reference deployment

IBM Cloud Pak for Security on AWS

Accurately and effectively detect, investigate, and rapidly respond to internal and external threats

This Quick Start deploys IBM Cloud Pak for Security on the Amazon Web Services (AWS) Cloud. Cloud Pak for Security is a platform that helps you integrate your existing security teams and tools to generate deeper insights into threats and risks, orchestrate actions, and automate responses—all while leaving your data where it is.

Gain security insights with a unified console that provides visibility and analytics across IBM and third-party security tools, data, and clouds, and take action faster with built-in automation that simplifies operations and streamlines responses to save time and lower risk.

Cloud Pak for Security uses AWS services and features, including virtual private clouds (VPCs), Availability Zones, security groups, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic Compute Cloud (Amazon EC2), and Elastic Load Balancing to build a more reliable and scalable cloud platform.

IBM logo

This Quick Start was developed by IBM in collaboration with AWS. IBM is an AWS Partner.


AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • The Quick Start sets up the following:

    • A highly available architecture that spans one or three Availability Zones.*
    • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • A boot node Amazon EC2 instance that also serves as a bastion host to allow inbound Secure Shell (SSH) access to EC2 instances in the private subnets.
    • In the private subnets:
      • Red Hat OpenShift Container Platform (OCP) master nodes in up to three Availability Zones.
      • OCP compute nodes with OpenShift auto scaling for hosting the Cloud Pak for Security capabilities.
      • Amazon EBS disks that are mounted on the compute nodes for container-persistent data.
    • A Classic Load Balancer spanning the public subnets for accessing Cloud Pak for Security from a web browser.
    • A Network Load Balancer spanning the public subnets for routing external OpenShift application programming interface (API) traffic to the OCP master instances.
    • A Network Load Balancer spanning the private subnets for routing internal OpenShift API traffic to the OCP master instances.
    • Amazon Route 53 as your public Domain Name System (DNS) for resolving domain names of the Cloud Pak for Security management console and applications deployed on the cluster.
    • Amazon S3 bucket used for OpenShift image registry.

    * The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy IBM Cloud Pak for Security on AWS, follow the instructions in the deployment guide. A standard deployment takes about 90 minutes and includes these steps:

    1. This Quick Start requires a Red Hat OpenShift subscription. During the deployment of the Quick Start, provide your OpenShift installer-provisioned infrastructure pull secret. To obtain a 60-day evaluation license for OpenShift, follow the instructions at Evaluate Red Hat OpenShift Container Platform.
    2. Subscribe to Cloud Pak for Security. 
    3. Sign in to you AWS account. If you don't already have an AWS account, sign up at https://aws.amazon.com.
    4. Launch the Quick Start by choosing from the following options:
    5. Before using Cloud Pak for Security, define users and connect the platform to data sources in your environment. For post-installation instructions, see IBM Knowledge Center

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    This Quick Start deploys the Cloud Pak for Security environment by using an AWS CloudFormation template, which you can use to build a new VPC for your AWS cluster. The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, enable the AWS Cost and Usage Report to track costs associated with the Quick Start. This report delivers billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. It provides cost estimates based on usage throughout each month, and finalizes the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?

    For IBM Cloud Pak for Security product and pricing information, or to use your existing entitlements, contact your IBM sales representative at (877) 426-3774 or online at IBM Cloud Pak for Security

    For more information about licensing terms, see the Cloud Pak for Security software license agreement.