AWS Public Sector Blog

How to improve government customer experience by building a modern serverless web application in AWS GovCloud (US)

Whether filing taxes, applying for student financial aid, seeking healthcare coverage, or receiving disaster support, customers are increasingly using internet-based web applications as the primary method of interaction with the federal government. Improving the customer experience (CX) of web applications provided by the US federal government is an executive priority, and part of the President’s Management Agenda (PMA). For a positive customer experience, web applications need to be highly responsive.

Modern applications built using microservices architectures improve customer experience by dramatically reducing the risk of failures in a web application. With microservices architecture, developers build an application with independent components that run each application process as a service. These services communicate via a well-defined interface using lightweight APIs. Services are built for specific business capabilities and each service performs a single function. Because they run independently, each service can be updated, deployed, and scaled to meet demand for specific functions of an application.

In the blog post, “Architecture framework for transforming federal customer experience and service delivery,” we described an architecture framework along with a curated set of services from Amazon Web Services (AWS) that agencies can use to build and deploy modern applications using a microservices architecture. In this blog post, we present a sample reference architecture of a microservices application built using services selected from the previously described architecture framework. Several agencies require their workloads to adhere to the Federal Risk and Authorization Management Program (FedRAMP) High Baseline. Web applications built in the AWS GovCloud (US) Region can accomplish this objective. Note: to provide a highly responsive and low latency application across the US and other countries, we use Amazon CloudFront deployed in a standard AWS Region in this walkthrough, as Amazon CloudFront is currently not available from the AWS GovCloud (US) Regions.

Serverless web application reference architecture in AWS GovCloud (US)

Figure 1 illustrates the sample reference architecture of a serverless application built across the AWS GovCloud (US) Region and the standard AWS Region US East (N. Virginia).

Figure 1. Reference architecture for implementing a modern application on AWS GovCloud (US).

The application consists of a single page application (SPA) built using any front-end framework or library such as Angular or React. The static content of the SPA is hosted in an Amazon Simple Storage Service (Amazon S3) bucket in an AWS account in the AWS GovCloud (US-West) Region. If the application serves users across a widely dispersed geographic region, then using a content delivery network is important to reduce the latency of the application for improved CX.

To achieve low latency, use Amazon CloudFront in an AWS account in any standard region. Amazon Cognito user pools provide authentication for the application. Agencies can either use this option directly, or choose to integrate Amazon Cognito with an external Security Assertion Markup Language (SAML)-based authentication service. The SPA invokes microservices deployed using AWS Lambda and exposed as RESTful endpoints with Amazon API Gateway. The architecture uses Amazon Cognito user pools so that only authenticated users can call the endpoints on Amazon API Gateway. Agencies can also choose to use custom authorizers instead of Amazon Cognito user pools for API authentication. AWS Lambda integrates with Amazon DynamoDB for managing data persistence as well as the state of the application. AWS WAF, a web application firewall, helps protect the static content as well as the APIs against common web exploits and bots.

Modern serverless web application configuration details

In this section, we walk through the necessary steps to set up the above reference architecture in AWS using a simple application. The application takes your first name and last name as inputs and returns a greeting with your full name.

Prerequisites

We assume basic familiarity with the AWS Management Console and serverless service configurations, as well as a basic understanding of building a web service. We also assume experience with deploying applications using AWS Cloud Development Kit (AWS CDK). To complete the configuration, you need the following:

1. Access to an AWS account in AWS GovCloud (US)

2. Access to an AWS account in US-East-1

3. AWS Identity and Access Management (IAM) permissions to set up and configure the services in the reference architecture.

4. Make sure that account level Block Public Access is disabled in Amazon S3 in the AWS GovCloud (US) account, as shown in Figure 2. This should be done in an account where you do not have any sensitive information. In a production environment, the entire setup should be done in a separate account dedicated for this purpose.

Figure 2. Remove Block Public Access settings in Amazon S3.

5. To deploy the architecture for the AWS GovCloud (US) Region, visit the GitHub repo and follow the instructions in the README.md file.

How to configure a modern serverless web application in AWS GovCloud (US)

1. In order to upload files for the web application to the Amazon S3 bucket, follow the ‘Configuring and building the frontend application’ and then ‘Upload the frontend application artifacts to the frontend (Amazon S3) Bucket’ sections, as specified in the installation instructions in the README.md file.

Figure 3. Upload files for the web application to the Amazon S3 bucket.

2. In your account in the standard AWS Region US East (N. Virginia), create an Amazon CloudFront distribution. For the origin name, enter the domain name of the Amazon S3 website bucket created in Step 5 of the Prerequisites section. (Note: you cannot directly select an origin from the listed Amazon S3 buckets.) Make a note of the distribution domain name.

3. To make sure that Amazon S3 is not open for direct retrieval of objects, add a custom header called “Referer” with the value “referertest” (Figure 4).

Figure 4. Add a custom header to the distribution.

4. In the AWS GovCloud (US) account, under the Permissions of the bucket, confirm that the Bucket Policy specifies the custom header from CloudFront.

Figure 5. Bucket policy in the AWS GovCloud (US) account.

In case the bucket policy needs to be updated, edit and enter the following policy and save the changes:

{
    "Version": "2012-10-17",
    "Id": "http referer policy example",
    "Statement": [
        {
            "Sid": "Allow get requests from Cloudfront",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws-us-gov:s3:::<bucket-name>/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "referertest"
                }
            }
        }
    ]
}

Make sure the indentation is exactly as shown above; otherwise, you may get an error when saving.
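Step 4 asks you to confirm that the bucket policy carries the custom header that CloudFront sends. The following Python check is added here and is not part of the original post or its GitHub repo: it parses the policy above and reports any anonymous (Principal "*") Allow statement that lacks the aws:Referer condition, grants more than object reads, or points outside the aws-us-gov partition used by AWS GovCloud (US). The header value referertest and the <bucket-name> placeholder are taken from the walkthrough.

```python
import json

# Bucket policy from Step 4 of the walkthrough; <bucket-name> is a placeholder.
GOVCLOUD_POLICY = """{
    "Version": "2012-10-17",
    "Id": "http referer policy example",
    "Statement": [{
        "Sid": "Allow get requests from Cloudfront",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Resource": "arn:aws-us-gov:s3:::<bucket-name>/*",
        "Condition": {"StringLike": {"aws:Referer": "referertest"}}
    }]
}"""

def as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def check_policy(policy_text, expected_referer="referertest"):
    """Findings for each anonymous ('Principal': '*') Allow statement that deviates
    from the walkthrough; an empty list means the policy checks out."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") != "*":
            continue  # only anonymous grants matter for the direct-retrieval check
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            if action not in ("s3:GetObject", "s3:GetObjectVersion"):
                findings.append(f"{sid}: anonymous principal granted {action}")
        for arn in as_list(stmt.get("Resource", [])):
            if not arn.startswith("arn:aws-us-gov:s3:::"):
                findings.append(f"{sid}: {arn} is not in the aws-us-gov partition")
        cond = stmt.get("Condition", {})
        referer = None
        for operator in ("StringEquals", "StringLike"):
            referer = cond.get(operator, {}).get("aws:Referer", referer)
        if referer is None:
            findings.append(f"{sid}: no aws:Referer condition, objects are fetchable directly")
        elif referer != expected_referer:
            findings.append(f"{sid}: aws:Referer is {referer!r}, CloudFront sends {expected_referer!r}")
    return findings
```

Because the check parses the policy with json.loads first, a malformed policy is reported before the console would reject it on save.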

Figure 6. Save bucket policy in the AWS GovCloud (US) account.

Congratulations! You now have a secure working serverless web application in AWS GovCloud (US) that uses CloudFront for static content distribution from the commercial region. Your application consists of an SPA with content in Amazon S3 that invokes an API on Amazon API Gateway, integrated with Lambda and protected by Amazon Cognito.

5. To test the application, open the domain name of the CloudFront distribution that you noted in Step 2 in a web browser. Create users in the Amazon Cognito user pool by using the Sign-up tab of the application.

6. Using the credentials created in Step 5, log in to the application using the Sign-In tab. Once signed in successfully, enter values in the First Name and Last Name text fields. Select the Call API button. You should get a response back of “Hello from Lambda, <First Name value> <Last Name value>” as shown in Figure 7.

Figure 7. Testing the application returns the response “Hello from Lambda, Testing User.”

AWS can help government agencies scale rapidly to deliver on CX

In this blog post, we presented a sample reference architecture and configuration details of a microservices-based application deployed in AWS GovCloud (US) that leverages Amazon CloudFront from a commercial region. Modern applications built using a microservices architecture can dramatically reduce the risk of failures in a web application for improved customer experience. Amazon CloudFront further enhances this experience by enabling a highly responsive and low latency web application for customers based across the US and other countries. To get started on a proof-of-concept or implementation project using this reference architecture, or to learn more about AWS serverless and managed services, contact your AWS account team or reach out to the AWS Public Sector team.

Sanjeev Pulapaka

Sanjeev is a principal solutions architect on the US Federal Civilian team at Amazon Web Services (AWS). He works closely with customers in building and architecting mission-critical solutions. Sanjeev has an undergraduate degree in engineering from the Indian Institute of Technology and an MBA from the University of Notre Dame.

Mickey Iqbal

Mickey is director of enterprise and principal technologists at Amazon Web Services (AWS). He leads a global team of expert builders who deliver innovative and scalable cloud solutions for public sector customers worldwide. Before joining AWS, Mickey was an IBM Fellow and vice president, a CEO of a digital health startup, and a co-author of three technical books and multiple publications. He has also filed 40-plus patents and received the 2018 Asian American Engineer of the Year award from AAEOY.org.

Rajarshi Das

Rajarshi Das is a senior solutions architect at Amazon Web Services (AWS). He focuses on helping public sector customers accelerate their security and compliance certifications and authorizations by architecting secure and scalable solutions. Rajarshi holds four AWS certifications including AWS Certified Solutions Architect – Professional and AWS Certified Security – Specialist.