Standardized Architecture for NIST High-Impact Controls on AWS
NIST High-Impact Quick Start

Step 3. Launch the Stacks

This automated AWS CloudFormation template deploys the Quick Start architecture in multiple Availability Zones into VPCs. Please review the technical requirements and pre-deployment steps before launching the stacks.

  1. Launch the AWS CloudFormation template into your AWS account.

    [Image: NIST high-impact Quick Start launch button]

    The template will be deployed into the AWS Region that appears in the navigation bar at the upper-right corner of the AWS Management Console. You can change the region by using the region selector in the navigation bar. If you select a region where AWS Config is available, make sure that you have manually initialized the AWS Config service in that region.

    If you have an AWS GovCloud (US) account, you can launch the template in the AWS GovCloud (US) Region.

    The stacks take approximately one hour to create.

    Note

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service you will be using in this Quick Start. Prices are subject to change.

    The Quick Start deployment includes ten trial licenses for Trend Micro Deep Security, which will protect one EC2 instance; see http://aws.trendmicro.com for additional licensing and purchasing options.

  2. On the Select Template page, keep the default settings for the template URL, and then choose Next.

  3. On the Specify Details page, provide the required parameter values for the template. These are described in the following table.

    | Label | Parameter | Default | Description |
    |---|---|---|---|
    | Database Password | pDBPassword | Requires input | Password for the database administrator account. This must be a complex password of between 8 and 28 mixed alphanumeric characters. |
    | Notification Email Address | pNotifyEmail | distlist@example.org | Notification email address for security events (you will receive a confirmation email). |
    | Existing SSH Key for Bastion Instance | pEC2KeyPairBastion | Requires input | The SSH key pair in your account to use for bastion host login (see pre-deployment steps). |
    | Existing SSH Key for Other Instances | pEC2KeyPair | Requires input | The SSH key pair in your account to use for all other host logins (see pre-deployment steps). |
    | Support Config | pSupportsConfig | Requires input | Select Yes if you are deploying in an AWS Region where AWS Config is available and you want to use AWS Config (see pre-deployment steps). |
    | First Availability Zone | pAvailabilityZoneA | Requires input | Select your desired first Availability Zone. (Note: Some Availability Zones may be restricted. If the deployment fails, you may need to use a different Availability Zone.) |
    | Second Availability Zone | pAvailabilityZoneB | Requires input | Select your desired second Availability Zone. (Note: Some Availability Zones may be restricted. If the deployment fails, you may need to use a different Availability Zone.) |

    Trend Micro Deep Security Manager Configuration:

    | Label | Parameter | Default | Description |
    |---|---|---|---|
    | Administrator username for Deep Security | DeepSecurityAdminName | MasterAdmin | The Deep Security Manager administrator username for web console access. |
    | Administrator password for Deep Security | DeepSecurityAdminPass | Requires input | The Deep Security Manager administrator password. Must be 8-41 characters long and can only contain alphanumeric characters or the following special characters: !^*-_+ |

    AWS Quick Start Configuration:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | Quick Start S3 Bucket Name | QSS3BucketName | aws-quickstart | S3 bucket name for the Quick Start assets. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). |
    | Quick Start S3 Key Prefix | QSS3KeyPrefix | quickstart-compliance-nist-high/ | S3 key prefix for the Quick Start assets. The key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). |

    Other Parameters:

    | Parameter label | Parameter name | Default | Description |
    |---|---|---|---|
    | | pVPCTenancy | default | The tenancy attribute for the instances launched into the VPC. By default, all instances in the VPC run as shared-tenancy instances. Set this parameter to dedicated to run them as single-tenancy instances instead. For more information, see Dedicated Instances in the Amazon EC2 User Guide. |

    Note

    You can also download the main template and edit it to create your own parameters based on your specific deployment scenario.

  4. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set additional options. When you're done, choose Next.

  5. On the Review page, review the settings and select the acknowledgement check box. Selecting the check box acknowledges that the template will create IAM resources.


    Figure 11: IAM resource acknowledgement

  6. Choose Create to deploy the stack.

  7. Monitor the status of the stack being deployed. When the status field shown in Figure 12 displays CREATE_COMPLETE for all the stacks deployed, the cluster for this reference architecture is ready. Since you’re deploying the full architecture, you’ll see eight stacks listed (for the main template and seven nested templates).


    Figure 12: Status message for deployment
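    As an added example (not part of the Quick Start or its templates), the following Python pre-flight check encodes the parameter constraints from the tables in step 3 and builds the Parameters list that a CLI or API create-stack call expects, so that a bad value is caught before the hour-long deployment fails. It assumes "mixed" means at least one letter and one digit, and that pSupportsConfig accepts the values Yes and No.

```python
import re

# Required inputs and defaults, taken from the parameter tables in step 3.
REQUIRED = ("pDBPassword", "pEC2KeyPairBastion", "pEC2KeyPair", "pSupportsConfig",
            "pAvailabilityZoneA", "pAvailabilityZoneB", "DeepSecurityAdminPass")
DEFAULTS = {"pNotifyEmail": "distlist@example.org", "DeepSecurityAdminName": "MasterAdmin",
            "QSS3BucketName": "aws-quickstart", "QSS3KeyPrefix": "quickstart-compliance-nist-high/",
            "pVPCTenancy": "default"}
RULES = {
    # 8-28 alphanumeric; "mixed" is read here as at least one letter and one digit (assumption)
    "pDBPassword": (r"(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{8,28}",
                    "8-28 mixed alphanumeric characters"),
    "DeepSecurityAdminPass": (r"[A-Za-z0-9!^*\-_+]{8,41}",
                              "8-41 characters, alphanumeric or !^*-_+"),
    "QSS3BucketName": (r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?",
                       "letters, digits and hyphens, not starting or ending with a hyphen"),
    "QSS3KeyPrefix": (r"[A-Za-z0-9/-]*", "letters, digits, hyphens and forward slashes"),
    "pVPCTenancy": (r"default|dedicated", "default or dedicated"),
    "pSupportsConfig": (r"Yes|No", "Yes or No"),  # allowed values are an assumption
}

def validate(params):
    """Return a list of human-readable problems; an empty list means the set is acceptable."""
    merged = {**DEFAULTS, **params}
    problems = [f"{k}: required input missing" for k in REQUIRED if not merged.get(k)]
    for key, (pattern, hint) in RULES.items():
        value = merged.get(key, "")
        if value and not re.fullmatch(pattern, value):
            problems.append(f"{key}: must be {hint}")
    # The architecture spans two Availability Zones, so the two selections must differ.
    zone_a, zone_b = merged.get("pAvailabilityZoneA"), merged.get("pAvailabilityZoneB")
    if zone_a and zone_a == zone_b:
        problems.append("pAvailabilityZoneA/pAvailabilityZoneB: choose two different Availability Zones")
    return problems

def to_cfn_parameters(params):
    """Build the Parameters list for create-stack; raises ValueError if validate() finds problems."""
    problems = validate(params)
    if problems:
        raise ValueError("; ".join(problems))
    merged = {**DEFAULTS, **params}
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in sorted(merged.items())]
```

    Pass the returned list to create-stack together with the CAPABILITY_IAM capability, which is the CLI and API equivalent of the acknowledgement check box in step 5.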