Archie Gunasekara and Andrew Martin, both staff software engineers at Slack, recently shared lessons learned from building GovSlack, an instance of Slack running in the AWS GovCloud (US) region. They described the challenges of working around unsupported services, creating accounts, and isolating those accounts from the commercial environment.
As described by AWS, the GovCloud (US) region is an “[isolated] region of AWS dedicated to hosting sensitive data and regulated workloads in the cloud.” Gunasekara and Martin note that one of the first challenges is that “only US persons will be allowed access to the production environment,” as this is a core requirement of FedRAMP High. AWS also requires that only U.S. persons manage and have access to the root account keys.
To simplify their setup, Gunasekara and Martin describe creating separate “GovDev” and “GovProd” accounts. While the “GovProd” account is restricted to US persons only, the “GovDev” account is less restricted because it holds no end-user data. This lets development teams deploy and test their applications in the GovCloud environment before handing them over to the GovSlack team, which deploys them into the more tightly controlled “GovProd” account.
AWS ARNs differ between the commercial and GovCloud partitions: commercial accounts use the arn:aws prefix, while GovCloud uses arn:aws-us-gov. Gunasekara and Martin said the team wanted to keep the same Terraform modules for deployment in both their commercial and GovCloud accounts, which means any arn:aws prefix hardcoded in a module breaks as soon as that module is applied in GovCloud.
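One way to keep a single Terraform module partition-agnostic, as an added example that is not Slack's own code: resolve the partition at plan time with the aws_partition data source and build every ARN from it, so the same module yields arn:aws:... against a commercial account and arn:aws-us-gov:... against GovCloud. The bucket name, role name and the check block are assumptions introduced for illustration.

```hcl
# Added example (not from the original page or from Slack). Assumes the
# AWS provider is configured for whichever account the module is applied to.

# Returns "aws" for commercial accounts and "aws-us-gov" for GovCloud.
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  partition  = data.aws_partition.current.partition
  dns_suffix = data.aws_partition.current.dns_suffix
  account_id = data.aws_caller_identity.current.account_id
  region     = data.aws_region.current.name

  # Hypothetical names used only for this example.
  bucket_name = "example-govslack-artifacts-${local.account_id}"
  role_name   = "example-govslack-artifact-reader"

  # Build every ARN from the resolved partition; never hardcode "arn:aws:".
  bucket_arn = "arn:${local.partition}:s3:::${local.bucket_name}"
  log_group_arn = "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:/example/govslack:*"
}

# Fail the plan early if someone applies the module to a GovCloud region
# with a provider that somehow resolved to the commercial partition, or
# vice versa. us-gov-* regions only exist in the aws-us-gov partition.
check "partition_matches_region" {
  assert {
    condition = (
      startswith(local.region, "us-gov-") == (local.partition == "aws-us-gov")
    )
    error_message = "Region ${local.region} does not belong to partition ${local.partition}."
  }
}

# Trust policy: the service principal suffix also comes from the partition
# (it is amazonaws.com in both aws and aws-us-gov, but differs in aws-cn).
data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.${local.dns_suffix}"]
    }
  }
}

# Least-privilege read access to the artifact bucket plus log writes,
# all expressed with partition-derived ARNs.
data "aws_iam_policy_document" "artifact_reader" {
  statement {
    sid       = "ListArtifactBucket"
    actions   = ["s3:ListBucket"]
    resources = [local.bucket_arn]
  }
  statement {
    sid       = "ReadArtifacts"
    actions   = ["s3:GetObject"]
    resources = ["${local.bucket_arn}/*"]
  }
  statement {
    sid       = "WriteLogs"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [local.log_group_arn]
  }
}

resource "aws_iam_role" "artifact_reader" {
  name               = local.role_name
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_iam_role_policy" "artifact_reader" {
  name   = "${local.role_name}-policy"
  role   = aws_iam_role.artifact_reader.id
  policy = data.aws_iam_policy_document.artifact_reader.json
}

output "resolved_partition" {
  value = local.partition
}
```

A quick way to catch regressions is to grep a module tree for the literal string `"arn:aws:` before merging; anything it finds is a partition-specific ARN that will fail in GovCloud. The `check` block requires Terraform 1.5 or later; on older versions the same assertion can be expressed as a `precondition` on the role resource.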
AWS GovCloud is separated logically and physically from the standard commercial regions, and each partition requires its own account credentials; commercial-partition credentials cannot be used in GovCloud. AWS recommends that “workloads that process or host US export-controlled data be hosted within the AWS GovCloud (US) partition.” This includes workloads that require services with a FedRAMP High P-ATO or a DoD IL4 or IL5 provisional authorization.
AWS provides resources on best practices for architecting workloads in GovCloud, including an implementation guide and a user guide. More lessons learned from Slack’s use of GovCloud can be found on the Slack engineering blog.