Databricks on AWS GovCloud

This article describes the Databricks on AWS GovCloud offering and its compliance controls.

AWS GovCloud overview

AWS GovCloud gives United States government customers and their partners the flexibility to architect secure cloud solutions that comply with the FedRAMP High baseline and other compliance regimes, including United States International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR). For details, see AWS GovCloud.

Databricks on AWS GovCloud provides the Databricks platform deployed in AWS GovCloud with compliance and security controls. Databricks on AWS GovCloud is operated exclusively by US citizens on US soil.

Note

The Databricks GovCloud Help Center is where you submit and manage support cases. Go to https://help.databricks.us/s/. Do not share any export-controlled data regarding support cases through channels other than the Databricks GovCloud Help Center. For more information on support, see Support.

When a Databricks on AWS GovCloud account is provisioned, the account owner receives an email with a short-lived login URL.

Compliance security profile

The compliance security profile is enabled on all Databricks on AWS GovCloud workspaces by default. The compliance security profile has additional monitoring, enforced instance types for inter-node encryption, a hardened compute image, and other features that help meet the requirements of FedRAMP High compliance. Automatic cluster update and enhanced security monitoring are also automatically enabled.

The compliance security profile enforces the use of AWS Nitro instance types that provide both hardware-implemented network encryption between cluster nodes and encryption at rest for local disks in clusters and Databricks SQL warehouses. Fleet instances are not available in AWS GovCloud. The supported instance types are:

  • General purpose: M5dn, M5n, M5zn, M6i, M7i, M6id, M6in, M6idn

  • Compute optimized: C5a, C5ad, C5n, C6i, C6id, C7i, C6in

  • Memory optimized: R6i, R7i, R7iz, R6id, R6in, R6idn

  • Storage optimized: D3, D3en, P3dn, R5dn, R5n, I4i, I3en

  • Accelerated computing: G4dn, G5, P4d, P4de, P5

For more information on the compliance security profile, see Compliance security profile.

FedRAMP High compliance

The FedRAMP High authorization status of Databricks on AWS GovCloud is currently In Process.

Customers are responsible for implementing and operating applicable FedRAMP High compliance controls as documented in the Control Implementation Summary / Customer Responsibility Matrix in SSP Appendix J of the Databricks FedRAMP authorization documentation package. US Government agencies can obtain access to the Databricks FedRAMP High authorization documentation through the FedRAMP package access request form. Follow the instructions on the Databricks FedRAMP Marketplace listing (package ID: FR2324740262).

You must configure the following on Databricks on AWS GovCloud workspaces:

Databricks for AWS GovCloud region and URLs

The Databricks AWS account ID for Databricks on AWS GovCloud is 044793339203. This account ID is required to create and configure a cross-account IAM role for Databricks workspace deployment. See Create an IAM role for workspace deployment.

Databricks on AWS GovCloud workspaces are in the us-gov-west-1 region. For region information, see Databricks clouds and regions.

Databricks on AWS GovCloud URLs differ from Databricks URLs on the commercial offering. Use the following URLs for Databricks on AWS GovCloud:

  • Databricks account console URL: https://accounts.cloud.databricks.us

  • Base URL for account-level REST APIs: https://accounts.cloud.databricks.us/

  • Databricks workspace URL: https://<deployment-name>.cloud.databricks.us

    For example, if the deployment name you specified during workspace creation is ABCSales, your workspace URL is https://abcsales.cloud.databricks.us.

  • Base URL for workspace-level REST APIs: https://<deployment-name>.cloud.databricks.us/
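A pre-deployment check for the supported instance list and the GovCloud URLs above, as an added example that is not Databricks code. It assumes cluster specs are dictionaries with node_type_id and driver_node_type_id fields; the function names and sample specs are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Instance families copied from the supported list on this page.
SUPPORTED_FAMILIES = set("""
    m5dn m5n m5zn m6i m7i m6id m6in m6idn
    c5a c5ad c5n c6i c6id c7i c6in
    r6i r7i r7iz r6id r6in r6idn
    d3 d3en p3dn r5dn r5n i4i i3en
    g4dn g5 p4d p4de p5
""".split())
GOV_SUFFIX = ".cloud.databricks.us"  # domain of the GovCloud URLs on this page
NODE_TYPE = re.compile(r"^([a-z0-9]+)\.[a-z0-9]+$")  # e.g. m6i.xlarge

def check_url(url):
    """Return a finding if url is not an HTTPS URL under the GovCloud domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return f"{url}: scheme is not https"
    if not host.endswith(GOV_SUFFIX):
        return f"{url}: host is not under {GOV_SUFFIX}"
    return None

def check_cluster(spec):
    """Return findings for node types whose family is not in the list."""
    findings = []
    for field in ("node_type_id", "driver_node_type_id"):
        value = spec.get(field)
        if value is None:
            continue  # field not set in this spec
        m = NODE_TYPE.match(value.lower())
        # Exact family match: "m5" must not pass because "m5dn" is listed.
        if not m or m.group(1) not in SUPPORTED_FAMILIES:
            findings.append(f"{field}={value}: family not in supported list")
    return findings

# Constructed sample input, not taken from a real workspace.
SAMPLE_SPECS = [
    {"cluster_name": "etl", "node_type_id": "m6i.xlarge"},
    {"cluster_name": "legacy", "node_type_id": "i3.xlarge",
     "driver_node_type_id": "m5dn.large"},
    {"cluster_name": "adhoc", "node_type_id": "r6id.2xlarge",
     "driver_node_type_id": "m5.large"},
]

if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        for finding in check_cluster(spec):
            print(spec["cluster_name"], finding)
    print(check_url("https://abcsales.cloud.databricks.com"))
```

The hostname check matches on the full suffix, so a commercial .cloud.databricks.com endpoint or a look-alike host that only contains the GovCloud domain as a prefix is reported before any data is sent to it.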

Feature availability

Notable features that are supported:

  • Unity Catalog

  • Databricks Runtime latest versions and LTS versions

  • Databricks SQL

  • Dashboards

  • MLflow experiments

  • OAuth authentication

Features that are not supported:

  • Serverless compute

  • Model serving

  • In-product messaging

  • Databricks Marketplace

  • Partner Connect

  • System tables

  • Compute metrics

  • In-product support ticket submission