Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS
September 2015
Amazon Web Services – Introduction to AWS GoldBase September 2015
Page 2 of 17
© 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Notices
This document is provided for informational purposes only. It represents AWS’s
current product offerings and practices as of the date of issue of this document,
which are subject to change without notice. Customers are responsible for
making their own independent assessment of the information in this document
and any use of AWS’s products or services, each of which is provided “as is”
without warranty of any kind, whether express or implied. This document does
not create any warranties, representations, contractual commitments, conditions
or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities
and liabilities of AWS to its customers are controlled by AWS agreements, and
this document is not part of, nor does it modify, any agreement between AWS
and its customers.
Contents
Abstract 3
Architecting for Compliance in AWS 4
Compliance in the Enterprise 4
Compliance Standards 4
AWS GoldBase in AWS 5
Benefits 5
AWS GoldBase Package 6
AWS GoldBase Delivery 8
Automating Compliance with AWS GoldBase 9
Example Use Case: Tiered Web Application 12
Conclusion 16
Contributors 17
Notes 17
Abstract
This document describes the AWS GoldBase offering from Amazon Web Services
(AWS) and the benefits it can provide to customers. AWS GoldBase is a joint
offering from AWS Risk & Compliance and AWS Professional Services to provide
customers with pre-validated, deployable AWS configurations which adhere to
specific customer compliance requirements. This solution can streamline and
simplify application deployment in AWS. It allows you to automate standardized
reference architectures that meet AWS best practices and customer compliance
requirements. This approach allows for a repeatable process that you can use to
ensure compliant configuration of AWS resources in the cloud while reducing the
time needed to approve applications for production use.
Architecting for Compliance in AWS
Compliance in the Enterprise
Compliance is a broad term used within technology and business. The simplest
definition of comply is to “meet specified standards.”[1] Ensuring compliance in the
enterprise includes adhering to the following standards:
- Third Party Assurance Frameworks
- Standards established within the customer organization
- AWS best practices
Within the context of deploying applications on AWS, compliance will
incorporate the concepts of secure, available, and scalable technology.
Compliance Standards
The AWS Shared Responsibility Model[2] puts the final responsibility for system
security on the customer. AWS provides many different options and controls for
building a highly secure application in the cloud. Customers must be able to
ensure their architectures meet the compliance requirements of their
organization.
Examples of compliance standards that have unique requirements include the
following:
- NIST SP 800-53[3] – The Special Publication (SP) published by the
National Institute of Standards and Technology (NIST) is a catalog of
security controls that most U.S. federal agencies must comply with and that
are widely used within private-sector enterprises.
- ICD 503 – The security requirements and accreditation of this Intelligence
Community Directive (ICD) apply to the intelligence community; it is based
on NIST SP 800-53 security controls.
- FedRAMP[4] – The Federal Risk and Authorization Program (FedRAMP) is
a U.S. Government program for ensuring standards in security assessment,
authorization, and continuous monitoring.
- DoD Cloud Security Model (CSM)[5] – Standards for cloud computing
issued by the Defense Information Systems Agency (DISA) and
documented in the U.S. Department of Defense (DoD) Security
Requirements Guide (SRG).
- HIPAA[6] – The Health Insurance Portability and Accountability Act
(HIPAA) standards must be followed by any organization processing or
storing Protected Health Information (PHI).
- ISO 27001[7] – International Organization for Standardization (ISO) 27001
is a widely adopted global security standard that outlines the requirements
for information security management systems.
- CJIS Security Policy[8] – Criminal Justice Information Services (CJIS)
security policies are guidelines for state, local, and federal law enforcement
agencies that follow the NIST SP 800-53 standards.
- PCI DSS[9] – The Payment Card Industry (PCI) Data Security Standard (DSS) is
a set of standards for merchants who process credit card payments that requires
strict security measures to protect cardholder data.
AWS GoldBase in AWS
In AWS, AWS GoldBase is a packaged solution to help customers streamline,
automate, and implement the entire process of application deployment on AWS,
from initial design to operational readiness. AWS GoldBase incorporates the
expertise of AWS solutions architects that is required to build a secure and
reliable architecture in an easy-to-implement package that automates the
process.
Benefits
- Security controls compliance
- Reduced time to production deployment
- Transparency and support for continuous monitoring
- Ease of deployment through automation
- Decreased level of effort in architectural decisions
- Standardization based on best practices
AWS GoldBase Package
The AWS GoldBase package includes the following four items for customer use:
- Security Controls Implementation Matrix
- Architecture diagrams
- AWS CloudFormation templates
- User Guide with deployment instructions
Security Controls Implementation Matrix
The AWS GoldBase package includes an Excel formatted security controls
implementation matrix that maps features and resources to specific controls
based on the required compliance standard of a customer. Security and risk
evaluators use this document as a reference that makes accrediting a system
easier when it is deployed in AWS. The matrix describes which controls a
reference architecture meets and reduces the number of total security controls for
which the application owner is ultimately responsible.
Figure 1: Snippet of a section of the matrix that describes how a reference
architecture applies to sections of the NIST SP 800-53 controls
Architectural Diagrams
Architectural diagrams in PowerPoint or Visio are included with the package.
These diagrams illustrate and document the design of the use case. They provide
a visual reference that demonstrates the components deployed by the AWS
CloudFormation templates. This accompanies the description of security features
implemented by the AWS GoldBase templates.
Figure 2: Sample architectural diagrams showing base AWS components deployed
by the templates
AWS CloudFormation Templates
The AWS GoldBase AWS CloudFormation templates allow for a fully automated
deployment of a compliant architecture. The default AWS CloudFormation
package consists of four JSON template files (AWS CloudFormation stacks):
Figure 3: AWS CloudFormation stacks
An additional template file, main.json, is the entry point from which the set of
stacks is launched. This design provides modularity, which makes it possible to
deploy a subset of resources if needed, and it facilitates reuse of templates
across multiple use cases. An AWS GoldBase use case package consists of a
main.json along with all required nested stacks.
User Guide with Deployment Instructions
The AWS GoldBase package includes a user guide that provides step-by-step
instructions on how to deploy an application in AWS using the AWS
CloudFormation templates. The user guide also contains information on how to
customize the package to meet customer requirements.
AWS GoldBase Delivery
Existing AWS GoldBase packages can be provided directly to customers and used
as a starting point. The AWS GoldBase packages can be customized to meet the
deployment needs of specific applications. The existing AWS CloudFormation
templates and related documentation can be updated to match specific use cases
within the customer organization.
Custom Built Packages
The AWS GoldBase package can be offered as a customized deliverable to
customers working with AWS Professional Services or a qualified Amazon
Partner Network (APN) partner. AWS or partner resources can work with the
customers to accomplish all the following necessary steps for providing a
complete working solution:
1. Identifying common use cases along with security and compliance
requirements.
2. Designing a base architecture based on one or more common use cases.
3. Building an automated solution using AWS CloudFormation templates,
documentation, security controls matrix, and related artifacts.
4. Validating and testing the AWS GoldBase package.
Automating Compliance with AWS GoldBase
AWS provides customers with the capability to develop and manage
“infrastructure as code.” The AWS GoldBase solution automates the deployment
of compliant architectures. It can be used in conjunction with other services and
solutions to deliver a truly automated infrastructure that meets the compliance
and governance requirements of the customer organization.
Multiple Layers of Compliance
The AWS GoldBase package provides for the ability to customize levels of
automation beyond AWS resources. The following additional layers of
compliance can be integrated with AWS GoldBase:
Custom AMIs – The AWS GoldBase package provides the capability to enforce
the use of pre-built “golden” baseline AMIs when deploying applications. Custom
Amazon Machine Images (AMIs) can be centrally managed and updated based on
compliance requirements related to Configuration Management (CM).
Configuration Management – EC2 instances deployed by the Trusted
Architect templates can be bootstrapped to automatically integrate with centrally
managed Configuration Management (CM) solutions such as Chef, Puppet, or
Ansible, which can apply hardening scripts upon deployment and ensure a
consistent instance-level configuration that meets compliance requirements.
Containerization – Containers allow one or more applications to run
independently on a single instance within an isolated user space.
Security-hardened containers used by the Amazon EC2 Container Service (Amazon ECS)
or Docker can be deployed using the Trusted Architect template package through
additional customization at the instance level.
Continuous Monitoring – Trusted Architect can automate and enforce the use
of features such as AWS CloudTrail, Amazon CloudWatch, and centralized
logging of applications to Amazon S3 buckets. It can also ensure that instances are
using the Host Based Security System (HBSS) and that application VPCs are
accessible via peering to centrally managed security VPCs for additional
monitoring capabilities.
AWS GoldBase and AWS Service Catalog
The AWS Service Catalog allows administrators to create and manage approved
catalogs of resources that end users can access via a personalized portal.[10] AWS
Service Catalog allows the creation of portfolios of one or more products that
AWS end users and workload owners can launch. The AWS GoldBase template
package can be delivered to workload owners and application developers as an
AWS Service Catalog product.
Product–Each template package, based on a use case, can be a product in the
form of a single AWS CloudFormation template which can include additional
nested templates to deploy and automate the configuration of an AWS
architecture or application.
Portfolios–A portfolio consists of one or more products, which can have
common tags and constraints applied. Portfolios can include products for
different types of use cases and can be organized by compliance type.
Permissions–End users and workload owners specified in the AWS Identity
and Access Management (IAM) service can be given permission to access
portfolios based on the level of access that they need and what they need to
deploy.
Constraints–Constraints are granular controls applied at a portfolio or product
level that restrict the ways that resources can be deployed. Constraints can be
used to allow templates to deploy all resources at an administrator level of access
while limiting permissions to certain resources for workload owners.
Tags–Tagging can be enforced at the portfolio or product level, by providing
custom tags for controlling access to resources or for cost allocation.
Benefits of using AWS GoldBase with AWS Service Catalog include the following:
- A complete storefront capability for delivering applications to end users
and workload owners
- Ease of use in deployment and management of AWS Service Catalog
products
- Enforcement of existing separation of duties and access controls which
adhere to the customer’s governance model
- Standardization in design of AWS Service Catalog products
- Simplification of developing and updating AWS Service Catalog products
- Continuous Integration/Continuous Delivery (CI/CD) capabilities of AWS
Service Catalog products that meet compliance and best practices
AWS GoldBase and DevOps
DevOps incorporates principles, practices, and methods that allow integration
between software development and IT operations.[11] Tools and methods for
automation, continuous delivery, monitoring, and security are key to developing
DevOps practices. AWS GoldBase provides a use case package for both
infrastructure and application components that can be developed, deployed, and
managed with the same DevOps principles as any software application.
Example: AWS GoldBase Lifecycle Using AWS Service Catalog
The example in Figure 4 illustrates the concept of CI/CD in a centralized
governance model using AWS Service Catalog and AWS GoldBase. The workload
owners use the AWS Service Catalog portal as a storefront to deploy complete
workloads. AWS Service Catalog products are AWS GoldBase template packages
that are managed by a central provisioning team.
Figure 4: CI/CD using AWS Service Catalog and AWS GoldBase
AWS GoldBase is managed using a source code repository such as Git or AWS
CodeCommit while integration is handled by a continuous integration (CI) server,
such as Jenkins. A new commit triggers an automated build of the architecture
and/or application in a test account that can be fully validated for compliance
and security before being pushed as an update to the AWS Service Catalog
product.
Example Use Case: Tiered Web Application
In the example in Figure 5, an AWS GoldBase package has been designed for the
reusable deployment of a three-tier web application. In this simple use case, the
application consists of Amazon Virtual Private Cloud (Amazon VPC) VPCs for both
production and management use. Instances are placed in separate private and
public subnets depending on where they will be accessed. An Internet gateway
allows application end users access to the web instances from the Internet. The
management VPC is strictly for developer and administrator use and is accessed
through the customer network via a virtual private network (VPN) gateway.
Figure 5: Example three-tier web application
Deployment
AWS CloudFormation templates provide automation. For configuration at the
Amazon Elastic Compute Cloud (EC2) level, specify user data in the templates to
bootstrap additional application configuration. In this example, Amazon EC2
configuration takes place by simply using user data scripts. Alternatively,
instances can be bootstrapped to pull configuration from another source, such as
a Chef server.
Deployment of the entire package follows an organized sequence that is determined
by how the CloudFormation templates are structured. Deployment of this sample
package follows these steps:
1. IAM users, roles, groups, and policies are created; CloudTrail and logging
to an Amazon S3 bucket are enabled.
2. Amazon VPC architecture is deployed complete with subnets, gateways,
NACLs, route tables, and NAT instances.
3. Security groups, Amazon S3 buckets, and Elastic Load Balancing (ELB)
load balancers are created.
4. EC2 instances and an Amazon Relational Database Service (RDS) database
are deployed.
a. EC2 instances are launched using user-specified Amazon Machine
Images (AMIs).
b. An Amazon RDS database is created with user-specified size, type, and
capacity.
c. User data scripts install the latest version and configuration of software
on EC2 instances.
d. App instances are configured to connect to the Amazon RDS database.
Deployment Options
Workload owners can use parameters to customize the architecture on
deployment based on their specific application requirements. The templates are
designed so that different applications with similar architectures can be deployed
using the same package.
Parameter | Description | Conditional
createVPCManagement | Option to specify whether or not to create Management VPC | If true, creates Management VPC.
createVPCDevelopment | Option to specify whether or not to create Development VPC | If true, creates Development VPC.
Stack1URL | S3 URL of Stack1 template | If blank, existing IAM/security config already deployed.
Stack2URL | S3 URL of Stack2 template | If blank, VPC networking already deployed.
Stack3URL | S3 URL of Stack3 template | If blank, does not deploy Stack3 resources.
Stack4URL | S3 URL of Stack4 template | If blank, does not deploy any instance-level resources.
Example of parameter-specified deployment options
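An added example, not taken from the GoldBase package, of how a main template can implement the main.json entry point and the parameter table above: each nested stack is launched only when its URL parameter is non-blank, and later stacks take their VPC from Stack2's output when Stack2 was launched here. GoldBase ships JSON templates; YAML is used so the file can carry comments. The output name VpcId and the ExistingVpcId parameter are assumptions.

```yaml
# Added example (not from the GoldBase package): main template in the shape the
# page describes. Output names and ExistingVpcId are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Entry point that launches each nested stack only when its URL is set
Parameters:
  createVPCManagement:
    Type: String
    Default: 'true'
    Description: Option to specify whether or not to create Management VPC
  Stack1URL:
    Type: String
    Default: ''
    Description: S3 URL of Stack1 template (IAM, CloudTrail); blank = already deployed
  Stack2URL:
    Type: String
    Default: ''
    Description: S3 URL of Stack2 template (VPC networking); blank = already deployed
  Stack3URL:
    Type: String
    Default: ''
    Description: S3 URL of Stack3 template (security groups, S3, ELB); blank = skip
  Stack4URL:
    Type: String
    Default: ''
    Description: S3 URL of Stack4 template (EC2, RDS); blank = skip
  ExistingVpcId:
    Type: String
    Default: ''
    Description: Assumed parameter - VPC to use when Stack2URL is blank
Conditions:
  # A blank URL means "do not launch this stack", as in the table above
  DeployStack1: !Not [!Equals [!Ref Stack1URL, '']]
  DeployStack2: !Not [!Equals [!Ref Stack2URL, '']]
  DeployStack3: !Not [!Equals [!Ref Stack3URL, '']]
  DeployStack4: !Not [!Equals [!Ref Stack4URL, '']]
Resources:
  Stack1:
    Type: AWS::CloudFormation::Stack
    Condition: DeployStack1
    Properties:
      TemplateURL: !Ref Stack1URL
  Stack2:
    Type: AWS::CloudFormation::Stack
    Condition: DeployStack2
    Properties:
      TemplateURL: !Ref Stack2URL
      Parameters:
        createVPCManagement: !Ref createVPCManagement  # passed down to networking
  Stack3:
    Type: AWS::CloudFormation::Stack
    Condition: DeployStack3
    Properties:
      TemplateURL: !Ref Stack3URL
      Parameters:
        # Use Stack2's output only when Stack2 was launched from here; the GetAtt
        # also makes CloudFormation build Stack2 first, giving the ordered sequence.
        VpcId: !If [DeployStack2, !GetAtt Stack2.Outputs.VpcId, !Ref ExistingVpcId]
  Stack4:
    Type: AWS::CloudFormation::Stack
    Condition: DeployStack4
    Properties:
      TemplateURL: !Ref Stack4URL
      Parameters:
        VpcId: !If [DeployStack2, !GetAtt Stack2.Outputs.VpcId, !Ref ExistingVpcId]
```

Security group IDs from Stack3 would be handed to Stack4 with the same Fn::If pattern, so a blank Stack3URL can be paired with IDs of groups that already exist.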
Compliance with Third Party Assurance Frameworks
In this example, the customer must comply with the NIST SP 800-53 control set.
The 800-53 controls provide requirements that must be met from the system
(application) level or from the use of common services.
The following is an example control from the Boundary Protection NIST control
family:
SC-07(2) BOUNDARY PROTECTION
(2) The information system prevents public access into the
organization’s internal networks except as appropriately
mediated by managed interfaces employing boundary
protection devices.
The documentation included with this automation package provides the
following description, including the names of AWS CloudFormation resources, of
how this control works at the AWS architecture level:
ROUTE TABLES (rtbProductionPublic, rtbManagement) and security
groups limit public traffic to the public subnet and private traffic to the
private subnet.
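An added illustration, not the GoldBase package's own resources, of what the SC-07(2) mapping quoted above looks like in a template: only the public route table carries a default route to the Internet gateway, the private tier reaches out only through a NAT instance, and each tier's security group admits traffic only from the tier in front of it. Of the names used, only rtbProductionPublic comes from the page; vpcProduction, igwProduction, igwAttachment, instanceNAT, the subnets and sgELB are assumed to be defined elsewhere in the same stack.

```yaml
# Added illustration of the SC-07(2) mapping (not the GoldBase package's own
# resources). Every referenced resource other than those defined below is
# assumed to exist elsewhere in the stack.
Resources:
  rtbProductionPublic:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref vpcProduction
  routePublicDefault:
    Type: AWS::EC2::Route
    DependsOn: igwAttachment          # the IGW must be attached before routing to it
    Properties:
      RouteTableId: !Ref rtbProductionPublic
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref igwProduction   # the only path in from the Internet
  assocPublic:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref subnetProductionPublic
      RouteTableId: !Ref rtbProductionPublic
  rtbProductionPrivate:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref vpcProduction
  routePrivateDefault:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref rtbProductionPrivate
      DestinationCidrBlock: 0.0.0.0/0
      InstanceId: !Ref instanceNAT    # outbound via NAT only; no IGW route here
  assocPrivate:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref subnetProductionPrivate
      RouteTableId: !Ref rtbProductionPrivate
  sgWeb:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier - HTTPS from the load balancer only
      VpcId: !Ref vpcProduction
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref sgELB
  sgApp:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: App tier - reachable only from the web tier
      VpcId: !Ref vpcProduction
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref sgWeb
```

The management VPC's rtbManagement follows the private pattern, with its default route pointing at the VPN gateway rather than an Internet gateway, so management traffic enters only through the customer network.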
Conclusion
Developing an automated solution for compliance can reduce the cost, time, and
effort to deploy applications in AWS while minimizing risk and simplifying
architectural design. AWS GoldBase provides enterprise customers with an easy-
to-use, customized solution that alleviates the challenges of architecting for the
cloud while reducing the level of effort normally required to build such a solution
from scratch.
Contributors
The following individuals contributed to this document:
Mike Dixon, Consultant, AWS Public Sector
Lou Vecchioni, Senior Consultant, AWS Public Sector, Pro Serve
Brett Miller, Senior Consultant, AWS Public Sector, Pro Serve
Notes
[1] http://www.merriam-webster.com/dictionary/comply
[2] http://aws.amazon.com/compliance/shared-responsibility-model/
[3] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
[4] http://d0.awsstatic.com/whitepapers/compliance/aws-architecture-and-security-recommendations-for-fedramp-compliance.pdf
[5] http://iase.disa.mil/cloud_security/Documents/u-cloud_computing_srg_v1r1_final.pdf
[6] http://aws.amazon.com/compliance/hipaa-compliance/
[7] http://www.27000.org/iso-27001.htm
[8] http://www.fbi.gov/about-us/cjis/csp-v5_3-to-nist-sp800-53r4-mapping_20150527.pdf
[9] http://aws.amazon.com/compliance/pci-dss-level-1-faqs/
[10] http://aws.amazon.com/servicecatalog/
[11] https://d0.awsstatic.com/whitepapers/AWS_DevOps.pdf