Standardized Architecture for NIST High-Impact Controls on AWS
NIST High-Impact Quick Start

Step 2. Launch the Stacks

This automated AWS CloudFormation template deploys the Quick Start architecture into Amazon VPCs in multiple Availability Zones into Amazon VPCs. Please review the technical requirements and pre-deployment steps before launching the stacks.

  1. Launch the AWS CloudFormation template into your AWS account.

                                NIST high-impact Quick Start launch button

    The template will be deployed into the AWS Region that appears in the navigation bar at the upper-right corner of the AWS Management Console. You can change the region by using the region selector in the navigation bar. Note that if you select a region where AWS Config is available, make sure to manually initialize the AWS Config service in that region.

    If you have an AWS GovCloud (US) account, you can launch the template in the AWS GovCloud (US) Region.

    The stacks take approximately one hour to create.


    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service you will be using in this Quick Start or the AWS Simple Monthly Calculator. Prices are subject to change.

    The Quick Start deployment includes ten trial licenses for Trend Micro Deep Security, which will protect one EC2 instance; see for additional licensing and purchasing options.

    You can also download the template to use it as a starting point for your own implementation.

  2. On the Select Template page, keep the default settings for the template URL, and then choose Next.

  3. On the Specify Details page, provide the required parameter values for the template. These are described in the following table.

    Label Parameter Default Description
    Database Password pDBPassword Requires input Password for the database administrator account. This must be a complex password that’s between 8 and 28 mixed, alphanumeric characters.
    Notification Email Address pNotifyEmail Notification email address for security events (you will receive confirmation email).
    Existing SSH Key for Bastion Instance pEC2KeyPairBastion Requires input The SSH key pair in your account to use for bastion host login (see pre-deployment steps).
    Existing SSH Key for Other Instances pEC2KeyPair Requires input The SSH key pair in your account to use for all other host logins (see pre-deployment steps).
    Support Config pSupportsConfig Requires input Select Yes if you are deploying in an AWS Region where AWS Config is available, and you want to use AWS Config (see pre-deployment steps)
    First Availability Zone pAvailabilityZoneA Requires input Select your desired first Availability Zone (Note: Some Availability Zones may be restricted. If the deployment fails, you may need to use a different Availability Zone.)
    Second Availability Zone pAvailabilityZoneB Requires input Select your desired second Availability Zone (Note: Some Availability Zones may be restricted. If the deployment fails, you may need to use a different Availability Zone.)
    Username for Deep Security Manager Web Console Manager pDeepSecurityAdminUserName Requires input The Deep Security Manager administrator username for web console access.
    Password for Deep Security Manager Admin User pDeepSecurityAdminPass Requires input The Deep Security Manager administrator password. Must be 8-41 characters long and can only contain alphanumeric characters or the following special characters !^*-_+
    Accept Trend Micro EULA pDeepSecurityAcceptEula Yes By launching this AWS CloudFormation stack that installs Trend Micro's Deep Security, you accept the terms and conditions of Trend Micro's EULA.


    You can also download the main template and edit it to create your own parameters based on your specific deployment scenario.

  4. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set additional options. When you're done, choose Next.

  5. On the Review page, review the settings and select the acknowledgement check box. This simply states that the template will create IAM resources.

                        IAM resource acknowledgement

    Figure 11: IAM resource acknowledgement

  6. Choose Create to deploy the stack.

  7. Monitor the status of the stack being deployed. When the status field shown in Figure 12 displays CREATE_COMPLETE for all the stacks deployed, the cluster for this reference architecture is ready. Since you’re deploying the full architecture, you’ll see eight stacks listed (for the main template and seven nested templates).

                        Status message for deployment

    Figure 12: Status message for deployment