Cloud Foundations

Everything you need to set up your Cloud Foundation Framework on AWS

Cloud Foundations provides a guided path to help customers deploy, configure, and secure their new workloads while ensuring they are ready for ongoing operations in the cloud. It helps customers navigate the decisions they need to make by pointing them to curated AWS Services, AWS Solutions, Partner Solutions, and Guidance. These solutions support your cloud foundation journey and accelerate the deployment of a production-ready environment.

Cloud Foundations Capabilities and Categories

To support cloud adoption, AWS recommends that you have a foundational set of capabilities that enable you to deploy, operate, and govern your workloads. A capability includes a definition, scenarios, guidance, and supporting solutions to establish and operate a specific part of a cloud environment. Capabilities are designed to integrate into your overall technology environment.

AWS has defined 29 capabilities, spanning six categories, to help you establish a cloud foundation.

For information on how to use this framework, see the Cloud Foundations Framework Overview. For in-depth technical information, see the Establishing your Cloud Foundation on AWS whitepaper. 

  • Governance, Risk, and Compliance
    • Securely collect and store environment logs centrally within tamper-resistant storage.
    • Implement executive board policies that your cloud environment must adhere to.
    • Group sets of cloud resources by assigning metadata to them for a variety of purposes. Tagging is fundamental to providing enterprise-level visibility and control.
    • Deploy planned alterations to all configurable items that are in an environment within the defined scope, such as production and test.
    • Store, retain, and secure your data according to your internal policies and regulatory requirements.
    • Review and approve AWS services for use based on consideration of internal, compliance, and regulatory requirements.
    • Provide analysis of log data and evidentially captured images of potentially compromised resources to determine whether a compromise occurred (and if so, how).
    • Anonymize subsets of data and information as they are stored and processed to reduce their sensitivity and, when required, preserve the underlying data format.
    • Gather and organize documentary evidence to enable internal or independent assessment of your cloud environment, and activities within it, against standards.
  • Operations
    • Provide the tools and processes required for developers to build and deploy workloads easily to the cloud.
    • Gather and aggregate security and operational data about system and application activities.
    • Deploy sets of changes to update, fix, and/or enhance the operational and security properties of infrastructure and workloads.
    • Manage compute images throughout their entire lifecycle. This can involve the creation, acquisition, distribution, and storage of the images.
  • Security
    • Efficiently build and centrally manage access to your cloud platform environment.
    • Centrally manage encryption keys for different workloads, and provide the ability to encrypt data at rest and in transit.
    • Limit access to data at rest and in transit so that data is only accessible to appropriate, authorized entities.
    • Manage secrets (access credentials) such as passwords, access keys, other API keys, X.509 certificates, or SSH private keys.
    • Respond to a security incident. The response involves characterizing the nature of the incident and making changes.
    • Assess the impact and scope (such as blast radius) of vulnerabilities and threats, and address or remediate them.
    • Protect application software and detect anomalous behavior in the context of the applications' interactions with clients.
  • Business Continuity
    • Automate mechanisms to resume processing of transactions hosted in one physical environment in a different physical environment, in the event that the original physical environment becomes unexpectedly unavailable.
    • Make reliable copies of data for retrieval as needed to meet business and security goals, Recovery Point Objective (RPO), and Recovery Time Objective (RTO).
    • Troubleshoot an environment, ask questions, submit tickets, integrate into existing ticketing systems, and escalate issues to an appropriate entity for a timely response depending on criticality and support level.
  • Finance
    • Track, notify, and apply cost optimization techniques across your environment and resources.
    • Provide visibility into, and configuration of, the cloud-based resources that make up an IT-level service or workload.
  • Infrastructure
    • Design, build, and manage a secure and highly available network cloud infrastructure.
    • Create and manage isolated environments to contain your newly created or migrated workloads.
    • Design and implement security policies and controls across different levels of the networking stack to protect your resources from external or internal threats and to ensure confidentiality, availability, integrity, and usability.
    • Create and group reusable templates in a central repository to quickly deploy, manage, and update infrastructure, schemas, golden images, and resources across the environment.
