Platform: AWS

Managed AWS Operations for Public Sector Digital Platforms

AWS handles the hypervisor down. We operate everything above it: infrastructure, security, DevOps, and the CMS application layer, under one engagement and one accountable team.

What is managed AWS for public sector?

Managed AWS for public sector is the operational service in which a partner takes ongoing responsibility for an agency or institution's AWS environment, including VPC architecture, EC2 operations, RDS database management, IAM governance, security baseline, and CMS application operations. eWay Corp operates managed AWS environments for federal, state, local, and higher-education institutions through AWS Solution Provider Partner and AWS Public Sector Partner status, with SBA 8(a) and Carahsoft procurement availability.

Partner credentials and procurement vehicles

AWS Solution Provider Partner

Decade-plus practice. Certified architects across Solutions Architect Professional, DevOps Engineer Professional, and Security Specialty.

AWS Public Sector Partner

Designated AWS Public Sector Partner. Validated experience operating AWS workloads for federal, state, local, and higher education organizations.

AWS Marketplace and Carahsoft

Customers with active AWS accounts can procure eWay managed services via AWS Marketplace private offers. Public sector customers can also procure through Carahsoft using established government contract vehicles.

SBA 8(a) · SBA Small Business

Certified for set-aside and direct-award procurement across federal, state, and local government acquisitions.

Full-stack ownership

Most AWS partners stop at infrastructure. We operate every layer above it.

eWay's managed AWS engagement is not scoped to infrastructure alone. We operate the full stack: network and compute, database, application runtime, CMS platform, security controls, and CI/CD pipelines. Each layer is staffed by certified engineers with defined response SLAs.

Infrastructure layer

  • VPC architecture, subnets, routing, and network segmentation
  • EC2, Auto Scaling Groups, and Elastic Load Balancing
  • RDS, Aurora, and database replication management
  • S3, EBS, EFS, and Glacier storage lifecycle management
  • CloudFront CDN configuration and edge optimization
  • Route 53 DNS management and health check routing
  • Direct Connect and VPN for secure hybrid connectivity

Security and identity layer

  • IAM policy design and least-privilege enforcement
  • WAF with OWASP-tuned rulesets and false-positive management
  • Shield Standard and Advanced DDoS protection
  • GuardDuty threat detection and automated alerting
  • Inspector vulnerability scanning and patch remediation tracking
  • Certificate Manager lifecycle management
  • Directory Service integration (Active Directory, LDAP, SAML)
  • CloudTrail audit logging and log retention management

Operations and DevOps layer

  • CloudWatch monitoring, dashboards, and alerting
  • Systems Manager patch management and automation
  • CloudFormation and Infrastructure as Code provisioning
  • CodePipeline, CodeDeploy, and CodeCommit CI/CD management
  • Trusted Advisor cost and security reviews
  • Automated backup validation and DR readiness checks
  • Capacity planning and performance baseline monitoring

Application and WebOps layer

  • Drupal, WordPress, and Cascade CMS platform operations
  • CMS core, module, plugin, and theme patching under SLA
  • OpenSearch / Elasticsearch search infrastructure
  • Custom application deployment and maintenance
  • API Gateway and Cognito for application integrations
  • Lambda and serverless function management

Infrastructure, security, DevOps, and CMS application layer. One engagement. One SLA. One accountable team.

Scope honesty

What we operate, what we integrate with, what stays yours

Full-stack ownership has clear edges. Here is what eWay operates inside an AWS managed engagement, what we integrate with on your behalf, and what remains in your organization's hands.

What we operate

  • AWS infrastructure: VPC, EC2, RDS, S3, CloudFront, Route 53
  • Security controls: WAF, IAM, encryption, DDoS protection, audit logging
  • DevOps and CI/CD: pipelines, IaC, automated deployments
  • CMS application layer: Drupal, WordPress, Cascade hosting infrastructure
  • 24/7 monitoring, incident response, and patch management under SLA

What we integrate with

  • SSO and identity: SAML, LDAP, Active Directory, Cognito
  • Hannon Hill Cascade CMS (the SaaS authoring platform)
  • Third-party plugins, modules, and CMS extensions
  • CRM, SIS, ERP, and payment gateway integrations
  • Analytics, marketing automation, and business intelligence platforms

What stays yours

  • Content authoring, editorial governance, and publishing decisions
  • Business policy, data classification, and retention rules
  • End-user accounts, roles, and access decisions
  • Compliance attestation. We align infrastructure to FERPA, HIPAA, NIST, and StateRAMP-aligned controls. Your organization attests.
  • Strategic platform direction and content roadmap

Primary practice: Managed WebOps

Drupal, WordPress, and Cascade. Operated, not just hosted.

Most AWS partners deploy a CMS and hand it off. eWay operates the entire WebOps stack as a continuous managed service. Your team publishes content. We operate everything underneath it.

Drupal on AWS

The platform powering more than 55% of U.S. federal government websites. Multi-site architectures (50+ department sub-sites), RBAC with Active Directory and SAML integration, multilingual with translation workflows, content governance with editorial approval chains, WCAG 2.1 AA as a continuous compliance discipline, and OpenSearch for citizen-facing search. No licensing fees. Full-stack accountability.

WordPress on AWS

Enterprise-scale WordPress operations. Not commodity hosting. Plugin and core patching, custom plugin development, multisite networks, SSO and RBAC for large multi-department organizations, OpenSearch for 50K+ content environments, Redis object caching, database query optimization, and QUIC/HTTP3 performance infrastructure.

Cascade on AWS

Hannon Hill operates the Cascade CMS authoring platform. eWay operates the AWS infrastructure that receives published output: the production hosting environment, CDN, performance layer, DNS, SSO and identity integrations (SAML, LDAP, Active Directory), publish target configuration, and API and webhook integrations.

Secondary practice: Migration and onboarding

From legacy infrastructure to managed AWS operations

Many of our public sector clients arrive from aging on-premises hardware, legacy managed hosting, or cloud deployments that were never properly operationalized. Our migration framework is a five-phase process designed to eliminate risk at every stage. Not a lift-and-shift followed by a handoff document.

Phase 1

Discovery and Architecture Review

  • Current environment assessment
  • Security and DR gap analysis
  • Performance baseline establishment
  • Contract and statement of work sign-off

Phase 2

Environment Build

  • Engagement kick-off with dedicated PM
  • AWS architecture design and IaC development
  • Staging environment provisioning
  • Client architecture review and sign-off

Phase 3

Migration and Validation

  • Infrastructure as Code repeatable provisioning
  • Configuration consistency validated across Dev/Test/Prod
  • Data migration using AWS Database Migration Service
  • Server migration using AWS Server Migration Service

Phase 4

Go-Live

  • Controlled DNS cutover via Route 53
  • Security checkpoint and WAF validation
  • Post-launch performance optimization
  • Migration close and formal transition to managed operations

Phase 5

Ongoing Managed Operations

  • 24/7 monitoring and alerting
  • Patch management and security governance
  • Cost optimization reviews: Reserved Instances, Savings Plans, rightsizing
  • Monthly operational reporting

Security architecture

Layered security across the shared responsibility model

AWS secures the physical infrastructure. Everything above the hypervisor is your responsibility, or ours. eWay's security practice covers every layer of the shared responsibility model, including alignment with FERPA, HIPAA, NIST 800-53, and StateRAMP/FedRAMP-aligned controls.

Web Application Firewall

  • AWS WAF with OWASP Top 10 rule sets, tuned per application
  • Custom rules aligned to institutional and sector traffic patterns
  • Continuous false-positive review and rule refinement
  • CMS-specific rulesets for Drupal, WordPress, and Cascade environments

Threat detection and DDoS

  • GuardDuty continuous threat intelligence and anomaly detection
  • Shield Standard on all environments; Shield Advanced for high-value targets
  • Real-time threat detection with automated alerting
  • Incident response escalation procedures with defined SLAs

Data encryption

  • AES-256 encryption at rest across EBS, S3, and RDS
  • TLS 1.2+ encryption in transit enforced at load balancer and CloudFront
  • Certificate Manager lifecycle management. No expired certificate incidents.
  • KMS key management for regulated data environments

Identity, access, and network

  • IAM role design with least-privilege policy enforcement
  • SSO/SAML integration via AWS Directory Service and Cognito
  • VPC security groups and NACLs for network segmentation
  • Direct Connect and VPN for secure hybrid and on-premises connectivity

Vulnerability management

  • Inspector automated vulnerability scanning across EC2 and container workloads
  • Patch remediation tracking with Systems Manager Patch Manager
  • Log aggregation and anomaly detection via CloudWatch and CloudTrail
  • Penetration testing coordination and remediation support

Monitoring, logging, and audit

  • CloudWatch centralized monitoring with custom dashboards and alerting
  • CloudTrail API audit logging with immutable log retention
  • Security event logging, alerting, and audit trail management
  • Monthly security review reports and incident and SLA summaries

AWS-validated capabilities

Service Delivery Designations validated by AWS

Service Delivery Program designations are a separate AWS validation that requires demonstrated customer success, technical proficiency, and operational capability in specific AWS services. Our practice is staffed by accredited engineers and architects, including AWS Professional-level Solutions Architects.

EC2 for Windows Server Delivery

Validated delivery capability for Microsoft Windows Server workloads on EC2: Windows-based application hosting, SQL Server environments, and hybrid Active Directory integrations common in government and higher education.

RDS Delivery

Validated delivery capability for Amazon RDS: database provisioning, Multi-AZ configuration, automated backup management, parameter group tuning, and database migration across MySQL, PostgreSQL, and SQL Server engines.

Aurora Delivery

Validated delivery capability for Amazon Aurora: Aurora MySQL and PostgreSQL cluster design, read replica configuration, Aurora Serverless for variable-workload environments, and high-availability failover architecture.

Systems Manager Delivery

Validated delivery capability for AWS Systems Manager: patch management automation, run command execution, parameter store configuration management, session manager access, and maintenance window scheduling.

WAF Delivery

Validated delivery capability for AWS WAF: OWASP rule set configuration and tuning, custom rule development aligned to institutional traffic patterns, false-positive management, and WAF integration with CloudFront, ALB, and API Gateway.

Frequently Asked Questions

Common questions about our AWS managed practice

How is eWay different from Rackspace for AWS managed services?

Rackspace is a strong infrastructure managed services provider with no CMS or WebOps capability. If your platform includes Drupal, WordPress, or Cascade CMS — which most public sector digital platforms do — Rackspace manages the infrastructure layer and leaves the application layer to you or a second vendor. eWay operates the full vertical: AWS infrastructure, CMS application layer, security controls, CI/CD pipelines, and ongoing operations under one engagement. One team. One SLA. No coordination overhead between an infrastructure partner and a CMS partner.

How do we procure eWay services? We're a government agency with procurement requirements.

We support multiple procurement paths for public sector organizations. Direct engagement is available with standard government contract documentation. We are an AWS Marketplace seller — which means your organization can procure eWay managed services through an existing AWS Marketplace agreement, simplifying acquisition and often reducing procurement cycle time significantly. We are also available through Carahsoft using their established government contract vehicles. Our SBA 8(a), MBE, DBE, and SBA Small Business certifications support set-aside and direct-award procurement.

What does the shared responsibility model mean for our organization, practically?

AWS's shared responsibility model means AWS secures the physical data centers and hypervisor infrastructure. Everything above that — operating system patching, network configuration, IAM policies, application security, WAF configuration, data encryption, audit logging, incident response — is your responsibility. Most organizations don't have the internal capacity to do this well across a complex multi-service AWS environment. That gap is exactly what eWay manages. We take ownership of every layer above the AWS hypervisor — so your team isn't carrying an operational burden they weren't staffed to handle.

How long does a migration from on-premises or legacy hosting typically take?

Timeline depends significantly on environment complexity. A straightforward CMS platform migration — a single Drupal or WordPress site with a standard database and no complex integrations — typically completes in 6–10 weeks through our five-phase framework. Complex environments with multiple applications, legacy databases, custom integrations, or significant data volumes typically run 12–20 weeks. Discovery and architecture review in Phase 1 produces a detailed timeline with milestones before any migration work begins — so you have a commitment, not an estimate.

Do you support FERPA, HIPAA, NIST, or StateRAMP compliance alignment?

We design and operate environments with alignment to the compliance frameworks most common in our public sector verticals: FERPA for higher education, HIPAA for healthcare, and NIST 800-53 and StateRAMP-aligned controls for government agencies. This means architecture decisions, IAM policies, encryption configurations, audit logging, and incident response procedures are designed to support your compliance posture — not bolted on afterward. We provide the documented evidence and control implementations that your auditors need.

Ready to close the shared responsibility gap?

Full-stack managed AWS operations for public sector. One partner. One SLA.

Schedule an Architecture Review with our AWS team. We will assess your current environment, identify gaps in your security and operational coverage, and outline what a full-stack managed engagement looks like for your organization. Available direct, through AWS Marketplace, and through Carahsoft.

No commitment required · Response within 1 business day · Trusted by 100+ institutions · We will not spam your inbox