Updated May 2026

AWS GovCloud CMMC Cost: $1,500 to $8,000 per month

AWS GovCloud (US) holds FedRAMP High authorisation and a DoD Provisional Authorisation up to IL5, making it eligible to host CUI under DFARS 252.204-7012. Typical monthly spend for a sub-100-user defense contractor runs $1,500-$8,000 depending on workload size and the security-tooling stack layered on top.

When AWS GovCloud is the right CMMC enclave

AWS GovCloud is the most common cloud answer for defense contractors whose CUI workload is application-shaped: a custom-built web application that processes engineering data, a database that holds export-controlled product designs, a continuous-integration pipeline that builds firmware for defense electronics, a data-lake that aggregates flight-test telemetry. For document-shaped workloads (Word, Excel, PowerPoint, email), Microsoft 365 GCC High is usually the cleaner answer and that path is covered in the GCC High migration cost page. Many contractors run both: GCC High for productivity, GovCloud for engineering application workloads.

AWS GovCloud runs in two regions, us-gov-west-1 (Oregon) and us-gov-east-1 (Northern Virginia). Both are physically and logically isolated from commercial AWS, operated by AWS US-citizen staff, and connected to commercial AWS only through limited control planes. The authorised service list is narrower than commercial AWS but covers the core compute, storage, networking, database, security, and management services that most defense application workloads need. The list and authorisation levels are published at aws.amazon.com/compliance/services-in-scope.

For C3PAO assessments, GovCloud brings a strong shared-responsibility story. The AWS-side controls (datacentre physical security, hypervisor isolation, hardware lifecycle, base network controls) are inherited from the underlying FedRAMP High authorisation. The contractor is responsible for everything in the customer responsibility matrix: identity and access management policies, network segmentation inside the VPC, encryption-at-rest and in-transit configuration, logging and monitoring, patching of OS and applications, backup and recovery. The customer-responsibility line is where most contractors put their build effort.

Per-service pricing for a typical enclave

| Service | Unit price (GovCloud) | Typical monthly |
|---|---|---|
| EC2 t3.large (web tier, 2x On-Demand) | $0.103/hr | $150 - $300 |
| EC2 m5.xlarge (app tier, 2x On-Demand) | $0.230/hr | $330 - $660 |
| RDS db.m5.large MySQL Multi-AZ | $0.342/hr | $250 - $500 |
| S3 Standard (1TB) | $0.039/GB/mo | $40 |
| EBS gp3 (500GB attached) | $0.096/GB/mo | $48 |
| CloudTrail (storage to S3 of 500GB logs) | $0.039/GB | $20 |
| GuardDuty (medium-volume CUI workload) | ~$1/account/day + data | $80 - $250 |
| WAF + Shield Standard | $5/Web ACL/mo + req | $30 - $100 |
| KMS keys (10 CMKs + req) | $1/key/mo | $10 - $40 |
| Site-to-Site VPN tunnel | $0.05/hr per tunnel | $36 - $72 |
| Data transfer out (50GB to internet) | $0.09/GB | $45 |
| AWS Business Support (3%, $100 min) | 3% of monthly spend | $100 |
| Small-enclave total | | $1,140 - $2,170 |

All prices verified against the public AWS GovCloud pricing pages at aws.amazon.com/govcloud-us/pricing. Reserved Instance and Savings Plan discounts of 20-60 percent are available for workloads with predictable utilisation.

Enclave size scenarios

| Scenario | Workload profile | Monthly run rate | Annual |
|---|---|---|---|
| XS enclave | 2 EC2, RDS Single-AZ, 100GB S3, basic security stack | $800 - $1,500 | $10K - $18K |
| Small enclave | 4-6 EC2, RDS Multi-AZ, 1TB S3, full security stack | $1,500 - $3,500 | $18K - $42K |
| Medium enclave | 10-15 EC2, RDS + ElastiCache, 5TB S3, multi-account org | $3,500 - $8,000 | $42K - $96K |
| Large enclave | 30+ EC2, Aurora cluster, 20TB+ S3, Direct Connect, full SIEM ingest | $8,000 - $25,000 | $96K - $300K |

CMMC-driven AWS service decisions

Several AWS services are practically required to evidence specific NIST SP 800-171 controls. AWS CloudTrail provides the audit log trail required by the AU-2, AU-3, AU-12 family. AWS Config provides configuration baseline and drift evidence for the CM-2 family. AWS KMS provides the FIPS 140-2 validated encryption keys required for SC-13. AWS Secrets Manager (or Parameter Store) provides credential rotation evidence for IA-5(1)(d). AWS IAM Identity Center (formerly SSO) is the cleanest path to evidence centralised access management for the AC-2 family. None of these is individually expensive, but together they add roughly $200-$800 per month to a small enclave.

GuardDuty deserves a separate note: it provides threat detection across VPC Flow Logs, DNS logs, CloudTrail events, and (with Malware Protection enabled) EC2 instance memory and EBS volumes. For an enclave running CUI workloads, GuardDuty is functionally a SIEM-input source and is one of the cleanest ways to evidence the SI-4 monitoring control family. The cost scales with the volume of telemetry processed, so a small enclave can land at $80-$150 per month while a larger enclave can run into the high hundreds. Compare against external SIEM costs on the SIEM cost calculator sister site.
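The service-to-control pairing above, turned into an evidence check (an added example, not code from this page or from AWS): it reads JSON saved from the AWS CLI for each GovCloud region and lists the controls left without evidence. The individual checks, the snapshot layout and the sample values are assumptions of this example.

```python
# Added example. Control IDs are the ones the text pairs with each service; the
# checks themselves (multi-region, log validation, rotation) are assumptions.
REGIONS = ("us-gov-west-1", "us-gov-east-1")  # the two GovCloud regions

def region_gaps(snap):
    """Return (control, finding) pairs for one region's snapshot."""
    gaps = []
    trails = snap.get("cloudtrail", {}).get("trailList", [])
    if not trails:
        gaps.append(("AU-2/AU-3/AU-12", "no CloudTrail trail"))
    for t in trails:
        name = t.get("Name")
        if not t.get("IsMultiRegionTrail"):
            gaps.append(("AU-2/AU-3/AU-12", f"trail {name}: single-region"))
        if not t.get("LogFileValidationEnabled"):
            gaps.append(("AU-2/AU-3/AU-12", f"trail {name}: log file validation off"))
        if not t.get("KmsKeyId"):
            gaps.append(("SC-13", f"trail {name}: no KMS key on log files"))
    recorders = snap.get("config", {}).get("ConfigurationRecordersStatus", [])
    if not any(r.get("recording") for r in recorders):
        gaps.append(("CM-2", "AWS Config recorder absent or stopped"))
    for key_id, status in snap.get("kms_rotation", {}).items():
        if not status.get("KeyRotationEnabled"):
            gaps.append(("SC-13", f"KMS key {key_id}: rotation disabled"))
    if not snap.get("guardduty", {}).get("DetectorIds"):
        gaps.append(("SI-4", "no GuardDuty detector"))
    return gaps

def enclave_gaps(snapshots):
    """Check both regions; a region with no snapshot fails closed."""
    missing = [("ALL", "no evidence collected")]
    return {r: region_gaps(snapshots[r]) if r in snapshots else missing
            for r in REGIONS}

# Constructed sample (placeholder names/ids) shaped like AWS CLI JSON from describe-trails,
# describe-configuration-recorder-status, get-key-rotation-status (per key), list-detectors.
SAMPLE = {"us-gov-west-1": {
    "cloudtrail": {"trailList": [{
        "Name": "org-trail", "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": False,
        "KmsKeyId": "arn:aws-us-gov:kms:us-gov-west-1:111111111111:key/EXAMPLE"}]},
    "config": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]},
    "kms_rotation": {"EXAMPLE-KEY-1": {"KeyRotationEnabled": True},
                     "EXAMPLE-KEY-2": {"KeyRotationEnabled": False}},
    "guardduty": {"DetectorIds": []},
}}

if __name__ == "__main__":
    print(enclave_gaps(SAMPLE))
```

GuardDuty and AWS Config are regional services, which is why the check runs per region and treats a region with no collected output as a gap rather than a pass.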

Setup project for a new GovCloud enclave

Standing up a CMMC-ready GovCloud enclave from scratch is typically a $25K-$80K project, separate from the recurring AWS spend. Components: AWS Organizations setup with Control Tower equivalents in GovCloud, baseline VPC architecture with public/private subnet patterns, IAM Identity Center configured with federation to your identity provider, KMS key hierarchy with key rotation, CloudTrail and Config aggregator at the org level, GuardDuty enabled across accounts, security baseline patterns codified in Terraform or CloudFormation. For contractors already running a Landing Zone in commercial AWS, the GovCloud version is faster (3-6 weeks) because the patterns transfer; for contractors with no AWS history, expect 8-14 weeks plus a partner engagement.

Partner options include AWS Partner Network Premier-tier providers that specialise in public sector (Effectual, Stratus10, ClearPoint, Mission Cloud Public Sector). Typical engagement fees: $30K-$60K for an XS-to-small enclave Landing Zone build, $60K-$150K for a medium enclave with multi-account org and federated identity. Internal builds without partner support are cheaper in dollars but extend timeline by 4-8 weeks and introduce risk around assessment-readiness of the resulting configuration.

Frequently asked questions

Does AWS GovCloud meet the DFARS 7012 cloud requirement?
Yes. AWS GovCloud (US-East and US-West) holds FedRAMP High authorisation and a DoD Provisional Authorisation up to Impact Level 5 (IL5). That makes it eligible for CUI processing under DFARS 252.204-7012(b)(2)(ii)(D) when configured correctly. The authorisation covers a specific subset of AWS services; check the AWS GovCloud (US) service-by-service authorisation table at aws.amazon.com/compliance/services-in-scope for the current list. Not every commercial AWS service is in scope.

How much does an AWS GovCloud enclave actually cost?
For a typical sub-100-user defense contractor running a small CUI workload (web tier, database, file storage, monitoring), the monthly AWS GovCloud spend lands around $1,500 to $8,000 depending on workload size. Compute (EC2) usually drives 40-60 percent of the bill; storage (S3 + EBS) drives 15-25 percent; managed services (RDS, GuardDuty, WAF) drive another 15-25 percent; and data transfer plus support drives the rest. Smaller engineering teams can run a properly architected enclave for under $1,000 per month if they keep instance sizes modest.

Is GovCloud more expensive than commercial AWS?
Yes, typically 10-25 percent more per service. The premium is driven by US-citizen-only operator staffing, separate datacentre infrastructure, and a smaller customer base across which to amortise fixed costs. For example, an m5.xlarge On-Demand instance in commercial us-east-1 is roughly $0.192 per hour, while the equivalent in GovCloud us-gov-west-1 runs around $0.230 per hour. Always check the live pricing pages on aws.amazon.com/govcloud-us/pricing for current figures.

What additional AWS spend do I need for CMMC compliance?
Beyond the workload itself, CMMC Level 2 typically drives spend on AWS GuardDuty (threat detection), AWS WAF and Shield (perimeter), AWS Security Hub (control aggregation), AWS CloudTrail (audit logging, free for the first management-event trail but storage adds up), AWS Config (configuration history), AWS Secrets Manager (credential rotation), and AWS Key Management Service (encryption keys). For a small enclave, these add roughly $300-$1,200 per month on top of the workload baseline.

Do I need AWS Direct Connect for GovCloud?
Direct Connect is not required for CMMC compliance, but it is commonly used by contractors with large data transfers or strict latency requirements between on-premises and GovCloud. A 1Gbps Direct Connect port costs roughly $300-$400 per month plus data transfer at $0.03-$0.05 per GB depending on region. For most sub-100-user contractors, a Site-to-Site VPN at $0.05 per hour (around $36 per month per tunnel) is sufficient and avoids the Direct Connect commitment.

Can I run CMMC workloads in commercial AWS instead of GovCloud?
Not for CUI under standard interpretation of DFARS 7012(b)(2)(ii)(D). Commercial AWS does not hold FedRAMP Moderate authorisation as a single region; some individual AWS services in commercial regions are authorised but the boundary is narrower and the customer responsibility matrix is more complex. Most defense contractors find that GovCloud (or AWS Top Secret Cloud for higher classification) is the cleaner story for a C3PAO assessment. For Level 1 (FCI only, no CUI), commercial AWS with appropriate configuration may be acceptable, but check with your assessor before committing.

Updated 2026-05-11