Government Cloud Overview & Support

After InsightCloudSec is successfully installed, you're ready to start harvesting resources from your target cloud accounts. This documentation details configuring your Government Cloud (GovCloud) environments to "talk" with InsightCloudSec securely. Review the sections below to determine the best starting point for your environment.

GovCloud in InsightCloudSec: Frequently Asked Questions (FAQ)

What does InsightCloudSec support from GovCloud?

Review the full list of GovCloud-specific supported services below.

How do I start seeing my GovCloud environments in InsightCloudSec?

InsightCloudSec relies on a process called "harvesting" to pull data from various CSPs. Currently, InsightCloudSec only offers setup instructions for a single cloud account in AWS GovCloud. Review AWS Cloud - Onboarding for details.

Can customers running InsightCloudSec in GovCloud (self-hosted) harvest commercial account data/resources?

AWS GovCloud:

Yes, however, customers must use an STS AssumeRole operation instead of a traditional assume role. API calls cannot be made across AWS partitions (commercial, GovCloud, China) until a cross-partition STS AssumeRole operation has been performed.

Can customers running InsightCloudSec in commercial cloud environments (SaaS and self-hosted) harvest GovCloud account data/resources?

AWS GovCloud:

Yes, however, customers must use an STS AssumeRole operation instead of a traditional assume role. API calls cannot be made across AWS partitions (commercial, GovCloud, China) until a cross-partition STS AssumeRole operation has been performed.
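The partition boundary described in both FAQ answers above, as an added illustration (example code, not InsightCloudSec's own): each AWS partition has its own STS endpoint, so a role in another partition is reached through that partition's STS with credentials issued there. The role ARN, account number and `boto3` availability are assumptions.

```python
import re

# Partition -> (home region, regional STS endpoint). These are AWS's public
# partition names; the hostnames follow AWS's documented endpoint pattern.
PARTITIONS = {
    "aws": ("us-east-1", "https://sts.us-east-1.amazonaws.com"),
    "aws-us-gov": ("us-gov-west-1", "https://sts.us-gov-west-1.amazonaws.com"),
    "aws-cn": ("cn-north-1", "https://sts.cn-north-1.amazonaws.com.cn"),
}
ROLE_ARN = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::\d{12}:role/.+$")


def partition_of(role_arn: str) -> str:
    """Partition encoded in an IAM role ARN; raises on anything else."""
    m = ROLE_ARN.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return m.group(1)


def plan_assume_role(caller_partition: str, role_arn: str) -> dict:
    """Decide how a caller in caller_partition can reach role_arn.

    Same partition: an ordinary AssumeRole with the caller's own credentials.
    Different partition: the role can only be assumed through the target
    partition's STS endpoint, with credentials issued in that partition.
    """
    target = partition_of(role_arn)
    region, endpoint = PARTITIONS[target]
    return {
        "target_partition": target,
        "cross_partition": target != caller_partition,
        "sts_region": region,
        "sts_endpoint": endpoint,
    }


def assume_role_in_partition(role_arn, session_name, access_key, secret_key):
    """Assume role_arn via its own partition's STS. Assumes boto3 is installed
    and that access_key/secret_key were issued in the role's partition."""
    import boto3  # imported lazily so the pure helpers above run without it

    region, endpoint = PARTITIONS[partition_of(role_arn)]
    sts = boto3.client("sts", region_name=region, endpoint_url=endpoint,
                       aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=3600)
    return resp["Credentials"]  # temporary keys usable only in that partition
```

Running `plan_assume_role` before harvesting is a cheap pre-flight check: a mismatched partition is reported up front instead of surfacing as a rejected API call.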

AWS GovCloud Support

AWS GovCloud accounts are onboarded the same way as AWS Commercial accounts. Review Onboard an AWS Cloud Account for more information.

AWS GovCloud Policies

InsightCloudSec offers several different AWS policies for harvesting resource information found in your AWS accounts and enabling InsightCloudSec features. Our universal onboarding experience will implement the appropriate policies automatically, so there's no need for AWS GovCloud-specific policies. Review AWS Policies for details.

AWS GovCloud Supported Deployment Regions

InsightCloudSec can only be deployed in AWS. For self-hosted customers, InsightCloudSec can be deployed/hosted exclusively in AWS GovCloud, if you so choose. For SaaS customers, reach out to support for additional details on deployment.

AWS GovCloud Services

AWS GovCloud Supported Services

Listed below are all of the AWS GovCloud services (and their components) supported by InsightCloudSec. In general, if a service is supported by InsightCloudSec for GovCloud, we support it in any region in which the CSP provides the service. If you have questions related to AWS or specific services and their support, contact us through the Customer Support Portal.

Amazon API Gateway (Domain, Key, Stage, Usage Plans)
Amazon DocumentDB
Amazon QuickSight
Amazon SageMaker (Notebook, Training job)
Amazon Simple Email Service (Configuration sets, Rules)
Amazon Redshift (Snapshot)
Amazon Transcription
AppStream 2.0
Athena (Workgroup)
AWS Auto Scaling (Group)
AWS Backup (Gateway, Vault)
AWS Control Tower (Control, Landing zone)
AWS Glue (Connection, Crawler, Data Catalog, Database, Job, Security Configuration)
AWS Health Dashboard
AWS Organizations
AWS Systems Manager (Association, Parameter Store (Parameter), Document)
Batch (Compute Environment)
Certificate Manager (Private Certificate Authority)
CloudFormation (Templates)
CloudFront
CloudHSM
CloudTrail
CloudWatch (Alarm, Log Group)
Database Migration Service (Endpoint, Replication Instance)
DynamoDB
EC2 (Amazon EBS Snapshot, Amazon EBS Volume, Instance, Launch Template, Reserved Instance, Resource/Service Limit/Quota, Savings Plans, SSH Key Pairs)
EFS
Elastic Beanstalk (Application, Environment)
Elastic Container Registry (Container Registry)
Elastic Container Service/Fargate
Elastic Kubernetes Service (Node Group)
Elastic Load Balancer (Application Load Balancer, Gateway Load Balancer, Network Load Balancer)
ElastiCache (Snapshot)
EMR
FSx
Global Accelerator
IAM (Cloud Account, Group, Policy (Customer Managed), Role, User, User Access Key)
Key Management Service
Kinesis
Lambda (Layer)
Neptune
OpenSearch Service
RDS (Aurora, Cluster, Event Subscription, Instance, Snapshot)
Region
Resource Access Manager (Resource shares, Shared resources)
Route 53
S3 (Access Point)
SAML Identity Provider
Secrets Manager (Secret)
Simple Queue Service
Simple Notification Service (Subscription, Topic)
Step Function State Machine
Storage Gateway
Systems Manager (Document)
Trusted Advisor
VPC (Elastic IP, Elastic Network Interface (ENI), Flow Log, Internet Gateway, NACL/Security Group, NACL/Security Group Rules, NAT Gateway, Network Firewall, Peer, Route Table, Subnet)
WAF
WorkSpaces (Instances)

Azure GovCloud Support

Azure GovCloud accounts are onboarded the same way as Azure Commercial accounts. Review Onboard an Azure Cloud Account or Onboard an Azure Organization for more information.

Azure GovCloud Roles

InsightCloudSec offers a couple of Azure roles for harvesting resource information found in your Azure accounts and enabling InsightCloudSec features.

Custom GovCloud Reader Role

If you are interested in operating in read-only mode, which prevents InsightCloudSec from taking actions against your Microsoft Azure GovCloud resources, then we recommend using the Custom GovCloud Reader Role. This role grants InsightCloudSec read-only permissions to supported resources so data is harvested and available for reporting. Using this role means you must manually update the role with each new Azure GovCloud service that InsightCloudSec supports.

The JSON file for this role can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Custom GovCloud Power User Role

If you would like to use InsightCloudSec to manage your Microsoft Azure GovCloud resources directly or through the use of Bots, then use the Custom GovCloud Power User Role. This role will grant InsightCloudSec all permissions to supported resources so it can act upon cloud resources in addition to monitoring and reporting on them. Using this role means you must manually update the role with each new Azure GovCloud service that InsightCloudSec supports.

The JSON file for this role can be obtained from our public S3 bucket. The JSON file includes a placeholder value for the subscription ID. This placeholder value will need to be replaced before implementing the role.

Azure GovCloud Supported Regions

usgovarizona
usgoviowa
usgovtexas
usgovvirginia

Azure GovCloud Supported Services

Listed below are all of the Azure GovCloud services (and their components) supported by InsightCloudSec. In general, if a resource is supported by InsightCloudSec for GovCloud, we support it in any region in which the CSP provides the resource. If you have questions related to Azure or specific services and their support, contact us through the Customer Support Portal.

Activity log (Alerts)
API Management services
App Registration
App Services
App Service plans
Application credentials
Application gateways
Automation Account
Azure Active Directory (Group, Service Principal, User)
Azure Blob Storage
Azure Cache for Redis
Azure Cosmos DB
Azure Database for PostgreSQL/MySQL/MariaDB
Azure Databricks
Azure Files
Azure role assignments
Azure Synapse Analytics
Batch (Accounts, Pools)
Bot services
CDN profile
Cognitive Services (Azure OpenAI, Computer vision, Content moderator, Language service, Language understanding (classic), Personalizer, Speech service, Translator)
Container instances
Container registries (Container Image)
Compute/Network Usage Limit
Data factories
Dedicated SQL pools
DDoS protection plans
Diagnostic settings
Disks
DNS zones
Event Grid (Topics)
Event Hubs
ExpressRoute circuits
Firewall (Rule, Rule Collection)
Front Doors
Function App
HDInsight clusters
IP Groups
Kubernetes services
Load balancers
Log Analytics workspaces
Logic apps
Management groups
Microsoft Defender for Cloud (Security posture recommendations)
NAT gateways
Network interfaces
Network security groups (Flow Logs, Security Rules)
Peerings
Policy (Definitions)
Private Link services
Public IP addresses
Region
Resource groups
Role Definition
Route tables (Route)
Service Bus (Queue)
Service Fabric clusters
Shared Image Gallery (Image Definition, Image Version)
SQL Servers
SSL Certificate
Storage accounts
Storage Sync Services
Subscriptions
Traffic Manager
Virtual machine (Dedicated Host, Image)
Virtual machine scale sets
Virtual network (Private Endpoint, Service Endpoint, Service Endpoint Policy Subnet)
Virtual network gateway