How we architected a FedRAMP Moderate boundary on AWS GovCloud for an AI SaaS

A redacted engineering write-up: draw the authorization boundary first, then write Terraform. Account topology, Bedrock under a BAA, KMS, OPA gates, and an SSP generated from modules.

mercoledì 3 giugno 2026 New tab

1,237 words~6 min read

Draw the boundary first. Then write Terraform.

A federal customer was ready to procure. The architecture was not.

This is a redacted write-up of a real engagement: a FedRAMP Moderate authorization boundary built on AWS GovCloud for an AI SaaS vendor selling into federal buyers, against a customer-driven timeline tied to a fiscal year.

The context

The client ran production on commercial AWS with a strong engineering culture, modern Terraform practice, and zero prior federal experience. A federal customer had committed to procurement contingent on a FedRAMP Moderate path, with an aggressive deadline.

How we architected a FedRAMP Moderate boundary on AWS GovCloud for an AI SaaS

How we architected a FedRAMP Moderate boundary on AWS GovCloud for an AI SaaS

Other newsrooms on this story

Related reading

Terraform with AI: Build AWS Infra (Cursor + MCP)

I Built a Multi-Tenant SaaS for 50+ Tenants — Here's the Complete Architecture

Terraforming a Production-Lite GCP Web Platform: MIG, Cloud NAT, Load Balancer,…

Automating AWS Well-Architected Reviews with Kiro CLI

AWS to Quick admins: The access control didn't work, but you weren't using it…

Zero-Trust RAG: Defeating the Shared Private Link Deadlock in Azure Terraform

Other newsrooms on this story

Related reading

Terraform with AI: Build AWS Infra (Cursor + MCP)

I Built a Multi-Tenant SaaS for 50+ Tenants — Here's the Complete Architecture

Terraforming a Production-Lite GCP Web Platform: MIG, Cloud NAT, Load Balancer,…

Automating AWS Well-Architected Reviews with Kiro CLI

AWS to Quick admins: The access control didn't work, but you weren't using it…

Zero-Trust RAG: Defeating the Shared Private Link Deadlock in Azure Terraform