AWS CloudFormation Templates - Standardized Architecture for NIST-based Assurance Frameworks on AWS

AWS CloudFormation Templates

An AWS CloudFormation template is a JSON (JavaScript Object Notation) or YAML-formatted text file that describes the AWS infrastructure needed to run an application or service along with any interconnections among infrastructure components. You can deploy a template and its associated collection of resources (called a stack) by using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the AWS CloudFormation API. AWS CloudFormation is available at no additional charge, and you pay only for the AWS resources needed to run your applications. Resources can consist of any AWS resource you define within the template. For a complete list of resources that can be defined within an AWS CloudFormation template, see the AWS Resource Types Reference in the AWS documentation.

AWS CloudFormation Stacks

When you use AWS CloudFormation, you manage related resources as a single unit called a stack. In other words, you create, update, and delete a collection of resources by creating, updating, and deleting stacks. All the resources in a stack are defined by the stack’s AWS CloudFormation template.

To update resources, you first modify the stack templates and then update the stack by submitting the modified template. You can work with stacks by using the AWS CloudFormation console, AWS CloudFormation API, or AWS CLI.

For more information about AWS CloudFormation and stacks, see Get Started in the AWS CloudFormation documentation.

Templates Used in This Quick Start

This Quick Start uses nested AWS CloudFormation templates to deploy the architecture for a multi-tier, Linux-based web application.

The Quick Start consists of a master template and seven child templates: IAM, logging, production VPC, management VPC, Config rules, NAT instance, and application. These templates are designed to deploy the architecture within stacks that align with AWS best practices and the security compliance framework. The following table describes each template and its dependencies. To view the child templates, see the GitHub repository.

Template: Main stack (main.template — or see GovCloud version)
Description: Primary template file that deploys the rest of the stacks and passes parameters between nested templates automatically.
Dependencies: None

Template: IAM stack
Description: Creates a basic IAM configuration with custom policies, groups, and roles.
Dependencies: None

Template: Logging stack
Description: Sets up baseline AWS Config rules for monitoring. Enables AWS CloudTrail, S3 buckets, and bucket policies for logging and archive data. Creates standard Amazon CloudWatch alarms for security-related CloudTrail events.
Dependencies: None

Template: Production VPC stack
Description: Configures a secure Amazon VPC for a public-facing application that includes subnets, NAT instances or NAT gateways, route tables, and custom network access control list (network ACL) rules.
Dependencies: None

Template: Management VPC stack
Description: Configures a secure Amazon VPC for management functions that support the production VPC, and includes subnets, NAT, route tables, custom network access control list (network ACL) rules, and a restricted, public-facing bastion host to support a secured login path for administrator access.
Dependencies: Production VPC stack

Template: Config rules stack
Description: Sets up baseline AWS Config rules for monitoring.
Dependencies: IAM, Production VPC, and Management VPC stacks

Template: NAT instance stack
Description: Conditionally launched by the Management and Production VPC templates to set up EC2 instances for NAT in AWS Regions where the managed NAT gateway capability is not yet available.
Dependencies: None

Template: Application stack
Description: Sets up EC2 instances for reverse proxy and web application, an Amazon RDS database, HTTPS Elastic Load Balancing, Amazon CloudWatch alarms, and Auto Scaling groups.
Dependencies: Production VPC stack

The AWS CloudFormation template main.template is the entry point for launching the entire architecture, and also allows parameters to be passed into each of the nested stacks. The YAML templates for those nested stacks deploy the resources for the architecture.

To deploy the entire architecture (including IAM and Amazon VPC), use main.template when launching the stacks. To deploy the full package, the IAM user must have permissions to deploy the resources each template creates, which includes IAM configuration for groups and roles.

You can also edit main.template to customize stacks or to omit stacks from the deployment. This can be useful for provisioning teams who must deploy the initial base architecture in accounts for application owners. For more information about deployment options and use cases, see Deployment Methods.

Additionally, you can deploy each stack independently. However, this requires that you pass individual parameters to each template upon launch, instead of relying on the main template to pass these values automatically.
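The following is an added illustration of how a main template wires nested stacks together; it is not the Quick Start's own main.template. The child template URLs, the bucket name, and the parameter and output names (pProductionVpcCidr, rVpcId, rConfigRoleArn, and so on) are assumptions chosen for the example, and only three of the seven child stacks are shown.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example main template that nests child stacks (assumed names throughout)
Parameters:
  TemplateBucket:
    Type: String
    Description: S3 bucket holding the child templates (assumed bucket name)
  ProductionVpcCidr:
    Type: String
    Default: 10.100.0.0/16
    # Rejecting malformed CIDRs in the parent stops a bad value reaching every child
    AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$
  ManagementVpcCidr:
    Type: String
    Default: 10.10.0.0/16
    AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$
Resources:
  IamStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${TemplateBucket}.s3.amazonaws.com/templates/iam.template
  ProductionVpcStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${TemplateBucket}.s3.amazonaws.com/templates/vpc-production.template
      Parameters:
        # Parent parameter forwarded to the child; this is what "passing parameters
        # between nested templates automatically" amounts to
        pProductionVpcCidr: !Ref ProductionVpcCidr
  ManagementVpcStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${TemplateBucket}.s3.amazonaws.com/templates/vpc-management.template
      Parameters:
        pManagementVpcCidr: !Ref ManagementVpcCidr
        # Reading a child's outputs creates an implicit dependency, so CloudFormation
        # builds the production VPC first (the "Production VPC stack" dependency)
        pProductionVpcId: !GetAtt ProductionVpcStack.Outputs.rVpcId
        pProductionVpcCidr: !GetAtt ProductionVpcStack.Outputs.rVpcCidr
  ConfigRulesStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${TemplateBucket}.s3.amazonaws.com/templates/config-rules.template
      Parameters:
        # Depends on IAM, production VPC and management VPC stacks via their outputs
        pConfigRoleArn: !GetAtt IamStack.Outputs.rConfigRoleArn
        pProductionVpcId: !GetAtt ProductionVpcStack.Outputs.rVpcId
        pManagementVpcId: !GetAtt ManagementVpcStack.Outputs.rVpcId
Outputs:
  ProductionVpcId:
    Value: !GetAtt ProductionVpcStack.Outputs.rVpcId
```

Because a child stack creates IAM groups and roles, the launch must acknowledge the CAPABILITY_IAM (or CAPABILITY_NAMED_IAM) capability, which is why the launching principal needs IAM permissions as noted above; launching a child template on its own means supplying each !GetAtt value here as a literal parameter instead.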