Comment by nonameiguess

1 day ago

Not all "government" systems are the same. They're rated in terms of impact level and data classification. Classified systems can't be logged into outside of SCIFs anyway and have no outgoing connection to the Internet. Unclassified systems at IL5 require certificate auth with a government-issued smart card. IL4 requires endpoint attestation but can otherwise use normal username/password auth. Lower impact levels are not as heavily secured. I would have expected they at least require MFA to access the AWS API, but even that depends. A lot of times accounts will be split between production and non-production with MFA required on the production accounts, but work done purely for experimentation, platform development, or other non-user-facing things that don't touch real data might not even be in GovCloud since the commercial accounts are cheaper.