
CJIS Security Policy on AWS

Deploy a security-focused baseline for CJIS Security Policy 5.6 in the AWS Cloud

This Quick Start deploys a standardized environment that helps organizations with workloads that fall in scope for the Criminal Justice Information Services (CJIS) Security Policy version 5.6. (The Quick Start is a starting point: full alignment with the CJIS Security Policy requires additional effort on your part.)

These requirements typically apply to systems that must go through a formal assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and availability of information and information systems, based on the security category and impact level of the system (low, moderate, or high), and a risk determination.

The deployment is automated by customizable AWS CloudFormation templates and scripts that build and configure the environment in about 30 minutes. The Quick Start also includes a security controls matrix (Microsoft Excel spreadsheet), which shows how the Quick Start components and configuration map to CJIS requirements.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused architecture solutions to help Managed Service Providers (MSPs), cloud provisioning teams, developers, integrators, and information security teams follow strict security, compliance, and risk management controls. For additional Quick Starts in this category, see the Quick Start catalog.

This Quick Start was developed by AWS technical consultants and solutions architects.

This Quick Start supports only the AWS GovCloud (US) Region.
What you'll build

Use this Quick Start to build a cloud architecture that supports CJIS-based assurance frameworks on AWS. The deployment includes the following components and features:

    • Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies and their associated groups, roles, and instance profiles.
    • Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database. The Multi-AZ architecture helps ensure high availability.
    • Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data.
    • Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack. The security groups limit access to only necessary services.
    • Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified or bootstrapped with a customer application.
    • A secured bastion login host to facilitate command-line Secure Shell (SSH) access to EC2 instances for troubleshooting and systems administration activities.
    • Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database.
    • Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules.
How to deploy

Before deploying the Quick Start, you need to confirm that your AWS account is set up correctly by checking service limits and key pairs, and setting up AWS Config. You can then build your standardized AWS environment in about 30 minutes:

    1. Sign in to your AWS GovCloud (US) account.
    2. Launch the Quick Start and set the required parameters. To comply with CJIS standards, this Quick Start must be deployed in the AWS GovCloud (US) Region.
    3. Validate your deployment by connecting to the WordPress site, which the Quick Start builds for testing purposes.
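The pre-flight checks and the launch described in the three steps above, scripted with the AWS CLI. This is an added example and is not part of the Quick Start or its deployment guide; the template URL, stack name, and the parameter keys pEC2KeyPair and pNotifyEmail are placeholders, and the real template must be referenced by its Amazon S3 URL as given in the deployment guide. It assumes AWS CLI v2 configured with credentials for an AWS GovCloud (US) account.

```shell
#!/bin/sh
# Added example, not the Quick Start's own code: pre-flight checks and an
# AWS CLI launch of the CJIS Quick Start in AWS GovCloud (US).
# Assumptions (placeholders): the template URL, the stack name, and the
# parameter keys pEC2KeyPair / pNotifyEmail. The real parameter keys are
# listed in the Quick Start's main template.
set -eu

# The Quick Start supports only AWS GovCloud (US); refuse every other
# region before any API call is made.
require_govcloud_region() {
    case "$1" in
        us-gov-west-1|us-gov-east-1) return 0 ;;
        *) echo "error: '$1' is not an AWS GovCloud (US) region" >&2; return 1 ;;
    esac
}

# The EC2 key pair must already exist in the target region.
require_key_pair() {
    aws ec2 describe-key-pairs --region "$1" --key-names "$2" >/dev/null
}

# The Quick Start's AWS Config rules need a recorder that is recording.
require_config_recorder() {
    recording=$(aws configservice describe-configuration-recorder-status \
        --region "$1" \
        --query 'ConfigurationRecordersStatus[?recording==`true`].name' \
        --output text)
    [ -n "$recording" ] || {
        echo "error: no AWS Config recorder is recording in $1" >&2; return 1; }
}

# Service-limit check: the deployment creates a production VPC and a
# management VPC, so the region needs headroom under its VPC quota.
# Pure arithmetic (in_use + needed <= quota) so it can be checked offline.
vpc_headroom_ok() {
    in_use=$1; needed=$2; quota=$3
    [ $((in_use + needed)) -le "$quota" ]
}

# Default VPC quota per region is 5; override with VPC_QUOTA if raised.
require_vpc_headroom() {
    in_use=$(aws ec2 describe-vpcs --region "$1" --query 'length(Vpcs)' --output text)
    vpc_headroom_ok "$in_use" 2 "${VPC_QUOTA:-5}" || {
        echo "error: $in_use VPCs in use, need 2 more (quota ${VPC_QUOTA:-5})" >&2
        return 1; }
}

launch_stack() {
    region=$1; stack=$2; template_url=$3; key_name=$4; notify_email=$5
    require_govcloud_region "$region"
    require_key_pair "$region" "$key_name"
    require_config_recorder "$region"
    require_vpc_headroom "$region"
    # The templates create IAM roles and policies, so CloudFormation
    # requires explicit consent via --capabilities.
    aws cloudformation create-stack --region "$region" --stack-name "$stack" \
        --template-url "$template_url" \
        --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
        --parameters ParameterKey=pEC2KeyPair,ParameterValue="$key_name" \
                     ParameterKey=pNotifyEmail,ParameterValue="$notify_email"
    aws cloudformation wait stack-create-complete \
        --region "$region" --stack-name "$stack"
    # Stack outputs carry the endpoint used to validate the deployment
    # (connecting to the test WordPress site in step 3).
    aws cloudformation describe-stacks --region "$region" --stack-name "$stack" \
        --query 'Stacks[0].Outputs' --output table
}

# Usage (all values are placeholders):
# launch_stack us-gov-west-1 cjis-baseline \
#     https://example-bucket.s3.amazonaws.com/cjis-main.template \
#     ops-keypair secops@example.com
```

The region check runs before any API call so that a mis-set AWS_DEFAULT_REGION fails fast instead of creating resources outside GovCloud. The quota check is deliberately split into a pure function and an API wrapper so the arithmetic can be exercised without an account.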

    Please know that we may share who uses AWS Quick Starts with the AWS Partner Network (APN) Partner that collaborated with AWS on the content of the Quick Start.

    The Quick Start is modular and customizable. It includes nested AWS CloudFormation templates that automate deploying and configuring resources for IAM, logging, production VPC, management VPC, AWS Config rules, NAT, and the web application. You can deploy the entire architecture, or customize or omit resources.


Cost and licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.