Horus Technology rebuilt a U.S. defense organization’s mission simulation platform on AWS GovCloud as 100% infrastructure-as-code. We replaced laptop-driven deployments and hand-collected audit evidence with a reproducible Amazon EKS, AWS CDK, and GitLab OIDC pipeline that enforces NIST 800-53 Rev 5 at every build.
Overview
| Challenge | Run a regulated, IL-5 / CUI mission simulation platform on AWS GovCloud without the fragile, non-reproducible delivery model the program had outgrown. |
| Solution | Partner with Horus Technology to rebuild the estate as 100% AWS CDK + Helm, with federated GitLab OIDC CI/CD and a cdk-nag NIST 800-53 Rev 5 policy gate. |
| Outcome | A reproducible platform that rebuilds in under an hour, ships with zero long-lived credentials, and regenerates its compliance evidence on every deploy. |
About the Customer
The customer is a U.S. defense and public-sector organization that operates a mission simulation platform. The system ingests geospatial and 4D entity-simulation data and streams results to operators in near real time. Because the workload handles Controlled Unclassified Information (CUI) under an IL-5 mission profile, it runs exclusively on AWS GovCloud (US) and must satisfy a NIST 800-53 Rev 5 control set. (This is an anonymized public case study; the customer’s identity is withheld for security reasons.)
Customer Challenge
The platform worked, but the way it was delivered did not scale to a regulated production posture. Services were deployed by hand from developer workstations using manual helm upgrade commands, clusters were provisioned ad hoc with eksctl, and continuous-integration jobs authenticated to AWS with long-lived static access keys. There was no infrastructure-as-code, no centralized log aggregation, and no single reproducible path to stand the environment back up.
For a CUI / IL-5 mission, that delivery model carried real risk. Control evidence for the Authority to Operate (ATO) was collected manually, only at audit time, which is slow, error-prone, and impossible to keep current between reviews. Static CI credentials are a standing attack surface. And without a reproducible build, a region-scale disruption or an accidental teardown had no fast, documented recovery path, which directly threatened mission availability.
If left unaddressed, the program faced compounding risk:
- Accreditation risk: a failed or delayed Authority to Operate and recurring audit findings from manually assembled, stale evidence.
- Availability risk: mission downtime with no defined recovery-time objective and no documented, reproducible rebuild path.
- Security risk: standing credential and supply-chain exposure that a defense accreditation simply will not accept.
The program needed its infrastructure, its security controls, and its audit evidence to all become code.
Partner Solution
Horus Technology re-platformed the entire estate as code on AWS GovCloud and wrapped it in a federated, policy-gated delivery pipeline. Every AWS resource is now defined in AWS CDK (TypeScript) across a five-stack application, and the Kubernetes application chart is packaged as a CDK asset so a single cdk deploy provisions the cluster and ships the workload atomically, with no separate, hand-run Helm step.
1. Reproducible infrastructure with AWS CDK and Amazon EKS
- AWS CDK + Helm: a five-stack application (CI federation, network, data, EKS, and optional test environments) with explicit cross-stack dependencies, so the rollout order is deterministic and the whole environment is reproducible from source. The Kubernetes application chart is packaged as a CDK asset, so one
cdk deployprovisions the cluster and ships the workload together. - Amazon EKS (Kubernetes 1.29): the mission services run on a managed node group across two Availability Zones, with all five control-plane log streams (API, Audit, Authenticator, Controller Manager, Scheduler) delivered to Amazon CloudWatch.
- Amazon RDS for PostgreSQL (Multi-AZ): the platform’s identity and state data store runs Multi-AZ with 14-day automated backups, deletion protection, and storage encrypted by a customer-managed key.
- Amazon ECR: container repositories enforce image scanning on push, with lifecycle policies that expire untagged images and retain recent releases.
2. Federated identity, secrets, and encryption
- IAM OIDC federation (GitLab): CI authenticates to AWS through
AssumeRoleWithWebIdentitywith branch-scoped trust and one-hour sessions, eliminating static AWS keys from the pipeline entirely. - IAM Roles for Service Accounts (IRSA): each pod receives its own least-privilege AWS identity rather than sharing a node role, so blast radius stays contained at the workload level.
- AWS KMS, AWS Secrets Manager & Secrets Store CSI: a single customer-managed KMS key with rotation encrypts RDS storage, EKS Kubernetes secrets, and every Secrets Manager value. Secrets are projected into pods through the Secrets Store CSI driver, so they never live in container images or Helm values.
3. Observability and threat detection
- Amazon CloudWatch: pod logs ship via a Fluent Bit DaemonSet to CloudWatch, and VPC Flow Logs are retained for a year for audit.
- AWS CloudTrail: a multi-region trail with metric-filter alarms on root usage and IAM/KMS changes provides per-event attribution across the account.
- Amazon GuardDuty: continuous threat detection across the GovCloud account completes the detective overlay.
4. Compliance as code
The policy gate is what separates this from an ordinary IaC rollout. A cdk-nag NIST 800-53 Rev 5 aspect runs at every cdk synth: any non-suppressed finding fails the build, and every accepted exception carries a written security rationale in source. Compliance evidence is therefore regenerated continuously as part of normal delivery, rather than assembled by hand at audit time. Network egress is constrained through VPC endpoints, inbound traffic enters through a single internet-facing NGINX/NLB ingress, and an air-gapped bundle path supports disconnected mission environments.
Results and Benefits
The engagement replaced the fragile, non-reproducible delivery model with a pipeline where the infrastructure provisions itself, the controls enforce themselves at build time, and the audit evidence falls out of every deploy. The mission platform was confirmed live in production on May 31, 2026, and its production cut-over passed 127 of 127 end-to-end tests (100%) against the live ingress (91 role-based, 6 multi-scenario, and 30 load tests), against a ≥95% acceptance target.
Key Results
- Disaster recovery & reproducibility: the full GovCloud platform rebuilds in under one hour (RTO) from
cdk deployplushelm upgrade, with a 15-minute recovery point objective (RPO) on the data store. - Data-tier resilience: sub-minute RDS Multi-AZ failover and 14-day automated backup retention (NIST CP-9 / CP-10).
- Validated capacity: load testing recorded 0% errors under concurrent API and streaming load, and the system remained stable through a 64-connection ramp.
- Audit / ATO efficiency: NIST 800-53 Rev 5 evidence is regenerated at synth time on every deploy instead of collected by hand at audit, and non-compliant changes never reach production because they fail the build.
- Security posture: zero long-lived CI credentials, least-privilege per-pod IRSA identities, and root access reserved for documented break-glass use only.
- Cost governance: a predictable, governed monthly run-rate with AWS Budgets and Cost Anomaly Detection, reconciled monthly against the cost model.
Before and after, side by side:
| Before | After |
|---|---|
Manual helm upgrade from laptops |
Automated cdk deploy |
| Static AWS access keys in CI | GitLab OIDC AssumeRoleWithWebIdentity, branch-scoped |
| Manual ATO evidence collection at audit time | cdk-nag NIST 800-53 R5 evaluated at synth time |
Manual eksctl cluster provisioning |
Deterministic CDK synth |
About the Partner
Horus Technology is a San Diego-based AWS and AI consulting firm founded by former AWS engineers. We help organizations design, build, and operate secure, well-architected cloud platforms, with specialization in AWS DevOps and infrastructure-as-code, regulated and GovCloud workloads, generative AI, and intelligent document processing. Our team delivers production systems that meet rigorous compliance bars while staying reproducible, observable, and cost-governed.
Highlights
| Industry | Defense / Public Sector |
| Solution | GovCloud DevOps modernization: infrastructure-as-code, federated CI/CD, and compliance as code |
| AWS services | Amazon EKS, Amazon RDS, AWS CDK, Amazon ECR, AWS KMS, AWS Secrets Manager, Amazon CloudWatch, Amazon GuardDuty, AWS CloudTrail, IAM OIDC federation |
| Delivery | Horus Technology |
See also: AWS Consulting Services | Generative AI Services | AWS Migration Case Study