AWS Public Sector Blog

How to secure communications beyond encryption with AWS Wickr


In response to state-sponsored threats, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have recommended using encrypted messaging applications to protect sensitive communications.

CISA’s Mobile Communications Best Practice Guidance advises government and political personnel to “adopt a free messaging application for secure communications that guarantees end-to-end encryption.”

Encryption alone is not enough

As adoption of these applications increases, it’s important not to lose sight of recordkeeping and compliance obligations. Public-key cryptography pioneer Whitfield Diffie alluded to the recent US government group chat leak during the Cryptographers’ Panel at RSA Conference 2025. The use of an encrypted consumer messaging application to communicate classified information, he noted, broke archiving laws. Because many of these tools use 256-bit Advanced Encryption Standard (AES) encryption, which is “good enough” to protect sensitive information, he predicted an increase in the use of consumer applications in unapproved ways.

Consumer messaging applications are convenient, but they aren’t designed for national security or regulated environments. They don’t go beyond encryption to deliver the data retention and policy enforcement controls that are needed to secure mission-critical communications while meeting compliance requirements.

How AWS can help

AWS Wickr is a messaging and collaboration service that protects messaging, calling, file sharing, screen sharing, and location sharing with 256-bit end-to-end encryption (E2EE). Wickr combines advanced security for sensitive communications, administrative controls for user and policy management, and data retention for auditing and regulatory needs.

With Wickr, communications are encrypted locally on devices and remain undecipherable in transit. Every call, message, and file is encrypted with a unique secret key, and no one but intended recipients can decrypt them. Wickr is straightforward for personnel and teams to use, and it can be accessed and downloaded on iOS, Android, macOS, Windows, and Linux devices.

“For many federal agencies and organizations, having the ability to securely communicate and share information—whether in an office or out in the field, with the ability to translate languages in real-time—is key to mission success. AWS Wickr helps our customers collaborate securely with end-to-end encryption across multiple use cases, while also driving AI innovation and providing the administrative controls needed to support sensitive and regulated workloads.”

–Dave Levy, vice president, worldwide public sector at AWS

Wickr is Department of Defense (DoD) Cloud Computing Security Requirements Guide Impact Level 5 (CC SRG IL5) and Federal Risk and Authorization Management Program (FedRAMP) High authorized in the AWS GovCloud (US-West) Region. It also meets compliance programs and standards such as Health Insurance Portability and Accountability Act (HIPAA) eligibility, International Organization for Standardization (ISO) 27001, and System and Organization Controls (SOC) 1, 2, and 3.

Meeting CISA recommendations

Wickr features and capabilities align with the following CISA mobile communications best practices, and can help you enhance the protection of sensitive data against threats:

  • E2EE on by default for all communications and metadata
  • Text interoperability across operating systems
  • No reliance on SMS-based authentication
  • Integration with single sign-on for phishing-resistant authentication
  • Burn-on-read and expiration timers for added security and privacy
  • Continuous security updates and vulnerability management

Centralized management

Wickr offers a centralized management console you can use to monitor network security in real time, enforce role-based access controls and security policies, manage message retention periods in accordance with your requirements, and generate detailed compliance and audit reports.

Fine-grained administrative controls allow administrators to add and remove users, and you can organize them into security groups with restricted access to features and content at their level. You can apply policies to each group that are custom-tailored to meet desired outcomes. Files can be uploaded and organized in folders, and a view-only mode can be configured for specific security groups to prevent downloading.

External collaboration

Unlike consumer messaging apps that allow the registration of anyone with a phone number or username—and don’t enforce limits on who can be invited to a conversation—Wickr federation and guest access features promote secure collaboration with outside parties. Wickr network administrators can enable or disable guest access and restrict communication with external networks by using allow lists that limit communication to approved network IDs. Groups of users can be assigned to specific federation rules, and there is a differentiated UX treatment for conversations that include out-of-network users.

Data retention

Administrators can configure and apply data retention to both internal and external communications in a Wickr network. This includes conversations with guest users, external teams, and other partner networks, so you can retain messages and files sent to and from the organization. Data retention is implemented as an always-on recipient that is added to conversations, similar to the blind carbon copy (BCC) feature in email. The data-retention process can run anywhere Docker workloads are supported: on-premises, on AWS Fargate, on an Amazon Elastic Compute Cloud (Amazon EC2) instance, or at a location of your choice. AWS can’t decrypt conversations, giving you complete control over your data.

Digital sovereignty

When you use Wickr in an AWS Region of your choice, all the infrastructure required to operate it and all the conversations in your network are hosted within that Region. Wickr is among the services that will be featured in the AWS European Sovereign Cloud.

Wickr is currently available in the following AWS Regions:

  • US East (N. Virginia)
  • Asia Pacific (Malaysia, Singapore, Sydney, and Tokyo)
  • Canada (Central)
  • Europe (Frankfurt, London, and Zurich)
  • AWS GovCloud (US-West)

Wickr and generative AI

Wickr agents can help you extend the E2EE capabilities of Wickr to other applications and automate workflows. They function as standard users and facilitate integrations with external services, communication tools such as Slack, Discord, or Matrix-compatible endpoints, and specialized solutions such as the Android Team Awareness Kit (ATAK) through a dedicated plugin.

Using Wickr bots, your technical teams can build and deploy agent integrations within your Wickr network to bring AWS generative AI services to edge devices in a straightforward chat interface, opening up a variety of use cases:

  • Get answers with a Wickr LLM agent – Build a Wickr LLM agent integration with Amazon Bedrock using sample code. The bot can be configured not to store your questions or the answers it provides.
  • Recognize images – Build an agent for identifying objects, scenes, actions, and more in images uploaded through the chat interface using Amazon Rekognition. Capabilities such as object detection and facial recognition can be used to process photos or videos captured in the field and provide alerts or metadata to users.
  • Transcribe speech – Integrate an agent with Amazon Transcribe to automatically transcribe voice messages sent through Wickr and respond through text.
  • Translate messages – Build a multilingual agent that translates messages between languages using Amazon Translate in support of global collaboration.
  • Analyze audio – Use agents with services such as Amazon Polly or Amazon Transcribe to analyze audio from bodycams, drones, and other sources, and automatically generate transcripts, identify speakers, and detect sounds of interest.

Teams operating in high-stakes environments can ingest signal and sensor data through an API agent and integrate real-time alerts. This allows mission-critical messages to be rapidly disseminated to both federated and nonfederated Wickr users, reducing tactical latency and enhancing decision-making capabilities.

Protect your most sensitive conversations

Encryption is a critical component of a defense-in-depth security strategy, but it’s not a standalone solution for secure and compliant communications. AWS Wickr can advance your organization’s efforts to protect sensitive message content—including text, files, audio, and video—by combining E2EE with the broader protections needed to help meet requirements as cyber threats and regulations change. With enterprise-grade security features, granular administrative controls, and flexible integration capabilities, Wickr supports you as you follow the guidance set out by CISA, use generative AI to accelerate collaboration, and move beyond encryption to close the security and compliance gaps presented by consumer messaging applications.

Want to learn more about how AWS helps public sector organizations deploy AI-driven solutions? Connect with the AWS Public Sector Team today.

Chris O’Rourke


Chris is a senior worldwide specialist at AWS, where he specializes in implementing secure communications solutions for law enforcement and government agencies. He works directly with local, state, and federal organizations to optimize their use of AWS Wickr in support of mission assurance and interagency collaboration.

Anne Grahn


Anne is a senior worldwide security GTM specialist at AWS, based in Chicago. She has 15 years of experience in the security industry and focuses on effectively communicating cybersecurity risk. She maintains a Certified Information Systems Security Professional (CISSP) certification.