Menu
Standardized Architecture for NIST High-Impact Controls on AWS
Quick Start Reference Deployment Guide

Planning the Deployment

Prerequisites

Specialized Knowledge

This Quick Start requires a moderate to high level of understanding of the process to achieve and manage NIST 800-53 control requirements and compliance processes within a traditional hosting environment.

Additionally, this solution is targeted at Information Technology (IT) NIST 800-53 assessors and security personnel, and assumes familiarity with basic security concepts in the area of networking, operating systems, data encryption, operational controls, and cloud computing services.

Familiarity with AWS Services

This deployment guide also requires a moderate level of understanding of AWS services and requires the following, at a minimum:

  • Access to a current AWS account with IAM administrator-level permissions

  • Basic understanding of AWS services, AWS service limits, and AWS CloudFormation

  • Knowledge of architecting applications on AWS

  • Understanding of security and compliance requirements in the customer organization

AWS offers training and certification programs to help you develop skills to design, deploy, and operate your infrastructure and applications on the AWS cloud. Whether you are just getting started or looking to deepen your technical expertise, AWS has a variety of resources to meet your needs. For more information, see the AWS Training and Certification website, or read the AWS Training and Certification Overview.

Familiarity with Trend Micro Deep Security

This deployment guide also requires a moderate level of Trend Micro’s Deep Security product knowledge:

  • General understanding of host-based security implementation and management

  • Basic understanding of Deep Security product features and management

  • Knowledge of Deep Security architecture and implementation on AWS

  • Understanding of security and compliance requirements in the customer organization

Trend Micro offers training programs to help you develop skills to design, deploy, and operate your applications on the AWS cloud. More information is available at Trend Micro’s AWS website at http://aws.trendmicro.com/.

AWS Account

If you don’t already have an AWS account, create one at http://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Technical Requirements

Before you launch the Quick Start, your account must be configured as specified in the following table. Otherwise, deployment might fail. For step-by-step configuration instructions, see the Pre-Deployment Steps section.

Resources

Resource Default Used in this deployment (by default)
VPCs 5 per region 2
EIPs 5 per region 3
IAM groups 100 per account 6
IAM roles 250 per account 5
Amazon EC2 Auto Scaling groups 20 per region 2
ELB load balancers 20 per region 4
Regions

The AWS services used in this Quick Start exist in all commercial regions, but AWS Config rules, which are used for configuration enforcement, are currently available only in five AWS Regions: US East (N. Virginia), US West (Oregon), EU (Frankfurt), EU (Ireland), and Asia Pacific (Tokyo). If you require this capability, you must deploy in one of these regions until AWS Config rules become available more widely.

It is important to be aware of what is available in the region you choose to deploy. To see the latest list of supported services per region, see AWS Regions and Endpoints in the AWS documentation. For information about service differences in the AWS GovCloud (US), see Supported Services in the AWS GovCloud documentation.

AWS Config and AWS Config rules

If you deploy this Quick Start in an AWS region where AWS Config and AWS Config rules are available, the template-config-rules.json template will attempt to automatically use the service. However, the deployment will fail if you have not previously manually set up AWS Config in that region. Before you deploy the Quick Start, navigate to the AWS Config console, and choose the Get Started Now button. Note that this feature is currently available only in five AWS Regions: US East (N. Virginia), US West (Oregon), EU (Frankfurt), EU (Ireland), and Asia Pacific (Tokyo).

Amazon S3 URLs

If you’re copying the templates to your own S3 bucket for deployment, make sure that you update vTemplateUrlPrefix in the Mappings section of the template-main.json file with a valid and accessible URL. Otherwise, deployment will fail.

IAM permissions

To deploy the Quick Start using the console, you must be logged in to the AWS Management Console with IAM permissions for the resources and actions the templates will deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions.

S3 buckets

Unique S3 bucket names are automatically generated based on the account number and region. If you delete a stack, the logging buckets are not deleted (to support security review). If you plan to re-deploy this Quick Start in the same region, you must first manually delete the previously created S3 buckets; otherwise, the re-deployment will fail.

Deployment Methods

You can deploy the Quick Start templates by using AWS CLI commands or directly from the AWS Management Console. You can also deploy the template package as an AWS Service Catalog product. AWS Service Catalog enables a self-service model for deploying applications and architecture on AWS. You can create portfolios that include one or more products, which are defined by AWS CloudFormation templates. You can grant IAM users, groups, or roles access to specific portfolios, which they can then launch from a separate interface. We’ve provided step-by-step instructions for the AWS Management Console deployment option in the following sections.