Cloud Foundations

Everything you need to set up your Cloud Foundation

Cloud Foundations provides a guided path to help customers deploy, configure, and secure their new workloads while ensuring they are ready for ongoing operations in the cloud. It helps customers navigate the decisions they need to make, through curated AWS Services, AWS Solutions, Partner Solutions, and Guidance. These solutions support your cloud foundation journey, accelerating the deployment of a production-ready environment.

Cloud Foundations Capabilities & Categories

To support cloud adoption, AWS recommends that you have a foundational set of capabilities that enable you to deploy, operate, and govern your workloads. A capability includes a definition, scenarios, guidance, and supporting solutions to establish and operate a specific part of a cloud environment. Capabilities are designed to integrate into your overall technology environment.

The image on the right shows 30 capabilities that span six categories that AWS has defined to help you establish a cloud foundation.

For information on how to use this framework, see Planning Your Journey. For in-depth technical information, see the Establishing your Cloud Foundation on AWS whitepaper. 

  • Governance, Risk, and Compliance
    Securely collect and store environment logs centrally in tamper-resistant storage.
    Implement executive board policies that your cloud environment must adhere to.
    Group sets of cloud resources by assigning metadata (tags) to them for a variety of purposes. Tagging is fundamental to providing enterprise-level visibility and control.
    Deploy planned alterations to all configurable items in an environment within a defined scope, such as production and test.
    Service Onboarding: Review and approve AWS services for use based on internal, compliance, and regulatory requirements.
    Provide analysis of log data and forensically captured images of potentially compromised resources, to determine whether a compromise occurred (and if so, how).
    Audit & Assessment: Gather and organize documentary evidence to enable internal or independent assessment of your cloud environment, and activities within it, against standards.
    Data De-identification: Anonymize subsets of data and information as they are stored and processed to reduce their sensitivity, preserving the underlying data format where required.
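The Data De-identification capability above asks for reduced sensitivity while preserving the underlying data format. The following is an added example, not code from AWS or the Cloud Foundations framework: a keyed, format-preserving pseudonymization routine in Python that replaces each digit with a digit and each letter with a letter of the same case, driven by an HMAC-SHA256 keystream so that the same input always maps to the same token under the same key. The demo key, the field names and the sample record are constructed for the example.

```python
import hashlib
import hmac
import string

DIGITS = string.digits
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# Constructed demo key: in practice fetch it from a secrets manager and never
# hard-code it. A separate key per dataset limits linkage across datasets.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"

# Constructed sample record; only the fields in SENSITIVE_FIELDS are tokenized.
SAMPLE_RECORD = {
    "customer_id": "CUST-00417",
    "email": "alice.smith@example.com",
    "phone": "555-0123",
    "order_total": "129.95",
}
SENSITIVE_FIELDS = {"customer_id", "email", "phone"}


def _keystream(key: bytes, field: str, value: str) -> bytes:
    """Derive len(value) pseudorandom bytes as HMAC-SHA256(key, field || 0x00 || value || counter).

    Including the field name domain-separates tokens, so the same string in two
    different columns does not produce the same token.
    """
    out = b""
    counter = 0
    while len(out) < len(value):
        msg = field.encode() + b"\x00" + value.encode() + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[: len(value)]


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Return a token with the same length and per-position character class as value.

    Digits map to digits and letters to letters of the same case; punctuation and
    other characters stay in place, so downstream format validators still pass.
    """
    stream = _keystream(key, field, value)
    out = []
    for ch, b in zip(value, stream):
        # b % 10 and b % 26 carry a small modulo bias; acceptable for
        # pseudonymization, not for deriving key material.
        if ch in DIGITS:
            out.append(DIGITS[b % 10])
        elif ch in LOWER:
            out.append(LOWER[b % 26])
        elif ch in UPPER:
            out.append(UPPER[b % 26])
        else:
            out.append(ch)
    return "".join(out)


def _char_class(ch: str) -> str:
    if ch in DIGITS:
        return "digit"
    if ch in LOWER:
        return "lower"
    if ch in UPPER:
        return "upper"
    return ch  # punctuation and spaces must be identical, not merely same class


def preserves_format(original: str, token: str) -> bool:
    """Check that token keeps the length and per-position character class of original."""
    return len(original) == len(token) and all(
        _char_class(a) == _char_class(b) for a, b in zip(original, token)
    )


def deidentify_record(record: dict, key: bytes, sensitive_fields: set) -> dict:
    """Tokenize the sensitive fields of a record and pass the rest through unchanged."""
    return {
        name: pseudonymize(val, key, name) if name in sensitive_fields else val
        for name, val in record.items()
    }


if __name__ == "__main__":
    out = deidentify_record(SAMPLE_RECORD, DEMO_KEY, SENSITIVE_FIELDS)
    for name in SAMPLE_RECORD:
        print(f"{name:12} {SAMPLE_RECORD[name]:28} -> {out[name]}")
```

Because the mapping is deterministic, equal inputs yield equal tokens, which preserves joins across tables but also leaks equality and so permits frequency analysis on low-cardinality fields. Because it is a one-way keyed hash rather than a cipher, nobody can reverse it, the key holder included; where authorized re-identification is required, use a format-preserving encryption mode such as NIST FF1 or a tokenization vault instead.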
  • Operations
    Provide the tools and processes developers need to build and deploy workloads to the cloud easily.
    Gather and aggregate security and operational data about system and application activities.
    Deploy sets of changes to update, fix, and/or enhance the operational and security properties of infrastructure and workloads.
    Roll out application or configuration changes to the environment, and roll them back if they fail.
    Search and filter resources in your environment based on the metadata (tags) applied to them.
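Two capabilities above rely on tags: grouping resources by assigned metadata (under Governance, Risk, and Compliance) and searching and filtering by that metadata (under Operations). The following is an added example, not code from AWS or the Cloud Foundations framework: a small Python tag-policy auditor that evaluates a constructed resource inventory against a hypothetical policy of required keys with allowed values or patterns, flags the common case-mismatch mistake (AWS tag keys are case-sensitive), and filters the inventory by tag. The policy, tag keys, ARNs and tag values are all constructed; the account number is the AWS documentation placeholder 123456789012.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TagRule:
    """One required tag: the exact key, plus either an allowed-value set or a regex."""
    key: str
    allowed_values: Optional[frozenset] = None
    pattern: Optional[str] = None


# Hypothetical tag policy. The rule key is the exact casing that must appear on
# the resource, because AWS treats 'Environment' and 'environment' as different keys.
TAG_POLICY = [
    TagRule("Environment", allowed_values=frozenset({"prod", "staging", "dev"})),
    TagRule("Owner", pattern=r"^[a-z0-9.-]+@example\.com$"),
    TagRule("CostCenter", pattern=r"^CC-\d{4}$"),
    TagRule("DataClassification",
            allowed_values=frozenset({"public", "internal", "confidential", "restricted"})),
]

# Constructed resource inventory, as an inventory export or describe call would return it.
INVENTORY = [
    {"arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d4e5f67890",
     "tags": {"Environment": "prod", "Owner": "payments@example.com",
              "CostCenter": "CC-1042", "DataClassification": "confidential"}},
    {"arn": "arn:aws:s3:::example-raw-exports",
     "tags": {"environment": "prod", "Owner": "alice@example.com",
              "CostCenter": "CC-1042"}},
    {"arn": "arn:aws:rds:us-east-1:123456789012:db:orders",
     "tags": {"Environment": "production", "Owner": "bob@gmail.com",
              "CostCenter": "1042", "DataClassification": "restricted"}},
    {"arn": "arn:aws:lambda:us-east-1:123456789012:function:nightly-report",
     "tags": {"Environment": "dev", "Owner": "ci@example.com",
              "CostCenter": "CC-2000", "DataClassification": "internal"}},
]


def evaluate(tags: dict[str, str], policy: list[TagRule]) -> list[str]:
    """Return one human-readable finding for every rule the tag set violates."""
    findings = []
    by_lower = {k.lower(): k for k in tags}  # detects 'environment' vs 'Environment'
    for rule in policy:
        if rule.key not in tags:
            if rule.key.lower() in by_lower:
                findings.append(
                    f"key '{by_lower[rule.key.lower()]}' has wrong case (expected '{rule.key}')")
            else:
                findings.append(f"missing required tag '{rule.key}'")
            continue
        value = tags[rule.key]
        if rule.allowed_values is not None and value not in rule.allowed_values:
            findings.append(
                f"tag '{rule.key}' value '{value}' is not one of {sorted(rule.allowed_values)}")
        if rule.pattern is not None and not re.fullmatch(rule.pattern, value):
            findings.append(f"tag '{rule.key}' value '{value}' does not match {rule.pattern}")
    return findings


def audit(inventory: list[dict], policy: list[TagRule]) -> dict[str, list[str]]:
    """Map each non-compliant ARN to its findings; compliant resources are omitted."""
    report = {}
    for resource in inventory:
        findings = evaluate(resource["tags"], policy)
        if findings:
            report[resource["arn"]] = findings
    return report


def find_by_tags(inventory: list[dict], **wanted: str) -> list[str]:
    """Return ARNs whose tags match every key=value given (exact, case-sensitive)."""
    return [r["arn"] for r in inventory
            if all(r["tags"].get(k) == v for k, v in wanted.items())]


if __name__ == "__main__":
    for arn, findings in audit(INVENTORY, TAG_POLICY).items():
        print(arn)
        for finding in findings:
            print("  -", finding)
    print("prod resources:", find_by_tags(INVENTORY, Environment="prod"))
```

Note that the S3 bucket tagged `environment=prod` is both reported as non-compliant and silently excluded from the `Environment=prod` filter: a key-case slip breaks every downstream control that selects on the tag, which is why the auditor calls it out separately from a missing tag.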
  • Security
    Efficiently build and centrally manage access to your cloud platform environment.
    Limit access to data at rest and in transit so that it is accessible only to appropriate, authorized entities.
    Protect application software and detect anomalous behavior in the applications' interactions with clients.
    Centrally manage encryption keys for different workloads, and encrypt data at rest and in transit.
    Respond to a security incident.
    Assess the impact and scope (such as blast radius) of vulnerabilities and threats, and address or remediate them.
    Manage secrets (access credentials) such as passwords, access keys, other API keys, and X.509 or SSH private keys.
  • Business Continuity
    Automate the mechanisms that resume processing of transactions in a different physical environment when the environment originally processing them becomes unexpectedly unavailable.
    Make reliable copies of data for retrieval as needed to meet business and security goals, including Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
    Troubleshoot an environment, ask questions, submit tickets, integrate with existing ticketing systems, and escalate issues to the appropriate entity for a timely response depending on criticality and support level.
  • Finance
    Track, notify on, and apply cost optimization techniques across your environment and resources.
    Maintain visibility into, and configuration of, the cloud resources that make up an IT-level service or workload.
    Set data retention according to your internal policies and regulatory requirements, including how data transitions to archive before it is deleted.
  • Infrastructure
    Design, build, and manage a secure and highly available cloud network infrastructure.
    Create and manage isolated environments to contain your newly created or migrated workloads.
    Design and implement security policies and controls across the layers of the networking stack to protect your resources from external and internal threats, ensuring confidentiality, integrity, availability, and usability.
    Create and group reusable templates in a central repository to quickly deploy, manage, and update infrastructure, schemas, golden images, and resources across the environment.

Planning Your Journey

  • Based on your evaluation, a sample outcome path can be a mix of 10 full capabilities, or just certain scenarios within the capabilities. As your requirements evolve, you can include new capabilities and solve for additional scenarios to enhance your cloud environment over time.
  • Before you begin building your Cloud Foundation on AWS, it is important to identify the stakeholders who are responsible, accountable, or need to be informed, so that they can all be present when decisions are made. Involving them from the beginning reduces the time it takes to identify who is responsible or accountable for each decision. For example, we find that most customers have already identified an owner for the Networking team.

    There are functional areas within each capability to help identify owners and stakeholders. Each capability has one primary functional area, which indicates the owner accountable for the capability. Most capabilities are also relevant to other functional areas, which indicate the stakeholders responsible for providing input and helping make decisions for that capability.

  • Creating a project plan will enable you to track progress on the capabilities, and to iterate and expand them as your environment grows. The plan can include items such as necessary training, setting up automation, tracking the time to implement and maintain capabilities, and more. For a sample timeline, see the whitepaper.
