Standardized Architecture for UK-OFFICIAL on the AWS Cloud

Quick Start Reference Deployment

QS

September 2020
Charlie Llewellyn, Chris King, and Matt Johnson, AWS Professional Services team
Andrew Glenn, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by AWS World Wide Professional Services in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start reference deployment guide discusses architectural considerations and steps for deploying security-focused baseline environments on the AWS Cloud. Specifically, this Quick Start deploys a standardized environment that helps organizations adhere to guidelines set out by the UK National Cyber Security Centre (NCSC) for the Cloud Security Principles implementation.

This Quick Start is for UK public sector customers who want to experiment with deploying services in AWS that can support data classified as OFFICIAL.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Standardized Architecture for UK-OFFICIAL on AWS

UK-OFFICIAL compliance on AWS

The deployment guide includes links for viewing and launching AWS CloudFormation templates that automate the deployment, a control-mapping matrix, and recommendations for incorporating additional requirements.

The purpose of the AWS CloudFormation template is to provide a deployable reference architecture for evaluation and testing. Although the template covers many configuration aspects to support UK-OFFICIAL workloads, it is not intended for production workloads without appropriate review and validation.

Furthermore, organizations must consider their own risks, tolerances, and internal/external requirements before defining and implementing an AWS multiaccount strategy. This includes connectivity with other systems and networks, user authentication workflows, encryption methodologies, logging and auditing requirements, and similar architecture components. We recommend that you customize the AWS CloudFormation templates to meet your needs in order to obtain a repeatable and auditable reference architecture.

UK government private networks connectivity

AWS customers who require connectivity with special-purpose networks must implement enhanced network segmentation and isolation. Some organizations that may consider doing this include Public Services Network (PSN) for public-sector organizations, N3 for English National Health Service (NHS), and Janet for education and research. Such networks are restricted to organizations that have implemented the required set of technical and legal controls as required by their network operators.

AWS has worked with private-network providers within the UK government to develop a set of best practices that integrate the included architecture pattern for public-sector organizations to connect to these networks.

How to use this Quick Start

You can build an environment that serves as an example for learning, as a prototyping environment, or as a baseline for customization.

Because AWS provides a mature set of configuration options (with new services released regularly), this Quick Start provides security templates that you can use for your own environment. The security templates (in the form of AWS CloudFormation templates) provide a comprehensive rule set that can be systematically enforced. You can use these templates as a starting point and customize them to match specific use cases.

These templates are intended only for production workloads after thorough review, validation, and inclusion of your own business and technical requirements.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

No specific software licenses are required to use this reference architecture.

Architecture

Deploying this Quick Start builds a multi–Amazon Virtual Private Cloud (Amazon VPC) network topology, a sample LAMP (Linux Apache MySQL PHP) application, and a scalable containerized outbound proxy in the AWS Cloud, as shown in figures 1, 2, and 3.

Architecture
Figure 1. Amazon VPC design depicting the integration of a production VPC that hosts application services, an internet VPC that provides both inbound and outbound connectivity, a shared-services VPC that supports common tools (for example, Active Directory), and an endpoint VPC that provides consolidated access to AWS services and outbound access to the internet. The internet VPC can be replaced or enhanced to feature connectivity to a private government network.
Arcitecture2
Figure 2. Production VPC depicting an integration with an internet VPC for inbound communication to the sample application via AWS PrivateLink
Architecture3
Figure 3. Production VPC depicting outbound access to the internet via the endpoint VPC, which passes requests to an Auto Scaling proxy service

The sample architecture includes the following components and features:

  • Four Amazon virtual private clouds (VPCs), each with a mutiple Availability Zones (Multi-AZ) architecture:

    • A production VPC for application workloads with private subnets to support shared services.

    • A shared-services VPC with private subnets to support shared services (e.g., Active Directory).

    • An internet VPC for controlled internet access with separate public and private communication channels.

    • An endpoint VPC with private subnets to allow direct access to AWS services.

  • AWS Transit Gateway for inter-VPC communication and virtual private network (VPN) termination.

  • A peering connection for inter-VPC traffic between the internet VPC and endpoint VPC.

  • Outbound proxies to handle external requests for logging and compliance.

  • Standard Amazon VPC security groups (not shown) for Amazon Elastic Compute Cloud (Amazon EC2) instances, load balancers, and endpoints.

  • (Not shown) A LAMP (Linux Apache MySQL PHP) application using Auto Scaling and Elastic Load Balancing, which can be modified or bootstrapped using customer applications.

  • Amazon GuardDuty for capture and analysis of security events and compliance.

  • Logging, monitoring, and alerting using AWS Config rules, Amazon CloudWatch, and AWS CloudTrail.

  • A basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, associated groups, roles, and instance profiles.

  • AWS Security Hub for audit compliance.

  • Amazon Route 53, a resolver to manage the shared private Domain Name System (DNS) for shared services and endpoints across VPCs.

  • AWS Systems Manager, a sessions manager for administrative access to production-VPC instances.

  • AWS Certificate Manager (ACM) to store and deploy Secure Sockets Layer (SSL) certificates to endpoints (to enable encryption in transit).

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start requires a moderate- to high-level understanding of the process to achieve and manage control requirements and compliance processes associated with UK-OFFICIAL workloads within a traditional hosting environment.

This deployment is intended for information technology (IT) assessors and security personnel. It assumes familiarity with basic security concepts in the areas of networking, operating systems, data encryption, operational controls, and cloud computing.

Additionally, this deployment requires a moderate level of understanding of AWS services, which include the following:

  • Access to a current AWS account with IAM administrator-level permissions.

  • A basic understanding of AWS services, service quotas, and AWS CloudFormation.

  • Knowledge of architecting applications on AWS.

  • An understanding of security and compliance requirements within the customer’s organization.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource This deployment uses

VPCs

4

Elastic IP addresses

1

AWS Identity and Access Management (IAM) security groups

10

IAM roles

14

Auto Scaling groups

1

Application Load Balancers

1

Network Load Balancers

2

t3.micro EC2 instances

7

db.t3.micro Amazon Relational Database Service (Amazon RDS) instances

2

Supported Regions

  • eu-west-2 (London)

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Deployment options

This Quick Start provides two deployment options:

  • Deploy Standardized Architecture for UK-OFFICIAL into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys Standardized Architecture for UK-OFFICIAL into this new VPC.

  • Deploy Standardized Architecture for UK-OFFICIAL into an existing VPC. This option provisions Standardized Architecture for UK-OFFICIAL in your existing AWS infrastructure.

The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Standardized Architecture for UK-OFFICIAL settings, as discussed later in this guide.

Deployment steps

+ === Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user or role that has the necessary permissions. For details, see the Planning the deployment section.

  2. Ensure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.
  1. Choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see the Deployment options section.

Deploy Standardized Architecture for UK-OFFICIAL into a new VPC on AWS

If you deploy Standardized Architecture for UK-OFFICIAL into an existing VPC, ensure that your VPC has two private subnets in different Availability Zones for the workload instances and that the subnets aren’t shared. This Quick Start doesn’t support shared subnets. To download packages and software without exposing them to the internet, these subnets require NAT gateways in their route tables.

Ensure that you configure the domain name in the Dynamic Host Configuration Protocol (DHCP) options. For more information, see DHCP options sets. Provide your VPC settings when you launch the Quick Start.

Each deployment takes about 30–60 minutes to complete.

  1. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for Standardized Architecture for UK-OFFICIAL is built. The template launches in the us-east-1 Region by default.

  1. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  2. On the Specify stack details page, change the stack name if needed. Review the template’s parameters, and provide values for any parameters that require input. For all other parameters, review the default settings, and customize them as necessary.

+ In the following tables, parameters are listed by category and described separately for the deployment options. When you finish reviewing and customizing the parameters, choose Next.

+ NOTE: Unless you are customizing the Quick Start templates for your own deployment projects, keep the default settings for the parameters Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

+ === Launch into a new VPC .VPC configuration

Parameter label (name) Default value Description

Internet VPC CIDR (InternetVPCCidr)

10.0.0.0/16

CIDR for Internet VPC supernet.

Shared VPC CIDR (SharedVPCCidr)

10.10.0.0/16

CIDR for Shared VPC supernet.

Production VPC CIDR (ProductionVPCCidr)

172.16.0.0/16

CIDR for Production VPC supernet.

Endpoint VPC CIDR (EndpointVPCCidr)

192.168.0.0/16

CIDR for Endpoint VPC supernet.

Table 1. Deployment configuration
Parameter label (name) Default value Description

Project name (ProjectName)

official-quickstart

Tag for resources.

Database password (DBPassword)

Requires input

Password for database server.

CIS alert email (CisAlertingEmail)

Requires input

Email address to send alerts for CIS breaches.

Table 2. AWS Quick Start configuration
Parameter label (name) Default value Description

Quick Start S3 bucket name (QSS3BucketName)

aws-quickstart

S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).

Quick Start S3 key prefix (QSS3KeyPrefix)

quickstart-compliance-uk-official/

S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).

Quick Start S3 bucket Region (QSS3BucketRegion)

eu-west-2

The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.

+ . On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next. . On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros. . Choose Create stack to deploy the stack. . Monitor the status of the stack. When the status is CREATE_COMPLETE, the Standardized Architecture for UK-OFFICIAL deployment is ready. . Use the values displayed in the Outputs tab for the stack, as shown in Figure 4, to view the created resources.

cfn_outputs
Figure 4. Standardized Architecture for UK-OFFICIAL outputs after successful deployment

Test the deployment

To test your deployment, choose the link for LandingPageURL from the Outputs tab for the main stack, as shown in figure 4.

This deployment builds a working demonstration of a Multi-AZ WordPress site. To connect to the WordPress site, choose the URL provided for the WordPress application on the landing page. The URL is also available from the WebsiteURL link on the Outputs tab for the main stack.

WordPress is provided for testing and proof-of-concept purposes only; it is not intended for production use. You can replace it with another application of your choice. Application-level security, including patching, operating-system updates, and addressing application vulnerabilities, are the customer’s responsibility. For more information, see the AWS Shared Responsibility Model.

The landing page URL brings up the WordPress welcome page. You can install and test the WordPress deployment from here.

For this Quick Start, we recommend that you delete the AWS CloudFormation stacks after your proof-of-concept demonstration or testing is complete.

Deleting the stacks

When you finish using the baseline environment, you can delete the stacks. Deleting a stack by using a command line interface (CLI), application programming interface (API), or the AWS CloudFormation console removes all of the created resources for the stack. The only exceptions are the S3 buckets for logging and backup. By default, the deletion policy for those buckets is set to Retain, so you must delete them manually.

This Quick Start deployment uses nested AWS CloudFormation templates, so deleting the main stack removes nested stacks and all associated resources.

Integrating with AWS Service Catalog

To manage your AWS CloudFormation templates from a central location, add your templates for this Quick Start to the AWS Service Catalog as a portfolio or product. This helps to support consistent governance, security, and compliance requirements. Users can deploy only the approved IT services they need.

For more information, see the AWS Service Catalog Documentation.

Additional resources

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to Disabled. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state is retained and the instance remains running so you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for the stack. Ensure that you delete the stack when you finish troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. We recommend that you launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information about AWS CloudFormation quotas, see AWS CloudFormation quotas.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.