
Standardized Architecture for NIST-based Assurance Frameworks on the AWS Cloud: Quick Start Reference Deployment

Deployment Guide

AWS Envision Engineering, AWS Professional Services, and AWS Quick Start Reference Team

January 2016  (last update: November 2017)

This Quick Start reference deployment guide discusses architectural considerations and steps for deploying security-focused baseline environments on the Amazon Web Services (AWS) cloud. Specifically, this Quick Start deploys a standardized environment that helps organizations with workloads that fall in scope for any of the following:

  • National Institute of Standards and Technology (NIST) SP 800-53 (Revision 4)

  • NIST SP 800-122

  • NIST SP 800-171

  • The OMB Trusted Internet Connection (TIC) Initiative – FedRAMP Overlay (pilot)

  • The DoD Cloud Computing Security Requirements Guide (SRG)

The deployment guide includes links for viewing and launching AWS CloudFormation templates that automate the deployment.

This reference deployment is part of a set of compliance Quick Starts, which provide security-focused, standardized architecture solutions to help Managed Service Providers (MSPs), cloud provisioning teams, developers, integrators, and information security teams adhere to strict security, compliance, and risk management controls. For additional Quick Starts in this category, see the Quick Start catalog.

The following links are for your convenience. The launch button runs the main Quick Start template, which sets up a multi-tier, Linux-based web application using nested templates. For descriptions of the templates included in this Quick Start and information about using the nested templates separately, see the Templates Used in This Quick Start section of this guide.

  • If you have an AWS account that already meets the technical requirements for the NIST deployment, you can launch the Quick Start to build the architecture shown in Figure 2. The template is launched in the US East (N. Virginia) Region by default. If you have an AWS GovCloud (US-West) account, you can launch the template in the AWS GovCloud (US-West) Region instead.

    The deployment takes approximately 30 minutes. If you’re new to AWS or to NIST-compliant architectures on AWS, please read the overview and follow the detailed pre-deployment and deployment steps described in this guide.

  • If you want to take a look under the covers, you can view the main template that automates this deployment. The main template includes references to child templates, and provides default settings that you can customize by following the instructions in this guide. For descriptions of the templates and guidance for using the nested templates separately, see the Templates Used in This Quick Start section of this guide.

  • You can also view the security controls matrix (Microsoft Excel spreadsheet), which maps the architecture decisions, components, and configuration in this Quick Start to security requirements within NIST, TIC, and DoD Cloud SRG publications; indicates which AWS CloudFormation templates and stacks affect the controls implementation; and specifies the associated AWS resources within the templates and stacks. The excerpt in Figure 1 provides a sample of the available information.

    Figure 1: Excerpt from the security controls matrix
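To make the "main template with nested child templates and customizable defaults" structure concrete, the following is an added illustrative CloudFormation template. It is not the Quick Start's own main template: the parameter names (pVpcCidr, pTemplateBucket), the resource names (rVpcStack, rLoggingStack), the child template file names, the bucket name and the child output rVpcId are all assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Illustrative main template (not the Quick Start's own) showing how a
  parent stack launches child templates as nested stacks and passes
  operator-customizable defaults down to them.

Parameters:
  # Default settings the operator can override at launch time.
  pVpcCidr:
    Type: String
    Default: 10.0.0.0/16
    Description: CIDR block for the production VPC (assumed default).
  pTemplateBucket:
    Type: String
    Default: example-templates-bucket   # placeholder; replace with the bucket hosting the child templates
    Description: S3 bucket that hosts the child templates.

Resources:
  # Each child template is launched as its own nested stack. Outputs of one
  # nested stack can be wired into the parameters of the next.
  rVpcStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      # child-vpc.template is a hypothetical child template name
      TemplateURL: !Sub https://${pTemplateBucket}.s3.amazonaws.com/child-vpc.template
      Parameters:
        pVpcCidr: !Ref pVpcCidr
      TimeoutInMinutes: 30

  rLoggingStack:
    Type: AWS::CloudFormation::Stack
    DependsOn: rVpcStack
    Properties:
      # child-logging.template is a hypothetical child template name
      TemplateURL: !Sub https://${pTemplateBucket}.s3.amazonaws.com/child-logging.template
      Parameters:
        # The child VPC template is assumed to declare an output named rVpcId.
        pVpcId: !GetAtt rVpcStack.Outputs.rVpcId

Outputs:
  VpcId:
    Description: VPC created by the nested VPC stack.
    Value: !GetAtt rVpcStack.Outputs.rVpcId
```

Two practical points follow from this layout. First, because every TemplateURL is resolved at launch time, the bucket holding the child templates must be reachable from the partition you launch in; a launch in the AWS GovCloud (US-West) Region needs the child templates hosted in a GovCloud bucket, since the commercial and GovCloud partitions do not share S3 endpoints. Second, the parent's Parameters block is the single place where the guide's "default settings that you can customize" live, so reviewing that block (and the values you override at launch) is where a security review of a nested deployment should start.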

We'd like your feedback

After you deploy this Quick Start, please take a few minutes to fill out our survey. Your response is anonymous and will help us improve this and other compliance-related reference deployments.

About Quick Starts

Quick Starts are automated reference deployments for key workloads on the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.