ISMS-P on the AWS Cloud

Quick Start Reference Deployment


December 2020
Cheon Jong Hyun, SK Infosec
Troy Ameigh and Dave May, AWS Quick Start team, and Jekwang Ryu, YeonJoo Kwon, and SangYoul Jin, Amazon Professional Services organization

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by SK Infosec in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start deployment guide provides step-by-step instructions for deploying an environment and resources based on the Personal Information and Information Security Management System (ISMS-P) reference architecture on the AWS Cloud.

This Quick Start is for organizations and users who need to create a cloud-based security infrastructure and services that comply with ISMS-P, as required by the Personal Information Protection Act and Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.

This Quick Start solution is designed to implement as many ISMS-P package controls as possible, but may not include all solutions that are recommended.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

ISMS-P on AWS

This reference architecture includes security and management services that meet ISMS-P control requirements. It demonstrates how to combine different AWS services to support general multi-tier web applications.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

This Quick Start does not require a license.

Architecture

Deploying this Quick Start template builds the following AWS Cloud architecture to meet the key requirements of ISMS-P controls. It configures AWS security services for critical data and infrastructure.

Figure 1. Quick Start architecture for ISMS-P on AWS

As shown in Figure 1, the Quick Start sets up the following:

  • A multi-Availability Zone (AZ) architecture with separate management and production virtual private clouds (VPCs).

  • In the management VPC:

    • AWS-managed network address translation (NAT) gateways that give resources in the private subnets outbound access to the public internet.

    • A bastion host in a public subnet that provides system administrator access and connection via Secure Shell (SSH) for troubleshooting Amazon Elastic Compute Cloud (Amazon EC2) instances. The bastion host is assigned an Elastic IP address (EIP).

  • In the production VPC:

    • AWS-managed NAT gateways that give resources in the private subnets outbound access to the public internet.

    • Web and application instances with public (front-end) and private (back-end) subnets for web, application, and database layers.

    • A redundant Amazon Relational Database Service (Amazon RDS) database in a multi-AZ configuration.

    • Separate Auto Scaling groups for web and application instances for high availability, and a three-tier web application (WordPress) that is load balanced with an Application Load Balancer.

  • Standard security groups for Amazon EC2 instances.

  • Default AWS Identity and Access Management (IAM) configurations that include groups, roles, and instance profiles as well as customizable IAM policies.

  • AWS Key Management Service (AWS KMS) for AWS CloudTrail and Amazon RDS key encryption.

  • Amazon GuardDuty to identify external intrusion threats.

  • Notification policies based on Amazon Simple Notification Service (Amazon SNS) topics to capture Amazon RDS CPU and storage alarms.

  • AWS Config rules to monitor security policies and compliance.

  • An AWS WAF web ACL that automatically applies rules (Core Rule, WordPress, Application, SQL database, PHP application) against the Open Web Application Security Project (OWASP) Top 10 vulnerabilities.

  • Amazon S3 buckets for centralized logging.

  • Amazon CloudWatch metric filters and alarms to monitor various aspects of the infrastructure, including the reliability, availability, and performance of Amazon RDS.

  • Amazon CloudWatch alarms to trigger Amazon SNS topics and send email notifications.

  • AWS Systems Manager for managing Amazon Machine Images (AMI) and keeping them current.

  • AWS Secrets Manager for creating and rotating the database password.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start assumes familiarity with the ISMS-P reference architecture. See AWS Artifact or ISMS compliance for more information.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource | This deployment uses
VPCs | 2
Internet Gateways | 2
Elastic IP addresses | 5
Lambda functions | 3
Identity and Access Management (IAM) groups | 5
IAM roles | 11
Auto Scaling groups | 2
Application Load Balancers | 2
t3.small instances | 1
m5.large instances | 4
db.r4.large instances | 2
CloudWatch Log Groups | 1
CloudWatch Alarms | 15
Config Conformance Packs | 1
AWS WAF access control lists (web ACLs) | 1
Amazon GuardDuty subscriptions | 1

Supported Regions

This deployment includes services that may not be available in all AWS Regions (for example, AWS Auto Scaling, AWS WAF, and AWS Firewall Manager). See Service endpoints and quotas and AWS Regional Services List to find the latest list of Regions that support these services.

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

EC2 key pairs

Make sure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you plan to deploy the Quick Start. Make note of the key pair name. You need it during deployment. To create a key pair, see Amazon EC2 key pairs and Linux instances.

For testing or proof-of-concept purposes, we recommend creating a new key pair instead of using one that’s already being used by a production instance.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Deployment options

This Quick Start provides the following deployment option:

Deploy ISMS-P into a new VPC. This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys ISMS-P into this new VPC.

Deployment steps

Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user or role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.

  2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Confirm Amazon EC2 key pair

Make sure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you plan to deploy the Quick Start.

Make note of the key pair name, as you will need it during deployment. To create a key pair, see Amazon EC2 key pairs and Linux instances.

For testing or proof-of-concept purposes, create a new key pair instead of using one that’s already being used by a production instance.

Confirm IAM permissions

Before launching the Quick Start, log in to the AWS Management Console with IAM permissions for the resources and actions the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Check status of Amazon GuardDuty and AWS Config

  1. If Amazon GuardDuty is already enabled in your Region, either disable it or set the EnableGuardDuty CloudFormation parameter to Disable. Deploying a GuardDuty detector to an account that already has a detector in that Region makes the deployment fail. For more information, see Suspending or disabling GuardDuty.

  2. Enable AWS Config if it is disabled in your Region to avoid trouble during deployment. For more information, see Setting up AWS Config through the console.
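The quota table in the Technical requirements section and the two checks above are the things that most often make a first launch fail, so it is worth scripting them as a pre-launch gate. The following script is an added example, not part of the Quick Start templates. Its functions take plain dictionaries shaped like the responses of the AWS APIs they mirror (GuardDuty ListDetectors and AWS Config DescribeConfigurationRecorderStatus) so that the logic runs offline; in practice you would pass in the results of boto3.client("guardduty").list_detectors() and boto3.client("config").describe_configuration_recorder_status(), and the quota and usage maps would come from Service Quotas and the respective service consoles. The quota figures, detector ID and recorder status used as input are constructed samples, and the spelling of the EnableGuardDuty values is an assumption to be checked against the template's allowed values.

```python
"""Pre-launch checks for the ISMS-P Quick Start (added example)."""

# Count-type resources from the "Resource quotas" table of this guide.
# Instance quotas are vCPU based and are left out of this check.
REQUIRED = {
    "VPCs": 2,
    "Internet Gateways": 2,
    "Elastic IP addresses": 5,
    "Lambda functions": 3,
    "IAM groups": 5,
    "IAM roles": 11,
    "Auto Scaling groups": 2,
    "Application Load Balancers": 2,
    "CloudWatch alarms": 15,
}


def quota_shortfalls(quotas, usage, required=REQUIRED):
    """Return {resource: (needed, headroom)} for every resource whose headroom
    (quota minus current usage in the Region) is below what this deployment
    creates. quotas and usage are {resource name: count} maps."""
    short = {}
    for name, needed in required.items():
        headroom = quotas.get(name, 0) - usage.get(name, 0)
        if headroom < needed:
            short[name] = (needed, headroom)
    return short


def guardduty_parameter(list_detectors_response):
    """Pick the EnableGuardDuty value from a ListDetectors response.
    A detector already present in the Region means the template must not
    create another one (the stack would fail), so the answer is 'Disable'.
    Assumption: the template accepts 'Enable'/'Disable' as written here."""
    return "Disable" if list_detectors_response.get("DetectorIds") else "Enable"


def config_ready(recorder_status_response):
    """True when at least one AWS Config recorder is recording in the Region."""
    statuses = recorder_status_response.get("ConfigurationRecordersStatus", [])
    return any(s.get("recording") for s in statuses)


def preflight(quotas, usage, list_detectors_response, recorder_status_response):
    """Combine the checks into one go/no-go decision plus a to-do list."""
    short = quota_shortfalls(quotas, usage)
    gd = guardduty_parameter(list_detectors_response)
    cfg = config_ready(recorder_status_response)
    actions = [f"Request a quota increase for {n}: need {need}, headroom {have}"
               for n, (need, have) in short.items()]
    if gd == "Disable":
        actions.append("Set EnableGuardDuty to Disable: a detector already exists in this Region")
    if not cfg:
        actions.append("Enable AWS Config in this Region before launching")
    return {"ok": not short and cfg, "shortfalls": short,
            "EnableGuardDuty": gd, "config_enabled": cfg, "actions": actions}


# Constructed sample inputs (not real account data).
SAMPLE_QUOTAS = {"VPCs": 5, "Internet Gateways": 5, "Elastic IP addresses": 5,
                 "Lambda functions": 1000, "IAM groups": 300, "IAM roles": 1000,
                 "Auto Scaling groups": 200, "Application Load Balancers": 50,
                 "CloudWatch alarms": 5000}
SAMPLE_USAGE = {"VPCs": 4, "Elastic IP addresses": 2}
SAMPLE_DETECTORS = {"DetectorIds": ["12abc34d567e8fa901bc2d34e56789f0"]}  # placeholder ID
SAMPLE_CONFIG = {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]}

if __name__ == "__main__":
    report = preflight(SAMPLE_QUOTAS, SAMPLE_USAGE, SAMPLE_DETECTORS, SAMPLE_CONFIG)
    print("ready to launch" if report["ok"] else "fix the following first:")
    for line in report["actions"]:
        print(" -", line)
```

With the sample data the gate reports two quota shortfalls (VPCs and Elastic IP addresses), recommends EnableGuardDuty=Disable because a detector exists, and flags AWS Config as not recording; the launch is held until all three are resolved.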

Launch the Quick Start

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.

  1. Sign in to your AWS account, and choose the following option to launch the AWS CloudFormation template.

Deploy ISMS-P into a new VPC on AWS

View template

Each deployment takes about 1 hour to complete.

  2. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where the network infrastructure for ISMS-P is built. The template is launched in the ap-northeast-2 Region by default.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. For details on each parameter, see the Parameter reference section of this guide. When you finish reviewing and customizing the parameters, choose Next.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the ISMS-P deployment is ready.

  9. Use the values displayed in the Outputs tab for the stack, as shown in Figure 2, to view the created resources.

Figure 2. ISMS-P outputs after successful deployment

Test the deployment

Open the URL links in the Outputs tab to navigate to the web pages that show whether the deployment was successful. The template uses HTTPS with a private certificate, so your browser might warn about an untrusted certificate when you open the web page.

Delete template and resources

To delete the ISMS-P Quick Start resources after deployment, do the following steps:

Delete the CloudFormation template

  1. Navigate to the CloudFormation area of the AWS console, and choose the name of the ISMS-P Quick Start stack that you deployed. Choose the stack you used to launch the Quick Start, not the duplicate stack generated during stack creation.

  2. Open the Delete menu at the top of the window and choose Delete stack in the confirmation window. After the stack is deleted, the state changes from DELETE_IN_PROGRESS to DELETE_COMPLETE.

Identify and remove undeleted resources

Though unlikely, some resources may remain undeleted if they are in use or experience a permission issue. If this happens, you can choose to select the stack and read the message that displays on the Events tab, or you can delete the resources manually.

If deleting resources manually, you can identify the resources that were created during the Quick Start template deployment by viewing the list in the Technical requirements section of this deployment guide.

Best practices for using ISMS-P on AWS

Complete the following best practices before deploying this Quick Start on production workloads:

  • To save costs, this architecture uses a single instance and Availability Zone for implementing one Auto Scaling group. For a production deployment, after reviewing your environment and corresponding requirements, configure your instances to span across two or more Availability Zones for high availability.

  • The Classless Inter-Domain Routing (CIDR) ranges for the VPC subnets are fixed at 10.10.x.x and 10.100.x.x. You can change them as needed by modifying the template file before deployment.

  • This Quick Start environment is configured for testing purposes, so some network access control lists (NACL) are set to open and do not have traffic control in place. Make sure you adopt stronger NACL policies to meet your security requirements before deploying the template.

  • Create your own private (VPC) endpoints for the AWS services you use.

Security

Ensuring security and complying with the relevant laws are a shared responsibility between AWS and customers. Customers should become familiar with the AWS Shared Responsibility Model before applying this solution to their production workloads.

This solution implements certain summarized control mechanisms from the ISMS-P reference architecture, but not all recommendations to achieve each ISMS-P control are included in this Quick Start. For information that is specific to ISMS-P, see other documents or follow the instructions provided on the Korea Information Security Management System page.

Always seek the latest version for the source files and deployment guide for possible updates on the ISMS-P Quick Start features and guide.

The following list describes the controls that are either not included in this solution or need additional information:

  • This ISMS-P Quick Start provides internet gateways for internet connectivity, which simplifies the deployment to the level of proof of concept. If you’re planning to store sensitive information in the solution, ensure that you review the ISMS-P package guidelines and comply with controls. Also, consider adopting data-in-transit encryption and AWS Direct Connect (DX) along with a VPN or HTTP protocol.

  • To simplify the build, this architecture uses the Domain Name System (DNS) service provided by Amazon VPC. You may consider running your own DNS service on Amazon EC2 or using your in-house DNS service instead.

  • The root volume of Amazon EC2 instances is not encrypted. See the New – Encrypted EBS Boot Volumes page before storing sensitive information.

  • Remediation has not been applied for non-compliant AWS resources by AWS Config rules in this Quick Start. See Remediating Noncompliant AWS Resources by AWS Config Rules for more information.

  • Consider adopting AWS KMS or a third-party solution to minimize the exposure of critical data to the outside world. See AWS Key Management Service and AWS Crypto Tools for details.

  • The AWS WAF configuration applies five rules in priority order. These rules are starting points rather than a comprehensive rule set prepared for a production environment. Determine whether these rules fit your environment and security policies, and apply only the rules that are necessary for your production environment. Also, the AWS WAF action is set to Count by default so that legitimate tasks are not blocked. For more information, see AWS WAF rule action.
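Because the rules ship in Count mode, the question before switching any of them to Block is which rules would have stopped real users and which would have stopped only suspicious traffic. That is answered from the web ACL's logs. The script below is an added example, not part of the Quick Start: it reads AWS WAF log records (one JSON object per line) and, for every rule that matched in COUNT mode, reports how often it fired, from how many distinct client addresses, and on which URIs. The field names used (action, ruleGroupList[].ruleGroupId, nonTerminatingMatchingRules[].ruleId, httpRequest.clientIp and httpRequest.uri) follow the AWS WAF log format as I know it and should be checked against your own logs; the rule group IDs, rule names, client addresses and the promotion thresholds are constructed assumptions for the demonstration.

```python
"""Summarize AWS WAF COUNT-mode matches to decide which rules to promote to BLOCK
(added example; the log field names are assumptions to verify against real logs)."""
import json
from collections import Counter, defaultdict


def _rec(ip, uri, groups):
    """Build one constructed WAF log record with the fields this script reads."""
    return json.dumps({
        "timestamp": 1606780800000, "formatVersion": 1, "action": "ALLOW",
        "terminatingRuleId": "Default_Action",
        "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": "POST"},
        "ruleGroupList": [
            {"ruleGroupId": gid,
             "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in rules]}
            for gid, rules in groups],
        "nonTerminatingMatchingRules": [],
    })


# Constructed sample log lines (rule group and rule names are illustrative).
SQLI = "AWS#AWSManagedRulesSQLiRuleSet"
COMMON = "AWS#AWSManagedRulesCommonRuleSet"
SAMPLE_LOGS = [
    _rec("203.0.113.10", "/wp-login.php", [(SQLI, ["SQLi_QUERYARGUMENTS"])]),
    _rec("203.0.113.11", "/wp-login.php", [(SQLI, ["SQLi_QUERYARGUMENTS"])]),
    _rec("198.51.100.7", "/index.php", [(SQLI, ["SQLi_QUERYARGUMENTS"])]),
    _rec("192.0.2.5", "/wp-admin/admin-ajax.php", [(COMMON, ["SizeRestrictions_BODY"])]),
    _rec("192.0.2.5", "/wp-admin/admin-ajax.php", [(COMMON, ["SizeRestrictions_BODY"])]),
    _rec("198.51.100.7", "/", []),  # request that matched nothing
]


def counted_matches(log_lines):
    """Yield (rule_group, rule_id, client_ip, uri) for every COUNT match."""
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ip = rec["httpRequest"]["clientIp"]
        uri = rec["httpRequest"]["uri"]
        for grp in rec.get("ruleGroupList", []):
            for m in grp.get("nonTerminatingMatchingRules", []):
                if m.get("action") == "COUNT":
                    yield grp["ruleGroupId"], m["ruleId"], ip, uri
        # Rules defined directly in the web ACL rather than in a rule group.
        for m in rec.get("nonTerminatingMatchingRules", []):
            if m.get("action") == "COUNT":
                yield "<web-acl>", m["ruleId"], ip, uri


def summarize(log_lines):
    """Per (rule group, rule): hit count, distinct clients and the top URIs.
    A rule that fires only on a few URIs from one or two known clients is a
    likely false positive; one that fires from many clients on login or admin
    paths is a candidate to promote to BLOCK."""
    hits, ips, uris = Counter(), defaultdict(set), defaultdict(Counter)
    for grp, rule, ip, uri in counted_matches(log_lines):
        key = (grp, rule)
        hits[key] += 1
        ips[key].add(ip)
        uris[key][uri] += 1
    return {key: {"hits": n, "clients": len(ips[key]),
                  "top_uris": uris[key].most_common(3)}
            for key, n in hits.items()}


def promotion_candidates(summary, min_hits=3, min_clients=2):
    """Rules that fired often enough and from enough distinct clients to be
    worth switching to BLOCK (thresholds are an assumption; tune per site)."""
    return sorted(k for k, v in summary.items()
                  if v["hits"] >= min_hits and v["clients"] >= min_clients)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    for (grp, rule), v in sorted(s.items()):
        print(f"{grp} / {rule}: {v['hits']} hits, {v['clients']} clients, {v['top_uris']}")
    print("promote to BLOCK:", promotion_candidates(s))
```

On the sample the SQL injection rule fires three times from three different clients against the login page and is a promotion candidate, while the body-size rule fires twice from a single client on the WordPress admin AJAX endpoint, the pattern of an administrator uploading large content, and should be reviewed (or scoped down) rather than blocked outright.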

Other useful information

  • If you’re considering expanding the use of AWS Organizations and single sign-on (SSO) to operate a multi-account environment or to manage IAM users effectively, see AWS Organizations.

  • Review the logging and analysis features using AWS CloudTrail and Amazon CloudWatch to track the creation, modification, or deletion of AWS IAM user activities, infrastructure, and AWS services. For more information, see AWS CloudTrail and Amazon CloudWatch.

  • If you’re planning to run applications or services on the infrastructure created by this Quick Start deployment, find ways to securely store and manage database credentials, API keys, and other security information against exposure. For details, see AWS Secrets Manager and AWS Systems Manager Parameter Store.

  • Consider using AWS Config and AWS Config rules to continuously monitor, evaluate, and remediate security vulnerabilities. For details, see AWS Config.

Troubleshooting

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Delete the stack when you finish troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

Q. I encountered a size-limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information, see AWS CloudFormation quotas on the AWS website.

Q. A warning message appears when accessing the landing page.

A. Different browsers may display different warning messages due to HTTPS protocols that use private certificates. You can bypass the warning by choosing Accept or opening an Advanced page with additional options.

Q. I failed to create the stack because an Amazon GuardDuty detector already exists in my AWS account.

A. Disable Amazon GuardDuty in the Region where you want to deploy the Quick Start, or delete the GuardDuty detector from the CloudFormation template.

Q. I failed to create the stack because AWS Config was disabled in my AWS account.

A. Enable AWS Config in a Region where you want to deploy the Quick Start. See Setting up AWS Config through the console for more information.

Q. I want to set up notifications but didn’t receive an Amazon Simple Notification Service (SNS) subscription email.

A. When prompted during the Quick Start deployment process, confirm that you entered the email address correctly in the NotificationList field in the stack details. If the address is incorrect, choose the Update tab of the stack, replace the address with the correct one, and deploy the stack again.

Q. I deleted the CloudFormation stack after deployment but some resources remain undeleted.

A. You can check the messages displayed on the Events tab of the stack, or you can identify the resources created with the Quick Start template deployment and delete them manually. See the Technical requirements section for a list of resources used in this deployment.
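The Events tab is where the reason for each leftover resource is recorded, and the same information is available programmatically. The script below is an added example, not part of the Quick Start, for the cleanup step described both in "Identify and remove undeleted resources" and in this troubleshooting entry. It takes a dictionary shaped like the CloudFormation DescribeStackEvents response (in practice the result of boto3.client("cloudformation").describe_stack_events(StackName=...)), keeps only the latest event per resource, and lists the resources left in DELETE_FAILED or DELETE_SKIPPED state together with CloudFormation's reason and a manual cleanup hint. The stack events, resource IDs and reasons below are constructed samples, and the cleanup hints are ordinary AWS CLI commands chosen by me, not instructions from the Quick Start.

```python
"""Triage resources left behind by a failed stack deletion (added example)."""

# DELETE_SKIPPED is what CloudFormation records for DeletionPolicy: Retain.
LEFTOVER_STATUSES = {"DELETE_FAILED", "DELETE_SKIPPED"}

# Manual cleanup hint per resource type (assumption: adjust to your environment).
# Only schedule a KMS key for deletion after confirming that nothing still
# encrypted with it (for example retained CloudTrail logs) must stay readable.
CLEANUP_HINTS = {
    "AWS::S3::Bucket": "aws s3 rb s3://{physical} --force   # empties the bucket first",
    "AWS::EC2::SecurityGroup": "aws ec2 delete-security-group --group-id {physical}   # detach dependents first",
    "AWS::KMS::Key": "aws kms schedule-key-deletion --key-id {physical} --pending-window-in-days 7",
}


def leftover_resources(describe_stack_events_response):
    """Return the resources still in a leftover status, sorted by logical ID.
    The latest event per resource decides its state, so a resource whose
    earlier DELETE_IN_PROGRESS is followed by DELETE_FAILED is reported."""
    events = sorted(describe_stack_events_response.get("StackEvents", []),
                    key=lambda e: e["Timestamp"], reverse=True)  # newest first
    latest = {}
    for ev in events:
        if ev["LogicalResourceId"] == ev["StackName"]:
            continue  # the stack's own events are not a resource to clean up
        latest.setdefault(ev["LogicalResourceId"], ev)
    result = []
    for lid in sorted(latest):
        ev = latest[lid]
        if ev["ResourceStatus"] not in LEFTOVER_STATUSES:
            continue
        physical = ev.get("PhysicalResourceId", "")
        hint = CLEANUP_HINTS.get(ev["ResourceType"], "delete via the service console")
        result.append({
            "logical_id": lid,
            "type": ev["ResourceType"],
            "physical_id": physical,
            "status": ev["ResourceStatus"],
            "reason": ev.get("ResourceStatusReason", ""),
            "cleanup": hint.format(physical=physical),
        })
    return result


# Constructed sample events, newest first, as DescribeStackEvents returns them.
SAMPLE_EVENTS = {"StackEvents": [
    {"StackName": "isms-p", "Timestamp": "2020-12-01T10:05:00Z", "LogicalResourceId": "isms-p",
     "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "DELETE_FAILED",
     "ResourceStatusReason": "The following resource(s) failed to delete: [LoggingBucket, WebSecurityGroup]."},
    {"StackName": "isms-p", "Timestamp": "2020-12-01T10:04:50Z", "LogicalResourceId": "LoggingBucket",
     "ResourceType": "AWS::S3::Bucket", "PhysicalResourceId": "isms-p-logging-example",
     "ResourceStatus": "DELETE_FAILED", "ResourceStatusReason": "The bucket you tried to delete is not empty"},
    {"StackName": "isms-p", "Timestamp": "2020-12-01T10:04:40Z", "LogicalResourceId": "WebSecurityGroup",
     "ResourceType": "AWS::EC2::SecurityGroup", "PhysicalResourceId": "sg-0123456789example",
     "ResourceStatus": "DELETE_FAILED", "ResourceStatusReason": "resource sg-0123456789example has a dependent object"},
    {"StackName": "isms-p", "Timestamp": "2020-12-01T10:04:30Z", "LogicalResourceId": "CloudTrailKey",
     "ResourceType": "AWS::KMS::Key", "PhysicalResourceId": "1234abcd-12ab-34cd-56ef-1234567890ab",
     "ResourceStatus": "DELETE_SKIPPED", "ResourceStatusReason": "DeletionPolicy Retain"},
    {"StackName": "isms-p", "Timestamp": "2020-12-01T10:04:20Z", "LogicalResourceId": "WebSecurityGroup",
     "ResourceType": "AWS::EC2::SecurityGroup", "PhysicalResourceId": "sg-0123456789example",
     "ResourceStatus": "DELETE_IN_PROGRESS"},
    {"StackName": "isms-p", "Timestamp": "2020-12-01T10:04:10Z", "LogicalResourceId": "BastionHost",
     "ResourceType": "AWS::EC2::Instance", "PhysicalResourceId": "i-0123456789example",
     "ResourceStatus": "DELETE_COMPLETE"},
]}

if __name__ == "__main__":
    for r in leftover_resources(SAMPLE_EVENTS):
        print(f"{r['logical_id']} ({r['type']}, {r['status']}): {r['reason']}")
        print("   ", r["cleanup"])
```

Empty the logging bucket and remove the security group's dependents, then run Delete stack again so CloudFormation removes what it can itself; delete by hand only what remains in the list afterwards.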

Q. Which topics are available to learn more about Amazon CloudWatch metric filters and alarms?

A. The following topics are available:

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, we recommend that you keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Parameters for launching into a new VPC

Table 1. Network configuration

Parameter label (name) | Default value | Description
The first Availability Zone (AvailabilityZoneA) | Requires input | The name of Availability Zone 1.
The second Availability Zone (AvailabilityZoneB) | Requires input | The name of Availability Zone 2. It must differ from the first Availability Zone.

Table 2. ISMS configuration

Parameter label (name) | Default value | Description
Key pair name for bastion host (EC2KeyPairBastion) | Requires input | The SSH key pair in your account to use for the bastion host login. This is one of the keys that you created in the pre-deployment steps.
Key pair name for production instances (EC2KeyPair) | Requires input | The SSH key pair in your account to use for all other EC2 instance logins. This is one of the keys that you created in the pre-deployment steps.
Database user name (DBUsername) | admin | User name for connecting to the database instance.
CIDR for accessing bastion host (BastionCIDR) | 0.0.0.0/0 | Allowed CIDR block for external access to the bastion host (use the VPC CIDR).
Enable Amazon GuardDuty (EnableGuardDuty) | enable | Enable GuardDuty if it is currently disabled in your account.

Table 3. AWS Quick Start configuration

Parameter label (name) | Default value | Description
Quick Start S3 bucket name (QSS3BucketName) | aws-quickstart | Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but must not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html.
Quick Start S3 bucket Region (QSS3BucketRegion) | us-east-1 | AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.
Quick Start S3 key prefix (QSS3KeyPrefix) | quickstart-korea-isms-p/ | S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.
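The parameter tables above spell out several constraints (the two Availability Zones must differ, the bucket name and key prefix have character rules, BastionCIDR defaults to 0.0.0.0/0 although the guide says to use the VPC CIDR, and EnableGuardDuty must match the account's GuardDuty state). Checking them before the launch step avoids a failed stack and a half-built environment. The script below is an added example, not part of the Quick Start: it validates a parameter set against the rules stated in Tables 1 to 3, raises the security caveats the guide mentions as warnings, and builds the Parameters list in the shape that CloudFormation's CreateStack expects (the same list can be passed to boto3.client("cloudformation").create_stack(..., Parameters=...) or serialized for aws cloudformation create-stack --parameters). The sample values (Availability Zone and key pair names, CIDR) are constructed, and the accepted spellings of EnableGuardDuty are an assumption based on the guide's text.

```python
"""Validate ISMS-P Quick Start parameters and build the CreateStack list
(added example; rules taken from the parameter tables of this guide)."""
import ipaddress
import re

# Bucket names: letters, digits and hyphens, not starting or ending with a hyphen.
BUCKET_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Key prefixes: letters, digits, hyphens and forward slashes.
PREFIX_RE = re.compile(r"^[A-Za-z0-9/-]+$")

# Defaults from Tables 2 and 3.
DEFAULTS = {
    "DBUsername": "admin",
    "BastionCIDR": "0.0.0.0/0",
    "EnableGuardDuty": "enable",
    "QSS3BucketName": "aws-quickstart",
    "QSS3BucketRegion": "us-east-1",
    "QSS3KeyPrefix": "quickstart-korea-isms-p/",
}
# Parameters marked "Requires input" in Tables 1 and 2.
REQUIRED_INPUT = ("AvailabilityZoneA", "AvailabilityZoneB", "EC2KeyPairBastion", "EC2KeyPair")


def validate(params):
    """Return (errors, warnings). Errors block the launch; warnings are the
    caveats this guide raises about the defaults."""
    p = {**DEFAULTS, **params}
    errors, warnings = [], []
    for key in REQUIRED_INPUT:
        if not p.get(key):
            errors.append(f"{key} requires input")
    if p.get("AvailabilityZoneA") and p["AvailabilityZoneA"] == p.get("AvailabilityZoneB"):
        errors.append("AvailabilityZoneB must differ from AvailabilityZoneA")
    try:
        net = ipaddress.ip_network(p["BastionCIDR"], strict=False)
        if net.prefixlen == 0:
            warnings.append("BastionCIDR 0.0.0.0/0 exposes bastion SSH to the whole internet; "
                            "restrict it (the guide suggests the VPC CIDR)")
    except ValueError:
        errors.append(f"BastionCIDR {p['BastionCIDR']!r} is not a valid CIDR block")
    if not BUCKET_RE.match(p["QSS3BucketName"]):
        errors.append("QSS3BucketName may contain letters, digits and hyphens "
                      "and must not start or end with a hyphen")
    if not PREFIX_RE.match(p["QSS3KeyPrefix"]):
        errors.append("QSS3KeyPrefix may contain letters, digits, hyphens and forward slashes only")
    gd = p["EnableGuardDuty"].lower()  # assumption: enable/disable, case-insensitive
    if gd not in ("enable", "disable"):
        errors.append("EnableGuardDuty must be enable or disable")
    elif gd == "enable":
        warnings.append("EnableGuardDuty=enable fails if a GuardDuty detector already exists in the Region")
    return errors, warnings


def launch_allowed(params):
    """True when validate() finds no errors (warnings alone do not block)."""
    return not validate(params)[0]


def build_parameters(params):
    """Return the Parameters list for CreateStack, or raise on validation errors."""
    errors, _ = validate(params)
    if errors:
        raise ValueError("; ".join(errors))
    p = {**DEFAULTS, **params}
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in sorted(p.items())]


# Constructed sample input (names are placeholders, not real resources).
SAMPLE = {
    "AvailabilityZoneA": "ap-northeast-2a",
    "AvailabilityZoneB": "ap-northeast-2c",
    "EC2KeyPairBastion": "isms-bastion-key",
    "EC2KeyPair": "isms-prod-key",
    "BastionCIDR": "10.100.0.0/16",
    "EnableGuardDuty": "disable",
}

if __name__ == "__main__":
    errs, warns = validate(SAMPLE)
    print("errors:", errs, "warnings:", warns)
    for item in build_parameters(SAMPLE):
        print(f"{item['ParameterKey']}={item['ParameterValue']}")
```

Leaving BastionCIDR at its default is the most common thing to catch here: the stack launches fine, but the bastion's SSH port is then reachable from any address, which is exactly the exposure the Best practices section tells you to close before production use.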

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.