Standardized Architecture for NIST High-Impact Controls on AWS
NIST High-Impact Quick Start

Appendix: Enhancements in This Release

This is part of a set of compliance Quick Starts. AWS is constantly working to improve the design, ease of use, and security features of these solutions. This latest compliance Quick Start for NIST SP 800-53 high-impact controls on the AWS Cloud featuring Trend Micro Deep Security includes the following security and compliance enhancements:

  • HTTPS load balancers with custom security policy using TLS and auto-generation of a self-signed certificate for testing purposes

  • Network access control list (ACL) rules for filtering ingress/egress traffic as an additional layer of network security

  • Security groups that restrict both inbound and outbound traffic to only the required ports and protocols

  • AWS Config rules automatically deployed for monitoring specific resources most relevant to compliance

  • Secure Amazon S3 policies for logging and application buckets, including custom lifecycle policies for archiving objects in Amazon Glacier and use of versioning

  • Custom CloudWatch alarms and notifications for specific security-related events in CloudTrail logging of root activity, IAM changes, and changes to logging policies

  • Simplified AWS CloudFormation templates that decouple components, including VPCs, to allow for easier modification and reuse

  • Reduced set of AWS CloudFormation parameter groups and labels to simplify console use during the deployment process

  • Elastic Load Balancing and Amazon S3 access logging enabled for the application layer

  • Deployment of a secured login bastion host for SSH access to Amazon EC2 instances within the architecture

  • Elastic Load Balancing for the Deep Security Manager

  • Multi-AZ redundancy for the Deep Security Database through Amazon RDS

  • Deep Security Anti-malware and web reputation enabled

  • Deep Security Intrusion Prevention rules deployed to protect against network attacks and provide shielding from known vulnerabilities and exploits

  • Deep Security Firewall enabled to provide logging on network traffic

  • Deep Security Integrity Monitoring started to detect and report unexpected changes to files and the system registry

  • Deep Security Log Inspection rules to turn on alerts for important security events
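
The CloudWatch alarm categories listed above (root activity, IAM changes, changes to logging configuration) are defined in the Quick Start as metric filters over CloudTrail; the following is an added example, not one of the Quick Start's templates, that applies the same three match conditions in Python to a constructed CloudTrail log body so the filter logic can be checked offline. The two event-name sets are an assumed minimal starting set, not the Quick Start's exact filter strings.

```python
from __future__ import annotations
import json

# Assumed minimal match sets for the IAM-change and logging-change alarms.
IAM_CHANGE_EVENTS = {
    "CreateUser", "DeleteUser", "AttachUserPolicy", "DetachUserPolicy",
    "AttachRolePolicy", "DetachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "UpdateAssumeRolePolicy",
}
LOGGING_CHANGE_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutBucketLogging", "DeleteLogGroup",
}

def classify(record: dict) -> list[str]:
    """Return the alarm categories a single CloudTrail record would trigger."""
    hits: list[str] = []
    ident = record.get("userIdentity", {})
    # Root activity, same conditions as the metric filter
    # `$.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #  && $.eventType != "AwsServiceEvent"`: AWS-initiated service events are excluded.
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent"):
        hits.append("root-activity")
    name = record.get("eventName", "")
    if record.get("eventSource") == "iam.amazonaws.com" and name in IAM_CHANGE_EVENTS:
        hits.append("iam-change")
    if name in LOGGING_CHANGE_EVENTS:
        hits.append("logging-change")
    return hits

def scan_trail(raw_json: str) -> dict[str, int]:
    """Parse a CloudTrail log file body ({"Records": [...]}) and count hits per alarm."""
    counts = {"root-activity": 0, "iam-change": 0, "logging-change": 0}
    for rec in json.loads(raw_json)["Records"]:
        for cat in classify(rec):
            counts[cat] += 1
    return counts

# Constructed sample records (not real log data) in CloudTrail's record shape.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    {"eventName": "CreateServiceLinkedRole", "eventSource": "iam.amazonaws.com",
     "eventType": "AwsServiceEvent", "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
]})

if __name__ == "__main__":
    print(scan_trail(SAMPLE_TRAIL))  # {'root-activity': 1, 'iam-change': 1, 'logging-change': 1}
```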