AWS GovCloud

Overview

Databricks supports deployments in AWS GovCloud (US) regions to meet the compliance, security, and data residency requirements of U.S. government agencies and contractors. The Security Reference Architecture (SRA) Terraform templates have been extended to support GovCloud-specific configurations while maintaining the same security-first design principles as commercial regions.

GovCloud deployments provide a controlled environment that adheres to U.S. government security and regulatory standards such as FedRAMP High and DoD IL5. These deployments ensure that all data and metadata remain within the U.S., operated exclusively by screened U.S. personnel.

Configuration Requirements

In addition to the steps outlined in the Getting Started page, the following parameters must be defined in the Terraform configuration (.tfvars) when deploying in a GovCloud region:

  • Region: Set region to us-gov-west-1.
  • GovCloud Shard: Set databricks_gov_shard to either civilian or dod.
    • Use civilian for most U.S. government agency workloads.
    • Use dod for Department of Defense (DoD) environments.

      NOTE: The dod shard is restricted to customers with a .mil email address.

For all non-GovCloud (commercial) deployments, leave databricks_gov_shard set to null.
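
The region and shard rules above can be enforced at plan time so that a mismatched pair fails before any resource is created. This guard is an added example, not part of the SRA templates: it assumes the root module already declares var.region and var.databricks_gov_shard as described on this page, the file name and the govcloud_guard resource name are hypothetical, and terraform_data requires Terraform 1.4 or later.

```hcl
# govcloud_guard.tf (hypothetical file name; added example, not SRA code)
#
# Matching .tfvars for a GovCloud deployment, per the parameters above:
#   region               = "us-gov-west-1"
#   databricks_gov_shard = "civilian"   # or "dod"
#
# Matching .tfvars for a commercial deployment (constructed sample region):
#   region               = "us-east-1"
#   databricks_gov_shard = null

locals {
  # The only GovCloud region this page names for Databricks deployments.
  govcloud_regions = ["us-gov-west-1"]
  is_govcloud      = contains(local.govcloud_regions, var.region)
  shard_is_set     = var.databricks_gov_shard != null
}

# terraform_data creates no infrastructure; it only carries the preconditions.
resource "terraform_data" "govcloud_guard" {
  lifecycle {
    # Rule 1: when set, the shard must be one of the two documented values.
    # The conditional keeps contains() from being called with null.
    precondition {
      condition = (
        var.databricks_gov_shard == null
        ? true
        : contains(["civilian", "dod"], var.databricks_gov_shard)
      )
      error_message = "databricks_gov_shard must be \"civilian\", \"dod\", or null."
    }

    # Rule 2: GovCloud region requires a shard.
    precondition {
      condition     = !local.is_govcloud || local.shard_is_set
      error_message = "region is a GovCloud region, so databricks_gov_shard must be \"civilian\" or \"dod\"."
    }

    # Rule 3: commercial regions must leave the shard null.
    precondition {
      condition     = local.is_govcloud || !local.shard_is_set
      error_message = "databricks_gov_shard must be null for non-GovCloud (commercial) regions."
    }
  }
}
```

With this file in the root module, terraform plan stops with the corresponding error message when region and databricks_gov_shard disagree.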

Networking and Access Considerations

  • Private Connectivity: GovCloud workspaces can be deployed with full private connectivity through AWS PrivateLink, ensuring no traffic traverses the public internet from the classic compute plane.
  • Region Isolation: All data and metadata remain within the designated GovCloud region, ensuring compliance with government data residency requirements.
  • IAM and Policy Controls: Follow the same IAM and endpoint policy guidance as commercial SRA deployments, while aligning with agency-specific security baselines.

Additional Resources