Principal past performance · January–April 2023 · Enduvo, Inc.
Pre-ATO GovCloud Migration — 60 Days, Delivered on Schedule
A commercial learning-platform company had 60 days to move a production Azure Kubernetes workload into AWS GovCloud and pass a provisional Authority to Operate review for their DoD customer. One engineer — Joel Comeaux, now the founder of Aegis Cloud Group — delivered it end-to-end, on schedule, as a W-2 employee of Enduvo prior to founding ACG. This is the engagement the practice is built around, cited here as key-personnel past performance rather than as a corporate ACG engagement.
The problem
The client had a product in active use at a DoD customer and a looming provisional ATO milestone. The existing production stack ran on Azure Kubernetes Service (AKS) — a credible commercial architecture, but not a viable one for the ATO path. The program needed to be running in AWS GovCloud, under a defensible control posture mapped to NIST 800-53, and documented well enough that the compliance team could carry the A&A package to the end customer within the deadline.
There was no existing GovCloud footprint. There was no existing IaC codebase. There was no existing CI/CD pipeline that would work inside an isolated AWS partition. The team that had built the original AKS platform didn't have GovCloud experience, and the compliance team didn't have infrastructure engineering capacity to build what they needed to document. The window was 60 days.
The approach: descope first, then build
A one-to-one lift of the AKS platform into GovCloud would have been both the obvious path and the wrong one. Moving a containerized platform across cloud boundaries preserves the original attack surface, adds new control mappings for the runtime and the orchestrator, and multiplies the number of technical control artifacts the compliance team has to evidence. The 60-day window made that path untenable.
The decision was to descope the architecture before migrating it: shrink the attack surface deliberately, eliminate entire control families by removing their underlying components, and land on a serverless-first AWS GovCloud architecture that the compliance team could document with a fraction of the effort. The principle at work is the one that shows up on the Design Principles page as security-is-a-graph and operating-shouldn't-be-a-slog: fewer moving parts, fewer edges to map, fewer things to keep running in production.
The technical build
The target architecture landed on a serverless stack inside AWS GovCloud:
- Compute — AWS Lambda for application logic, replacing the Kubernetes Deployment + Service model entirely. Cold-start and concurrency characteristics were validated against the actual production traffic profile before commit.
- API surface — Amazon API Gateway with request-level authorization and usage plans. Fewer edge-routing components, one audited control plane.
- Data — Amazon Aurora PostgreSQL for transactional data (the application's primary store), Amazon DynamoDB for session and document state, and Amazon S3 for object storage. Each store mapped to a specific control family on the compliance side.
- Keys and secrets — AWS KMS for encryption-at-rest on every store, AWS Secrets Manager for application credentials. The key-management posture was built to survive the ATO review specifically — no IAM user secrets, no hand-rolled envelope encryption.
- CI/CD — AWS CodeBuild and CodePipeline running inside GovCloud, pulling a mirrored GitHub repository through a source connection that worked within the partition's constraints. The build and deploy path was inside the boundary so the pipeline itself was part of the authorization package.
- Infrastructure as code — Everything above, declared in code, version-controlled, and reviewable end-to-end. No click-ops. The IaC codebase itself was an audit artifact.
Constraints that mattered
- GovCloud is a separate partition. You can't just copy an IAM role from a commercial account and expect it to work. Every service dependency, every endpoint URL, every partition ARN had to be explicitly built for GovCloud from the start.
- GitHub source integration has quirks in GovCloud. The CodePipeline integration paths that are standard in commercial AWS don't all map cleanly into GovCloud regions. Getting a clean, reliable source-to-build pipeline inside the boundary required working around region-specific limitations that weren't obvious until the path was being built.
- One engineer, one deadline. There was no team to delegate to. Architecture, IaC, CI/CD, infrastructure, operational handoff, and coordination with the client's compliance team all had to happen in parallel within the 60-day window.
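The partition constraint above can be checked mechanically before a template or policy reaches the boundary. The following is an added example, not code from the engagement's IaC codebase: it walks a parsed policy or template and flags ARNs and endpoints that will not resolve in GovCloud. The function names and the sample document are constructed for illustration, and it assumes the GovCloud partition ID `aws-us-gov` with regions `us-gov-west-1` and `us-gov-east-1`.

```python
import re

# Assumption: GovCloud partition ID and its two regions.
GOV_PARTITION = "aws-us-gov"
GOV_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
ARN_RE = re.compile(r"arn:(aws[a-z-]*):([a-z0-9-]+):([a-z0-9-]*):")
ENDPOINT_RE = re.compile(r"\b[a-z0-9-]+\.([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com\b")


def walk(node, path="$"):
    """Yield (json_path, string_value) for every string in a parsed template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def partition_findings(template):
    """Return sorted (json_path, reason) pairs for values that will not resolve in GovCloud."""
    findings = []
    for path, text in walk(template):
        for partition, service, region in ARN_RE.findall(text):
            if partition != GOV_PARTITION:
                findings.append((path, f"{service} ARN uses partition '{partition}'"))
            elif region and region not in GOV_REGIONS:
                findings.append((path, f"{service} ARN names non-GovCloud region '{region}'"))
        for region in ENDPOINT_RE.findall(text):
            if region not in GOV_REGIONS:
                findings.append((path, f"endpoint pinned to non-GovCloud region '{region}'"))
    return sorted(findings)


# Constructed sample: a policy fragment partly copied from a commercial account.
SAMPLE = {
    "Statement": [
        {"Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-artifacts/*"},
        {"Action": "kms:Decrypt", "Resource": "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/EXAMPLE"},
        {"Action": "lambda:InvokeFunction", "Resource": "arn:aws-us-gov:lambda:us-east-1:111122223333:function:example"},
    ],
    "Endpoint": "https://secretsmanager.us-east-1.amazonaws.com",
}

if __name__ == "__main__":
    for path, reason in partition_findings(SAMPLE):
        print(f"{path}: {reason}")
```

Run as a pre-merge check over rendered templates, a non-empty result is a reason to fail the build rather than discover the mismatch at deploy time inside the boundary.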
The outcome
The migration was delivered on schedule. The pre-ATO milestone was met. The compliance team carried the A&A package forward with the technical control artifacts, IaC codebase, and control mapping documentation produced during the engagement. The target GovCloud environment went into operation, the AKS platform was decommissioned, and the deadline was hit.
The descope-first approach paid off at exactly the point it was supposed to: the A&A package covered fewer components than a like-for-like migration would have, and the compliance team's documentation burden shrank accordingly. That's the architectural lever that makes tight pre-ATO deadlines possible — not just moving faster, but moving less.
What I'd do differently
Two things, both in hindsight. First: more aggressive pre-commit investment in the GovCloud-specific CI/CD path. The CodePipeline-plus-GitHub integration in GovCloud has enough partition-specific quirks that a day or two of prototype work early would have saved time later. Second: tighter coordination with the compliance team on control mapping during the architecture phase, not after. I learned that the infrastructure decisions that seem purely technical (what service, what region, what VPC endpoint) are also control-mapping decisions, and the earlier those are made together, the less rework both sides do.
Neither issue affected the delivery date. Both are now part of how ACG runs pre-ATO engagements.
The takeaway
Deadline-driven pre-ATO sprints are not how healthy federal programs should run — but when they happen, they're won by descope-first architecture and end-to-end ownership, not by throwing more people at the deadline. That's the engagement model ACG is built around, and the Enduvo migration is the canonical example.