Deploy now

View guide — HTML | PDF
View security controls matrix

Quick Start architecture for UK-OFFICIAL workloads on the AWS Cloud

Quick Start architecture for UK-OFFICIAL workloads on AWS

This Quick Start is part of a set of AWS Enterprise Accelerator - Compliance solutions. For additional AWS Quick Starts, see the complete catalog.

This Quick Start sets up a standardized AWS Cloud environment that supports workloads that are classified as United Kingdom (UK) OFFICIAL.This data classification is associated with guidance and controls that help public sector organizations manage risks and ensure security when handling information assets.

The AWS environment built by the Quick Start aligns with the following guidelines that fall in scope with UK-OFFICIAL:

 National Cyber Security Centre (NCSC) Cloud Security Principles
 Center for Internet Security (CIS) Critical Security Controls

The Quick Start template automatically configures the AWS resources and deploys a multi-tier, Linux-based web application in a few simple steps, in about 30 minutes. The security controls matrix (Microsoft Excel spreadsheet) shows how the Quick Start components map to NCSC and CIS security requirements.

  • What you'll build

    Use this Quick Start to build a cloud architecture that supports UK-OFFICIAL workloads on AWS. The deployment includes the following components and features:

    • Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with associated groups, roles, and instance profiles
    • Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database
    • Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data
    • Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack
    • Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with customer application
    • A management VPC hosting a secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities. This VPC can be used for any other centralized governance and security tools, such as operational monitoring, long-term user credentials management, vulnerability management, configuration management source repositories, etc.
    • Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database
    • Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules

    For details, see the Quick Start deployment guide.

  • Deployment details

    Before deploying the Quick Start, check the prerequisites and confirm that your AWS account is set up correctly by checking service limits and SSH key pairs, and setting up AWS Config, where available. You can then build your standardized UK-OFFICIAL environment in about 30 minutes:

    1. Sign in to your AWS account.
    2. Launch the Quick Start and set the required parameters.
    3. Test your deployment.  

    For complete instructions, see the Quick Start deployment guide.

    The Quick Start is modular and customizable. It includes nested AWS CloudFormation templates that automate deploying and configuring resources for IAM, logging, production VPC, management VPC, AWS Config rules, NAT, and the web application. You can deploy the entire architecture, or customize or omit resources; see template details.

  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using or the AWS Simple Monthly Calculator. Prices are subject to change.