network. Workload accounts cannot disable the guardrails the org delegates to them.

$ ls capabilities/cloud/

What we build.

// six core capabilities
01 · Landing zones (org-level)

LZA-aligned multi-account org. SCPs deny destructive actions in prod. Centralized logging account is the only place CloudTrail and Config write to.

  • Org-wide CloudTrail · log-archive S3 with Object Lock (WORM)
  • AWS Config conformance packs (FedRAMP Moderate / NIST 800-53)
  • GuardDuty + Security Hub findings aggregated to security account
  • Service Catalog products for vetted, pre-approved patterns

02 · Infrastructure as code (terraform)

100% of prod is Terraform. No click-ops. State in S3 + DynamoDB lock per account. Module library is internal-only — never github.com/... direct refs.

  • OpenTofu-compatible · pinned providers · checksum-verified
  • tflint + checkov + tfsec + terraform-compliance in CI
  • Drift detection runs hourly · auto-opens MR with the diff
  • Atlantis-style PR-driven applies behind manual approval gate
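How the hourly drift check can turn `terraform plan -json` output into a decision and an MR body, as an added example (not Stagg's tooling). It assumes the Terraform 1.x machine-readable message types `resource_drift`, `planned_change`, `change_summary` and `diagnostic`; the stream below is a constructed sample in which a security group, the log-archive bucket policy and an SSM parameter were edited by hand:

```python
"""Classify `terraform plan -json` output and decide whether the drift run
should open a merge request.

Added example, not the page's own code. Assumes Terraform 1.x JSON UI message
types; SAMPLE_PLAN_STREAM is constructed for illustration.
"""
import json
from dataclasses import dataclass, field

# Resource types where out-of-band change is a guardrail concern, not just noise.
SENSITIVE_TYPES = {
    "aws_iam_role", "aws_iam_policy", "aws_security_group", "aws_kms_key",
    "aws_s3_bucket_policy", "aws_organizations_policy",
}

# Constructed sample: one line per JSON message, as `terraform plan -json` prints it.
SAMPLE_PLAN_STREAM = """\
{"@level":"info","@message":"Terraform 1.9.0","type":"version","terraform":"1.9.0","ui":"1.2"}
{"@level":"info","@message":"aws_security_group.app: Drift detected (update)","type":"resource_drift","change":{"resource":{"addr":"aws_security_group.app","module":"","resource":"aws_security_group.app","implied_provider":"aws","resource_type":"aws_security_group","resource_name":"app","resource_key":null},"action":"update"}}
{"@level":"info","@message":"aws_s3_bucket_policy.log_archive: Drift detected (update)","type":"resource_drift","change":{"resource":{"addr":"aws_s3_bucket_policy.log_archive","module":"","resource":"aws_s3_bucket_policy.log_archive","implied_provider":"aws","resource_type":"aws_s3_bucket_policy","resource_name":"log_archive","resource_key":null},"action":"update"}}
{"@level":"info","@message":"aws_ssm_parameter.build_tag: Drift detected (update)","type":"resource_drift","change":{"resource":{"addr":"aws_ssm_parameter.build_tag","module":"","resource":"aws_ssm_parameter.build_tag","implied_provider":"aws","resource_type":"aws_ssm_parameter","resource_name":"build_tag","resource_key":null},"action":"update"}}
{"@level":"info","@message":"aws_security_group.app: Plan to update","type":"planned_change","change":{"resource":{"addr":"aws_security_group.app","module":"","resource":"aws_security_group.app","implied_provider":"aws","resource_type":"aws_security_group","resource_name":"app","resource_key":null},"action":"update"}}
{"@level":"info","@message":"aws_s3_bucket_policy.log_archive: Plan to update","type":"planned_change","change":{"resource":{"addr":"aws_s3_bucket_policy.log_archive","module":"","resource":"aws_s3_bucket_policy.log_archive","implied_provider":"aws","resource_type":"aws_s3_bucket_policy","resource_name":"log_archive","resource_key":null},"action":"update"}}
{"@level":"info","@message":"aws_ssm_parameter.build_tag: Plan to update","type":"planned_change","change":{"resource":{"addr":"aws_ssm_parameter.build_tag","module":"","resource":"aws_ssm_parameter.build_tag","implied_provider":"aws","resource_type":"aws_ssm_parameter","resource_name":"build_tag","resource_key":null},"action":"update"}}
{"@level":"info","@message":"Plan: 0 to add, 3 to change, 0 to destroy.","type":"change_summary","changes":{"add":0,"change":3,"import":0,"remove":0,"operation":"plan"}}
"""


@dataclass
class Change:
    addr: str
    resource_type: str
    action: str


@dataclass
class PlanReport:
    drift: list = field(default_factory=list)    # changed outside Terraform
    planned: list = field(default_factory=list)  # what apply would do now
    summary: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)

    def sensitive_drift(self):
        """Addresses of drifted resources that are guardrail material."""
        return sorted(c.addr for c in self.drift if c.resource_type in SENSITIVE_TYPES)


def parse_plan_stream(text):
    report = PlanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            report.errors.append(f"unparseable output line: {line[:60]}")
            continue
        kind = msg.get("type")
        if kind in ("resource_drift", "planned_change"):
            res = msg["change"]["resource"]
            entry = Change(res["addr"], res["resource_type"], msg["change"]["action"])
            (report.drift if kind == "resource_drift" else report.planned).append(entry)
        elif kind == "change_summary":
            report.summary = {k: v for k, v in msg["changes"].items() if isinstance(v, int)}
        elif kind == "diagnostic" and msg.get("@level") == "error":
            report.errors.append(msg.get("@message", "terraform error"))
    return report


def should_open_mr(report):
    # A failed plan gets paged, not merged; a clean plan needs no MR.
    return not report.errors and bool(report.drift or report.planned)


def mr_description(report):
    lines = ["## Hourly drift check", ""]
    for c in report.drift:
        flag = " **(guardrail resource)**" if c.resource_type in SENSITIVE_TYPES else ""
        lines.append(f"- drift: `{c.addr}` {c.action}{flag}")
    for c in report.planned:
        lines.append(f"- apply would: {c.action} `{c.addr}`")
    s = report.summary
    if s:
        lines.append(f"\nPlan: {s.get('add', 0)} to add, {s.get('change', 0)} to change, "
                     f"{s.get('remove', 0)} to destroy.")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = parse_plan_stream(SAMPLE_PLAN_STREAM)
    print("open MR:", should_open_mr(rep), "| guardrail drift:", rep.sensitive_drift())
    print(mr_description(rep))
```

In a pipeline the stream would come from `terraform plan -json -detailed-exitcode` run against the locked state; the exit code says whether anything is pending, the parsed stream says what drifted and which of it touches guardrail resources, and a plan that errored is routed to an alert rather than an MR.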

03 · Network architecture (hub-and-spoke)

Transit Gateway hub in the network account. Workload VPCs attach as spokes. No public IPs in prod unless explicitly approved. VPC endpoints for every supported service.

  • IPv6 dual-stack from day one · no NAT tax for outbound
  • Route 53 Resolver rules + IPAM for non-overlapping CIDRs
  • FIPS 140-3 VPC endpoints · TLS 1.3 minimum
  • AWS Network Firewall with managed Suricata rule groups

04 · Identity &amp; access (least-priv)

IAM Identity Center as the front door. Permission sets are Terraform-managed. No long-lived access keys in prod — period. Break-glass roles require ticket + dual-approval.

  • STS session limits + ABAC tags scoped to OU
  • SCPs deny iam:CreateAccessKey in workload accounts
  • Access Analyzer findings tracked as POA&Ms automatically
  • Federation to GitLab CI via OIDC · no static deploy keys
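Two of the guardrails above as policy documents with a check beside each, as an added example (not Stagg's code): the trust policy for the GitLab CI OIDC role, weak beside hardened, and the SCP that denies `iam:CreateAccessKey` in workload accounts with a break-glass carve-out. The GitLab host `gitlab.example.gov`, the account id, and the project and role names are constructed placeholders; `scp_denies()` is a deliberately simplified evaluator, not IAM's full logic.

```python
"""Guardrail checks: GitLab OIDC trust policy lint and an SCP Deny check.

Added example, not the page's own code. gitlab.example.gov, 123456789012 and
the project/role names are placeholders. scp_denies() only understands Deny
statements matched on Action plus the ArnNotLike aws:PrincipalArn exemption.
"""
import fnmatch

GITLAB_HOST = "gitlab.example.gov"  # hypothetical self-hosted GitLab
PROVIDER_ARN = f"arn:aws-us-gov:iam::123456789012:oidc-provider/{GITLAB_HOST}"

# Weak: any project on the instance, any branch, and no audience pinned.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{GITLAB_HOST}:sub": "*"}},
    }],
}

# Hardened: audience pinned to the instance, one project, main branch only.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITLAB_HOST}:aud": f"https://{GITLAB_HOST}"},
            "StringLike": {f"{GITLAB_HOST}:sub":
                           "project_path:platform/landing-zone:ref_type:branch:ref:main"},
        },
    }],
}

# SCP for the workload OUs: static keys are denied unless you are break-glass.
NO_STATIC_KEYS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyStaticAccessKeys",
        "Effect": "Deny",
        "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {
            "aws:PrincipalArn": "arn:aws-us-gov:iam::*:role/break-glass-*"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_oidc_trust(policy, host):
    """Findings for every Allow statement that names a Federated principal."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Federated" not in st.get("Principal", {}):
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            findings.append("federated principal granted more than AssumeRoleWithWebIdentity")
        # Flatten {operator: {key: value}} so conditions can be looked up by key.
        flat = {k: v for block in st.get("Condition", {}).values() for k, v in block.items()}
        if f"{host}:aud" not in flat:
            findings.append("audience not pinned: any token the provider mints is accepted")
        subs = _as_list(flat.get(f"{host}:sub", []))
        if not subs:
            findings.append("no subject restriction: every project on the instance can assume")
        for sub in subs:
            if sub == "*" or sub.startswith("project_path:*"):
                findings.append(f"subject wildcard too broad: {sub!r}")
            elif sub.endswith(":ref:*"):
                findings.append(f"any branch or tag of the project can assume: {sub!r}")
    return findings


def scp_denies(scp, action, principal_arn):
    """True if a Deny statement covers `action` for this principal. IAM action
    names are case-insensitive and patterns use IAM's '*' wildcard."""
    for st in scp["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(st.get("Action", []))):
            continue
        exempt = st.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if any(fnmatch.fnmatchcase(principal_arn, p) for p in _as_list(exempt)):
            continue  # break-glass principal is carved out of this Deny
        return True
    return False


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST)):
        print(name, lint_oidc_trust(pol, GITLAB_HOST) or ["ok"])
    print(scp_denies(NO_STATIC_KEYS_SCP, "iam:CreateAccessKey",
                     "arn:aws-us-gov:iam::123456789012:role/ci-deploy"))
```

The lint runs in CI against the Terraform-managed trust policies before apply; the SCP check is the kind of assertion a policy unit test makes so the break-glass carve-out stays exactly as wide as the ticket-plus-dual-approval process expects.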

05 · Resilience &amp; DR (multi-region)

Active-active where the workload supports it, warm-standby where it doesn't. Backup vaults locked with vault-lock. Restore is tested quarterly with a real game-day, not a runbook.

  • AWS Backup org policy · cross-region copy · vault-lock immutability
  • RDS / Aurora global cluster · 1-min RPO across regions
  • Route 53 ARC for traffic shifting · health-check first failover
  • Chaos engineering with aws-fis on a schedule
  • RPO target: ≤ 5 min
  • RTO target: ≤ 15 min
  • Restore: tested quarterly

06 · Confidential compute (future-ready)

Nitro Enclaves for workloads that need attested, isolated execution — KMS key material never leaves the enclave. Foundation for FedRAMP High + IL5 trajectories.

  • Nitro Enclaves with KMS attestation-based grants
  • EC2 with NitroTPM + UEFI Secure Boot for cleared baselines
  • Outposts & Snowball Edge for tactical / disconnected scope
  • Wavelength + Local Zones evaluated for edge AI inference
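What "attestation-based grants" means in the key policy, as an added example (not Stagg's code): the same `kms:Decrypt` grant to the enclave's parent-instance role, once without and once with a `kms:RecipientAttestation:PCR0` condition, plus a check that flags any Decrypt-capable statement lacking an attestation condition. The account id, role name and PCR0 value are constructed placeholders; the `kms:RecipientAttestation:*` condition keys are the AWS-documented ones.

```python
"""Key-policy check for enclave-gated KMS decryption.

Added example, not the page's own code. ROLE, the account id and
PCR0_PLACEHOLDER are constructed; a real PCR0 is the SHA-384 measurement of
the approved enclave image file (EIF).
"""
import fnmatch

ROLE = "arn:aws-us-gov:iam::123456789012:role/enclave-parent-instance"  # hypothetical
PCR0_PLACEHOLDER = "0" * 96  # stands in for the real 96-hex-char PCR0 measurement

# Weak: the instance role can call Decrypt from anywhere, enclave or not, so
# stolen instance credentials decrypt just as well as the enclave does.
WEAK_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnclaveDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE},
        "Action": ["kms:Decrypt"],
        "Resource": "*",
    }],
}

# Hardened: same grant, but KMS honours it only when the request carries a
# signed attestation document whose PCR0 matches the approved enclave image,
# so plaintext is released to that enclave and nowhere else.
ATTESTED_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnclaveDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE},
        "Action": ["kms:Decrypt"],
        "Resource": "*",
        "Condition": {"StringEqualsIgnoreCase": {
            "kms:RecipientAttestation:PCR0": PCR0_PLACEHOLDER}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unattested_decrypt(policy, exempt_principals=()):
    """Sids of Allow statements that grant kms:Decrypt without any
    kms:RecipientAttestation condition. Principals in exempt_principals (for
    instance a re-encryption job that legitimately runs outside an enclave)
    are skipped."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principals and all(p in exempt_principals for p in principals):
            continue
        # IAM action names are case-insensitive and may be wildcarded (kms:*).
        if not any(fnmatch.fnmatchcase("kms:decrypt", a.lower())
                   for a in _as_list(st.get("Action", []))):
            continue
        keys = [k for block in st.get("Condition", {}).values() for k in block]
        if not any(k.startswith("kms:RecipientAttestation:") for k in keys):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print("weak:", unattested_decrypt(WEAK_KEY_POLICY))
    print("attested:", unattested_decrypt(ATTESTED_KEY_POLICY))
```

The check belongs in the same CI gate as the trust-policy lint: a Terraform change that drops the attestation condition from an enclave key should fail review before it reaches the approval gate.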

$ cat stack.json

The stack we operate.

// real tools, no buzzwords
  • Cloud (5, gov + commercial): AWS GovCloud (US), AWS Commercial, Azure Gov, Outposts, Snowball Edge
  • IaC (5, prod = 100%): Terraform 1.9+, OpenTofu, Packer, CDK (TS), CloudFormation
  • Org &amp; governance (5): Organizations · SCPs, Control Tower, Service Catalog, Config Conformance Packs, Audit Manager
  • Networking (6, hub-and-spoke): Transit Gateway, PrivateLink, Network Firewall, Route 53 Resolver, IPAM · IPv6, Global Accelerator
  • Identity (5, PIV-capable): IAM Identity Center, Keycloak (RHBK), Okta GovCloud, SAML · OIDC, PIV / CAC
  • Data &amp; storage (6): Aurora (PG / MySQL), S3 · Object Lock, RDS, DynamoDB, EFS · FSx, Aurora DSQL
  • Compute (6): EKS, Lambda, ECS Fargate, EC2 · Nitro, Nitro Enclaves, Graviton4
  • Observability (5): CloudWatch, Grafana (AMG), Prometheus (AMP), OpenTelemetry, X-Ray

$ radar --quarter Q2

What's on the tech radar.

// where we're investing

Adopt

in prod now
  • IPv6 dual-stack: No more NAT tax · cleaner outbound posture
  • OIDC federation to CI: Zero static keys in GitLab
  • S3 Object Lock WORM: Immutable audit logs
  • FIPS 140-3 endpoints: Cipher-suite hygiene by default

Trial

piloting · select workloads
  • Nitro Enclaves: Attested, isolated execution for crypto
  • Aurora DSQL: Active-active SQL across regions
  • EKS Pod Identity: IRSA without the boilerplate
  • Karpenter on Graviton: 40% cost cut on stateless tier

Assess

watching · not yet GA
  • Bedrock GovCloud: When + which models hit ATO
  • Post-quantum KMS: Hybrid key wrap migration path
  • Confidential containers: EKS + AMD SEV-SNP
  • Wavelength edge zones: Tactical-edge inference

$ stagg --scope cloud

Cleared work. Real architecture.

Free consultation. Tell us the program, the boundary, and where you are in the A&A process. We'll come back with an architecture and a fixed quote.

// direct comms

  • Response: within 24 hours
  • Format: free consultation