reference deployment

Standardized Architecture for UK-OFFICIAL on AWS

A cloud architecture that supports NCSC and CIS for UK-OFFICIAL workloads

This Quick Start sets up a standardized Amazon Web Services (AWS) Cloud environment that supports workloads that are classified as United Kingdom (UK) OFFICIAL. This data classification is associated with guidance and controls that help public sector organizations manage risks and ensure security when handling information assets.

The AWS environment built by the Quick Start aligns with the following guidelines that fall in scope with UK-OFFICIAL:

The Quick Start template automatically configures the AWS resources and deploys a multitier, Linux-based web application. The security controls matrix (Microsoft Excel spreadsheet) shows how the Quick Start components map to NCSC and CIS security requirements.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused architecture solutions to help Managed Service Providers (MSPs), cloud provisioning teams, developers, integrators, and information security teams follow strict security, compliance, and risk management controls. For additional deployments in this category, see the Quick Start catalog.

This Quick Start was developed by AWS.

  •  What you'll build
  • This Quick Start deploys the following components and features:

    • Four Amazon virtual private clouds (VPCs), each with a mutiple Availability Zones (Multi-AZ) architecture:
      • A production VPC for application workloads with private subnets to support shared services.
      • A shared-services VPC with private subnets to support shared services (e.g., Active Directory).
      • An internet VPC for controlled internet access with separate public and private communication channels.
      • An endpoint VPC with private subnets to allow direct access to AWS services.
    • AWS Transit Gateway for inter-VPC communication and virtual private network (VPN) termination.
    • A peering connection for inter-VPC traffic between the internet VPC and endpoint VPC.
    • Outbound proxies to handle external requests for logging and compliance.
    • Standard Amazon VPC security groups (not shown) for Amazon Elastic Compute Cloud (Amazon EC2) instances, load balancers, and endpoints.
    • (Not shown) A LAMP (Linux Apache MySQL PHP) application using Auto Scaling and Elastic Load Balancing, which can be modified or bootstrapped using customer applications.
    • Amazon GuardDuty for capture and analysis of security events and compliance.
    • Logging, monitoring, and alerting using AWS Config rules, Amazon CloudWatch, and AWS CloudTrail.
    • A basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, associated groups, roles, and instance profiles.
    • AWS Security Hub for audit compliance.
    • Amazon Route 53, a resolver to manage the shared private Domain Name System (DNS) for shared services and endpoints across VPCs.
    • AWS Systems Manager, a sessions manager for administrative access to production-VPC instances.
    • AWS Certificate Manager (ACM) to store and deploy Secure Sockets Layer (SSL) certificates to endpoints (to enable encryption in transit).
  •  How to deploy
  • Before you deploy the Quick Start, confirm that your AWS account is set up correctly by checking service limits and SSH key pairs, and setting up AWS Config. After you complete these prerequisites, you can build the Quick Start reference environment by following the instructions in the deployment guide. The deployment process includes these steps:

    1. Sign in to your AWS account at
    2. Launch the Quick Start. The deployment takes about 30 minutes.
    3. Test your deployment by connecting to the WordPress site built by this Quick Start.

    The Quick Start is modular and customizable. It includes nested AWS CloudFormation templates that automate deploying and configuring resources for IAM, logging, production VPC, management VPC, AWS Config rules, NAT, and the web application. You can deploy the entire architecture, or customize or omit resources.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, enable the AWS Cost and Usage Report to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. It provides cost estimates based on usage throughout each month and aggregates the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?