Menu
Standardised Architecture for UK-OFFICIAL on AWS
Quick Start Reference Deployment Guide

Planning the Deployment

Prerequisites

Specialised Knowledge

This Quick Start requires a moderate to high level of understanding of the process to achieve and manage control requirements and compliance processes associated with UK-OFFICIAL within a traditional hosting environment.

Additionally, this solution is targeted at Information Technology (IT) assessors and security personnel, and assumes familiarity with basic security concepts in the area of networking, operating systems, data encryption, operational controls, and cloud computing services.

This deployment guide also requires a moderate level of understanding of AWS services and requires the following, at a minimum:

  • Access to a current AWS account with IAM administrator-level permissions

  • Basic understanding of AWS services, AWS service limits, and AWS CloudFormation

  • Knowledge of architecting applications on AWS

  • Understanding of security and compliance requirements in the customer organisation

AWS offers training and certification programs to help you develop skills to design, deploy, and operate your infrastructure and applications on the AWS Cloud. Whether you are just getting started or looking to deepen your technical expertise, AWS has a variety of resources to meet your needs. For more information, see the AWS Training and Certification website, or read the AWS Training and Certification Overview.

AWS Account

If you don’t already have an AWS account, create one at http://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Additional Considerations for Production Workloads

A very important aspect of any AWS-based solution relates to the AWS accounts strategy. The previous section describes the simple process for creating a single AWS account you can use to deploy the template for testing purposes. However, for production environments, we recommend that you adopt a multi-account strategy in order to maximise operational efficiency, finance management and reporting, security, auditability, and an effective implementation of security best practices.

For example, your AWS accounts setup could include:

  • Billing account (containing an Amazon S3 bucket to hold financial reporting only)

  • Development account

  • Production account

  • Logging account (containing Amazon S3(s) to hold logs only)

And, as necessary:

  • Auditing account (to provide read access to everything for auditors/accreditors)

  • User account (to manage user identities)

Additionally, regardless of which setup you choose, you should configure each AWS account by following the recommendations in the CIS Foundation Benchmark for AWS, as appropriate.

User Authentication and Privileges

Whenever possible, users should be authenticated via federation (e.g., SAML) with the user’s existing identity provider (IdP), as described in the AWS IAM documentation, in order to avoid the proliferation of multiple IdPs—unless AWS identity services are used as your authoritative IdP. Furthermore, you should use temporary user credentials to control access to AWS resources, and grant users one default permission only, which is the AssumeRole permission. AWS IAM can then be used to manage users-to-roles mapping.

In this way, user identities will be managed in a consistent manner, and the credentials used to access AWS resources will be dynamically generated and limited in time, reducing the attack surface and improving the overall security posture. This is in line with the recommendations included in the CIS Foundation Benchmark for AWS and security best practices.

Technical Requirements

Before you launch the Quick Start, your account must be configured as specified in the following table. Otherwise, deployment might fail. For step-by-step configuration instructions, see the Pre-Deployment Steps section.

Resources

Resource Default Used in this deployment (by default)
VPCs 5 per region 2
EIPs 5 per region 3
IAM groups 100 per account 6
IAM roles 250 per account 5
Amazon EC2 Auto Scaling groups 20 per region 2
ELB load balancers 20 per region 2
Regions

The AWS services used in this Quick Start exist in all commercial regions, but AWS Config rules, which are used for configuration enforcement, are not. If you require this capability, you must deploy in a region where AWS Config rules are available.

It is important to be aware of what is available in the region you choose to deploy. To see the latest list of supported services per region, see AWS Regions and Endpoints in the AWS documentation.

AWS Config and AWS Config rules

If you deploy this Quick Start in an AWS region where AWS Config and AWS Config rules are available, the config-rules.template template will attempt to automatically use the service. However, the deployment will fail if you have not previously manually set up AWS Config in that region. Before you deploy the Quick Start, navigate to the AWS Config console, and choose the Get Started Now button.

Amazon S3 URLs

If you’re copying the templates to your own S3 bucket for deployment, make sure that you update Resources section of the main.template file. Otherwise, deployment will fail.

IAM permissions

To deploy the Quick Start using the console, you must be logged in to the AWS Management Console with IAM permissions for the resources and actions the templates will deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organisation may choose to use a custom policy with more restrictions.

S3 buckets

Unique S3 bucket names are automatically generated based on the account number and region. If you delete a stack, the logging buckets are not deleted (to support security review). If you plan to re-deploy this Quick Start in the same region, you must first manually delete the previously created S3 buckets; otherwise, the re-deployment will fail.

Deployment Methods

You can deploy the Quick Start templates by using AWS CLI commands or directly from the AWS Management Console. You can also deploy the template package as an AWS Service Catalog product. AWS Service Catalog enables a self-service model for deploying applications and architecture on AWS. You can create portfolios that include one or more products, which are defined by AWS CloudFormation templates. You can grant IAM users, groups, or roles access to specific portfolios, which they can then launch from a separate interface. We’ve provided step-by-step instructions for the AWS Management Console deployment option in the following sections.