Standardized Architecture for NIST High-Impact Controls on AWS
NIST High-Impact Quick Start

Appendix: Enhancements in This AWS Enterprise Accelerator – Compliance Release

This is the third in a set of AWS Enterprise Accelerator – Compliance Quick Starts. AWS is constantly working to improve the design, ease of use, and security features of these solutions. This latest compliance Quick Start for NIST SP 800-53 high-impact controls on the AWS cloud, featuring Trend Micro Deep Security, includes the following security and compliance enhancements:

  • HTTPS load balancers with a custom TLS security policy; a self-signed certificate is generated automatically for testing purposes only and should be replaced with a CA-issued certificate before production use

  • Network access control list (ACL) rules for filtering ingress/egress traffic as an additional layer of network security

  • Security groups that limit both inbound and outbound traffic to only the ports and protocols each tier requires

  • AWS Config rules automatically deployed for monitoring specific resources most relevant to compliance

  • Secure Amazon S3 policies for logging and application buckets, including custom lifecycle policies for archiving objects in Amazon Glacier and use of versioning

  • Custom CloudWatch alarms and notifications for security-relevant events recorded in CloudTrail logs, specifically root account activity, IAM changes, and changes to logging configuration

  • Simplified AWS CloudFormation templates that decouple components, including VPCs, to allow for easier modification and reuse

  • Reduced set of AWS CloudFormation parameter groups and labels to simplify console use during the deployment process

  • Elastic Load Balancing and Amazon S3 access logging enabled for the application layer

  • Deployment of a secured login bastion host for SSH access to Amazon EC2 instances within the architecture

  • Elastic Load Balancing for the Deep Security Manager

  • Multi-AZ redundancy for the Deep Security Database through Amazon RDS

  • Deep Security Anti-malware and web reputation enabled

  • Deep Security Intrusion Prevention rules deployed to protect against network attacks and provide shielding from known vulnerabilities and exploits

  • Deep Security Firewall enabled to provide logging on network traffic

  • Deep Security Integrity Monitoring enabled to detect and report unexpected changes to files and the system registry

  • Deep Security Log Inspection rules that raise alerts for important security events
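The CloudWatch alarm categories listed above (root activity, IAM changes, and changes to logging configuration) are driven by metric filters over CloudTrail events. The following is an added example, not code from the Quick Start or its CloudFormation templates: it reproduces that classification logic in Python over a constructed CloudTrail log file so the matching rules can be inspected and tested offline. The bucket name `nist-quickstart-logging`, the account ID, and all event records are placeholders chosen for this illustration; the event names and CloudTrail field names are real.

```python
"""Classify CloudTrail records into the three alarm categories named above.

Added example; mirrors the kind of metric-filter logic the Quick Start deploys,
but is not the Quick Start's own code.
"""
import json
from typing import Dict, List, Set

# Constructed sample log file in the JSON shape CloudTrail delivers to S3.
# Account ID, bucket names, and events are placeholders, not real records.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"bucketName": "app-data"}},
    # Service-initiated event attributed to root: must NOT count as root use.
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "nist-quickstart-logging"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "app-data"}},
]})

# Placeholder name of the central logging bucket whose policy is protected.
LOGGING_BUCKETS = {"nist-quickstart-logging"}

# IAM API prefixes that change principals, policies, or credentials.
IAM_CHANGE_PREFIXES = ("Create", "Delete", "Put", "Attach", "Detach",
                       "Update", "Add", "Remove", "Deactivate")

# API calls that alter where or whether audit logs are written.
LOGGING_CHANGE_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucketPolicy",
                         "PutBucketLogging", "PutBucketLifecycle"},
    "logs.amazonaws.com": {"DeleteLogGroup"},
}


def load_records(log_file_text: str) -> List[dict]:
    """Parse one CloudTrail log file (the 'Records' array) into dicts."""
    return json.loads(log_file_text).get("Records", [])


def is_root_activity(r: dict) -> bool:
    """Root credentials used directly; excludes AWS-internal service events."""
    ident = r.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and r.get("eventType") != "AwsServiceEvent")


def is_iam_change(r: dict) -> bool:
    """Any mutating IAM API call, regardless of who made it."""
    return (r.get("eventSource") == "iam.amazonaws.com"
            and r.get("eventName", "").startswith(IAM_CHANGE_PREFIXES))


def is_logging_change(r: dict) -> bool:
    """Trail or log-group tampering, or policy changes on a logging bucket."""
    names = LOGGING_CHANGE_EVENTS.get(r.get("eventSource", ""), set())
    if r.get("eventName") not in names:
        return False
    if r.get("eventSource") == "s3.amazonaws.com":
        bucket = r.get("requestParameters", {}).get("bucketName")
        return bucket in LOGGING_BUCKETS  # ignore application buckets
    return True


def classify(r: dict) -> Set[str]:
    """Return the set of alarm categories a single record triggers."""
    hits = set()
    if is_root_activity(r):
        hits.add("root_activity")
    if is_iam_change(r):
        hits.add("iam_change")
    if is_logging_change(r):
        hits.add("logging_change")
    return hits


def alarm_counts(records: List[dict]) -> Dict[str, int]:
    """Per-category match counts, i.e. the metric each alarm would watch."""
    counts = {"root_activity": 0, "iam_change": 0, "logging_change": 0}
    for r in records:
        for category in classify(r):
            counts[category] += 1
    return counts


def breached_alarms(counts: Dict[str, int], threshold: int = 1) -> List[str]:
    """Categories whose count reaches the alarm threshold (>= 1 by default)."""
    return sorted(k for k, v in counts.items() if v >= threshold)


if __name__ == "__main__":
    counts = alarm_counts(load_records(SAMPLE_LOG))
    print(counts, breached_alarms(counts))
```

Two details are worth keeping when translating this back into a CloudWatch Logs metric filter: the root check must exclude records carrying `invokedBy`/`AwsServiceEvent`, or routine service-linked activity will page the on-call engineer, and the S3 policy check should be scoped to the logging bucket, since policy changes on application buckets are a different (and noisier) signal.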