| title | GovCloud Deployment Guide |
|---|
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: MIT-0
Deploying the GenAI IDP Accelerator to an AWS GovCloud region (us-gov-west-1, us-gov-east-1) has a few unique requirements compared to a standard Commercial deployment:
- Headless is required. The UI-layer services used by a standard deployment (CloudFront, AppSync, Cognito, WAF for CloudFront) are not available in GovCloud, so GovCloud stacks must use the Headless Deployment mode.
- Build from source is required. Public IDP CloudFormation templates are not published to GovCloud regions, so GovCloud stacks must be built locally with
idp-cli deploy --from-code .. - ARN partition compatibility. All ARN references in the template use
arn:${AWS::Partition}:instead ofarn:aws:so they resolve correctly in theaws-us-govpartition. - GovCloud configuration defaults. The CLI automatically applies GovCloud-appropriate configuration defaults (GovCloud-compatible Bedrock models, the
lending-package-sample-govcloudconfiguration preset).
Note: "Headless" mode itself is not GovCloud-specific — it can be used in Commercial regions too (for API-only / pipeline integrations). See Headless Deployment for the generic guide. This document covers only GovCloud-specific considerations on top of headless.
Supported GovCloud regions:
us-gov-west-1us-gov-east-1
Bedrock and Bedrock Data Automation (BDA) model availability varies between the two regions — check Bedrock in GovCloud for your target region before deploying.
The CLI sets GovCloud-compatible defaults when --region us-gov-* is detected:
amazon.nova-lite-v1:0amazon.nova-pro-v1:0us.anthropic.claude-3-5-sonnet-20240620-v1:0anthropic.claude-3-7-sonnet-20250219-v1:0
You must enable access to these models in the Bedrock console of the target GovCloud account/region before the first run.
The default ConfigurationPreset for GovCloud deployments is lending-package-sample-govcloud, which uses the GovCloud-compatible model IDs above. You can supply your own configuration with --custom-config.
The headless template transformation rewrites all arn:aws: references to arn:${AWS::Partition}:, so the same template can deploy in either partition. This happens automatically when the CLI detects a us-gov-* region.
You need the following installed on the machine that runs the deploy:
- Bash shell (Linux, macOS, Windows-WSL)
- AWS CLI (configured with GovCloud credentials)
- AWS SAM CLI
- Python 3.12
- Node.js ≥ 22.12
- npm ≥ 10
- A local Docker daemon (for container-image Lambda builds)
- The IDP CLI / SDK venv: run
make setup-venvfrom the project root, thensource .venv/bin/activate
Build and deploy to GovCloud with a single command. --from-code . builds from your local source (required for GovCloud), and --headless strips UI / AppSync / Cognito / WAF resources:
idp-cli deploy \
--stack-name my-idp-govcloud \
--region us-gov-west-1 \
--from-code . \
--headless \
--waitThe CLI creates an S3 bucket for build artifacts automatically in your GovCloud account. Customize with
--bucket-basenameand--prefixif needed.
Legacy: The
scripts/generate_govcloud_template.pyscript is deprecated. Useidp-cli deploy --headless --from-code .instead — it's the same transformation, exposed through the CLI / SDK with additional features (template upload, validation, 1-click launch URL).
When the region begins with us-gov-, idp-cli publish --headless and idp-cli deploy --headless additionally:
- Rewrite ARN references to use
arn:${AWS::Partition}: - Update the default
ConfigurationPresettolending-package-sample-govcloud - Update default Bedrock model IDs to GovCloud-supported models
- Validate the transformed template via the CloudFormation
ValidateTemplateAPI
See Headless Deployment for the full list of resources removed and retained by the headless transformation.
Since the Web UI is not deployed, interact with the system through one of:
- Direct S3 upload to the Input bucket (see stack Outputs)
- IDP CLI (
idp-cli process,idp-cli status,idp-cli download-results) - IDP SDK (
client.document.process(...), etc.) - CloudWatch dashboards and Step Functions console for monitoring
See the Headless Deployment — Access Methods section for details and code samples.
- Navigate to CloudWatch → Dashboards
- Dashboard name:
{StackName}-{Region} - View processing metrics, error rates, performance
/aws/lambda/{StackName}-*— Lambda function logs/aws/vendedlogs/states/{StackName}/workflow— Step Functions logs/{StackName}/lambda/*— pattern-specific logs
- The SNS
AlertsTopicreceives alerts for errors and performance issues — subscribe your ops email.
Bedrock model access not enabled
- Enable model access in the Bedrock console for the GovCloud region.
- GovCloud uses
amazon.nova-lite-v1:0,amazon.nova-pro-v1:0,us.anthropic.claude-3-5-sonnet-20240620-v1:0, andanthropic.claude-3-7-sonnet-20250219-v1:0by default.
ConfigurationPreset AllowedValues error
- Use a recent CLI version —
lending-package-sample-govcloudis included in the base templateAllowedValuesandConfigurationMap.
GraphQLApi.Arn unresolved reference error
- Fixed in recent CLI versions (Discovery resources are now included in the headless removal list). Upgrade and rebuild.
IAM permissions
- Ensure the deploying identity has permissions for CloudFormation, S3, IAM, Lambda, Step Functions, DynamoDB, SQS, EventBridge, CloudWatch, and Bedrock in the GovCloud partition.
Because GovCloud deployments are always headless, the following standard-deployment features are not available:
- Web-based user interface
- Real-time document status updates via WebSockets
- Interactive configuration management UI
- Cognito-backed user authentication
- CloudFront content delivery and WAF protection
- Agent Companion Chat / Agent Analytics / Knowledge-base chat
- Test Studio (UI)
- Human-in-the-Loop review UI (A2I)
See Headless Deployment — Features Not Available for complete details and workarounds.
- IAM: Use least-privilege IAM roles for automation and CI/CD.
- Encryption: Customer-managed KMS keys are enabled by default.
- Network: Deploy Lambda functions in private subnets if required (see Deployment in Private Network).
- Access Control: Implement custom authentication at your application / network layer (IAM, VPC, API Gateway, SSO).
- Monitoring: Set up CloudWatch alarms for critical metrics; subscribe to
AlertsTopic. - Logging: Configure appropriate log-retention policies.
- Backup: Implement backup strategies for configuration and reporting data.
- Updates: Re-run
idp-cli deploy --headless --from-code .to apply changes.
- Concurrency: Adjust
MaxConcurrentWorkflowsbased on load. - Timeouts: Configure appropriate timeout values.
- Memory: Optimize Lambda memory settings.
- Batching: Use appropriate batch sizes for processing.
See Capacity Planning for details.
If migrating an existing Commercial-region deployment to GovCloud:
- Export configuration: download configuration from the source stack (
idp-cli config-download ...). - Export data: copy any baseline or reference data you need.
- Deploy to GovCloud: use
idp-cli deploy --headless --from-code .as described above. - Import configuration: upload configuration to the new stack (
idp-cli config-upload ...). - Validate: process a sample document end-to-end.
GovCloud pricing differs from commercial regions:
- Review GovCloud Pricing
- Update cost estimates in your configuration accordingly
- Monitor actual usage through the billing dashboard
- Data encryption and retention policies are preserved (same as Commercial deployments)
- All processing remains within the GovCloud boundary
- No data egress to commercial AWS regions
- Headless Deployment — the generic headless-mode guide (required reading for GovCloud)
- IDP CLI —
deploy --headless,publish --headless, and all processing commands - IDP SDK — programmatic SDK including
publish.build(headless=True) - Deployment Guide — general build / publish / deploy reference