Solution overview

The Landing Zone Accelerator on AWS (LZA) for Canadian Centre for Cyber Security (CCCS) Cloud Medium is a specialized deployment designed in collaboration with national security entities and government agencies. It facilitates compliance with strict security requirements, offering a comprehensive AWS cloud architecture for handling sensitive workloads. The CCCS Medium Reference Architecture addresses identity and access management, governance, data security, logging, and network design in alignment with various security frameworks, including NIST 800-53, ITSG-33, FEDRAMP Moderate, CCCS-Medium, IRAP, and other medium-level security profiles.

Please refer to the CCCS Medium Reference Architecture document for the full detailed design.

Note: This solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated.

Solution Detail

This version of the Landing Zone Accelerator on AWS (LZA) uses FortiGate firewalls to implement network security by segmenting and separating communications in the AWS environment using best practices sample configurations.

The deployment pipeline automatically deploys the FortiGate EC2 instances. The FortiGate instances are deployed in an Active-Active architecture, connected to an AWS Transit Gateway via VPN (IPsec) attachments with BGP route exchange. The FortiGate architecture is the same as the one deployed in the AWS Secure Environment Accelerator (ASEA), the predecessor of the Landing Zone Accelerator.

[Figure: FortiGate Active-Active deployment architecture diagram]

This is accomplished by bootstrapping the FortiGate instances (cloud-init/user data) with their respective configuration files. These configuration files contain the routing configuration as well as sample security policies that follow best practices. An online version of these config files can be found at the following links:

https://github.com/aws-samples/landing-zone-accelerator-on-aws-for-cccs-medium/blob/main/reference-a...

https://github.com/aws-samples/landing-zone-accelerator-on-aws-for-cccs-medium/blob/main/reference-a...

Although the solution as configured uses stand-alone FortiGate instances, the security policies on the FortiGate instances can also be managed centrally via FortiManager, following Fortinet’s recommended security best practice.

For FortiGate traffic log storage, this LZA deployment can also be configured with a FortiAnalyzer instance, following Fortinet’s recommended best practices.

General deployment notes

These instructions focus on deploying the LZA for CCCS Medium in a new AWS environment, also known as a greenfield deployment.

First, follow the standard LZA deployment instructions for CCCS Medium, replacing the configuration files with the example located at the following GitHub link: https://github.com/aws-samples/landing-zone-accelerator-on-aws-for-cccs-medium. A basic video of an LZA deployment is available at https://www.youtube.com/watch?v=yTkMqolv6T0

Fortinet-specific instructions are located at https://github.com/aws-samples/landing-zone-accelerator-on-aws-for-cccs-medium/tree/main/reference-a... Use these instructions in addition to the CCCS Medium instructions.

Please familiarize yourself with the costs associated with running LZA by reviewing https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/cost.html. Note that this does not include the additional components for the CCCS Medium configuration. Fortinet offers a free 30-day trial of FortiGate.

Confirming functionality

It is recommended that you deploy an instance in the dev account and generate both egress and ingress traffic while observing the FortiGate traffic logs.
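As an added example (not part of the LZA project or of Fortinet's sample configuration), the following Python script shows one way to check this from the FortiGate traffic logs: it parses FortiGate's key=value syslog lines, keeps only forward-traffic records involving the test instance, labels each flow as egress or ingress relative to the workload VPC CIDRs, and confirms that at least one accepted flow was logged in each direction. The log lines are constructed samples; the workload CIDR 10.2.0.0/16, the test host address 10.2.1.25, the device name and the policy IDs are assumptions.

```python
"""Summarize FortiGate forward-traffic logs for a test instance.

Added example, not code from the LZA project or Fortinet. Assumes FortiGate's
space-separated key=value log format; all sample values below are constructed.
"""
import ipaddress
import re
from collections import Counter

# key=value pairs; values are either double-quoted or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines in FortiGate traffic-log style (not real captures).
SAMPLE_LOGS = [
    # egress: test host to the internet over HTTPS, accepted by policy 10
    'date=2024-09-04 time=10:15:01 devname="fgt-a" devid="FGT-PLACEHOLDER" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=10.2.1.25 srcport=51234 srcintf="port2" '
    'dstip=198.51.100.10 dstport=443 dstintf="port1" proto=6 action="accept" policyid=10 service="HTTPS"',
    # ingress: internet client to the test host, accepted by policy 20
    'date=2024-09-04 time=10:15:02 devname="fgt-a" devid="FGT-PLACEHOLDER" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=203.0.113.5 srcport=40022 srcintf="port1" '
    'dstip=10.2.1.25 dstport=443 dstintf="port2" proto=6 action="accept" policyid=20 service="HTTPS"',
    # egress: telnet attempt from the test host, denied by the implicit deny (policy 0)
    'date=2024-09-04 time=10:15:03 devname="fgt-a" devid="FGT-PLACEHOLDER" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=10.2.1.25 srcport=51300 srcintf="port2" '
    'dstip=198.51.100.10 dstport=23 dstintf="port1" proto=6 action="deny" policyid=0 service="TELNET"',
    # an event log, not traffic: must be ignored
    'date=2024-09-04 time=10:15:04 devname="fgt-a" devid="FGT-PLACEHOLDER" '
    'type="event" subtype="system" level="information" msg="constructed event line"',
    # traffic from a different host: must be ignored when filtering on the test host
    'date=2024-09-04 time=10:15:05 devname="fgt-a" devid="FGT-PLACEHOLDER" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=10.2.1.30 srcport=51400 srcintf="port2" '
    'dstip=198.51.100.10 dstport=443 dstintf="port1" proto=6 action="accept" policyid=10 service="HTTPS"',
]


def parse_log_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify_direction(entry, internal_nets):
    """Label a flow relative to the workload VPC CIDRs (egress, ingress, internal, external)."""
    src = ipaddress.ip_address(entry["srcip"])
    dst = ipaddress.ip_address(entry["dstip"])
    src_int = any(src in net for net in internal_nets)
    dst_int = any(dst in net for net in internal_nets)
    if src_int and not dst_int:
        return "egress"
    if dst_int and not src_int:
        return "ingress"
    return "internal" if src_int else "external"


def summarize(lines, internal_cidrs, test_host):
    """Count forward-traffic flows touching test_host by (direction, action, policyid)."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    counts = Counter()
    for line in lines:
        entry = parse_log_line(line)
        # only forward traffic records carry the policy decision we care about
        if entry.get("type") != "traffic" or entry.get("subtype") != "forward":
            continue
        if test_host not in (entry.get("srcip"), entry.get("dstip")):
            continue
        direction = classify_direction(entry, nets)
        counts[(direction, entry.get("action"), entry.get("policyid"))] += 1
    return dict(counts)


def confirm_both_directions(summary):
    """True when at least one accepted egress and one accepted ingress flow were logged."""
    seen = {direction for (direction, action, _) in summary if action == "accept"}
    return {"egress", "ingress"} <= seen


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS, ["10.2.0.0/16"], "10.2.1.25")
    for (direction, action, policy), n in sorted(result.items()):
        print(f"{direction:8} {action:7} policy={policy:>3} flows={n}")
    print("both directions accepted:", confirm_both_directions(result))
```

Feed real FortiGate traffic logs (exported from the FortiGate, or from FortiAnalyzer if it is deployed) in place of SAMPLE_LOGS, and set the CIDR list to the workload VPC ranges; a denied flow showing up under policy 0 is the implicit deny and is expected for traffic that no sample policy permits.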

Detailed instructions are located at https://github.com/aws-samples/landing-zone-accelerator-on-aws-for-cccs-medium/blob/main/reference-a...

Conclusion

By using the Fortinet-integrated version of the AWS LZA for CCCS Medium, customers can take advantage of the interconnected, integrated nature of the Fortinet Fabric. This allows the same skills and processes used on premises to be applied to securing workloads in the cloud.

About the Authors

Martin Giguere, Principal Cloud Architect, Fortinet

Olivier Gaumond, Sr Cloud Application Architect, AWS Professional Services – Canada

Martin Guy Lapointe, Sr Solutions Architect, AWS Worldwide Public Sector – Canada