Defense Cloud Security: Architecting Secure Infrastructure for Regulated Environments

Comprehensive security architecture guide for Azure Government, AWS GovCloud, and hybrid defense cloud environments.

Building secure cloud infrastructure for defense contractors requires understanding not just commercial cloud best practices, but also the specific compliance, isolation, and operational requirements of regulated government workloads.

This guide provides practical architecture patterns, security controls, and operational practices for Azure Government and AWS GovCloud environments supporting CMMC and FedRAMP requirements.

Part 1: Defense Cloud Fundamentals

Government Cloud vs. Commercial Cloud

Key differences:

Physical isolation:

Government clouds operate on dedicated physical infrastructure
Separate datacenters with controlled physical access
No shared physical resources with commercial customers

Logical isolation:

Separate identity planes (Azure Government uses different Azure AD instance)
Distinct management and control planes
Network segregation from commercial cloud

Personnel requirements:

US-based support staff
Background-screened operations personnel
Controlled access to government cloud infrastructure

Compliance authorizations:

FedRAMP High authorization
DoD Impact Level 4/5 approval (Azure Government Secret for IL5)
ITAR, EAR, and CUI handling authorization

Regional availability:

Limited region options (typically US-based only)
Fewer availability zones in some cases
Different service availability timeline (features lag commercial by 3-6 months)

When You Need Government Cloud

Mandatory scenarios:

Handling Controlled Unclassified Information (CUI)
CMMC Level 2 certification (most cases)
DFARS 252.204-7012 compliance
FedRAMP High or DoD IL4+ requirements
ITAR-controlled technical data

Optional but recommended:

Defense contracts with security clauses
Organizations planning to pursue DoD contracts
Companies handling sensitive federal data

Azure Government vs. AWS GovCloud

Azure Government strengths:

Deep integration with Microsoft 365 GCC High
Mature compliance offerings (CMMC, FedRAMP, DoD IL5)
Strong identity integration (Azure AD)
Comprehensive PaaS offerings (App Services, Functions, databases)

AWS GovCloud strengths:

Mature IaaS capabilities
Wide range of compute and storage options
Strong big data and analytics services
Established DoD customer base

Decision factors:

Existing commercial cloud investment (Azure or AWS)
Microsoft 365 GCC High usage (favors Azure Government)
Application architecture (IaaS-heavy vs. PaaS-preferred)
Team expertise and certifications
Specific DoD IL requirements

Part 2: Azure Government Security Architecture

Network Architecture Patterns

Pattern 1: Hub-and-Spoke for Multi-Application Environment

Architecture:

Hub VNet: Shared services (firewall, VPN, monitoring, identity)
Spoke VNets: Application-specific networks (dev, test, prod)
VNet peering: Connect spokes to hub
Forced tunneling: All internet traffic routes through hub firewall

Security benefits:

Centralized egress control
Simplified firewall rule management
Shared security services
Cost efficiency for common services

Implementation considerations:

Plan IP addressing carefully (non-overlapping CIDR blocks)
Use Network Security Groups (NSGs) at subnet level
Deploy Azure Firewall or third-party NVA in hub
Implement Azure Bastion for secure RDP/SSH

Pattern 2: Landing Zone for Enterprise

Components:

Management subscription: Logging, monitoring, security tools
Identity subscription: Domain controllers, Azure AD Connect
Connectivity subscription: Network hub, VPN, ExpressRoute
Application subscriptions: Production and non-production workloads

Azure landing zone benefits:

Scalable governance
Clear separation of concerns
Audit and compliance boundaries
Simplified cost allocation

Governance:

Azure Policy for compliance enforcement
Azure Blueprints for environment provisioning
Management groups for hierarchical policy
Resource tagging standards

Identity and Access Management

Azure AD for Government configuration:

Administrative accounts:

Break-glass accounts (2 minimum, excluded from Conditional Access)
Privileged Identity Management (PIM) for just-in-time access
Separate admin accounts from user accounts
Admin workstations (PAW) for privileged operations

Conditional Access policies:

Policy 1: Require MFA for all users

Assignments: All users (except break-glass)
Cloud apps: All cloud apps
Access controls: Grant access, require MFA

Policy 2: Block legacy authentication

Assignments: All users
Client apps: Exchange ActiveSync, Other clients
Access controls: Block

Policy 3: Require compliant device for CUI access

Assignments: All users
Cloud apps: Azure Government portal, CUI applications
Conditions: Device platforms - Any
Access controls: Require device to be marked compliant

Policy 4: Block access from non-US locations

Assignments: All users (except break-glass)
Locations: Any location, exclude Named location: United States
Access controls: Block

Service principal and managed identity:

Use managed identities for Azure resource authentication
Minimize service principal usage
Rotate service principal secrets quarterly
Audit service principal usage

Network Security Controls

Azure Firewall configuration:

Rule collections for CMMC:

Network rules:

Allow outbound: HTTPS (443) to required Microsoft services
Allow outbound: NTP (123) to time servers
Allow outbound: DNS (53) to approved resolvers
Deny all other outbound by default

Application rules:

Allow specific FQDNs for Windows Update, Microsoft 365, Azure services
Block generic internet access
Log all allowed and denied connections

Threat intelligence:

Enable threat intelligence-based filtering
Set to Alert and Deny mode
Subscribe to Microsoft threat feeds

Network Security Groups (NSGs):

Best practices:

Default deny inbound, explicit allow only required ports
Service tags for Azure services (vs. IP ranges)
Application Security Groups (ASGs) for logical grouping
NSG flow logs to Log Analytics for analysis

Example NSG rules for web tier:

Priority 100: Allow inbound HTTPS (443) from Azure Front Door
Priority 110: Allow inbound HTTP (80) from Azure Front Door (redirect to HTTPS)
Priority 200: Deny all other inbound
Priority 300: Allow outbound to database tier (1433 or 5432)
Priority 400: Allow outbound to Azure services (via service tags)
Priority 500: Deny all other outbound

Azure DDoS Protection:

Enable DDoS Protection Standard on hub VNet
Configure DDoS response team contacts
Test DDoS response procedures
Monitor DDoS metrics and alerts

Compute Security

Virtual machine hardening:

Baseline security configuration:

Apply Microsoft Security Baselines (via Azure Policy or PowerShell DSC)
Enable Azure Security Center recommendations
Disable unnecessary services and protocols
Configure Windows Firewall or iptables
Enable BitLocker/dm-crypt for disk encryption

Patch management:

Azure Update Management for automated patching
Maintenance windows aligned with change management
Test patches in non-production first
Target: Critical/high severity patches within 30 days

Antivirus and anti-malware:

Microsoft Defender Antivirus (Windows) or Defender for Linux
Real-time protection enabled
Scheduled scans configured
Cloud-delivered protection enabled
Logs sent to Log Analytics

Azure Security Center / Microsoft Defender for Cloud:

Enable Defender plans:

Defender for Servers (all VMs)
Defender for Storage (all storage accounts)
Defender for SQL (all databases)
Defender for Key Vault (all key vaults)
Defender for App Service (all web apps)
Defender for Containers (all AKS clusters)

Just-in-Time VM Access:

Enable JIT for all management ports (RDP 3389, SSH 22)
Require approval for access requests
Time-limited access (maximum 3-8 hours)
Source IP restrictions

File Integrity Monitoring:

Enable on all VMs
Monitor critical system files and registry keys
Alert on unauthorized changes

Data Protection

Azure Storage security:

Storage account configuration:

Require secure transfer (HTTPS only)
Disable public blob access (unless explicitly required)
Enable Azure AD authentication where possible
Configure firewall rules (allow only approved VNets)
Enable soft delete for blob and file shares
Enable versioning for blob storage

Encryption:

Encryption at rest: Enabled by default with Microsoft-managed keys
Consider customer-managed keys (CMK) in Azure Key Vault for CUI
Encryption in transit: TLS 1.2 minimum
Client-side encryption for highly sensitive data

Azure SQL Database / Managed Instance security:

Security features:

Transparent Data Encryption (TDE): Enabled with CMK
Always Encrypted: For column-level encryption of sensitive fields
Dynamic data masking: For PII in non-production
Row-level security: For multi-tenant databases
Azure AD authentication: Preferred over SQL authentication

Network security:

Private endpoints for database connectivity (no public endpoint)
VNet integration for applications
Firewall rules limiting source IPs
Service endpoints for Azure services

Auditing:

Enable SQL auditing to Log Analytics
Audit all administrative actions
Audit data access to CUI tables
Retention: 1 year minimum

Azure Key Vault:

Key management:

Separate key vaults for production vs. non-production
HSM-backed keys for CUI encryption
Key rotation policy (annual minimum)
Access via managed identities
Enable soft-delete and purge protection
Enable Key Vault logging to Log Analytics

Access control:

Azure RBAC for management plane
Key Vault access policies for data plane
Principle of least privilege
Quarterly access reviews

Monitoring and Logging

Log Analytics workspace configuration:

Log sources:

Azure Activity logs (all subscriptions)
Azure AD sign-in and audit logs
Azure Security Center alerts
NSG flow logs
Azure Firewall logs
VM logs (Windows Event Log, syslog)
Application logs (App Insights, Application Gateway)
Azure SQL audit logs

Retention:

1 year minimum for CMMC (2-7 years recommended)
Export to Azure Storage for long-term retention
Immutable storage for audit logs

Azure Sentinel (SIEM):

Data connectors:

Azure Activity
Azure Active Directory
Azure Security Center
Microsoft Defender for Cloud
Microsoft 365 (if integrated)
Custom logs via Log Analytics

Analytics rules:

Anomalous sign-in detection
Privilege escalation detection
Unusual resource creation
Data exfiltration indicators
Malware detection
Failed authentication brute force
Admin activity outside business hours

Incident response:

Automated response playbooks (Logic Apps)
SOAR integration for common scenarios
Escalation to security team
Integration with ticketing system

Azure Monitor:

Alerts for critical events:

VM availability or performance degradation
Azure Firewall critical rule hits
Key Vault access anomalies
Storage account public access enabled
Network Security Group rules changed
Conditional Access policy modified

Alert actions:

Email to security team
SMS for critical alerts
Webhook to incident management system
Automated remediation via Azure Automation

Part 3: AWS GovCloud Security Architecture

Network Architecture

VPC design for multi-tier applications:

Public subnet:

NAT Gateway for outbound internet access
Application Load Balancer
Bastion host or AWS Systems Manager Session Manager
No direct internet access for resources

Private subnet (application tier):

EC2 instances running application
Auto Scaling groups for resilience
Route to internet via NAT Gateway
Security groups restricting access

Private subnet (database tier):

RDS instances or Aurora clusters
ElastiCache for caching
No internet access (even via NAT)
Database subnet groups

Security groups and NACLs:

Security group best practices:

Default deny all inbound
Explicit allow rules only for required protocols
Reference other security groups (vs. IP ranges)
Separate security groups per tier
Tag for clarity and audit

Example security group rules:

Web SG:
  Inbound: Allow 443 from ALB SG
  Outbound: Allow 8080 to App SG

App SG:
  Inbound: Allow 8080 from Web SG
  Outbound: Allow 5432 to DB SG, 443 to AWS services

DB SG:
  Inbound: Allow 5432 from App SG
  Outbound: Deny all

Network ACLs:

Stateless firewall at subnet boundary
Typically used for additional defense-in-depth
Block known malicious IPs
Log denies for security analysis

Identity and Access Management (IAM)

AWS GovCloud IAM configuration:

Root account security:

Enable MFA on root account
Do not use root account for daily operations
Secure root account credentials in physical safe
Rotate root account credentials annually

IAM user management:

Disable IAM users where possible (prefer federation)
Require MFA for all IAM users
Rotate access keys every 90 days
Use IAM Access Analyzer to detect overly permissive policies

IAM roles and policies:

Principle of least privilege:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws-us-gov:s3:::cui-bucket/*"
    }
  ]
}

Service Control Policies (SCPs):

Organization-level controls
Deny actions that violate compliance (e.g., disable encryption, create public resources)
Enforce tagging requirements
Restrict regions (US-only for GovCloud)

AWS SSO for federated access:

Integrate with Azure AD or other IdP
Permission sets mapped to AWS roles
Time-limited access
Audit trail via CloudTrail

Compute Security

EC2 hardening:

AMI hardening:

Use AWS-provided or CIS-hardened AMIs
Apply security baselines before deployment
Remove unnecessary packages and services
Configure local firewall (iptables, Windows Firewall)
Disable root SSH (use sudo)

EC2 instance configuration:

Enable IMDSv2 (Instance Metadata Service v2) to prevent SSRF
Use Systems Manager Session Manager (vs. SSH/RDP)
Enable EBS encryption by default
Use KMS customer-managed keys for CUI volumes
Configure CloudWatch monitoring
Auto-tag instances via automation

AWS Systems Manager:

Patch Manager:

Define patch baselines (OS and application patches)
Automate patching via maintenance windows
Test in non-production first
Target: Critical/high patches within 30 days

State Manager:

Enforce configuration compliance
Automated remediation of drift
Bootstrap new instances with security configuration

Session Manager:

Secure access to instances without SSH/RDP ports open
Centralized audit logging
MFA for privileged sessions

Container security (ECS/EKS):

ECS security:

Use Fargate for serverless (reduces attack surface)
Store secrets in AWS Secrets Manager (not environment variables)
Use task IAM roles for least privilege
Scan container images for vulnerabilities (ECR image scanning)
Run containers as non-root

EKS security:

Enable pod security policies
Network policies for pod-to-pod communication
IRSA (IAM Roles for Service Accounts) for pod authentication
Encrypt etcd with KMS
Private API endpoint
Enable control plane logging to CloudWatch

Data Protection

S3 bucket security:

Access control:

Block public access at account and bucket level
Use bucket policies for least privilege
Enable MFA Delete for CUI buckets
Use VPC endpoints for internal access
Audit access with S3 access logs and CloudTrail

Encryption:

Enable default encryption with SSE-KMS (customer-managed keys)
Enforce encryption in transit (deny non-HTTPS)
Use S3 Object Lock for immutable audit logs

Versioning and lifecycle:

Enable versioning for accidental deletion protection
Configure lifecycle policies for cost optimization
Transition to Glacier for long-term retention

RDS security:

Database configuration:

Enable encryption at rest with KMS CMK
Enable automatic backups (7-35 day retention)
Enable audit logging (send to CloudWatch Logs)
Apply security patches during maintenance windows
Use IAM database authentication where possible

Network security:

Place RDS in private subnet with no internet access
Security group allowing access only from application tier
No public accessibility enabled
Use VPC peering or PrivateLink for cross-VPC access

Secrets management:

AWS Secrets Manager:

Store database credentials, API keys, certificates
Enable automatic rotation
Use resource-based policies for access control
Audit access via CloudTrail
Integrate with RDS for automatic credential rotation

Monitoring and Logging

CloudTrail configuration:

Enable organization trail:

Log all management events across all accounts
Log S3 and Lambda data events for CUI resources
Enable log file validation (integrity)
Encrypt logs with KMS
Store in S3 with Object Lock
Retention: 1 year minimum (7 years recommended)

CloudWatch Logs:

Centralized logging:

VPC Flow Logs
CloudTrail logs
Application logs from EC2, ECS, Lambda
RDS audit logs
WAF logs

Log retention:

1 year minimum for compliance
Use S3 lifecycle for cost-effective long-term storage

AWS Security Hub:

Enable Security Hub:

Aggregate findings from GuardDuty, Inspector, Macie, Firewall Manager
Enable CIS AWS Foundations Benchmark
Enable NIST 800-53 standard
Automated remediation via EventBridge + Lambda

AWS GuardDuty:

Enable across all regions:

Detects threats via ML and threat intelligence
Monitors CloudTrail, VPC Flow Logs, DNS logs
Alerts on cryptocurrency mining, unauthorized access, data exfiltration
Integrate with Security Hub for centralized view

Amazon Macie:

Data classification:

Scans S3 buckets for PII, CUI markers
Alerts on sensitive data exposure
Automated data discovery jobs
Compliance reporting

Part 4: Hybrid and Multi-Cloud Security

Hybrid connectivity options

Azure ExpressRoute / AWS Direct Connect:

When to use:

High bandwidth requirements (>100 Mbps sustained)
Low latency requirements
Regulatory requirement for private connectivity
Large data transfer volumes

Security considerations:

Does not encrypt by default (use VPN over ExpressRoute/Direct Connect or application-level encryption)
BGP route filtering
Dedicated vs. shared connection security model

Site-to-Site VPN:

When to use:

Lower bandwidth requirements
Cost-sensitive deployments
Backup to ExpressRoute/Direct Connect

Configuration best practices:

IKEv2 with strong encryption (AES-256)
Perfect Forward Secrecy (PFS)
DPD (Dead Peer Detection) enabled
Redundant VPN tunnels for high availability

Multi-cloud identity federation

Azure AD as central identity provider:

Azure AD connects to on-premises AD via Azure AD Connect
Azure Government uses Azure AD for Government
AWS GovCloud federates to Azure AD via SAML
Single identity source, consistent access controls

Conditional Access across clouds:

Enforce MFA at Azure AD level (applies to all federated apps)
Device compliance policies before cloud access
Location-based policies (US-only access)
Risk-based authentication

Data synchronization and replication

Secure data transfer patterns:

Azure to AWS (and vice versa):

Use VPN or ExpressRoute/Direct Connect for private connectivity
Encrypt data in transit (TLS 1.2+)
Encrypt data at rest in both source and destination
Use managed transfer services (Azure Data Factory, AWS DataSync)
Audit all data transfers

CUI handling:

Maintain audit trail of CUI movement
Ensure both source and destination are authorized for CUI
Data loss prevention policies
Encryption throughout transit

Part 5: Compliance and Audit Preparation

CMMC control mapping to cloud services

AC (Access Control) in cloud:

Azure AD / AWS IAM: User authentication and authorization
Conditional Access / IAM policies: Enforce access restrictions
PIM / AWS SSO: Just-in-time privileged access
Azure Bastion / AWS Session Manager: Secure remote access

AU (Audit and Accountability) in cloud:

Log Analytics / CloudWatch: Centralized logging
Azure Monitor / CloudWatch Alarms: Alerting on security events
Azure Sentinel / Security Hub: SIEM aggregation

SC (System and Communications Protection) in cloud:

Azure Firewall / Security Groups: Network boundary protection
NSGs / NACLs: Host and subnet-level firewalls
Azure VPN Gateway / Site-to-Site VPN: Encrypted connections
Private endpoints / VPC endpoints: Private connectivity to PaaS

SI (System and Information Integrity) in cloud:

Microsoft Defender / GuardDuty: Threat detection
Security Center / Inspector: Vulnerability scanning
Update Management / Patch Manager: Automated patching

Evidence collection automation

Azure Policy for compliance evidence:

Policy assignments for required configurations
Compliance dashboard showing adherence
Automated remediation for drift
Export compliance reports for audit

AWS Config for configuration tracking:

Record configuration changes over time
Compliance rules for required settings
Automated remediation via Systems Manager
Integration with Security Hub

Automated evidence collection:

Azure:

Export Azure Policy compliance reports
Query Log Analytics for audit evidence
Azure Resource Graph for inventory
Azure Blueprints for environment documentation

AWS:

AWS Config compliance reports
CloudTrail log queries for access evidence
AWS Security Hub findings export
AWS Audit Manager for control evidence

Documentation requirements

System Security Plan (SSP) cloud addendum:

Cloud architecture diagrams (network, compute, data flow)
Shared responsibility model explanation
Cloud-specific control implementation
Third-party attestations (FedRAMP, DoD IL)
Incident response procedures for cloud

Inventory documentation:

Azure subscriptions and resource groups
AWS accounts and organizational structure
Resource inventory (VMs, storage, databases)
Service dependencies
Data classification and location

Part 6: Operational Best Practices

Infrastructure as Code (IaC)

Azure ARM templates / Bicep:

Define infrastructure in code
Version control in Git
Peer review before deployment
Automated deployment pipelines
Environment consistency (dev, test, prod)

AWS CloudFormation / Terraform:

Same benefits as Azure IaC
Use modules for reusable components
Implement drift detection
Automated testing of infrastructure code

Security benefits:

No manual configuration (reduces human error)
Audit trail via Git history
Automated compliance validation
Rapid environment recreation for DR

Change management

Cloud change control process:

Request: Document change and business justification
Risk assessment: Evaluate security and compliance impact
Approval: Security review and management approval
Testing: Validate in non-production
Implementation: Deploy during change window
Validation: Confirm success and no adverse impact
Documentation: Update diagrams and SSP

Emergency changes:

Defined criteria for emergency changes
Streamlined approval process
Post-implementation review
Update to regular change if recurring

Backup and disaster recovery

Azure backup strategy:

Azure Backup for VMs (daily backups, 30-day retention)
Azure SQL Database automated backups (7-35 days)
Geo-redundant storage for long-term backups
Azure Site Recovery for DR (RTO < 4 hours, RPO < 15 minutes)

AWS backup strategy:

AWS Backup for centralized backup management
RDS automated backups (7-35 days)
S3 Cross-Region Replication for geo-redundancy
EC2 AMIs for system recovery
Disaster recovery to alternate AWS GovCloud region

Testing:

Quarterly restore testing
Annual DR failover exercise
Document lessons learned
Update DR runbooks

Cost optimization without compromising security

Right-sizing:

Use Azure Advisor / AWS Trusted Advisor recommendations
Resize underutilized VMs
Delete unattached disks and idle resources
Use reserved instances / savings plans for predictable workloads

Security cost considerations:

Log retention: Balance compliance needs with storage costs
Defense services (Defender/GuardDuty): Cost vs. risk
Data transfer: Minimize egress costs with architectural optimization
Always maintain required security controls (don't compromise security for cost)

Conclusion

Secure cloud architecture for defense and regulated environments is about combining cloud-native security services with additional controls for CUI protection, continuous monitoring, and evidence collection.

Key principles:

Defense in depth: Multiple layers of security controls
Least privilege: Minimal access required for function
Automation: Reduce human error and improve consistency
Continuous monitoring: Detect and respond to threats
Compliance as code: Enforce security controls programmatically

Whether you choose Azure Government, AWS GovCloud, or a hybrid approach, these principles and patterns will help you build a secure, compliant, and operationally sustainable cloud environment.

Start with network and identity security as your foundation, layer on data protection and monitoring, automate evidence collection, and maintain continuous improvement through regular assessment and testing.