
Standardized Architecture for NIST High-Impact Controls on AWS

Deploy an AWS Cloud architecture for NIST high-impact security controls, featuring Trend Micro Deep Security

This Quick Start extends the NIST Quick Start to help support:

  • NIST SP 800-53 (Rev. 4) high-impact security controls baseline
  • CNSS Instruction 1253
  • NIST SP 800-171
  • FedRAMP and TIC Overlay (pilot)
  • DoD Cloud Computing SRG

The Quick Start template automatically configures the AWS resources and deploys a multi-tier, Linux-based web application in a few simple steps, in about an hour. The Quick Start features Deep Security from Trend Micro for host-based protection. The security controls matrix (Microsoft Excel spreadsheet) shows how the Quick Start components map to security requirements.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused architecture solutions to help Managed Service Providers (MSPs), cloud provisioning teams, developers, integrators, and information security teams follow strict security, compliance, and risk management controls. For additional Quick Starts in this category, see the Quick Start catalog.

This Quick Start was developed by AWS technical consultants and solutions architects.

This Quick Start supports the AWS GovCloud (US) Region.

Watch this webinar to see how the Quick Start works.

What you'll build

Use this Quick Start to build a cloud architecture that supports NIST-based assurance frameworks on AWS. The deployment includes the following components and features:

  • Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with associated groups, roles, and instance profiles.
  • Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database. The Multi-AZ architecture helps ensure high availability.
  • Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data.
  • Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack. The security groups limit access to only necessary services.
  • Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified or bootstrapped with customer applications.
  • A secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities.
  • Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database.
  • Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules (where available).
  • Policies for Deep Security proactive host-based protection, including preventing, monitoring, logging, and alerting for anti-malware, web reputation, file integrity, IPS/IDS, and host firewall.
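Several of the components above (encrypted Multi-AZ RDS, encrypted S3 buckets, restrictive security groups, CloudTrail logging) are properties you can verify in a CloudFormation template before launching it. The following is an added example, not code from the Quick Start or from AWS, that checks a template in its JSON form for those properties; the sample template and its resource names are constructed for the illustration.

```python
import json

# Constructed sample template (JSON form of a CloudFormation template), not the Quick Start's own.
# WebDb and LogBucket follow the controls above; BackupBucket and BastionSG deliberately do not.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "WebDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "Engine": "mysql", "StorageEncrypted": true, "MultiAZ": true, "PubliclyAccessible": false}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "BackupBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "bastion", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}
  }
}""")

def covers_port(rule, port):
    """True if a security-group ingress rule admits traffic to the given port."""
    if rule.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return True
    return int(rule.get("FromPort", -1)) <= port <= int(rule.get("ToPort", -1))

def check_template(template):
    """Return (logical_id, finding) pairs for resources that fail the checks."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::RDS::DBInstance":
            if props.get("StorageEncrypted") is not True:
                findings.append((name, "RDS storage not encrypted at rest"))
            if props.get("MultiAZ") is not True:
                findings.append((name, "RDS instance is not Multi-AZ"))
            if props.get("PubliclyAccessible") is True:
                findings.append((name, "RDS instance is publicly accessible"))
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append((name, "S3 bucket has no default encryption"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" and covers_port(rule, 22):
                    findings.append((name, "SSH ingress open to the whole internet"))
    # A template that defines no trail leaves API activity unlogged.
    if not any(r.get("Type") == "AWS::CloudTrail::Trail" for r in resources.values()):
        findings.append(("(template)", "no CloudTrail trail defined"))
    return findings
```

For the constructed template, check_template reports the unencrypted backup bucket, the bastion group's SSH rule open to 0.0.0.0/0, and the missing CloudTrail trail, while WebDb and LogBucket pass.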
How to deploy

Before you deploy the Quick Start, you need to confirm that your AWS account is set up correctly by checking service limits and SSH key pairs, and setting up AWS Config, where available. You can then build your standardized NIST high-impact environment by following the instructions in the deployment guide. The deployment process includes these steps:

  1. Sign in to your AWS account at
  2. Subscribe to Trend Micro Deep Security in AWS Marketplace. You can choose from two options: Per Protected Instance Hour and Bring Your Own License (BYOL). If you're using a BYOL license, contact Trend Micro for a license key.
  3. Launch the Quick Start. The deployment takes about one hour. You can choose from two options:
  4. Test your deployment by connecting to the WordPress site built by the Quick Start.

The Quick Start is modular and customizable. It includes nested AWS CloudFormation templates that automate deploying and configuring resources for IAM, logging, production VPC, management VPC, AWS Config rules, NAT, and the web application. You can deploy the entire architecture, or customize or omit resources.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Cost and licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type and storage, will affect the cost of deployment. See the pricing pages for each AWS service you will be using for cost estimates. Prices are subject to change.

Because this Quick Start uses Trend Micro AMIs from the AWS Marketplace, you must be subscribed to Trend Micro Deep Security for AWS Marketplace before you launch the Quick Start. There are two licensing options: Per Protected Instance Hour and Bring Your Own License (BYOL).