Overview - Standardised Architecture for UK-OFFICIAL on AWS


AWS Compliance Architectures

AWS compliance solutions help streamline, automate, and implement secure baselines in AWS—from initial design to operational security readiness. They incorporate the expertise of AWS solutions architects and security and compliance personnel to help you build a secure and reliable architecture easily through automation.

This Quick Start includes AWS CloudFormation templates, which can be integrated with AWS Service Catalog, to automate building a standardised reference architecture that aligns with the NCSC Cloud Security Principles. It also includes a security controls matrix, which maps the security controls and requirements to architecture decisions, features, and configuration of the baseline to enhance your organisation’s ability to understand and assess the system security configuration.

UK Government Private Networks Connectivity

AWS customers who require connectivity with special-purpose networks, such as the Public Services Network (PSN) for public sector organisations, N3 for the English National Health Service (NHS), and Janet for education and research, need to implement enhanced network segmentation and isolation. These networks are restricted to organisations that have implemented the set of technical and legal controls required by the network operators.

AWS has worked with the UK Government Private Networks providers to develop a set of best practices and architecture patterns for public sector organisations; please contact AWS for guidance.

Architecture for Compliance on AWS

Deploying this Quick Start builds a multi-tier, Linux-based web application in the AWS Cloud, as illustrated in Figures 2 and 3.


You can also download these diagrams in Microsoft PowerPoint format, and edit the icons to reflect your specific workload.

Figure 2: Standard three-tier web architecture depicting integration with multiple VPCs (notional development VPC shown)

Figure 3: Production VPC design

The sample architecture includes the following components and features:

  • Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies and associated groups, roles, and instance profiles

  • Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database

  • Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data

  • Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack

  • Three-tier Linux web application using Amazon EC2 Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with a customer application

  • A management VPC hosting a secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities. This VPC can be used for any other centralised governance and security tools, such as operational monitoring, long-term user credentials management, vulnerability management, configuration management source repositories, etc.

  • Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database

  • Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules
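As an added example (not code from the Quick Start templates), the following Python check evaluates a constructed set of security-group ingress rules against the tier model above: HTTPS from the Internet only at the load balancer, the application and database tiers reachable only from the tier in front of them, and SSH only from the bastion group. The group IDs, the rule shape, the EXPECTED table and the administrative source range are assumptions.

```python
# Added example (not Quick Start code): check constructed security-group ingress
# rules against the tier model described above. Group IDs, the rule shape and the
# EXPECTED table are assumptions; the bastion source range is invented.

# Expected inbound exposure per group as (port, source). A source of "sg-..."
# means "only from that group"; "0.0.0.0/0" means Internet-facing.
EXPECTED = {
    "sg-elb": {(443, "0.0.0.0/0")},                   # HTTPS load balancer
    "sg-app": {(443, "sg-elb"), (22, "sg-bastion")},  # web/app tier
    "sg-rds": {(3306, "sg-app")},                     # MySQL from app tier only
    "sg-bastion": {(22, "10.0.0.0/8")},               # assumed admin range
}

def findings(group_id, ingress):
    """Return findings for one group; ingress is a list of {"port", "source"}."""
    allowed = EXPECTED.get(group_id)
    if allowed is None:
        return [f"{group_id}: no tier definition, review manually"]
    out, seen = [], set()
    for rule in ingress:
        pair = (rule["port"], rule["source"])
        seen.add(pair)
        if pair in allowed:
            continue
        if rule["source"] == "0.0.0.0/0":
            out.append(f"{group_id}: port {pair[0]} open to the Internet")
        elif pair[0] == 22 and group_id != "sg-bastion":
            out.append(f"{group_id}: SSH from {pair[1]}, expected bastion only")
        else:
            out.append(f"{group_id}: unexpected rule port {pair[0]} from {pair[1]}")
    # Rules the tier model expects but the group lacks (e.g. bastion access removed).
    for port, src in sorted(allowed - seen):
        out.append(f"{group_id}: missing expected rule port {port} from {src}")
    return out

def audit(groups):
    """Run findings() over every group and return a flat list of strings."""
    return [f for gid, rules in groups.items() for f in findings(gid, rules)]

# Constructed drift: the app tier now allows SSH from anywhere and the database
# tier accepts MySQL directly from the load balancer group.
SAMPLE_GROUPS = {
    "sg-elb": [{"port": 443, "source": "0.0.0.0/0"}],
    "sg-app": [{"port": 443, "source": "sg-elb"}, {"port": 22, "source": "0.0.0.0/0"}],
    "sg-rds": [{"port": 3306, "source": "sg-app"}, {"port": 3306, "source": "sg-elb"}],
    "sg-bastion": [{"port": 22, "source": "10.0.0.0/8"}],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_GROUPS)) or "no findings")
```

In a real account the same rules would be read with the EC2 DescribeSecurityGroups API and mapped into the {"port", "source"} shape before calling audit().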

AWS Services

The core AWS components used by this Quick Start include the following AWS services. (If you are new to AWS, see Getting Started with AWS.)

  • AWS CloudTrail – AWS CloudTrail records AWS API calls and delivers log files that include caller identity, time, source IP address, request parameters, and response elements. The call history and details provided by CloudTrail enable security analysis, resource change tracking, and compliance auditing.

  • Amazon CloudWatch – Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications you run on AWS. You can use CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.

  • AWS Config – AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. AWS Config rules enable you to automatically check the configuration of AWS resources recorded by AWS Config.

  • Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-level storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes provide the consistent and low-latency performance needed to run your workloads.

  • Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you to launch virtual machine instances with a variety of operating systems. You can choose from existing Amazon Machine Images (AMIs) or import your own virtual machine images.

  • Elastic Load Balancing – Elastic Load Balancing automatically distributes traffic across multiple EC2 instances, to help achieve better fault tolerance and availability.

  • Amazon S3 Glacier – Amazon S3 Glacier is a storage service for archiving and long-term backup of infrequently used data. It provides secure, durable, and extremely low-cost storage, supports data transfer over SSL, and automatically encrypts data at rest. With S3 Glacier, you can store your data for months, years, or even decades at a very low cost.

  • Amazon RDS – Amazon Relational Database Service (Amazon RDS) enables you to set up, operate, and scale a relational database in the AWS Cloud. It also handles many database management tasks, such as database backups, software patching, automatic failure detection, and recovery, for database products such as MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server, and Amazon Aurora. This Quick Start includes a MySQL database by default.

  • Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you provision a private, logically isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

Best Practices

The architecture built by this Quick Start supports AWS best practices for high availability and security:

  • Multi-AZ architecture intended for high availability

  • Isolation of instances between private/public subnets

  • Security groups limiting access to only necessary services and ports

  • Network access control list (ACL) rules to filter traffic into subnets as an additional layer of network security

  • Management VPC and a secured bastion host instance to facilitate restricted login access for system administrator actions

  • NAT gateways and proxies to manage Internet access

  • Standard IAM policies with associated groups and roles, exercising least privilege

  • Monitoring and logging; alerts and notifications for critical events such as logging of root activity, IAM changes, and changes to logging policies

  • S3 buckets (with security features enabled) for logging, archive, and application data, including custom lifecycle policies for archiving objects in Amazon S3 Glacier and use of versioning

  • Implementation of proper load balancing and Auto Scaling capabilities

  • HTTPS-enabled Elastic Load Balancing (ELB) load balancers with hardened security policy (please note that a self-signed certificate is auto-generated for testing purposes)

  • Amazon RDS database backup and encryption
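The alerting bullet above names three critical event classes: root activity, IAM changes, and changes to logging policies. As an added example, not code from the Quick Start, this Python snippet classifies constructed CloudTrail records into those classes; the category names, the list of logging-configuration APIs and the IAM verb prefixes are assumptions chosen for illustration.

```python
# Added example (not Quick Start code): classify constructed CloudTrail records
# into the three alert classes named above. Category names and the API lists are
# assumptions chosen for illustration.
import json
from collections import defaultdict

# Write APIs that change logging configuration (assumed list, not exhaustive).
LOGGING_POLICY_CHANGES = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteLogGroup", "DeleteMetricFilter", "PutBucketLogging",
}
# Mutating IAM APIs begin with one of these verbs; read-only Get*/List* do not.
IAM_MUTATING_PREFIXES = ("Create", "Delete", "Put", "Attach", "Detach",
                         "Update", "Add", "Remove")

def classify(event):
    """Return the set of alert categories one CloudTrail record triggers."""
    hits = set()
    identity = event.get("userIdentity", {})
    # Root usage; calls an AWS service makes on root's behalf carry invokedBy.
    if identity.get("type") == "Root" and not identity.get("invokedBy"):
        hits.add("root-activity")
    name = event.get("eventName", "")
    if (event.get("eventSource") == "iam.amazonaws.com"
            and name.startswith(IAM_MUTATING_PREFIXES)):
        hits.add("iam-change")
    if name in LOGGING_POLICY_CHANGES:
        hits.add("logging-policy-change")
    return hits

def alerts_for(records):
    """Group triggering event names by category; an empty dict means nothing to alert on."""
    out = defaultdict(list)
    for ev in records:
        for cat in classify(ev):
            out[cat].append(ev["eventName"])
    return dict(out)

# Constructed sample records (a subset of the real CloudTrail record fields).
SAMPLE_TRAIL = json.loads("""[
 {"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root","accountId":"111111111111"}},
 {"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","userName":"alice"}},
 {"eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"type":"IAMUser","userName":"alice"}},
 {"eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/Admin/bob"}},
 {"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"type":"IAMUser","userName":"carol"}}
]""")

if __name__ == "__main__":
    print(json.dumps(alerts_for(SAMPLE_TRAIL), indent=2))
```

In the deployed baseline the equivalent logic lives in CloudWatch Logs metric filters over the CloudTrail log group, with alarms that notify on a non-zero count.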

How You Can Use This Quick Start

You can build an environment that serves as an example for learning, as a prototyping environment, or as a baseline for customisation.

Since AWS provides a very mature set of configuration options (and new services are being released all the time), this Quick Start provides security templates that you can use for your own environment. These security templates (in the form of AWS CloudFormation templates) provide a comprehensive rule set that can be systematically enforced. You can use these templates as a starting point and customise them to match your specific use cases.

The AWS CloudFormation templates are not intended to be used for production workloads without thorough review, validation, and inclusion of your own business and technical requirements.


You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customise. Some of these settings will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using or the AWS Simple Monthly Calculator. Prices are subject to change.