AWS CloudFormation Templates - Standardized Architecture for PCI DSS on the AWS Cloud

AWS CloudFormation Templates

An AWS CloudFormation template is a JSON (JavaScript Object Notation) or YAML-formatted text file that describes the AWS infrastructure needed to run an application or service, along with any interconnections among infrastructure components. You can deploy a template and its associated collection of resources (called a stack) by using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the AWS CloudFormation API. AWS CloudFormation is available at no additional charge; you pay only for the AWS resources needed to run your applications. Resources can be any AWS resource you define within the template. For a complete list of resources that can be defined within an AWS CloudFormation template, see the AWS Resource Types Reference in the AWS documentation.

AWS CloudFormation Stacks

When you use AWS CloudFormation, you manage related resources as a single unit called a stack. In other words, you create, update, and delete a collection of resources by creating, updating, and deleting stacks. All the resources in a stack are defined by the stack’s AWS CloudFormation template.

To update resources, you first modify the stack templates and then update the stack by submitting the modified template. You can work with stacks by using the AWS CloudFormation console or the AWS CloudFormation API.

For more information about AWS CloudFormation and stacks, see Get Started in the AWS CloudFormation documentation.

Templates Used in this Quick Start

The Quick Start consists of a main template and six additional AWS CloudFormation templates: IAM, production VPC, management VPC, centralized logging (with optional AWS Config rules), database, and web application. These templates are designed to deploy the architecture within stacks that align with AWS best practices and the security compliance framework. The following table describes each template and its dependencies. To view the child templates, see the GitHub repository.

Main stack (main.template; or see the GovCloud version)
  Description: Primary template file that deploys the rest of the stacks and passes parameters between nested templates automatically.
  Dependencies: None

IAM stack (iam-template)
  Description: Creates a basic IAM configuration with custom policies, groups, roles, and a PCI-compliant password policy.
  Dependencies: None

Centralized logging stack (logging.template)
  Description: Sets up baseline AWS Config rules for monitoring. Enables CloudTrail, S3 buckets, and bucket policies for logging and archive data. Creates standard CloudWatch alarms for security-related CloudTrail events. Creates an Amazon ES cluster with Kibana and an Amazon Cognito front end.
  Dependencies: None

Production VPC stack (vpc-production.template)
  Description: Configures a secure VPC for a public-facing application that includes subnets, NAT instances or NAT gateways, route tables, and custom network ACL rules.
  Dependencies: None

Management VPC stack (vpc-management.template)
  Description: Configures a secure VPC for management functions that support the production VPC, and includes subnets, NAT, route tables, custom network ACL rules, and a restricted, public-facing bastion host that provides a secured login path for administrator access.
  Dependencies: Production VPC stack

Config rules stack (config-rules.template)
  Description: (Optional) Sets up baseline AWS Config rules for monitoring.
  Dependencies: Centralized logging template

Database stack (database.template)
  Description: Sets up a subnet group from two private subnets for the Amazon Aurora cluster, an encrypted DB with a symmetric CMK, and IAM groups for Key Admins and Key Users (usage). Adds a security group that allows port 3306 access only from within the customer-provided (or main template) VPC. Enables Secrets Manager to rotate passwords every 89 days.
  Dependencies: None

Application stack (application.template)
  Description: Sets up EC2 instances for the reverse proxy and web application, HTTPS Elastic Load Balancing, CloudWatch alarms, AWS WAF, and Auto Scaling groups.
  Dependencies: None
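Because the database stack's value for PCI DSS lies in three concrete settings (port 3306 reachable only from inside the VPC, storage encrypted with a CMK, and secret rotation at most every 89 days), a pre-deployment check of a parsed template against those settings is a useful gate. The following is an added example, not code from the Quick Start: the sample template, its resource names and the VPCCIDR parameter are constructed, and the 90-day rotation ceiling is an assumption chosen to match the 89-day rotation the stack uses.

```python
import json

# Constructed sample modelled on the database stack's description (not the
# Quick Start's own template); resource and parameter names are assumed.
SAMPLE_TEMPLATE = json.loads("""{
  "Parameters": {"VPCCIDR": {"Type": "String", "Default": "10.100.0.0/16"}},
  "Resources": {
    "DBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3306,
                                "ToPort": 3306, "CidrIp": {"Ref": "VPCCIDR"}}]}},
    "AuroraCluster": {"Type": "AWS::RDS::DBCluster", "Properties": {
      "StorageEncrypted": true, "KmsKeyId": {"Ref": "DatabaseKey"}}},
    "SecretRotation": {"Type": "AWS::SecretsManager::RotationSchedule",
      "Properties": {"RotationRules": {"AutomaticallyAfterDays": 89}}}
  }
}""")

WORLD_OPEN = ("0.0.0.0/0", "::/0")


def audit_database_template(template, max_rotation_days=90):
    """Check a parsed JSON template against the database stack's stated
    controls; returns a list of findings (an empty list means all pass)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                # A missing port range (e.g. IpProtocol "-1") covers all ports.
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                source = rule.get("CidrIp", rule.get("CidrIpv6"))
                if lo <= 3306 <= hi and source in WORLD_OPEN:
                    findings.append(f"{name}: port 3306 reachable from {source}")
        elif rtype == "AWS::RDS::DBCluster":
            if props.get("StorageEncrypted") is not True:
                findings.append(f"{name}: storage is not encrypted")
            if "KmsKeyId" not in props:  # default key is not a customer CMK
                findings.append(f"{name}: no customer-managed key (KmsKeyId)")
        elif rtype == "AWS::SecretsManager::RotationSchedule":
            days = props.get("RotationRules", {}).get("AutomaticallyAfterDays")
            if days is None or days > max_rotation_days:
                findings.append(f"{name}: AutomaticallyAfterDays={days} "
                                f"(limit {max_rotation_days})")
    return findings


if __name__ == "__main__":
    for finding in audit_database_template(SAMPLE_TEMPLATE) or ["no findings"]:
        print(finding)
```

Run it against `json.load(open("database.template"))` before creating the stack; a non-empty result is the list of settings to fix first.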

The AWS CloudFormation template main.template is now only a basic architecture for customers to deploy resources on top of. Customers can choose between the various templates to test and customize their environments without needing to deploy the entire architecture.

The IAM user must have permissions to deploy the resources each template creates, which includes IAM configuration for groups and roles.

You can also edit main.template to customize the subnets and architecture. This can be useful for provisioning teams who must deploy the initial base architecture in accounts for application owners. For more information about deployment options and use cases, see Deployment Methods.