Introduction
Cloud Foundations is an Amazon Web Services solution that transforms enterprise cloud adoption by delivering a production-ready, multi-account cloud environment with comprehensive governance, security, and operational capabilities. Built on the Amazon Web Services Cloud Foundations whitepaper, it implements 30 essential cloud capabilities through automated infrastructure-as-code deployment, including centralized account management via Account Factory, automated security baselines with Amazon Config rules and remediation, and comprehensive logging with centralized storage.

The solution provides advanced networking capabilities through VPC-sharing and transit gateway (TGW) sharing models with hub-spoke architectures, supporting centralized egress control, traffic inspection with Amazon Network Firewall and Gateway Load Balancer, multi-regional connectivity via transit gateway peering, and centralized VPC endpoint access for cost optimization. Cloud resource management is streamlined through Product Factory's infrastructure-as-definition approach, with JSON-based provisioning across essential Amazon Web Services and automated deployment pipelines.

With built-in multi-regional deployment, Amazon Control Tower integration, Amazon IAM Identity Center federation, automated backup management, and real-time security monitoring through GuardDuty and Security Hub integration, Cloud Foundations delivers up to 80% reduction in implementation time while providing a scalable foundation that maintains operational excellence and cost optimization from day one.
The Cloud Foundations Quick Start Pack
The Cloud Foundations Quick Start Pack provides two editions at present:

| | Standard Edition | Lite Edition |
|---|---|---|
| Delivery mode | Amazon Web Services | Amazon Web Services and partners |
| Basic landing zone | Included | Included |
| Basic networking | Included | Included |
| Basic training | Included | Included |
| Backup and config rules | Included | Included |
| Account Factory | Included | Not included |
| Advanced capabilities | Included | Not included |
| Extended networking | Optional | Not included |
| Extended training | Optional | Not included |
| Cloud resource management | Optional | Not included |
Major advantages
Accelerated Business Focus
Pre-built infrastructure foundation with standard 2-week delivery timeline eliminates months of setup work, allowing organizations to focus their IT resources on high-value initiatives like large-scale migrations, serverless applications, and business process innovation rather than foundational configuration.
Enterprise-Ready Network Architecture
Delivers sophisticated networking patterns including hub-spoke topologies, centralized traffic inspection, and multi-regional connectivity through transit gateway peering. The solution provides immediate access to advanced network security controls and comprehensive predefined network templates without requiring specialized networking expertise or extended implementation cycles.
Extensible Factory Architecture
Modular factory services enable rapid provisioning of new resources and accounts as business grows and evolves. The JSON-based infrastructure-as-definition approach allows teams to easily onboard new Amazon Web Services and customize deployments without rebuilding core foundations, ensuring long-term scalability and adaptability.
Architecture diagram
About the architecture diagram
It centrally manages Amazon Web Services accounts within an Amazon Organizations organization or a virtual organization. It enables an Amazon IAM Identity Center instance and also manages Amazon Control Tower.
It centrally manages parameters in the Amazon Systems Manager Parameter Store, profiles in Amazon AppConfig applications, and Amazon Simple Notification Service (Amazon SNS) topics. It coordinates Amazon CodePipeline pipelines, Amazon CodeBuild projects and Amazon CodeCommit repositories with Amazon Step Functions state machines. It provisions the Amazon Service Catalog products for Account Factory, Pipeline Factory, Product Factory, Package Factory and Repository Factory. It is the delegated administrator of Amazon CloudFormation StackSets.
It centrally manages Amazon Key Management Service (Amazon KMS) customer-managed keys. It includes Amazon Identity and Access Management (Amazon IAM) predefined roles, Amazon IAM Identity Center predefined permission sets and groups. It is the delegated administrator of Amazon Account Management, Amazon Audit Manager, Amazon Backup, Amazon CloudTrail, Amazon Config, Amazon Detective, Amazon IAM centralized root access, Amazon IAM Access Analyzer, Amazon IAM Identity Center, Amazon Inspector, Amazon GuardDuty, Amazon Macie, Amazon Security Hub.
It centrally manages Amazon Simple Storage Service (Amazon S3) buckets for service logs storage. It includes an Amazon CloudFront distribution for user interface frontend. It is the delegated administrator of Amazon S3 Storage Lens.
It centrally manages Amazon Virtual Private Cloud (Amazon VPC), subnets and CIDR address ranges, route tables and routes, gateway and interface endpoints, security groups and egress and ingress rules, network address translation gateways, Internet gateways, Amazon Network Firewall and policies and rule groups, gateway load balancer, Amazon Transit Gateway and their route tables, transit gateway peering connections, attachments, associations and propagations, Amazon Route 53 resolvers, Amazon Direct Connect gateways. It provides frequently used network definition templates with common traffic inspection patterns.
Each account is bootstrapped and configured with selected system-level and account-level security baselines according to best practices recommended by Amazon Web Services. For instance, each account is selectively configured with an Amazon CloudTrail organizational trail, an Amazon IAM password policy, Amazon IAM Identity Center account assignments, Amazon Elastic Block Store (Amazon EBS) default encryption, Amazon Backup vaults and plans, Amazon Config rules and remediation, Amazon CloudWatch alarms and metrics, Amazon Systems Manager Session Manager preferences, Amazon Elastic Compute Cloud (Amazon EC2) AMI block public access, Amazon S3 account-level block public access, Amazon VPC block public access, deletion of the default VPC, and many other important baseline configurations.
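A practitioner inheriting such an environment usually wants a way to verify that a member account actually still matches the baseline described above rather than trusting that it was applied once. The script below is an added example written for this page; it is not part of Cloud Foundations and does not use its APIs. It reads five of the account-level settings named above (EBS default encryption, S3 account-level block public access, the IAM password policy, EC2 AMI block public access, and presence of a default VPC) through plain boto3 calls, and evaluates them against thresholds that are assumptions chosen for illustration, not the solution's published baseline. The evaluation is kept separate from the API calls so it can run over a recorded snapshot; the unbaselined account snapshot embedded at the bottom is constructed, not real data.

```python
"""Account-baseline drift check (added example; not Cloud Foundations code)."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed thresholds for illustration; adjust to your organization's baseline.
MIN_PASSWORD_LENGTH = 14
PASSWORD_REUSE_PREVENTION = 24
MAX_PASSWORD_AGE_DAYS = 90
S3_PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PASSWORD_FLAGS = ("RequireSymbols", "RequireNumbers", "RequireUppercaseCharacters", "RequireLowercaseCharacters")


@dataclass(frozen=True)
class Finding:
    control: str
    compliant: bool
    detail: str


def evaluate_baseline(snapshot: dict) -> list[Finding]:
    """Evaluate a snapshot whose values are the raw boto3 responses gathered by collect_snapshot()."""
    findings: list[Finding] = []

    ebs_on = bool(snapshot.get("ebs", {}).get("EbsEncryptionByDefault", False))
    findings.append(Finding("ebs-default-encryption", ebs_on,
                            "enabled" if ebs_on else "new volumes are unencrypted unless a key is given"))

    pab = (snapshot.get("s3_public_access_block") or {}).get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in S3_PAB_FLAGS if not pab.get(f, False)]
    findings.append(Finding("s3-account-public-access-block", not missing,
                            "all four flags set" if not missing else "flags not set: " + ", ".join(missing)))

    policy = (snapshot.get("password_policy") or {}).get("PasswordPolicy")
    if policy is None:
        findings.append(Finding("iam-password-policy", False, "no account password policy configured"))
    else:
        problems = []
        if policy.get("MinimumPasswordLength", 0) < MIN_PASSWORD_LENGTH:
            problems.append(f"MinimumPasswordLength < {MIN_PASSWORD_LENGTH}")
        problems += [f"{flag} is false" for flag in PASSWORD_FLAGS if not policy.get(flag, False)]
        if policy.get("PasswordReusePrevention", 0) < PASSWORD_REUSE_PREVENTION:
            problems.append(f"PasswordReusePrevention < {PASSWORD_REUSE_PREVENTION}")
        if not policy.get("ExpirePasswords", False) or policy.get("MaxPasswordAge", 0) > MAX_PASSWORD_AGE_DAYS:
            problems.append(f"passwords do not expire within {MAX_PASSWORD_AGE_DAYS} days")
        findings.append(Finding("iam-password-policy", not problems, "; ".join(problems) or "meets thresholds"))

    ami_state = snapshot.get("ami_public_access", {}).get("ImageBlockPublicAccessState", "unblocked")
    findings.append(Finding("ec2-ami-block-public-access", ami_state == "block-new-sharing", f"state={ami_state}"))

    default_vpcs = [v["VpcId"] for v in snapshot.get("default_vpcs", {}).get("Vpcs", [])]
    findings.append(Finding("vpc-default-vpc-removed", not default_vpcs,
                            "no default VPC" if not default_vpcs else "default VPC present: " + ", ".join(default_vpcs)))
    return findings


def failing_controls(snapshot: dict) -> list[str]:
    """Names of the controls that are off baseline, in evaluation order."""
    return [f.control for f in evaluate_baseline(snapshot) if not f.compliant]


def collect_snapshot(region: str) -> dict:
    """Gather the same settings from a live account (needs boto3 and credentials; imported lazily)."""
    import boto3
    from botocore.exceptions import ClientError

    ec2 = boto3.client("ec2", region_name=region)
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    snapshot = {
        "ebs": ec2.get_ebs_encryption_by_default(),
        "ami_public_access": ec2.get_image_block_public_access_state(),
        "default_vpcs": ec2.describe_vpcs(Filters=[{"Name": "is-default", "Values": ["true"]}]),
    }
    try:  # the S3 account-level block raises if it has never been set
        snapshot["s3_public_access_block"] = boto3.client("s3control", region_name=region) \
            .get_public_access_block(AccountId=account_id)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        snapshot["s3_public_access_block"] = None
    try:  # likewise, an account without a password policy returns NoSuchEntity
        snapshot["password_policy"] = boto3.client("iam").get_account_password_policy()
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchEntity":
            raise
        snapshot["password_policy"] = None
    return snapshot


# Constructed snapshot of an account that has not been baselined (not real account data).
UNBASELINED_ACCOUNT = {
    "ebs": {"EbsEncryptionByDefault": False},
    "s3_public_access_block": None,
    "password_policy": {"PasswordPolicy": {"MinimumPasswordLength": 8, "RequireSymbols": False,
                                           "RequireNumbers": True, "RequireUppercaseCharacters": True,
                                           "RequireLowercaseCharacters": True, "ExpirePasswords": False,
                                           "PasswordReusePrevention": 0}},
    "ami_public_access": {"ImageBlockPublicAccessState": "unblocked"},
    "default_vpcs": {"Vpcs": [{"VpcId": "vpc-0123456789abcdef0", "IsDefault": True}]},
}

if __name__ == "__main__":
    for finding in evaluate_baseline(UNBASELINED_ACCOUNT):
        print(f"{'PASS' if finding.compliant else 'FAIL'} {finding.control:32} {finding.detail}")
```

Run it as-is to see the report for the constructed account, or call `evaluate_baseline(collect_snapshot("us-east-1"))` under a read-only role to check a real member account; the live path needs only `ec2:Get*`, `ec2:Describe*`, `s3:GetAccountPublicAccessBlock` and `iam:GetAccountPasswordPolicy`. Because the evaluator consumes raw API responses, the same function can be pointed at snapshots archived by a pipeline to detect drift after the fact.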
It deploys and governs other Amazon Web Services Regions. It provisions cross-regional networking connectivity based on transit gateway peering connection.
Select technical blog posts
1. Blog post: Use Cloud Foundations to holistically plan and one-click deploy two network sharing models in multi-account organizations on the cloud, February 2023
2. Blog post: Use Cloud Foundations to plan and design multi-regional hub-spoke network topology on the cloud and one-click deploy east-west south-north traffic inspection separated or combined, November 2023
3. Blog post: Use Cloud Foundations Product Factory to plan, design and one-click deploy infrastructural cloud resources such as multi-account access control and permission policies, March 2024
5. Blog post: Cloud Foundations demo videos part one: from deployment to daily operations, April 2025
6. Blog post: Manage Control Tower with Cloud Foundations: govern regions, manage organizations, create or enroll accounts, enable controls, May 2025