AWS Cloud Foundation approach
The approach below covers designing and implementing a Cloud Foundation in AWS that follows many established best practices.
AWS Region selection:
Select the region in which the data center is located and which meets the regulatory and compliance requirements. For Disaster Recovery, it is recommended to select another region or another Availability Zone as needed.
Accounts and Organizational Unit (OU) Structure:
Create separate AWS accounts for Sandbox, PoC and each environment (Dev, QA, UAT, Production).
Create separate OUs for Security, Infrastructure, Application workloads, Suspended accounts, Policy staging and Sandbox.
Split the Infrastructure OU into a Production OU and a Non-production OU. In each of these OUs, keep separate accounts for Security, Network, Monitoring tools, etc.
Split the Application workloads OU into two OUs as well, one for production and one for non-production. Under each, create accounts for external-facing apps, internal-facing apps, Data platform apps, etc., based on the user base and security requirements.
AWS Accounts:
Create the Master (management) account, and separate accounts for Security and monitoring tools, DevOps tools, Audit, Logs, Production workloads and Non-production workloads. AWS Control Tower Account Factory can be used to provision accounts with the necessary controls.
Direct Connect:
Calculate the network bandwidth needed between the data center and AWS, then provision Direct Connect. For backup network connectivity, a backup Direct Connect connection or a VPN can be provisioned as needed.
IPAM:
Plan IP address allocation for the various VPCs and subnets based on purpose, future expansion needs, etc. Amazon VPC IP Address Manager (IPAM) can be used to plan, track and monitor IP addresses.
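The planning step above is easy to get wrong by hand: VPC CIDRs that overlap the on-prem ranges cannot be routed over Direct Connect, and subnets that are too small cannot be grown later. The following added example (not from the page; the supernet, on-prem ranges and per-account sizes are constructed placeholders) carves non-overlapping VPC CIDRs out of an AWS supernet, skips anything that collides with the data-center ranges, and then splits one VPC into per-AZ, per-tier subnets, using only the Python standard library:

```python
import ipaddress
import math

# Constructed sample: on-prem data-center ranges that no VPC may overlap.
ON_PREM_RANGES = [
    ipaddress.ip_network("10.0.0.0/16"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: one VPC CIDR request per account/environment.
# (name, prefix length) -- hypothetical sizes, not a recommendation.
VPC_REQUESTS = [
    ("prod-external-apps", 16),
    ("prod-internal-apps", 16),
    ("nonprod-external-apps", 18),
    ("nonprod-internal-apps", 18),
    ("sandbox", 20),
]


def _overlaps(candidate, taken):
    return any(candidate.overlaps(net) for net in taken)


def allocate_vpc_cidrs(supernet, requests, reserved=()):
    """Carve one CIDR per request out of `supernet`, never overlapping the
    `reserved` ranges or an earlier allocation. Largest blocks are placed
    first so the address space does not fragment. Returns {name: network}."""
    supernet = ipaddress.ip_network(supernet)
    taken = list(reserved)
    allocated = {}
    for name, prefix in sorted(requests, key=lambda r: r[1]):
        if prefix < supernet.prefixlen:
            raise ValueError(f"{name}: /{prefix} is larger than {supernet}")
        for candidate in supernet.subnets(new_prefix=prefix):
            if not _overlaps(candidate, taken):
                allocated[name] = candidate
                taken.append(candidate)
                break
        else:
            raise ValueError(f"no free /{prefix} left in {supernet} for {name}")
    return allocated


def split_vpc(vpc_cidr, azs, tiers):
    """Split a VPC into equal-sized subnets, one per (AZ, tier) pair.
    The prefix length is the smallest that fits len(azs) * len(tiers)
    subnets. Returns {(az, tier): network}."""
    vpc = ipaddress.ip_network(vpc_cidr)
    count = len(azs) * len(tiers)
    bits = math.ceil(math.log2(count))  # extra prefix bits needed
    subnets = vpc.subnets(new_prefix=vpc.prefixlen + bits)
    return {(az, tier): next(subnets) for az in azs for tier in tiers}


if __name__ == "__main__":
    # 10.0.0.0/12 deliberately contains the on-prem 10.0.0.0/16, so the
    # first /16 candidate is skipped and allocation starts at 10.1.0.0/16.
    plan = allocate_vpc_cidrs("10.0.0.0/12", VPC_REQUESTS, ON_PREM_RANGES)
    for name, cidr in plan.items():
        print(f"{name:24} {cidr}")
    for (az, tier), cidr in split_vpc(plan["prod-external-apps"],
                                      ["a", "b", "c"],
                                      ["public", "private", "data"]).items():
        print(f"  {az}/{tier:8} {cidr}")
```

The resulting plan is what you would enter into IPAM pools (one pool per OU or environment) so that later VPC requests are checked against the same reserved ranges automatically rather than by spreadsheet.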
Transit Gateway:
The Serverless Transit Network Orchestrator automates setting up and managing the Transit Gateway and network connectivity.
Single Sign-On:
If the customer has Active Directory and SSO enabled on-prem, users can federate into AWS SSO (now IAM Identity Center) with their existing identities.
Golden Images:
It is recommended to create golden images hardened with CIS Benchmark controls.
DevOps tools:
Set up AWS native DevOps tools, or the customer's preferred DevOps tools, in the DevOps account and VPC.
Security and other controls:
Enable the necessary guardrails in Control Tower, including: encryption at rest, access log controls, enabling AWS Config, disallowing changes to logs, disallowing public read/write access to logs, disallowing changes to AWS Config and CloudTrail, requiring MFA for root users, and disallowing public access to S3 and RDS.
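Several of the guardrails listed above are implemented as Service Control Policies (SCPs) attached to the OUs. The added example below (not code from the page or from Control Tower) builds an SCP document that denies changes to CloudTrail, AWS Config and the account-level S3 public access block, with a hypothetical break-glass role ARN (`OrgLogAdmin`, assumed) exempted via the `aws:PrincipalArn` condition key. It also includes a deliberately simplified evaluator so the policy can be sanity-checked offline; it models Deny statements and the `ArnNotLike` condition only, not the full IAM evaluation logic.

```python
import fnmatch
import json

# Hypothetical break-glass role permitted to alter logging; an assumption,
# not something named on the page.
LOG_ADMIN_ROLE_ARN = "arn:aws:iam::*:role/OrgLogAdmin"


def build_logging_guardrail_scp(exempt_role_arn=LOG_ADMIN_ROLE_ARN):
    """Return an SCP document that blocks disabling or altering CloudTrail,
    AWS Config and the account-level S3 public access block in every
    member account, except for the exempt role."""
    exempt = {"ArnNotLike": {"aws:PrincipalArn": exempt_role_arn}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCloudTrailChanges",
                "Effect": "Deny",
                "Action": [
                    "cloudtrail:StopLogging",
                    "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail",
                    "cloudtrail:PutEventSelectors",
                ],
                "Resource": "*",
                "Condition": exempt,
            },
            {
                "Sid": "DenyConfigChanges",
                "Effect": "Deny",
                "Action": [
                    "config:DeleteConfigurationRecorder",
                    "config:StopConfigurationRecorder",
                    "config:DeleteDeliveryChannel",
                ],
                "Resource": "*",
                "Condition": exempt,
            },
            {
                "Sid": "DenyDisablingS3PublicAccessBlock",
                "Effect": "Deny",
                "Action": "s3:PutAccountPublicAccessBlock",
                "Resource": "*",
            },
        ],
    }


def _statement_applies(stmt, action, principal_arn):
    """True if `stmt` matches `action` and the principal is not exempted
    by an ArnNotLike condition on aws:PrincipalArn (the only condition
    modelled here)."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
    if exempt is not None:
        patterns = exempt if isinstance(exempt, list) else [exempt]
        if any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns):
            return False  # principal matches the exemption, statement is skipped
    return True


def scp_denies(policy, action, principal_arn):
    """Simplified check: does any Deny statement in `policy` apply to
    `action` for `principal_arn`? Real SCP evaluation additionally needs
    an Allow somewhere in the policy chain; only Deny is modelled here."""
    return any(
        s["Effect"] == "Deny" and _statement_applies(s, action, principal_arn)
        for s in policy["Statement"]
    )


if __name__ == "__main__":
    policy = build_logging_guardrail_scp()
    print(json.dumps(policy, indent=2))
    dev = "arn:aws:iam::123456789012:role/Developer"      # constructed
    admin = "arn:aws:iam::123456789012:role/OrgLogAdmin"  # constructed
    print("developer StopLogging denied:", scp_denies(policy, "cloudtrail:StopLogging", dev))
    print("log admin StopLogging denied:", scp_denies(policy, "cloudtrail:StopLogging", admin))
```

Attach the generated document with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` to the workload OUs, not to the management account, and remember that SCPs never apply to the management account itself, which is one reason to keep it free of workloads.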
Encrypt data stored in S3, RDS and EBS volumes, and encrypt data in transit. Use KMS to manage the encryption keys.
Enable detective controls using AWS services such as AWS Security Hub, Amazon GuardDuty, Amazon Inspector, AWS CloudTrail, Amazon CloudWatch and VPC Flow Logs.
Enable identity controls such as AWS Identity and Access Management (IAM), AWS Single Sign-On, AWS Secrets Manager and AWS Resource Access Manager.
Enable preventive services such as AWS Shield, AWS WAF, AWS Firewall Manager and AWS Systems Manager.
Enable data protection services such as AWS KMS (Key Management Service), AWS CloudHSM, Amazon Macie and AWS Certificate Manager.
For patch management, use AWS Systems Manager (Patch Manager).
Enable AWS Backup and configure backup policies according to regulatory and compliance needs.
Create a tagging policy and naming convention, and align them with the customer.
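A tagging policy is only useful if it is enforced, and the most common failure is a tag key in the wrong case: AWS tag keys are case-sensitive, so `environment` does not satisfy a rule for `Environment`, yet it looks correct in a console listing. The added example below (not the page's own; the required tags, value sets, regex patterns and sample resources are all constructed assumptions) audits a list of resources against such a policy and a naming convention, and reports the wrong-case key distinctly from a missing key so the fix is obvious:

```python
import re

# Constructed sample tagging policy: required keys with either an allowed
# value set or a regex the value must match. Assumed, not from the page.
TAG_POLICY = {
    "Environment": {"allowed": {"prod", "nonprod", "sandbox"}},
    "Owner": {"pattern": r"^[a-z0-9._-]+@example\.com$"},
    "CostCenter": {"pattern": r"^CC-\d{4}$"},
}

# Constructed naming convention: <env>-<component>-<index>, lower-case only.
NAME_PATTERN = re.compile(r"^(prod|nonprod|sbx)-[a-z]+-[a-z0-9]+(-[a-z0-9]+)*$")


def check_resource(name, tags, policy=TAG_POLICY):
    """Return a list of human-readable violations for one resource.
    An empty list means the resource is compliant."""
    violations = []
    if not NAME_PATTERN.match(name):
        violations.append(f"name '{name}' does not follow the naming convention")
    # Tag keys are case-sensitive in AWS; detect near-misses explicitly.
    lower_keys = {k.lower(): k for k in tags}
    for key, rule in policy.items():
        if key not in tags:
            if key.lower() in lower_keys:
                violations.append(
                    f"tag key '{lower_keys[key.lower()]}' has wrong case; expected '{key}'")
            else:
                violations.append(f"missing required tag '{key}'")
            continue
        value = tags[key]
        if "allowed" in rule and value not in rule["allowed"]:
            violations.append(
                f"tag '{key}' value '{value}' not in {sorted(rule['allowed'])}")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            violations.append(
                f"tag '{key}' value '{value}' does not match {rule['pattern']}")
    return violations


def audit(resources, policy=TAG_POLICY):
    """Audit dicts of the form {'id', 'name', 'tags'}; return
    {resource_id: [violations]} containing only non-compliant resources."""
    report = {}
    for r in resources:
        violations = check_resource(r["name"], r["tags"], policy)
        if violations:
            report[r["id"]] = violations
    return report


# Constructed sample inventory (as you might export from AWS Config or
# Resource Groups Tagging API); IDs are placeholders.
SAMPLE_RESOURCES = [
    {"id": "i-0example0001", "name": "prod-web-01",
     "tags": {"Environment": "prod", "Owner": "alice@example.com",
              "CostCenter": "CC-1234"}},
    {"id": "i-0example0002", "name": "Prod-Web-1",
     "tags": {"environment": "prod", "Owner": "alice@example.com",
              "CostCenter": "CC-12"}},
    {"id": "vol-0example0003", "name": "sbx-data-01",
     "tags": {"Environment": "test", "CostCenter": "CC-9876"}},
]


if __name__ == "__main__":
    for resource_id, problems in audit(SAMPLE_RESOURCES).items():
        print(resource_id)
        for p in problems:
            print("  -", p)
```

The same checks map directly onto an AWS Organizations tag policy (for key case and allowed values) plus an AWS Config rule such as `required-tags`; running them in code as well lets you fail a pipeline before the non-compliant resource is ever created.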
Conclusion:
With the above services in place as a minimum, the Cloud Foundation is ready for implementation to start.