reference deployment

IBM Cloud Pak for Security on AWS

Detect, investigate, and respond to internal and external threats

This Partner Solution deploys IBM Cloud Pak for Security on the Amazon Web Services (AWS) Cloud. Cloud Pak for Security is a platform that helps you integrate your existing security teams and tools to generate deeper insights into threats and risks, orchestrate actions, and automate responses—all while leaving your data where it is.

Gain security insights with a unified console that provides visibility and analytics across IBM and third-party security tools, data, and clouds, and take action faster with built-in automation that simplifies operations and streamlines responses to save time and lower risk.

Cloud Pak for Security uses AWS services and features, including virtual private clouds (VPCs), Availability Zones, security groups, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic Compute Cloud (Amazon EC2), and Elastic Load Balancing to build a more reliable and scalable cloud platform.

IBM logo

This Partner Solution was developed by IBM in collaboration with AWS. IBM is an AWS Partner.

AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  • The Partner Solution sets up the following:

    • A highly available architecture that spans one or three Availability Zones.*
    • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • A boot node Amazon EC2 instance that also serves as a bastion host to allow inbound Secure Shell (SSH) access to EC2 instances in the private subnets.
    • In the private subnets:
      • Red Hat OpenShift Container Platform (OCP) master nodes in up to three Availability Zones.
      • OCP compute nodes with OpenShift autoscaling for hosting the Cloud Pak for Security capabilities. Amazon EBS disks are mounted on the compute nodes for container-persistent data.
    • A Classic Load Balancer spanning the public subnets for accessing Cloud Pak for Security from a web browser.
    • A Network Load Balancer spanning the public subnets for routing external OpenShift application programming interface (API) traffic to the OCP master instances.
    • A Network Load Balancer spanning the private subnets for routing internal OpenShift API traffic to the OCP master instances.
    • Amazon Route 53 as your public Domain Name System (DNS) for resolving domain names of the Cloud Pak for Security management console and applications deployed on the cluster.
    • Amazon Simple Storage Service (Amazon S3) bucket used for OpenShift image registry.
    • AWS Secrets Manager to encrypt, store, and retrieve credentials and secrets for your IBM Cloud Pak for Security deployment.

    * The template that deploys the Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To deploy this Partner Solution, follow the instructions in the deployment guide, which includes these steps. A standard deployment takes about 90 minutes.

    1. This Partner Solution requires a Red Hat OpenShift subscription. During the deployment of the Partner Solution, provide your OpenShift installer-provisioned infrastructure pull secret. To obtain a 60-day evaluation license for OpenShift, follow the instructions at Evaluate Red Hat OpenShift Container Platform.
    2. Subscribe to Cloud Pak for Security. 
    3. Sign in to you AWS account. If you don't already have an AWS account, sign up at
    4. Launch the Partner Solution by choosing from the following options:
    5. Before using Cloud Pak for Security, define users and connect the platform to data sources in your environment. For post-installation instructions, refer to IBM Cloud Pak for Security 1.9 on the IBM Documentation site. 

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Costs and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this Partner Solution reference deployment. There is no additional cost for using the Partner Solution.

    This Partner Solution deploys the Cloud Pak for Security environment by using an AWS CloudFormation template, which you can use to build a new VPC for your AWS cluster. The AWS CloudFormation template for this Partner Solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Partner Solution, create AWS Cost and Usage Reports to track costs associated with the Partner Solution. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the reports, refer to  What are AWS Cost and Usage Reports?

    For IBM Cloud Pak for Security product and pricing information, or to use your existing entitlements, contact your IBM sales representative at (877) 426-3774 or online at IBM Cloud Pak for Security

    For more information about licensing terms, refer to the Cloud Pak for Security software license agreement.