ACSC ISM for sensitive government data

This Quick Start deploys Information Security Registered Assessors Program (IRAP) PROTECTED to the Amazon Web Services (AWS) Cloud. This Quick Start is for users who want to create cloud-based workloads that use AWS controls that meet the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) requirements for sensitive government data handling at the PROTECTED classification level. 

While this solution implements many of the controls that are outlined in the IRAP PROTECTED Reference Architecture, not all of the recommended controls are included in this Quick Start. Remember to follow the guidance in the IRAP PROTECTED package, available on AWS Artifact, before using this solution to store PROTECTED data.


This Quick Start was developed by AWS.

What you'll build

The Quick Start sets up the following:

  • A highly available architecture that spans three Availability Zones.
  • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.
  • In each public subnet:
    • A Network Load Balancer (NLB).
    • An Application Load Balancer (ALB).
    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
    • A bastion host.
  • In the private subnets:
    • The web app subnet contains an Auto Scaling group of Linux web servers running Apache.
    • The database subnet contains an Amazon Relational Database Service (Amazon RDS) instance running MySQL that is configured for multiple Availability Zones.
    • The Lambda subnet contains a Lambda function that synchronizes the NLB target group to the ALB. This pattern is only required if the customer wants to make the application available to other AWS environments through AWS PrivateLink.
  • Amazon CloudWatch for monitoring the web servers and Lambda functions.
  • AWS Identity and Access Management (IAM) for managing access to resources.
  • AWS Key Management Service (AWS KMS) for encryption.
  • AWS Web Application Firewall (AWS WAF) for layer 7 protections.
  • Amazon GuardDuty to perform continuous monitoring for malicious activity and unauthorized behavior.
How to deploy

To deploy the Compliance IRAP PROTECTED environment, follow the instructions in the deployment guide. The deployment process takes about 1 hour and includes these steps:

  1. If you don’t already have an AWS account, create one at, and sign in to your account.
  2. Check the status of Amazon GuardDuty in the Region you are deploying to. If a detector is already enabled there, either disable it or remove the GuardDuty section from the CloudFormation template. GuardDuty allows only one detector per account per Region, so the deployment fails if the template tries to create a detector where one already exists.
  3. Launch the Quick Start to deploy the IRAP PROTECTED Reference Architecture into a new VPC.
  4. Test the deployment.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.
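The GuardDuty check in step 2 is the one pre-flight test that decides whether the template can be launched unmodified, so here is a small shell helper for it. This is an added example, not part of the Quick Start or its deployment guide. It assumes the AWS CLI is installed with credentials allowed to call guardduty:ListDetectors, and relies on the documented response shape of `aws guardduty list-detectors` (a JSON object whose DetectorIds array is empty when no detector is configured in that Region). The sample responses at the bottom are constructed for offline use, and the detector ID in them is a made-up placeholder.

```shell
#!/bin/sh
# Pre-flight check for deployment step 2 (added example, not part of the Quick Start).
# Decides from the JSON that `aws guardduty list-detectors` returns whether the target
# Region already has a GuardDuty detector; an existing detector makes the template's
# GuardDuty resource fail to create.

# Return 0 (true) if the list-detectors JSON names at least one detector ID, 1 otherwise.
# $1: JSON text of the form {"DetectorIds": ["<id>", ...]} (empty list = no detector).
guardduty_detector_present() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -Eq '"DetectorIds":\["[A-Za-z0-9]+"'
}

# Print the advice step 2 calls for, given a Region name and the list-detectors JSON.
# Returns 1 when a detector exists (launch would fail as-is), 0 when the Region is clear.
advise_from_json() {
  region="$1"
  json="$2"
  if guardduty_detector_present "$json"; then
    echo "GuardDuty detector already exists in $region: disable it or remove the GuardDuty section from the template before launching."
    return 1
  fi
  echo "No GuardDuty detector in $region: the template can create one; safe to launch."
  return 0
}

# Live check against the account the CLI is configured for.
check_region() {
  region="$1"
  json=$(aws guardduty list-detectors --region "$region" --output json) || {
    echo "aws guardduty list-detectors failed for $region" >&2
    return 2
  }
  advise_from_json "$region" "$json"
}

# Constructed sample responses for offline use; the detector ID is a placeholder, not real.
SAMPLE_WITH_DETECTOR='{"DetectorIds": ["12abc34d567e8fa901bc2de34f567890"]}'
SAMPLE_EMPTY='{"DetectorIds": []}'

# Usage: sh guardduty_preflight.sh ap-southeast-2   (live check of that Region).
# With no argument, exercise the parser against the constructed samples instead.
if [ "$#" -gt 0 ]; then
  check_region "$1"
else
  advise_from_json "ap-southeast-2" "$SAMPLE_WITH_DETECTOR" || true
  advise_from_json "ap-southeast-2" "$SAMPLE_EMPTY"
fi
```

Run it once per Region you intend to deploy into; a non-zero exit from `check_region` is the signal to disable the existing detector or strip the GuardDuty section from the template before step 3. The parser deliberately avoids jq so it works on a bare bastion host or CI runner that only has the AWS CLI.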

Cost and licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes customizable configuration parameters. Some settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

This Quick Start does not require any licenses.

Tip: After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Report to track costs associated with the Quick Start. This report delivers billing metrics to an S3 bucket in your account. It provides cost estimates based on usage throughout each month, and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.