
Cloud Foundations

Cloud Foundations is an Amazon Web Services solution that transforms enterprise cloud adoption by delivering a production-ready, multi-account cloud environment with comprehensive governance, security, and operational capabilities.

Introduction

Built on the Amazon Web Services Cloud Foundations whitepaper, it implements 30 essential cloud capabilities through automated infrastructure-as-code deployment, including centralized account management via Account Factory, automated security baselines with Amazon Config rules and remediation, and comprehensive logging with centralized storage.

The solution provides advanced networking capabilities through VPC-sharing and TGW-sharing models with hub-spoke architectures, supporting centralized egress control, traffic inspection with Amazon Network Firewall and Gateway Load Balancer, multi-regional connectivity via transit gateway peering, and centralized VPC endpoint access for cost optimization.

Cloud resource management is streamlined through Product Factory's infrastructure-as-definition approach, with JSON-based provisioning across essential Amazon Web Services and automated deployment pipelines. With built-in multi-regional deployment, Amazon Control Tower integration, Amazon IAM Identity Center federation, automated backup management, and real-time security monitoring through GuardDuty and Security Hub integration, Cloud Foundations delivers up to 80% reduction in implementation time while providing a scalable foundation that maintains operational excellence and cost optimization from day one.

The Cloud Foundations Quick Start Pack

The Cloud Foundations Quick Start Pack provides two editions at present:

Capability                 Standard Edition      Lite Edition
Delivery mode              Amazon Web Services   Amazon Web Services and partners
Basic landing zone         Included              Included
Basic networking           Included              Included
Basic training             Included              Included
Backup and config rules    Included              Included
Account Factory            Included              Not included
Advanced capabilities      Included              Not included
Extended networking        Optional              Not included
Extended training          Optional              Not included
Cloud resource management  Optional              Not included

Major advantages

Accelerated Business Focus

Pre-built infrastructure foundation with standard 2-week delivery timeline eliminates months of setup work, allowing organizations to focus their IT resources on high-value initiatives like large-scale migrations, serverless applications, and business process innovation rather than foundational configuration.

Enterprise-Ready Network Architecture

Delivers sophisticated networking patterns including hub-spoke topologies, centralized traffic inspection, and multi-regional connectivity through transit gateway peering. The solution provides immediate access to advanced network security controls and comprehensive predefined network templates without requiring specialized networking expertise or extended implementation cycles.

Extensible Factory Architecture

Modular factory services enable rapid provisioning of new resources and accounts as business grows and evolves. The JSON-based infrastructure-as-definition approach allows teams to easily onboard new Amazon Web Services and customize deployments without rebuilding core foundations, ensuring long-term scalability and adaptability.

Architecture diagram

About the architecture diagram


It centrally manages Amazon Web Services Accounts within an Amazon Organizations organization or a virtual organization. It enables an Amazon IAM Identity Center instance and also manages Amazon Control Tower.

It centrally manages parameters in Amazon Systems Manager Parameter Store, profiles in Amazon AppConfig applications, and Amazon Simple Notification Service (Amazon SNS) topics. It coordinates Amazon CodePipeline pipelines, Amazon CodeBuild projects and Amazon CodeCommit repositories with Amazon Step Functions state machines. It provisions the Amazon Service Catalog products of Account Factory, Pipeline Factory, Product Factory, Package Factory and Repository Factory. It is the delegated administrator for Amazon CloudFormation StackSets.

It centrally manages Amazon Key Management Service (Amazon KMS) customer-managed keys. It includes Amazon Identity and Access Management (Amazon IAM) predefined roles, and Amazon IAM Identity Center predefined permission sets and groups. It is the delegated administrator for Amazon Account Management, Amazon Audit Manager, Amazon Backup, Amazon CloudTrail, Amazon Config, Amazon Detective, Amazon IAM centralized root access, Amazon IAM Access Analyzer, Amazon IAM Identity Center, Amazon Inspector, Amazon GuardDuty, Amazon Macie and Amazon Security Hub.

It centrally manages Amazon Simple Storage Service (Amazon S3) buckets for service log storage. It includes an Amazon CloudFront distribution for the user interface frontend. It is the delegated administrator for Amazon S3 Storage Lens.

It centrally manages Amazon Virtual Private Cloud (Amazon VPC) resources: VPCs, subnets and CIDR address ranges, route tables and routes, gateway and interface endpoints, security groups with their ingress and egress rules, network address translation (NAT) gateways, Internet gateways, Amazon Network Firewall with its policies and rule groups, gateway load balancers, Amazon Transit Gateway with its route tables, transit gateway peering connections, attachments, associations and propagations, Amazon Route 53 resolvers, and Amazon Direct Connect gateways. It provides frequently used network definition templates with common traffic inspection patterns.

Each account is bootstrapped and configured with selected system-level and account-level security baselines that follow the best practices recommended by Amazon Web Services. For instance, each account is selectively configured with an Amazon CloudTrail organization trail, an Amazon IAM password policy, Amazon IAM Identity Center account assignments, Amazon Elastic Block Store (Amazon EBS) default encryption, Amazon Backup vaults and plans, Amazon Config rules and remediation, Amazon CloudWatch alarms and metrics, Amazon Systems Manager Session Manager preferences, Amazon Elastic Compute Cloud (Amazon EC2) image public access block, Amazon S3 account public access block, Amazon VPC public access block, default VPC deletion and many other important baseline configurations.
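As an added example (not code from the Cloud Foundations solution), a small checker that evaluates several of the account-level baselines listed above from the account's own API responses, so drift from the baseline shows up as a list of findings. The boto3 calls in collect_live(), the constructed sample responses and the 14-character password-length threshold are assumptions.

```python
# Constructed responses for a hypothetical account, shaped like the results of the boto3
# s3control/ec2/iam calls named in collect_live() below.
SAMPLE_RESPONSES = {
    "s3_public_access_block": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
        "IgnorePublicAcls": True, "BlockPublicPolicy": False, "RestrictPublicBuckets": True}},
    "ebs_encryption": {"EbsEncryptionByDefault": True},
    "ami_public_access": {"ImageBlockPublicAccessState": "unblocked"},
    "vpcs": {"Vpcs": [{"VpcId": "vpc-0example", "IsDefault": True}]},
    "password_policy": {"PasswordPolicy": {"MinimumPasswordLength": 14, "RequireSymbols": True,
        "RequireNumbers": True, "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True}},
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PW_FLAGS = ("RequireSymbols", "RequireNumbers", "RequireUppercaseCharacters", "RequireLowercaseCharacters")
MIN_PW_LENGTH = 14  # assumed threshold; the page names the control but gives no value

def evaluate_baseline(r: dict) -> list:
    """Return the baseline findings for one account; an empty list means every check passed."""
    findings = []
    pab = r["s3_public_access_block"].get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_FLAGS if not pab.get(k)]
    if missing:
        findings.append("S3 account public access block incomplete: " + ", ".join(missing))
    if not r["ebs_encryption"].get("EbsEncryptionByDefault"):
        findings.append("EBS default encryption is disabled")
    if r["ami_public_access"].get("ImageBlockPublicAccessState") != "block-new-sharing":
        findings.append("EC2 AMI public access is not blocked")
    default_vpcs = [v["VpcId"] for v in r["vpcs"].get("Vpcs", []) if v.get("IsDefault")]
    if default_vpcs:
        findings.append("default VPC still present: " + ", ".join(default_vpcs))
    pol = r["password_policy"].get("PasswordPolicy", {})
    if pol.get("MinimumPasswordLength", 0) < MIN_PW_LENGTH or not all(pol.get(k) for k in PW_FLAGS):
        findings.append("IAM password policy is missing or weaker than the baseline")
    return findings

def collect_live() -> dict:  # gathers the same responses from the current account (assumes boto3 and credentials)
    import boto3
    from botocore.exceptions import ClientError

    def safe(call, **kw):  # an absent policy or configuration raises ClientError; treat it as empty
        try:
            return call(**kw)
        except ClientError:
            return {}
    ec2, account = boto3.client("ec2"), boto3.client("sts").get_caller_identity()["Account"]
    return {
        "s3_public_access_block": safe(boto3.client("s3control").get_public_access_block, AccountId=account),
        "ebs_encryption": ec2.get_ebs_encryption_by_default(),
        "ami_public_access": ec2.get_image_block_public_access_state(),
        "vpcs": ec2.describe_vpcs(Filters=[{"Name": "is-default", "Values": ["true"]}]),
        "password_policy": safe(boto3.client("iam").get_account_password_policy),
    }
```

Running evaluate_baseline(collect_live()) in each member account gives the same findings list against live settings; the EC2 and VPC checks are per-Region, so repeat them for every governed Region.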

It deploys to and governs other Amazon Web Services Regions. It provisions cross-Region network connectivity based on transit gateway peering connections.