
SWIFT Client Connectivity on AWS—Terraform module

A standardized environment for connecting to the SWIFT network

This solution uses a Terraform module to deploy SWIFT Client Connectivity in the Amazon Web Services (AWS) Cloud. It creates a standardized environment for organizations with backend payment applications that need to interface with the SWIFT financial-messaging network.

This module's default configuration follows the SWIFT Customer Security Programme (CSP) controls and the SWIFT Customer Security Controls Framework (CSCF), which comprises mandatory and advisory security controls for all SWIFT users. These templates do not replace the need for customer guidance when implementing SWIFT security controls in the cloud.

AWS is responsible for complying with certain SWIFT CSP requirements. A certificate of AWS compliance with SWIFT CSP controls is available through AWS Artifact. Certification is provided by DiXio.

AWS has also published a solution for deploying SWIFT Client Connectivity using AWS Cloud Development Kit (AWS CDK).

Deploying this solution does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.


This solution was developed by AWS.

What you'll build

This solution deploys into an existing virtual private cloud (VPC). It sets up the following:

    • An architecture that spans two Availability Zones.
    • A VPC configured with private subnets according to AWS best practices and following SWIFT CSP guidance.
    • In the private subnets:
      • An Amazon Elastic Compute Cloud (Amazon EC2) instance that runs Alliance Messaging Hub (AMH) and SWIFT Alliance Access (SAA) or Lite2.
      • An EC2 instance that runs SWIFT Alliance Gateway (SAG) and SWIFTNet Link (SNL).
      • An Amazon Relational Database Service (Amazon RDS) Oracle instance running in active or standby mode to store configuration and message data for AMH.
      • (Optional) An Amazon MQ instance to handle communication for AMH.
    • AWS Systems Manager, which removes the need for a jump server.
    • Amazon CloudWatch, which provides the mechanism to store, access, and monitor SWIFT activities.
    • AWS Secrets Manager, which encrypts, stores, and retrieves passwords.
    • A virtual private network (VPN) gateway with load balancing, which connects the VPC to AWS Direct Connect.*
    • AWS Direct Connect, which establishes private connectivity between AWS and data centers or colocation environments.*

    * The Terraform module that deploys this solution does not include the components marked by asterisks because they require design decisions on how to connect to the SWIFT network.
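The two building blocks that make the "no jump server" design work are private subnets with no route to the internet and VPC interface endpoints for AWS Systems Manager, so the SSM Agent on the SWIFT instances can reach Session Manager entirely over the AWS network. The following Terraform configuration is an added example written for this page; it is not the module's own code and does not use the module's variables. The variable names (`vpc_id`, `region`, `private_subnet_cidrs`), the resource names and the tag values are assumptions; the endpoint service names and resource types are those of the standard AWS provider.

```terraform
# Added example (not the module's code): private subnets in an existing VPC plus
# the interface endpoints that let Session Manager, Secrets Manager and
# CloudWatch Logs be reached without an internet gateway, NAT or jump server.
# var.vpc_id, var.region and var.private_subnet_cidrs are assumed inputs.

variable "vpc_id"               { type = string }
variable "region"               { type = string }
variable "private_subnet_cidrs" { type = list(string) } # one CIDR per subnet, e.g. two

data "aws_vpc" "existing" {
  id = var.vpc_id
}

data "aws_availability_zones" "available" {
  state = "available"
}

# One private subnet per CIDR, alternated across two Availability Zones.
resource "aws_subnet" "private" {
  count                   = length(var.private_subnet_cidrs)
  vpc_id                  = data.aws_vpc.existing.id
  cidr_block              = var.private_subnet_cidrs[count.index]
  availability_zone       = data.aws_availability_zones.available.names[count.index % 2]
  map_public_ip_on_launch = false
  tags                    = { Name = "swift-private-${count.index}" }
}

# Route table with no default route: traffic stays inside the VPC.
resource "aws_route_table" "private" {
  vpc_id = data.aws_vpc.existing.id
  tags   = { Name = "swift-private-rt" }
}

resource "aws_route_table_association" "private" {
  count          = length(aws_subnet.private)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}

# Endpoint security group: only HTTPS from inside the VPC may reach the endpoints.
# No egress block is declared, so Terraform leaves the group with no egress rules.
resource "aws_security_group" "endpoints" {
  name   = "swift-vpce-sg"
  vpc_id = data.aws_vpc.existing.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.existing.cidr_block]
  }
}

# ssm, ssmmessages and ec2messages are the three endpoints the SSM Agent needs
# for Session Manager; secretsmanager and logs keep credential retrieval and
# log shipping on the AWS network as well.
locals {
  endpoint_services = ["ssm", "ssmmessages", "ec2messages", "secretsmanager", "logs"]
}

resource "aws_vpc_endpoint" "private" {
  for_each            = toset(local.endpoint_services)
  vpc_id              = data.aws_vpc.existing.id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
```

`private_dns_enabled = true` is what makes the SSM Agent's default service hostnames resolve to the endpoint's private addresses, so no agent configuration changes are needed. The EC2 instances still need an instance profile that grants the Systems Manager core permissions (the AWS managed policy `AmazonSSMManagedInstanceCore`) before Session Manager can connect; that profile is outside this snippet.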

Costs and licenses

This deployment requires a SWIFT account and software license. To register for a SWIFT account, refer to How to become a swift.com user?

    You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?