Automated deployment - Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US)

Automated deployment

Before you launch the automated deployment, review the architecture, configuration, network security, and other considerations in this guide. Follow the step-by-step instructions in this section to configure and deploy this solution.

Time to deploy: Approximately 90 minutes

Prerequisites

To launch this solution, you need the following:

  1. The account used to launch the solution must be enabled to access AWS GovCloud (US).

  2. You must be authorized to create accounts in the AWS GovCloud (US) Region. For more information on the AWS GovCloud (US) Region, refer to the AWS GovCloud (US) User Guide.

  3. An IAM user and AWS CLI keys created in the AWS GovCloud (US) Central Account. For instructions, refer to Creating an IAM user in your AWS account in the AWS Identity and Access Management User Guide and Create a Systems Manager parameter (console) in the AWS Systems Manager User Guide.

    The corresponding AWS CLI keys and AWS GovCloud (US) Central Account information must be stored as the following SSM parameters in the commercial Central account:

    • /compliant/framework/central/aws-us-gov/id [String]

    • /compliant/framework/central/aws-us-gov/access-key-id [String]

    • /compliant/framework/central/aws-us-gov/secret-access-key [SecureString]

  4. Trusted Access for AWS Organizations has been enabled for AWS CloudFormation StackSets within the AWS GovCloud (US) account. Refer to AWS CloudFormation StackSets and AWS Organizations for instructions.

Step 1. Launch the stack

This automated AWS CloudFormation template deploys the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) solution in the AWS Cloud. Ensure that you have reviewed and gathered all the necessary information for the parameters before launching the stack.

Note

You are responsible for the cost of the AWS services used while running this solution. Refer to the Cost section for more details. For full details, refer to the pricing webpage for each AWS service you will be using in this solution. Refer to Additional resources for links to the webpages for all services used in this solution.

  1. Sign in to the AWS Management Console and select the button below to launch the compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us AWS CloudFormation template.

    [Launch button: Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US)]

    Alternatively, you can also download the template as a starting point for your own implementation. Refer to the README.md file in the GitHub repository for guidance to customize the template.

    Important

    The template must be launched from the default US East (N. Virginia) Region. Do not select any other Region.

  2. On the Create stack page, verify that the correct template URL shows in the Amazon S3 URL text box and choose Next.

  3. On the Specify stack details page, assign a name to your solution stack.

  4. Under Parameters, review the parameters for the template, and modify them as necessary. In many cases, the default values are suitable; however, some of the parameters do not have default values and require your input. This solution uses the following default values.

    | Parameter | Default | Description |
    |---|---|---|
    | Deployment Notifications Email | <Requires input> | Specify an email address to receive notifications about this deployment. |
    | Core Notifications Email | <Requires input> | Specify an email address to receive notifications about Core accounts. |
    | Environment Notifications Email | <Requires input> | Specify an email address to receive notifications about Environment accounts. |
    | Logging Account Email | <Requires input> | Specify an email address to use for the Logging account. This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address. |
    | Transit Account Email | <Requires input> | Specify an email address to use for the Transit account. This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address. |
    | Management Services Account Email | <Requires input> | Specify an email address to use for the Management Services account. This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address. |
    | AWS GovCloud (US)? | true | Specify true to deploy the Compliant Framework into AWS GovCloud (US). If selecting GovCloud, verify that the current account is a GovCloud (US) / ITAR enabled primary payer account and that the AWS CLI access keys have been entered into SSM Parameter Store, per the prerequisites. |
    | Deployment Region | us-gov-west-1 | Specify the Region to deploy the solution into. By default, this solution installs into us-gov-west-1. Contact AWS Professional Services for more information about enabling this solution to also deploy into us-gov-east-1. |
    | Transit Gateway Configuration | | |
    | Amazon Side Autonomous System Number (ASN) | 65224 | The Autonomous System Number (ASN) for the AWS side of a Border Gateway Protocol (BGP) session. The range is 64512 to 65534 for 16-bit ASNs. The range is 4200000000 to 4294967294 for 32-bit ASNs. If you have a multi-Region deployment, we recommend that you use a unique ASN for each of your transit gateways. |
    | Firewall A (ASN) | 65200 | The range is 64512 to 65534 for 16-bit ASNs. The range is 4200000000 to 4294967294 for 32-bit ASNs. If you have a multi-Region deployment, we recommend that you use a unique ASN for each of your transit gateways. |
    | Firewall B (ASN) | 65210 | The range is 64512 to 65534 for 16-bit ASNs. The range is 4200000000 to 4294967294 for 32-bit ASNs. If you have a multi-Region deployment, we recommend that you use a unique ASN for each of your transit gateways. |
    | Transit Account - Firewall VPC Configuration | | |
    | Firewall VPC CIDR | 10.0.0.0/21 | Classless Inter-Domain Routing (CIDR) block for the Transit Virtual Private Cloud (VPC). |
    | (Optional) Firewall VPC NIPR CIDR | 0.0.0.0/0 | If specified, an additional CIDR range is added to the VPC. The external subnet CIDR blocks should reflect use of this Non-classified Internet Protocol Router (NIPR) based range. |
    | VPC Instance Tenancy | default | The allowed tenancy of instances launched into the VPC. |
    | External Subnet CIDR Block - Availability Zone A | 10.0.0.0/24 | CIDR block for the specified subnet. |
    | External Subnet CIDR Block - Availability Zone B | 10.0.1.0/24 | CIDR block for the specified subnet. |
    | Internal Subnet CIDR Block - Availability Zone A | 10.0.3.0/24 | CIDR block for the specified subnet. |
    | Internal Subnet CIDR Block - Availability Zone B | 10.0.4.0/24 | CIDR block for the specified subnet. |
    | Management Subnet CIDR Block - Availability Zone A | 10.0.6.0/27 | CIDR block for the specified subnet. |
    | Management Subnet CIDR Block - Availability Zone B | 10.0.6.32/27 | CIDR block for the specified subnet. |
    | Transit Gateway Attachment Subnet CIDR Block - Availability Zone A | 10.0.7.208/28 | CIDR block for the specified subnet. |
    | Transit Gateway Attachment Subnet CIDR Block - Availability Zone B | 10.0.7.224/28 | CIDR block for the specified subnet. |
    | Management Services Account - Management Services VPC Configuration | | |
    | Management Services VPC CIDR | 10.0.20.0/22 | CIDR block for the Management Services VPC. |
    | VPC Instance Tenancy | default | The allowed tenancy of instances launched into the VPC. |
    | Application Subnet CIDR Block - Availability Zone A | 10.0.20.0/24 | CIDR block for the specified subnet. |
    | Application Subnet CIDR Block - Availability Zone B | 10.0.21.0/24 | CIDR block for the specified subnet. |
    | Data Subnet CIDR Block - Availability Zone A | 10.0.23.0/26 | CIDR block for the specified subnet. |
    | Data Subnet CIDR Block - Availability Zone B | 10.0.23.64/26 | CIDR block for the specified subnet. |
    | Transit Gateway Attachment Subnet CIDR Block - Availability Zone A | 10.0.23.208/28 | CIDR block for the specified subnet. |
    | Transit Gateway Attachment Subnet CIDR Block - Availability Zone B | 10.0.23.224/28 | CIDR block for the specified subnet. |
    | Management Services Account - External Access VPC Configuration | | |
    | External Access VPC CIDR | 10.0.24.0/22 | CIDR block for the External Access VPC. |
    | VPC Instance Tenancy | default | The allowed tenancy of instances launched into the VPC. |
    | Public Subnet CIDR Block - Availability Zone A | 10.0.24.0/27 | CIDR block for the specified subnet. |
    | Public Subnet CIDR Block - Availability Zone B | 10.0.24.32/27 | CIDR block for the specified subnet. |
    | Application Subnet CIDR Block - Availability Zone A | 10.0.24.96/27 | CIDR block for the specified subnet. |
    | Application Subnet CIDR Block - Availability Zone B | 10.0.24.128/27 | CIDR block for the specified subnet. |
    | Transit Gateway Attachment Subnet CIDR Block - Availability Zone A | 10.0.24.208/28 | CIDR block for the specified subnet. |
    | Transit Gateway Attachment Subnet CIDR Block - Availability Zone B | 10.0.24.224/28 | CIDR block for the specified subnet. |
    | Management Services Account - Directory VPC Configuration | | |
    | Directory VPC CIDR | 10.0.10.0/24 | CIDR block for the Directory VPC. |
    | VPC Instance Tenancy | default | The allowed tenancy of instances launched into the VPC. |
    | Application Subnet CIDR Block - Availability Zone A | 10.0.10.0/27 | CIDR block for the specified subnet. |
    | Application Subnet CIDR Block - Availability Zone B | 10.0.10.32/27 | CIDR block for the specified subnet. |
    | Data Subnet CIDR Block - Availability Zone A | 10.0.10.96/27 | CIDR block for the specified subnet. |
    | Data Subnet CIDR Block - Availability Zone B | 10.0.10.128/27 | CIDR block for the specified subnet. |
    | Transit Gateway Attachment Subnet CIDR Block - Availability Zone A | 10.0.10.208/28 | CIDR block for the specified subnet. |
    | Transit Gateway Attachment Subnet CIDR Block - Availability Zone B | 10.0.10.224/28 | CIDR block for the specified subnet. |
  5. Choose Next.

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  8. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 90 minutes.
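Before launching the stack, it is worth checking that any CIDR or ASN values you change in the parameter table still form a consistent plan: every subnet inside its VPC, no overlapping subnets, no overlap between the four VPC CIDRs (they all attach to the same transit gateway), and BGP ASNs that are private and unique. The following pre-flight check is an added example written for this guide, not part of the solution's template; it uses only the Python standard library and ships with the table's default values so you can substitute your own.

```python
"""Pre-flight check of the stack's network parameters (added example, not solution code).
The defaults below are the values from the parameter table in this guide."""
from ipaddress import ip_network

# Default address plan from the table: VPC CIDR -> its subnet CIDRs.
DEFAULT_PLAN = {
    "10.0.0.0/21": ["10.0.0.0/24", "10.0.1.0/24", "10.0.3.0/24", "10.0.4.0/24",     # Firewall VPC
                    "10.0.6.0/27", "10.0.6.32/27", "10.0.7.208/28", "10.0.7.224/28"],
    "10.0.20.0/22": ["10.0.20.0/24", "10.0.21.0/24", "10.0.23.0/26", "10.0.23.64/26",  # Mgmt Services
                     "10.0.23.208/28", "10.0.23.224/28"],
    "10.0.24.0/22": ["10.0.24.0/27", "10.0.24.32/27", "10.0.24.96/27", "10.0.24.128/27",  # External Access
                     "10.0.24.208/28", "10.0.24.224/28"],
    "10.0.10.0/24": ["10.0.10.0/27", "10.0.10.32/27", "10.0.10.96/27", "10.0.10.128/27",  # Directory
                     "10.0.10.208/28", "10.0.10.224/28"],
}
DEFAULT_ASNS = {"transit_gateway": 65224, "firewall_a": 65200, "firewall_b": 65210}
ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))  # private 16-bit and 32-bit ranges


def check_plan(plan):
    """Return a list of problems; an empty list means the address plan is consistent."""
    problems = []
    vpcs = [ip_network(c) for c in plan]          # strict=True rejects a CIDR with host bits set
    for i, a in enumerate(vpcs):                  # VPC-to-VPC overlap (shared transit gateway)
        for b in vpcs[i + 1:]:
            if a.overlaps(b):
                problems.append(f"VPC {a} overlaps VPC {b}")
    for vpc_cidr, subnets in plan.items():
        vpc = ip_network(vpc_cidr)
        nets = [ip_network(s) for s in subnets]
        for i, s in enumerate(nets):
            if not s.subnet_of(vpc):              # subnet must be carved from its VPC block
                problems.append(f"subnet {s} is outside VPC {vpc}")
            for t in nets[i + 1:]:                # subnets within a VPC must not overlap
                if s.overlaps(t):
                    problems.append(f"subnet {s} overlaps subnet {t} in VPC {vpc}")
    return problems


def check_asns(asns):
    """Return a list of problems: ASNs outside the private ranges or not unique."""
    problems = [f"{name} ASN {asn} is not in a private ASN range"
                for name, asn in asns.items()
                if not any(lo <= asn <= hi for lo, hi in ASN_RANGES)]
    if len(set(asns.values())) != len(asns):
        problems.append("ASNs must be unique per BGP peer")
    return problems


if __name__ == "__main__":
    print(check_plan(DEFAULT_PLAN) + check_asns(DEFAULT_ASNS) or "parameters look consistent")
```

The optional Firewall VPC NIPR CIDR is not modelled here, since its 0.0.0.0/0 default is a placeholder rather than a real block; add it to the Firewall VPC entry only once you have set an actual range.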