Establishing Your Cloud Foundation on AWS

​When developing a cloud adoption strategy, organizations may typically prioritize greater agility, innovation, and scalability. However, the process of making numerous decisions to create a production-ready cloud environment can be somewhat  challenging. 

​These decisions have the potential to impact an organization's scalability and its ability to enhance the environment in the future. To simplify this complexity, customers are actively seeking prescriptive guidance across a wide range of AWS services that can be utilized to create a solid foundational environment.

The key to establishing a successful cloud foundation on AWS lies in tailoring the guidance to the unique business needs of each organization. By adopting a capability-based approach, organizations can create an environment that enables them to efficiently deploy, operate, and govern their workloads. Furthermore, this approach allows them to enhance their capabilities and expand their environment as their requirements evolve and additional workloads are deployed to the cloud.
​
A standardized, prescriptive set of capabilities spanning different functional areas can serve as a structured approach for swiftly building or expanding an AWS Cloud environment. Organizations can adopt and implement these capabilities based on their operational and governance needs. As their business requirements mature, the capability-based approach can be utilized to ensure that their cloud environment is prepared to support their workloads and scale accordingly.

Cloud Foundations

​
To address these needs, AWS has created Cloud Foundations which provides a guided path to help organisations deploy, configure, and secure their new workloads while ensuring they are ready for on-going operations in the cloud. Using Cloud Formations can help support your cloud foundation journey, accelerating the deployment of a production-ready environment.

​When it comes to embracing the cloud, AWS advises having a solid set of foundational capabilities that empower you to effortlessly deploy, manage, and govern your workloads. These capabilities serve as the building blocks for establishing and operating various aspects of your cloud environment. Think of them as the tools and guidelines that assist you in planning, implementing, and effectively running your cloud infrastructure. They encompass considerations for people, processes, and technology, seamlessly integrating with your overall technology ecosystem.

But it's not just about the technical implementation. These capabilities also encompass operational guidance, ensuring you have the necessary resources and skills to set up and maintain each capability. This includes notifications, event handling, remediation processes, and the expertise of your team members. In other words, it's all about equipping you with the knowledge and support needed to successfully leverage each capability.

So, whether you're diving into the cloud for the first time or enhancing your existing environment, these foundational capabilities and categories provide you with a comprehensive framework to navigate the complexities of cloud adoption. With their guidance and automation, you can confidently establish and operate a robust cloud environment that meets your specific needs and helps you achieve your business goals.
 
AWS has defined a set of 30 capabilities that span six categories to help you establish a cloud foundation.

Table 1: Cloud Foundations capabilities by categories

​Each capability includes stages of maturity that enable you to implement based on where you are in your cloud journey, including your governance and operational requirements. As your cloud environment grows and matures, the capabilities can be enhanced to meet your new requirements.

Capabilities Definitions

This section includes high-level definitions for each foundational capability organized by their category as shown in the figure below.

Figure 1: Cloud Foundations Categories

Governance, Risk Management, and Compliance

​When it comes to Governance, Risk Management, and Compliance (GRC), it's all about establishing a solid foundation for meeting security and compliance requirements while defining the policies that should govern your cloud environment. These capabilities play a crucial role in determining what needs to be done, defining your risk tolerance, and ensuring alignment with internal policies.

Figure 2: Governance, Risk Management, and Compliance Category

 
Within the Governance, Risk Management, and Compliance category, you'll find a range of capabilities designed to empower you in your GRC efforts:
​

• Tagging: This capability allows you to group resources by assigning metadata to them, serving various purposes such as access control, cost reporting, and automation. Tagging also offers visibility and control by grouping resources together, like microservices, applications, or workloads.
• Log Storage: Securely collecting and storing environment logs in tamper-resistant storage is vital. This capability enables you to evaluate, monitor, alert, and audit access and actions performed on your AWS resources and events.
• Forensics: In the event of a potential compromise, forensics involves analyzing log data and captured images to determine if a breach occurred and identify the root cause. This information helps drive the application of preventative measures.
• Service Onboarding: This capability enables you to review and approve AWS services for use, considering internal, compliance, and regulatory requirements. It involves risk assessment, documentation, implementation patterns, and communication regarding service consumption.
• Data De-Identification: Anonymizing sensitive data subsets during storage and processing is crucial. This capability reduces sensitivity for specific data types (e.g., national ID numbers, trade data, healthcare information) and may involve tokenization of sensitive data (e.g., credit card numbers, physical addresses, healthcare records) to minimize the need for direct access.
• Governance: This capability allows you to implement executive board policies that govern your AWS Cloud environment. It includes defining environment rules, identifying risks, and ensuring alignment with internal policies. As your cloud foundation evolves, elements of governance are integrated into all other capabilities to maintain compliance.
• Audit & Assessment: Gathering and organizing documentary evidence is essential for internal or independent assessment of your cloud environment. This capability provides information about access, changes, and helps validate that all actions align with policies and follow appropriate workflows.
• Change Management: This capability focuses on deploying planned alterations to configurable items within a defined scope, such as production and test environments. Approved changes are implemented with minimized risk, ensuring the stability of your existing IT infrastructure.

These capabilities within the Governance, Risk Management, and Compliance category offer you the necessary tools and guidance to establish a secure and compliant cloud environment. By leveraging them effectively, you can confidently navigate the complexities of GRC and safeguard your organization's interests.

Operations

​
When it comes to Operations, the goal is to enable your developers and operations teams to innovate at a rapid pace while maintaining the quality of application and infrastructure updates. The capabilities within this category empower you to effortlessly build, deploy, and operate workloads in the cloud, enhancing the developer experience and leveraging powerful tools.

​Figure 3: Operations Category

Let's explore the capabilities within the Operations category that can revolutionize the way you manage your cloud environment:
​

• Rollout/Rollback: This capability involves having a well-defined strategy for rolling out application or configuration changes to your environment. It also includes the ability to roll back these changes if any issues or failures occur. Whether it's updating permissions, implementing new policies, configuring networks, or deploying new versions of applications or software development kits, this capability ensures smooth and reliable changes to your infrastructure.
• Logging & Monitoring: Gathering and aggregating security and operational data about your system and application activities is crucial. This capability allows for near-real-time analysis of data, enabling you to identify anomalies, indicators of compromise, performance issues, and configuration changes. With comprehensive logging and monitoring, you can proactively address any issues and ensure the smooth operation of your workloads.
• Metadata Sorting/Searching: The ability to search and filter resources based on applied metadata within your environment is invaluable. By leveraging this capability, you can efficiently locate and manage resources, whether they are specific accounts or resources within those accounts. It simplifies resource management and enhances visibility across your cloud environment.
• Patching: Keeping your infrastructure and workloads up to date is essential for optimal operation and security. This capability enables you to deploy sets of changes that address security vulnerabilities, apply bug fixes, and enhance the overall performance of your systems. From operating systems to applications and other relevant software systems, patching ensures that your environment remains secure and up to date.
• Developer Experience and Tools: To empower your developers, you need to provide them with the right tools and processes for building and deploying workloads seamlessly in the cloud. This capability covers everything from storing code to building workflows and facilitating the promotion of workloads from the testing phase to the production environment. By streamlining the developer experience, you can boost productivity and foster innovation within your teams.

With these Operations capabilities at your disposal, you can revolutionize how you manage your cloud environment. By enhancing the developer experience, ensuring effective rollout and rollback strategies, implementing robust logging and monitoring, simplifying resource management, and keeping your systems patched, you can drive efficiency, reliability, and innovation throughout your operations.

Security

​
When it comes to Security, the focus is on creating a secure, high-performing, and resilient foundation for your cloud environment. The capabilities within this category allow you to design and implement robust security policies and controls at different levels of the stack, protecting your valuable resources from both external and internal vulnerabilities and threats. These capabilities ensure confidentiality, availability, integrity, and usability, while providing guidance and recommendations for effective remediation.

Figure 4: Security Category

Let's delve into the capabilities within the Security category that empower you to establish a strong and reliable security framework for your cloud environment:
​

• Identity Management & Access Control: This capability enables your teams to efficiently build and centrally manage access to your cloud platform environment. It allows you to structure your organization, organize your accounts, and establish access based on the principle of least privilege. With effective identity management and access control, you can ensure that only authorized entities can access your resources, enhancing security and reducing the risk of unauthorized access.
• Data Isolation: Protecting your data is of utmost importance, and this capability enables you to limit access to data at rest and in transit. By implementing data isolation measures, you ensure that sensitive data is only accessible to authorized entities. Furthermore, this capability includes the ability to detect any misuse, unauthorized access, leaks, or theft of data, providing an additional layer of security for your valuable information.
• Application Security: Safeguarding your application software is crucial, and this capability focuses on protecting your applications from threats such as unauthorized access, privilege escalation, and other application-level vulnerabilities. It also involves detecting and responding to anomalous behavior in the context of application interactions with clients. By prioritizing application security, you can mitigate risks and ensure the integrity and reliability of your applications.
• Encryption and Key Management: This capability revolves around centrally managing encryption keys for different workloads and implementing encryption for data at rest and in transit. Access to keys follows the principle of least privilege, and usage is monitored to detect any anomalies. Additionally, encryption and key management provide various patterns for key rotation based on specific requirements, ensuring the ongoing security of your data.
• Secrets Management: Managing secrets, such as passwords, access keys, and API keys, is crucial for maintaining the security of your environment. This capability encompasses storage, access control, access logging, revocation, and rotation aspects of managing secrets. By effectively managing secrets, you can prevent unauthorized access and reduce the risk of credential misuse.
• Security Incident Response: In the event of a security incident, this capability enables you to respond effectively. It involves characterizing the nature of the incident and implementing appropriate changes, such as restoring operational status, identifying and remediating the root cause, and gathering evidence for potential legal actions. By having a well-defined incident response process, you can minimize the impact of security incidents and swiftly mitigate any potential risks.
• Vulnerability & Threat Management: Identifying and addressing vulnerabilities is a crucial aspect of maintaining a secure environment. This capability allows you to identify vulnerabilities that can affect the availability, performance, or security of your environment. It includes assessing the impact and scope of vulnerabilities and threats, and implementing necessary measures to address and remediate them. By effectively managing vulnerabilities and threats, you can enhance the overall security posture of your cloud environment.

By leveraging these Security capabilities, you can establish a robust security framework for your cloud environment, safeguarding your resources, and mitigating risks. From identity management and access control to data isolation, application security, encryption and key management, secrets management, incident response, and vulnerability management, these capabilities provide a comprehensive approach to protecting your cloud environment from a wide range of threats and vulnerabilities.

Business Continuity

​When it comes to Business Continuity, resilience is key as it directly impacts the quality of service your users experience. The capabilities within this category empower you to establish a comprehensive strategy to ensure the continuity of operations during times of inefficiency or crisis. By implementing Disaster Recovery, Backups, and Support, you can proactively mitigate the impact of disruptions, minimize downtime during outages, and navigate unprecedented situations more effectively.

Figure 5: Business Continuity Category

Let's explore the capabilities within the Business Continuity category that enable you to maintain uninterrupted operations and mitigate potential disruptions:
​

• Backups: This capability focuses on creating reliable copies of data in a secure and efficient manner, ensuring that data can be retrieved when needed to meet business and security goals. Backups encompass a variety of content, including orchestration framework data and configuration, application data, logs, and customer data. By implementing effective backup strategies, you can establish appropriate Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO), minimizing data loss and facilitating timely recovery.
• Disaster Recovery: Disruptions can occur unexpectedly, and this capability addresses the need to swiftly resume transaction processing in an alternative physical environment when the original environment becomes unavailable. Disaster Recovery involves the use of automated mechanisms to seamlessly transfer and resume processing, ensuring continuity of critical operations. By implementing robust Disaster Recovery measures, you can minimize the impact of unforeseen events and maintain business operations with minimal downtime.
• Support: In times of inefficiency or crisis, it is crucial to have reliable support available to address any issues or concerns that may arise. This capability enables you to access troubleshooting resources, submit tickets, integrate with existing ticketing systems, and escalate critical issues for timely responses. Support may involve granting appropriate access to relevant resources for troubleshooting and remediation activities. By having reliable support mechanisms in place, you can swiftly address challenges and ensure a prompt resolution, minimizing the impact on business operations.

By leveraging these Business Continuity capabilities, you can establish a resilient foundation that ensures the continuity of your operations, even in the face of disruptions. Whether it's implementing robust backup strategies, enabling efficient Disaster Recovery processes, or having reliable support mechanisms, these capabilities enable you to navigate challenges and maintain business continuity. Proactively addressing potential inefficiencies and preparing for unforeseen events can help you avoid downtime, minimize service disruptions, and ultimately deliver a seamless experience to your users.

Finance

​When it comes to Finance, it's essential to establish and enhance your existing finance processes to be cloud-ready. By leveraging the capabilities within this area, you can effectively manage costs, ensure transparency and control, optimize spending, and meet compliance and regulatory requirements. Additionally, these capabilities enable you to efficiently manage your records and resource inventory, ensuring accurate financial management within your cloud environment.

Figure 6: Finance Category

Let's explore the capabilities within the Finance category that empower you to establish robust financial processes and optimize your cloud operations:
​

• Cloud Financial Management: This capability focuses on managing and optimizing your variable expenses associated with cloud services. With near real-time visibility and comprehensive cost and usage analysis, you gain valuable insights to support decision-making processes. From spend dashboards and optimization techniques to implementing spend limits and chargeback mechanisms, this capability enables you to proactively manage costs and detect anomalies. It also includes budgeting and forecasting features, allowing you to design a cost-optimized architecture for your workloads, select the right pricing models, and attribute costs to relevant teams. By centralizing expense information and providing targeted visibility to critical stakeholders, you can effectively track, notify, and apply cost optimization techniques across your environment and resources.
• Resource Inventory Management: This capability provides visibility and configuration management of the cloud-based resources that form an integral part of your IT-level services or workloads. By tracking resources and associated configurations in the environment, you can establish a system of record, such as a Configuration Management Database (CMDB) for IT Service Management (ITSM)-managed environments. This system of record facilitates visibility and configuration management of all software, hardware, and firmware resources within your cloud environment. With resource inventory management, you can effectively track and manage your cloud resources, ensuring accurate accounting and streamlined operations.
• Records Management: Records management is crucial for maintaining compliance and meeting internal policies and regulatory requirements. This capability enables you to define data retention policies, including the transition of data to archival storage before deletion. It encompasses various types of data, such as financial records, transactional data, audit logs, business records, and personally identifiable information (PII). By implementing effective records management practices, you can ensure proper data retention, meet compliance obligations, and maintain the integrity and security of sensitive information.

By leveraging these Finance capabilities, you can establish a cloud-ready finance framework that promotes cost transparency, control, planning, and optimization. From effectively managing variable expenses to maintaining accurate resource inventories and meeting regulatory requirements, these capabilities provide the foundation for efficient financial operations within your cloud environment. By embracing cloud financial management, resource inventory management, and records management, you can drive financial efficiency, ensure compliance, and optimize your cloud investments.

Infrastructure

​When it comes to Infrastructure, it's crucial to design, build, and manage a secure and highly available cloud infrastructure. By leveraging the capabilities within this area, you can ensure the reliability and security of your infrastructure while accommodating the migration of applications from on-premises environments or building them natively in the cloud. Let's explore the key capabilities within the Infrastructure category that empower you to create a robust and resilient cloud infrastructure.

Figure 7: Infrastructure Category

• Network Security: This capability focuses on designing and implementing security policies and controls across different levels of the networking stack. By leveraging network security practices, you can safeguard your resources from external and internal threats, ensuring confidentiality, availability, integrity, and usability. This capability encompasses measures such as monitoring ingress/egress and lateral data movement, detecting and blocking anomalous network traffic, and implementing preventive security measures.
• Network Connectivity: Network connectivity is essential for building a secure and highly available cloud infrastructure. This capability provides best practices and resources to design, build, and manage a network infrastructure that ensures reliable connectivity. From automating network infrastructure provisioning and configuration to facilitating expansion and scaling, network connectivity capabilities empower you to establish a robust and resilient network foundation for your cloud environment.
• Template Management: Template management enables you to streamline infrastructure deployment, management, and updates by creating and organizing reusable templates in a centralized repository. These templates encompass infrastructure configurations, schemas, golden images, and resources that can be readily deployed across your environment. With template management, you can expedite the provisioning process, ensure consistency, and easily manage updates and changes. These pre-approved templates follow established implementation patterns and leverage AWS services that have been onboarded and approved, providing teams with ready-to-use resources tailored to their specific requirements.
• Workload Isolation Boundary: This capability allows you to create and manage isolated environments to contain your newly created or migrated workloads. By implementing a workload isolation boundary, you minimize the impact and blast radius of vulnerabilities and threats. This approach simplifies compliance efforts by providing mechanisms to isolate access to resources, ensuring that workloads operate within defined boundaries while maintaining the necessary security and control measures.

By leveraging these Infrastructure capabilities, you can design, build, and manage a secure and highly available cloud infrastructure. From implementing robust network security measures to ensuring reliable network connectivity, template management, and workload isolation, these capabilities provide the foundation for a secure and scalable infrastructure. By prioritizing infrastructure security and reliability, you can create a resilient environment that supports the migration and development of applications in the cloud with confidence.

​Summary

In today's rapidly evolving technological landscape, establishing a solid foundation for your cloud environment is essential. The capabilities within different categories, such as Governance, Risk Management, and Compliance; Operations; Security; Business Continuity; Finance; and Infrastructure, enable organizations to leverage the full potential of the cloud while ensuring security, efficiency, and resilience.

By strategically leveraging these capabilities, organizations can design, build, and manage their cloud environment with confidence. From defining policies and managing risks to optimizing costs, securing applications, ensuring business continuity, and establishing a robust infrastructure, these capabilities provide the necessary tools and frameworks to navigate the complexities of the cloud.