Overview - Standardized Architecture for NIST High-Impact Controls on AWS


Compliance Architectures

AWS compliance solutions help streamline, automate, and implement secure baselines in AWS—from initial design to operational security readiness. They incorporate the expertise of AWS solutions architects, security and compliance personnel to help you build a secure and reliable architecture easily through automation.

This Quick Start includes AWS CloudFormation templates, which can be integrated with AWS Service Catalog, to automate building a standardized reference architecture that aligns with the requirements within NIST SP 800-53, NIST SP 800-171, the FedRAMP TIC Overlay pilot, and the DoD Cloud SRG. It also includes a security controls matrix, which maps the security controls and requirements to architecture decisions, features, and configuration of the baseline to enhance your organization’s ability to understand and assess the system security configuration.

NIST-based Assurance Frameworks

NIST FIPS PUB 199 establishes security categories for various federal government information and information systems, and provides guidance for determining the security category for a given information set or system.[1] A system can be categorized as high impact if "the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals."

This Quick Start supports the following requirements:

  • NIST SP 800-53 (Revision 4), high-impact security controls baseline

  • CNSS Instruction 1253

  • FedRAMP

  • The DoD Cloud Computing SRG

  • NIST SP 800-171

  • The OMB TIC Initiative – FedRAMP Overlay (pilot)

NIST SP 800-53 [2] security controls are generally applicable to Federal Information Systems, "…operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency."[3] These are typically systems that must go through a formal assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and availability of information and information systems, based on the security category and impact level of the system (low, moderate, or high), and a risk determination. Security controls are selected from the NIST SP 800-53 Security Control Catalog, and the system is assessed against those security control requirements.

NIST SP 800-171 is generally applicable to Nonfederal Information Systems that store or process federal Controlled Unclassified Information (CUI), but must appropriately protect the confidentiality of the CUI data in accordance with CUI Federal Acquisition Regulation (FAR).[4] These are typically businesses, educational institutions, and research organizations that legitimately store and process federal CUI on their own systems. NIST SP 800-171 chapter 3 contains a set of security requirements that align with the moderate confidentiality requirements within the NIST SP 800-53 security controls.

The OMB Trusted Internet Connection (TIC) Initiative is designed to reduce the number of United States Government (USG) network boundary connections, including internet points of presence (POPs), to optimize federal network services, and improve cyber protection, detection, and response capabilities.[5] In its current form, a TIC-compliant architecture precludes direct access to applications running in the cloud. However, the TIC program recently proposed a draft Federal Risk and Authorization Management Program (FedRAMP)–TIC Overlay that provides a mapping of NIST SP 800-53 security controls to the required TIC capabilities. In May 2015, GSA and DHS invited AWS to participate in a FedRAMP–TIC Overlay pilot. The purpose of the pilot was to determine whether the proposed TIC overlay on the FedRAMP moderate security control baseline was achievable. In collaboration with GSA and DHS, AWS assessed how remote agency users could use the TIC overlay to access cloud-based resources, and whether existing AWS capabilities would allow an agency to enforce TIC capabilities.

The DoD Cloud Computing Security Requirements Guide (SRG) provides security requirements and guidance for the use of cloud services by DoD mission owners.[6] It provides security controls implementation guidance for cloud service providers (CSPs) that wish to have their cloud service offerings (CSOs) accredited for use by DoD components and mission owners. In August 2014, AWS became one of the first CSPs to be granted a Provisional Authorization to Operate (P-ATO) to store and process DoD Impact Level 4 data. DoD mission owners that operate their workloads on AWS can use our P-ATO as part of the supporting documentation that their authorizing official (AO) uses to grant the workload a system Authorization to Operate (ATO).

[1] FIPS PUB 199, “Standards for Security Categorization of Federal Information and Information Systems,” February 2004, http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

[2] NIST Special Publication 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” April 2013, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

[3] Federal Information Security Management Act (40 U.S.C., Sec. 11331).

[4] NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” June 2015, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf.

[5] Memorandum M-08-05, “Implementation of Trusted Internet Connections (TIC),” November 20, 2007, https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-05.pdf.

[6] “Department of Defense Cloud Computing Security Requirements Guide,” 18 March 2016, http://iasecontent.disa.mil/cloud/SRG/index.html.

Architecture for NIST High-Impact Compliance on AWS

Deploying this Quick Start builds a multi-tier, Linux-based web application in the AWS Cloud with comprehensive protection using Trend Micro’s Deep Security. Figures 2 and 3 illustrate the architecture.


You can also download these diagrams in Microsoft PowerPoint format, and edit the icons to reflect your specific workload.

Figure 2: Standard three-tier web architecture depicting integration with multiple VPCs (notional development VPC shown)

Figure 3: Production VPC design

The sample architecture includes the following components and features:

  • Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies and associated groups, roles, and instance profiles

  • Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database

  • Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data

  • Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack

  • Three-tier Linux web application using Amazon EC2 Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with a customer application

  • A secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities

  • Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database

  • Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules

  • Deep Security policies for proactive host-based protection, covering prevention, monitoring, logging, and alerting for the anti-malware, web reputation, file integrity, IPS/IDS, and host firewall modules

AWS Services

The core AWS components used by this Quick Start include the following AWS services. (If you are new to AWS, see the Getting Started section of the AWS documentation.)

  • AWS CloudTrail – AWS CloudTrail records AWS API calls and delivers log files that include caller identity, time, source IP address, request parameters, and response elements. The call history and details provided by CloudTrail enable security analysis, resource change tracking, and compliance auditing.

  • Amazon CloudWatch – Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications you run on AWS. You can use CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.

  • AWS Config – AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. AWS Config rules enable you to automatically check the configuration of AWS resources recorded by AWS Config.

    The AWS Config rules feature is currently available in the AWS Regions listed on the AWS Regions and Endpoints webpage.

  • Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-level storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes provide the consistent and low-latency performance needed to run your workloads.

  • Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you to launch virtual machine instances with a variety of operating systems. You can choose from existing Amazon Machine Images (AMIs) or import your own virtual machine images.

  • Elastic Load Balancing – Elastic Load Balancing automatically distributes traffic across multiple EC2 instances, to help achieve better fault tolerance and availability.

  • Amazon S3 Glacier – Amazon S3 Glacier is a storage service for archiving and long-term backup of infrequently used data. It provides secure, durable, and extremely low-cost storage, supports data transfer over SSL, and automatically encrypts data at rest. With S3 Glacier, you can store your data for months, years, or even decades at a very low cost.

  • Amazon RDS – Amazon Relational Database Service (Amazon RDS) enables you to set up, operate, and scale a relational database in the AWS Cloud. It also handles many database management tasks, such as database backups, software patching, automatic failure detection, and recovery, for database products such as MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server, and Amazon Aurora. This Quick Start includes a MySQL database by default.

  • Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you provision a private, logically isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
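The CloudTrail bullet above lists the fields each record carries (caller identity, time, source IP, request parameters, response elements). The script below is an added example, not part of the Quick Start or its templates: it reads a batch of records in CloudTrail's log-file format and flags the kinds of critical events the architecture's alerting is meant to surface (console login without MFA, calls that disable the audit trail, use of root credentials, and security group changes that open administrative ports to the world). The record layout follows the public CloudTrail event schema; every record in SAMPLE_LOG, including the security group ID and account number, is constructed sample data.

```python
"""Triage CloudTrail records for the kinds of critical events this
architecture alerts on. Added example, not part of the Quick Start; the
record layout follows the public CloudTrail event schema and every record
in SAMPLE_LOG is constructed sample data."""
import json
from typing import Dict, List

# API calls that weaken the audit trail itself; any occurrence merits an alert.
AUDIT_TAMPERING = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "StopConfigurationRecorder", "DeleteConfigurationRecorder", "DeleteFlowLogs",
}
# Administrative ports that should never be reachable from 0.0.0.0/0.
ADMIN_PORTS = {22, 3389}

# Constructed records (not real account data) in CloudTrail's log-file format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-05-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-05-01T12:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2016-05-01T12:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-05-01T12:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"}},
]})


def actor(record: Dict) -> str:
    """Human-readable caller identity: IAM user name, else the ARN, else the type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def world_open_admin_ports(params: Dict) -> List[int]:
    """Admin ports that an AuthorizeSecurityGroupIngress request opens to 0.0.0.0/0."""
    hits = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        if "0.0.0.0/0" not in cidrs:
            continue
        # Protocol -1 (all traffic) carries no port range; treat it as 0-65535.
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        hits.extend(p for p in ADMIN_PORTS if lo <= p <= hi)
    return sorted(hits)


def triage(log_json: str) -> List[Dict]:
    """Return one alert dict per detection; a record may raise several alerts."""
    alerts = []
    for rec in json.loads(log_json).get("Records", []):
        name = rec.get("eventName", "")
        base = {"time": rec.get("eventTime"), "event": name,
                "actor": actor(rec), "ip": rec.get("sourceIPAddress")}
        if rec.get("userIdentity", {}).get("type") == "Root":
            alerts.append(dict(base, severity="high", reason="root credentials used"))
        if (name == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            alerts.append(dict(base, severity="high", reason="console login without MFA"))
        if name in AUDIT_TAMPERING:
            alerts.append(dict(base, severity="high", reason="audit logging changed or disabled"))
        if name == "AuthorizeSecurityGroupIngress":
            ports = world_open_admin_ports(rec.get("requestParameters", {}))
            if ports:
                alerts.append(dict(base, severity="medium",
                                   reason="admin port(s) %s opened to 0.0.0.0/0" % ports))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print("%(severity)s %(time)s %(actor)s@%(ip)s %(event)s: %(reason)s" % alert)
```

In production the same `triage` function would run from a CloudWatch Logs subscription or over the CloudTrail files delivered to the logging S3 bucket, with the alert list pushed to the notification channel of your choice; the detection logic is independent of the delivery path.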

Trend Micro Deep Security

Trend Micro’s Deep Security is a host-based security product that provides Anti-Malware, Host Firewall, Intrusion Prevention, File Integrity Monitoring, Log Inspection, Web Application Firewalling, and Content Filtering modules in a single agent running in the guest operating system.

  • Anti-malware with web reputation protects cloud instances against viruses, spyware, Trojans, and other malware with zero in-guest footprint. Performance is optimized to avoid antivirus storms commonly seen in full system scans and pattern updates from traditional security capabilities. This feature provides protection from sophisticated attacks in virtual environments by isolating malware from critical operating system and security components.

  • Intrusion prevention examines all incoming and outgoing traffic for protocol deviations, policy violations, or content that signals an attack. This feature automatically protects against known but unpatched vulnerabilities by virtually patching (shielding) from an unlimited number of exploits, pushing protection to thousands of servers in minutes without reboots.

  • Bidirectional host-based firewall decreases the attack surface of cloud instances and servers with fine-grained filtering, policies per network, and location awareness for all IP-based protocols and frame types.

  • Integrity monitoring monitors critical operating system and application files, such as directories, registry keys, and values, to detect and report malicious and unexpected changes in real time.

  • Log inspection collects and analyzes operating system and application logs in over 100 log file formats, identifying suspicious behavior, security events, and administrative events across your cloud. Events can be forwarded to security information and event management (SIEM) products or centralized logging servers for correlation, reporting, and archiving.

Best Practices

The architecture built by this Quick Start supports AWS and Trend Micro best practices for high availability and security:

  • Multi-AZ architecture intended for high availability

  • Isolation of instances between private/public subnets

  • Security groups limiting access to only necessary services

  • Network access control list (ACL) rules to filter traffic into subnets as an additional layer of network security

  • A secured bastion host instance to facilitate restricted login access for system administrator actions

  • Standard IAM policies with associated groups and roles, exercising least privilege

  • Monitoring and logging; alerts and notifications for critical events

  • S3 buckets (with security features enabled) for logging, archive, and application data

  • Implementation of proper load balancing and Auto Scaling capabilities

  • HTTPS-enabled Elastic Load Balancing (ELB) load balancers with hardened security policy

  • Amazon RDS database backup and encryption
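Because the Quick Start ships these practices as CloudFormation templates, the natural place to enforce them is before a stack is ever created. The checker below is an added example, not one of the Quick Start's own templates or tools: it walks the Resources section of a template (given here as JSON; a YAML template would first need a YAML parser) and reports security groups that expose non-web ports to 0.0.0.0/0, load balancers without an HTTPS listener or an explicit SSL negotiation policy, RDS instances without storage encryption, Multi-AZ or automated backups, and S3 buckets without default encryption. SAMPLE_TEMPLATE is a constructed fragment containing one weak and one compliant variant of each resource type; values that are intrinsic functions (Ref, Fn::*) cannot be resolved statically and are deliberately left for manual review.

```python
"""Static pre-deployment check of a CloudFormation template against the
best-practice list above. Added example, not one of the Quick Start's own
templates or tools; SAMPLE_TEMPLATE is a constructed JSON fragment."""
import json
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str]   # (logical resource id, what is wrong)
WEB_PORTS = {80, 443}       # the only ports expected open to the world (on the ELB group)

# Constructed template: weak and compliant variants of each checked resource type.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "198.51.100.0/24"}]}},
    "WebELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {"Listeners": [
        {"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"}]}},
    "AppDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "mysql", "MultiAZ": True, "BackupRetentionPeriod": 0}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "WebBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
}})


def _int(value, default: int) -> int:
    """Resolve a literal port or day count; intrinsic functions stay unresolved."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def _is_true(value) -> bool:
    """CloudFormation accepts booleans as true/"true"; treat anything else as false."""
    return str(value).lower() == "true"


def check_security_group(name: str, props: Dict) -> List[Finding]:
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") != "0.0.0.0/0" and rule.get("CidrIpv6") != "::/0":
            continue  # not world-reachable (a Ref to a parameter is left to manual review)
        lo, hi = _int(rule.get("FromPort"), 0), _int(rule.get("ToPort"), 65535)
        if str(rule.get("IpProtocol")) == "-1":
            findings.append((name, "all traffic open to the world"))
        elif lo == hi and lo in WEB_PORTS:
            continue  # public web listener ports are expected on the load balancer group
        else:
            findings.append((name, "%s %d-%d open to the world" % (rule.get("IpProtocol"), lo, hi)))
    return findings


def check_load_balancer(name: str, props: Dict) -> List[Finding]:
    listeners = props.get("Listeners", [])
    if not any(str(l.get("Protocol", "")).upper() in ("HTTPS", "SSL") for l in listeners):
        return [(name, "no HTTPS/SSL listener")]
    # A hardened TLS policy is attached as an SSLNegotiationPolicyType entry under Policies.
    if not any(p.get("PolicyType") == "SSLNegotiationPolicyType" for p in props.get("Policies", [])):
        return [(name, "HTTPS listener without an explicit SSL negotiation policy")]
    return []


def check_db_instance(name: str, props: Dict) -> List[Finding]:
    findings = []
    if not _is_true(props.get("StorageEncrypted")):
        findings.append((name, "StorageEncrypted is not true"))
    if not _is_true(props.get("MultiAZ")):
        findings.append((name, "MultiAZ is not true"))
    if _int(props.get("BackupRetentionPeriod", 1), 1) < 1:   # CloudFormation default is 1 day
        findings.append((name, "automated backups disabled (BackupRetentionPeriod 0)"))
    return findings


def check_bucket(name: str, props: Dict) -> List[Finding]:
    if "BucketEncryption" not in props:
        return [(name, "no BucketEncryption (default server-side encryption) configured")]
    return []


CHECKS: Dict[str, Callable[[str, Dict], List[Finding]]] = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::ElasticLoadBalancing::LoadBalancer": check_load_balancer,
    "AWS::RDS::DBInstance": check_db_instance,
    "AWS::S3::Bucket": check_bucket,
}


def lint_template(template_json: str) -> List[Finding]:
    """Return one finding per weak setting; an empty list means every check passed."""
    findings = []
    for logical_id, resource in json.loads(template_json).get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type", ""))
        if check is not None:
            findings.extend(check(logical_id, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for logical_id, problem in lint_template(SAMPLE_TEMPLATE):
        print("%s: %s" % (logical_id, problem))
```

Running the checker over SAMPLE_TEMPLATE reports the open SSH rule on WebSG, the HTTP-only listener on WebELB, the missing encryption and disabled backups on AppDB, and the unencrypted WebBucket, while BastionSG and LogBucket pass. Wiring `lint_template` into the pipeline that creates stacks (or into the AWS Service Catalog product that wraps the template) turns the best-practice list into a gate rather than a checklist.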

How You Can Use This Quick Start

You can build an environment that serves as an example for learning, as a prototyping environment, or as a baseline for customization.

Since AWS provides a very mature set of configuration options (and new services are being released all the time), this Quick Start provides security templates that you can use for your own environment. These security templates (in the form of AWS CloudFormation templates) provide a comprehensive rule set that can be systematically enforced. You can use these templates as a starting point and customize them to match your specific use cases.

Cost and Licenses

You are responsible for the cost of the AWS services and Trend Micro Deep Security software used for this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

Because this Quick Start uses Trend Micro AMIs from AWS Marketplace, you must be subscribed to Trend Micro Deep Security for AWS Marketplace before you launch the Quick Start. There are two licensing options: Per Protected Instance Hour and Bring Your Own License (BYOL). See step 2 in the deployment section for details and links.