The AWS GovCloud integration enables security and compliance teams to automate continuous monitoring and evidence collection for infrastructure-level security controls within AWS GovCloud environments.
Key Capabilities
- Infrastructure Monitoring: Continuously monitors AWS GovCloud configurations for compliance evidence. 
- Evidence Collection: Automatically collects data across dozens of security controls. 
Prerequisites & Data Access
- Must have Admin access in your AWS GovCloud account. 
- Must have permissions to create IAM roles and assign the SecurityAudit policy. 
- Must have access to the Drata Connections page. 
- Carefully review your organization’s data residency and compliance requirements before enabling this integration. 
IMPORTANT NOTICE: Drata’s AWS GovCloud feature provides the same continuous compliance monitoring as our other AWS connections. However, it is important to note that Drata is currently hosted outside AWS GovCloud. You can find a complete list of our Sub-processors here.
This feature involves granting Drata the read-only access defined by AWS's managed SecurityAudit policy, which may not be appropriate in all AWS GovCloud use cases.
Permissions & Data Table
| Permission/Scope | Why It's Needed | Data Accessed (Read Only) |
| --- | --- | --- |
| SecurityAudit Policy | Grants read-only visibility into AWS services and configurations for compliance monitoring. | Infrastructure configuration, encryption settings, IAM roles, and audit metadata |
Step-by-Step Setup
Step 1: Open the AWS GovCloud Connection in Drata
- Navigate to Connections → Available Connections in Drata. 
- Search for AWS GovCloud or go directly to the connection URL: 
 https://app.drata.com/account-settings/connections/connection?provId=AWS_GOV_CLOUD
- Select Create Connection in the upper-right corner to begin setup. 
Expected outcome: You’ll open the guided connection instructions for AWS GovCloud.
Step 2: Create a Read-Only IAM Role in AWS GovCloud
- Sign in to your AWS GovCloud console at https://console.amazonaws-us-gov.com using an account with privileges to create IAM roles. 
- Go to the IAM service: https://console.amazonaws-us-gov.com/iam. 
- In the sidebar, select Roles, then click Create role. 
- Choose AWS account → Another AWS account. 
- Copy the Account ID shown in Drata (345844027492) into the Account ID field. Note: this is Drata's AWS GovCloud account ID, used for all customers.
- Under Require external ID, enter the External ID shown in Drata. This unique External ID ensures a secure cross-account connection between your AWS environment and Drata.
- Leave Require MFA unchecked. Click Next. 
- In the search bar, type SecurityAudit, then select the checkbox next to SecurityAudit (AWS-managed policy). Click Next. 
- (Optional) In the Role name and Description fields, enter:
  - Role name: DrataAutopilotRole
  - Description: Cross-account read-only access for Drata Autopilot.
- (Optional) Add tags if required by your organization. 
- Click Create role. 
- After creation, open the new role and copy the Role ARN. You’ll paste this into Drata in the next step. 
Note: The integration uses AWS’s default SecurityAudit policy, which grants broad read-only access. If your organization requires stricter controls, review the policy before proceeding to ensure it aligns with internal compliance requirements.
Expected outcome: You’ve created a secure, read-only IAM role in AWS GovCloud for Drata.
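The console steps above produce a role trust policy that allows only Drata's account to assume the role, and only when it presents your External ID. The following is an added example, not Drata's own code: it builds that trust policy from the page's values and audits an existing one for the two weaknesses a reviewer should look for (a wildcard or unexpected principal, and a missing or mismatched sts:ExternalId condition). The External ID string is a constructed placeholder; the aws-us-gov partition ARN for SecurityAudit is assumed to match your GovCloud account.

```python
import json

# Drata's AWS GovCloud account ID as shown on the setup page; the External ID below is a
# constructed placeholder for the unique value Drata displays per customer.
DRATA_GOVCLOUD_ACCOUNT_ID = "345844027492"
EXAMPLE_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID-FROM-DRATA"
# GovCloud ARNs use the aws-us-gov partition, including the AWS-managed SecurityAudit policy.
SECURITY_AUDIT_POLICY_ARN = "arn:aws-us-gov:iam::aws:policy/SecurityAudit"


def drata_principal(account_id: str = DRATA_GOVCLOUD_ACCOUNT_ID) -> str:
    return f"arn:aws-us-gov:iam::{account_id}:root"


def build_trust_policy(external_id: str, account_id: str = DRATA_GOVCLOUD_ACCOUNT_ID) -> dict:
    """Trust policy matching the console choices: Another AWS account, Require external ID, no MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": drata_principal(account_id)},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, external_id: str, account_id: str = DRATA_GOVCLOUD_ACCOUNT_ID) -> list:
    """Findings for a trust policy that should let only Drata assume the role with the issued External ID."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {})
        principals = principals.get("AWS", []) if isinstance(principals, dict) else principals
        principals = [principals] if isinstance(principals, str) else list(principals)
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume the role")
            elif p != drata_principal(account_id):
                findings.append(f"unexpected principal {p}")
        got_ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got_ext is None:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif got_ext != external_id:
            findings.append("sts:ExternalId does not match the value Drata issued")
    return findings


if __name__ == "__main__":
    good = build_trust_policy(EXAMPLE_EXTERNAL_ID)
    print(json.dumps(good, indent=2), "\nfindings:", audit_trust_policy(good, EXAMPLE_EXTERNAL_ID))
```

Pass the dict from `build_trust_policy` as the `AssumeRolePolicyDocument` when creating the role, then attach `SECURITY_AUDIT_POLICY_ARN`; running `audit_trust_policy` against a role's existing trust policy gives an empty list only when it is scoped the way Step 2 describes.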
Step 3: Complete the Connection in Drata
- Copy the Role ARN from your newly created role in AWS GovCloud. 
- In Drata’s connection setup, paste the Role ARN into the required field. 
- Select Save & Test Connection to validate the setup. 
- Once validated, the connection will appear under the Active Connections tab. 
| Drata Field | AWS GovCloud Value |
| --- | --- |
| Role ARN | ARN of the |
All Infrastructure monitoring tests should now also include data from the AWS GovCloud account (see the Data Encryption test below as an example).
