Standardised Architecture for UK-OFFICIAL on the AWS Cloud: Quick Start Reference Deployment

Based on NCSC Cloud Security Principles

Deployment Guide

AWS Envision Engineering, AWS Professional Services, AWS WWPS, and AWS Quick Start Reference Team

January 2017

This Quick Start reference deployment guide discusses architectural considerations and steps for deploying security-focused baseline environments on the Amazon Web Services (AWS) Cloud. Specifically, this Quick Start deploys a standardised environment that helps organisations adhere to the guidelines set out by the UK National Cyber Security Centre (NCSC) for implementing the Cloud Security Principles.

These guidelines apply to workloads classified as OFFICIAL per the United Kingdom (UK) Government Security Classifications Policy (hereafter referred to as UK-OFFICIAL in this guide). For more information about UK security classifications and using AWS in the context of the Cloud Security Principles, see the Additional Resources section.

The deployment guide includes links for viewing and launching AWS CloudFormation templates that automate the deployment, and a controls mapping matrix that includes additional recommendations and references.

The purpose of the AWS CloudFormation template is to provide an easily deployable reference architecture for evaluation and testing. Although we have strived to make the template as comprehensive as possible, it is not intended to be used for production workloads without appropriate review and validation.

Furthermore, organisations will have to consider their own risk tolerance and internal and external requirements before they can define and implement an AWS multi-account strategy, connectivity with other systems, user authentication workflows, encryption methodologies, logging and auditing requirements, and similar components of the architecture. We recommend that you customise the AWS CloudFormation template to meet your own needs in order to obtain a repeatable and auditable reference architecture.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused, standardised architecture solutions to help Managed Service Providers (MSPs), cloud provisioning teams, developers, integrators, and information security teams adhere to strict security, compliance, and risk management controls. For additional Quick Starts in this category, see the Quick Start catalog.

The following links are for your convenience. The launch button runs the main Quick Start template, which sets up a multi-tier, Linux-based web application using nested templates. For descriptions of the templates included in this Quick Start and information about using the nested templates separately, see the Templates Used in This Quick Start section of this guide.

  • If you have an AWS account that already meets the technical requirements for the UK-OFFICIAL deployment, you can launch the Quick Start to build the architecture shown in Figure 2.

    The deployment takes approximately 30 minutes. If you’re new to AWS or to UK-OFFICIAL architectures on AWS, please read the overview and follow the detailed pre-deployment and deployment steps described in this guide.

  • If you want to take a look under the covers, you can view the main template that automates this deployment. The main template includes references to child templates, and provides default settings that you can customise by following the instructions in this guide. For descriptions of the templates and guidance for using the nested templates separately, see the Templates Used in This Quick Start section of this guide.

  • You can also view the security controls matrix (Microsoft Excel spreadsheet), which maps the architecture decisions, components, and configuration in this Quick Start to security requirements within the NCSC publication; indicates which AWS CloudFormation templates and stacks affect the controls implementation; and specifies the associated AWS resources within the templates and stacks.

    The matrix also provides a mapping with the Center for Internet Security (CIS) Critical Security Controls (CSC), and additional recommendations and links to other AWS documents, in order to assist with the design and deployment of environments in alignment with security best practices.

    The excerpt in Figure 1 provides a sample of the available information.

    Figure 1: Excerpt from the security controls matrix

We'd like your feedback

After you deploy this Quick Start, please take a few minutes to fill out our survey. Your response is anonymous and will help us improve this and other compliance-related reference deployments.

About Quick Starts

Quick Starts are automated reference deployments for key workloads on the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.