Skip to content
← Back to Blog
Case Study June 2026

How a Defense Organization Modernized a GovCloud Mission Platform with AWS EKS, CDK & NIST 800-53 as Code

Horus Technology rebuilt a U.S. defense organization’s mission simulation platform on AWS GovCloud as 100% infrastructure-as-code. We replaced laptop-driven deployments and hand-collected audit evidence with a reproducible Amazon EKS, AWS CDK, and GitLab OIDC pipeline that enforces NIST 800-53 Rev 5 at every build.

Overview

Challenge Run a regulated, IL-5 / CUI mission simulation platform on AWS GovCloud without the fragile, non-reproducible delivery model the program had outgrown.
Solution Partner with Horus Technology to rebuild the estate as 100% AWS CDK + Helm, with federated GitLab OIDC CI/CD and a cdk-nag NIST 800-53 Rev 5 policy gate.
Outcome A reproducible platform that rebuilds in under an hour, ships with zero long-lived credentials, and regenerates its compliance evidence on every deploy.

About the Customer

The customer is a U.S. defense and public-sector organization that operates a mission simulation platform. The system ingests geospatial and 4D entity-simulation data and streams results to operators in near real time. Because the workload handles Controlled Unclassified Information (CUI) under an IL-5 mission profile, it runs exclusively on AWS GovCloud (US) and must satisfy a NIST 800-53 Rev 5 control set. (This is an anonymized public case study; the customer’s identity is withheld for security reasons.)

Customer Challenge

The platform worked, but the way it was delivered did not scale to a regulated production posture. Services were deployed by hand from developer workstations using manual helm upgrade commands, clusters were provisioned ad hoc with eksctl, and continuous-integration jobs authenticated to AWS with long-lived static access keys. There was no infrastructure-as-code, no centralized log aggregation, and no single reproducible path to stand the environment back up.

For a CUI / IL-5 mission, that delivery model carried real risk. Control evidence for the Authority to Operate (ATO) was collected manually, only at audit time, which is slow, error-prone, and impossible to keep current between reviews. Static CI credentials are a standing attack surface. And without a reproducible build, a region-scale disruption or an accidental teardown had no fast, documented recovery path, which directly threatened mission availability.

If left unaddressed, the program faced compounding risk:

  • Accreditation risk: a failed or delayed Authority to Operate and recurring audit findings from manually assembled, stale evidence.
  • Availability risk: mission downtime with no defined recovery-time objective and no documented, reproducible rebuild path.
  • Security risk: standing credential and supply-chain exposure that a defense accreditation simply will not accept.

The program needed its infrastructure, its security controls, and its audit evidence to all become code.

Partner Solution

Horus Technology re-platformed the entire estate as code on AWS GovCloud and wrapped it in a federated, policy-gated delivery pipeline. Every AWS resource is now defined in AWS CDK (TypeScript) across a five-stack application, and the Kubernetes application chart is packaged as a CDK asset so a single cdk deploy provisions the cluster and ships the workload atomically, with no separate, hand-run Helm step.

1. Reproducible infrastructure with AWS CDK and Amazon EKS

  • AWS CDK + Helm: a five-stack application (CI federation, network, data, EKS, and optional test environments) with explicit cross-stack dependencies, so the rollout order is deterministic and the whole environment is reproducible from source. The Kubernetes application chart is packaged as a CDK asset, so one cdk deploy provisions the cluster and ships the workload together.
  • Amazon EKS (Kubernetes 1.29): the mission services run on a managed node group across two Availability Zones, with all five control-plane log streams (API, Audit, Authenticator, Controller Manager, Scheduler) delivered to Amazon CloudWatch.
  • Amazon RDS for PostgreSQL (Multi-AZ): the platform’s identity and state data store runs Multi-AZ with 14-day automated backups, deletion protection, and storage encrypted by a customer-managed key.
  • Amazon ECR: container repositories enforce image scanning on push, with lifecycle policies that expire untagged images and retain recent releases.

2. Federated identity, secrets, and encryption

  • IAM OIDC federation (GitLab): CI authenticates to AWS through AssumeRoleWithWebIdentity with branch-scoped trust and one-hour sessions, eliminating static AWS keys from the pipeline entirely.
  • IAM Roles for Service Accounts (IRSA): each pod receives its own least-privilege AWS identity rather than sharing a node role, so blast radius stays contained at the workload level.
  • AWS KMS, AWS Secrets Manager & Secrets Store CSI: a single customer-managed KMS key with rotation encrypts RDS storage, EKS Kubernetes secrets, and every Secrets Manager value. Secrets are projected into pods through the Secrets Store CSI driver, so they never live in container images or Helm values.

3. Observability and threat detection

  • Amazon CloudWatch: pod logs ship via a Fluent Bit DaemonSet to CloudWatch, and VPC Flow Logs are retained for a year for audit.
  • AWS CloudTrail: a multi-region trail with metric-filter alarms on root usage and IAM/KMS changes provides per-event attribution across the account.
  • Amazon GuardDuty: continuous threat detection across the GovCloud account completes the detective overlay.

4. Compliance as code

The policy gate is what separates this from an ordinary IaC rollout. A cdk-nag NIST 800-53 Rev 5 aspect runs at every cdk synth: any non-suppressed finding fails the build, and every accepted exception carries a written security rationale in source. Compliance evidence is therefore regenerated continuously as part of normal delivery, rather than assembled by hand at audit time. Network egress is constrained through VPC endpoints, inbound traffic enters through a single internet-facing NGINX/NLB ingress, and an air-gapped bundle path supports disconnected mission environments.

Results and Benefits

The engagement replaced the fragile, non-reproducible delivery model with a pipeline where the infrastructure provisions itself, the controls enforce themselves at build time, and the audit evidence falls out of every deploy. The mission platform was confirmed live in production on May 31, 2026, and its production cut-over passed 127 of 127 end-to-end tests (100%) against the live ingress (91 role-based, 6 multi-scenario, and 30 load tests), against a ≥95% acceptance target.

Key Results

< 1 hr
Full-environment rebuild (RTO) from CDK + Helm
127/127
End-to-end tests passing at cut-over (vs ≥95% target)
100%
Of the AWS estate defined as code
0
Long-lived CI access keys
  • Disaster recovery & reproducibility: the full GovCloud platform rebuilds in under one hour (RTO) from cdk deploy plus helm upgrade, with a 15-minute recovery point objective (RPO) on the data store.
  • Data-tier resilience: sub-minute RDS Multi-AZ failover and 14-day automated backup retention (NIST CP-9 / CP-10).
  • Validated capacity: load testing recorded 0% errors under concurrent API and streaming load, and the system remained stable through a 64-connection ramp.
  • Audit / ATO efficiency: NIST 800-53 Rev 5 evidence is regenerated at synth time on every deploy instead of collected by hand at audit, and non-compliant changes never reach production because they fail the build.
  • Security posture: zero long-lived CI credentials, least-privilege per-pod IRSA identities, and root access reserved for documented break-glass use only.
  • Cost governance: a predictable, governed monthly run-rate with AWS Budgets and Cost Anomaly Detection, reconciled monthly against the cost model.

Before and after, side by side:

Before After
Manual helm upgrade from laptops Automated cdk deploy
Static AWS access keys in CI GitLab OIDC AssumeRoleWithWebIdentity, branch-scoped
Manual ATO evidence collection at audit time cdk-nag NIST 800-53 R5 evaluated at synth time
Manual eksctl cluster provisioning Deterministic CDK synth

About the Partner

Horus Technology is a San Diego-based AWS and AI consulting firm founded by former AWS engineers. We help organizations design, build, and operate secure, well-architected cloud platforms, with specialization in AWS DevOps and infrastructure-as-code, regulated and GovCloud workloads, generative AI, and intelligent document processing. Our team delivers production systems that meet rigorous compliance bars while staying reproducible, observable, and cost-governed.

Highlights

Industry Defense / Public Sector
Solution GovCloud DevOps modernization: infrastructure-as-code, federated CI/CD, and compliance as code
AWS services Amazon EKS, Amazon RDS, AWS CDK, Amazon ECR, AWS KMS, AWS Secrets Manager, Amazon CloudWatch, Amazon GuardDuty, AWS CloudTrail, IAM OIDC federation
Delivery Horus Technology

See also: AWS Consulting Services | Generative AI Services | AWS Migration Case Study