AWS GovCloud
Last modified on September 13, 2024
Introduction
AWS GovCloud provides a cloud environment that is operated by United States citizens and uses servers that are physically located within the United States. GovCloud is a cloud platform that provides compliance with a variety of protocols that government entities or affiliated organizations may desire to meet.
StrongDM provides the option for organizations to deploy StrongDM using a version of our control plane that is running in GovCloud. This offering allows many government institutions to use StrongDM to manage and audit access to cloud infrastructure without compromising on their specific security policies.
The GovCloud-hosted version of StrongDM is similar in most respects to the standard offering, but this page provides information on the specific differences.
Differences from the Commercial Version
- Connections between the GovCloud version of the control plane and the StrongDM client and nodes (gateways and relays) meet FIPS 140-3 standards.
- Domain Name System Security Extensions (DNSSEC) are enabled.
Technical Implementation Differences
There are a few differences in the implementation and usage of a GovCloud StrongDM organization.
- If you employ one or more of the StrongDM SDKs, review the SDK variations.
- If you use StrongDM Docker containers (relay, client, rdpreplay), you need to append -fips to the URLs shown on the Download & Install page of the Admin UI or ECR rather than using the standard version. For example: public.ecr.aws/relay:latest-fips.
- Anywhere you use an app.strongdm.com URL in configuration for GovCloud deployments, such as for a SAML entity ID or SCIM connector, replace the app.strongdm.com portion of the value with app.strongdm-gov.com.
SDK variations
GovCloud organizations use the following format for client definition (or provider, for Terraform), which adds a parameter defining the host as api.strongdm-gov.com.
Go
client, err := sdm.New(
    accessKey,
    secretKey,
    sdm.WithHost("api.strongdm-gov.com"), // trailing comma is required before a newline-closed call
)
if err != nil {
    log.Fatalf("failed to create StrongDM client: %v", err)
}
Python
client = strongdm.Client(
    api_access_key,
    api_secret_key,
    'api.strongdm-gov.com:443'
)
Ruby
client = SDM::Client.new(
    api_access_key,
    api_secret_key,
    "api.strongdm-gov.com:443"
)
Java
var opts = new ClientOptions();
opts = opts.WithHostAndPort("api.strongdm-gov.com", 443);
var client = new Client(apiAccessKey, apiSecretKey, opts);
Terraform
provider "sdm" {
    api_access_key = var.SDM_API_ACCESS_KEY
    api_secret_key = var.SDM_API_SECRET_KEY
    host           = "api.strongdm-gov.com:443"
}
Setup and Configuration
Download GovCloud FIPS node installer
The installer for GovCloud nodes is FIPS-compliant and can be downloaded at this direct download link.
Download the FIPS-compliant installer:
curl -J -O -L https://app.strongdm-gov.com/release\?os\=linux\&software\=sdm-cli\&redirect\=true
The downloaded file is a zip file named in the format sdmcli_<VERSION>_fips_linux_amd64, such as sdmcli_42.77.0_fips_linux_amd64.zip. Unzip the file:
unzip <FILENAME>
Lastly, install the package to set up your node:
sudo ./sdm install --relay
Configure a GovCloud node after installation
The environment variable SDM_DOMAIN must be set on the node in order to direct it to use the GovCloud version of StrongDM.
To set an environment variable specifically for a service using systemctl edit, you can follow these steps:
Log in to the node and run sudo systemctl edit sdm-proxy. Doing so opens the current sdm-proxy override file in a text editor (such as nano or vim). If the sdm-proxy file doesn't already exist, open a new file.
In the editor, add the following lines to set the environment variable:
[Service]
Environment="SDM_DOMAIN=strongdm-gov.com"
Save and close the editor.
Reload the systemctl configuration to apply the changes:
sudo systemctl daemon-reload
The service is named "sdm-proxy" if installed via sdm install --relay. Alternatively, you can use systemctl | grep -i sdm to search for the service name.
Set up clients
Additionally, each client needs an SDM_DOMAIN system variable set to the same value, strongdm-gov.com, in order to redirect the client to log in using GovCloud rather than the commercial version of StrongDM.
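The Docker tag, URL and node-setup requirements from this page combined into one script, as an added example that is not StrongDM's own installer or tooling; it assumes a writable OVERRIDE_DIR for the systemd drop-in, a --run flag that triggers the live download and install, and the helper names shown.

```shell
#!/bin/sh
# Added example (not StrongDM's own tooling): runs the relay setup on this page and
# refuses non-FIPS artefacts. OVERRIDE_DIR, --run and helper names are assumed here.
set -e

RELEASE_URL='https://app.strongdm-gov.com/release?os=linux&software=sdm-cli&redirect=true'
OVERRIDE_DIR="${OVERRIDE_DIR:-/etc/systemd/system/sdm-proxy.service.d}"

# Return 0 only for an archive named sdmcli_<VERSION>_fips_linux_amd64.zip.
is_fips_archive() {
  case "$(basename "$1")" in
    sdmcli_*_fips_linux_amd64.zip) return 0 ;;
    *) return 1 ;;
  esac
}
# Append -fips to a container image tag unless the tag already carries it.
fips_image() {
  ref="$1"; last="${ref##*/}"          # inspect only the final path component
  case "$last" in
    *-fips) printf '%s\n' "$ref" ;;
    *:*)    printf '%s-fips\n' "$ref" ;;
    *)      printf '%s:latest-fips\n' "$ref" ;;
  esac
}
# Rewrite a commercial app URL (SAML entity ID, SCIM connector) for GovCloud.
govcloud_url() {
  printf '%s\n' "$1" | sed 's/app\.strongdm\.com/app.strongdm-gov.com/g'
}
# Emit the systemd drop-in from this page that points sdm-proxy at GovCloud.
sdm_domain_override() {
  printf '[Service]\nEnvironment="SDM_DOMAIN=strongdm-gov.com"\n'
}
# Return 0 if a drop-in directory already pins SDM_DOMAIN to strongdm-gov.com.
override_is_govcloud() {
  grep -qs '^Environment="SDM_DOMAIN=strongdm-gov.com"$' "$1"/*.conf
}
# Full procedure: download, verify the name, unzip, install, configure, reload.
setup_relay() {
  file=$(curl -sSJOL -w '%{filename_effective}' "$RELEASE_URL")
  is_fips_archive "$file" || { echo "refusing non-FIPS archive: $file" >&2; return 1; }
  unzip -o "$file"
  sudo ./sdm install --relay
  sudo mkdir -p "$OVERRIDE_DIR"
  sdm_domain_override | sudo tee "$OVERRIDE_DIR/override.conf" >/dev/null
  sudo systemctl daemon-reload
}

if [ "${1:-}" = "--run" ]; then setup_relay; fi
```

Without --run the script only defines the helpers, so it can be sourced to check an existing node (for example override_is_govcloud /etc/systemd/system/sdm-proxy.service.d) before restarting the service.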
Other Considerations
For further information about platform security at StrongDM that is not specific to GovCloud deployments, see the Platform Security page.