Single region basic pattern
The single region basic AFT pattern provides a foundational cloud architecture, covering key services and configurations to establish a secure, multi-environment landing zone in a single AWS Region. See the high-level target state diagram below.
Network
The network design features a centralized egress Amazon Virtual Private Cloud (VPC) using a NAT Gateway, along with segregated environments for shared services, production, staging, and development. Ingress traffic is distributed and managed within each workload VPC on its public subnet.
Traffic between the workload environments (prod, stage, dev) is isolated: no routes exist between them. Traffic to and from the shared services environment is routed to every other environment. Every VPC enables VPC Flow Logs locally, sending the logs to a CloudWatch Log Group, and can optionally also deliver them to an S3 bucket in the Control Tower Log Archive account.
Additionally, to enable effective IP management integrated with AWS services, the Network account is used as the delegated administrator of the AWS VPC IP Address Manager (IPAM) for the entire organization. Different IP pools are created for each environment mentioned above, making it easier to control and manage IP addresses and routing domains.
See more details in the Network Basic architecture page.
Backup
The pattern also includes a centralized backup architecture with local vaults and a central vault in a dedicated AWS Backup account, providing consolidated backup management and recovery across the environments.
See more details in the Centralized AWS Backup architecture page.
Identity Management
Additionally, the pattern sets up a delegated administrator account for the AWS IAM Identity Center and IAM Access Analyzer services. This includes a Terraform-based pipeline to dynamically deploy and manage Permission Sets, and an analyzer for external access analysis at the organization level.
See more details in the Identity Management architecture page.
Security
All the patterns include the same configuration for basic AWS Security services, such as AWS Security Hub and Amazon GuardDuty.
See more details in the Security Services architecture page.
Global Customizations
This pattern also includes global customizations that are applied across all accounts. These encompass the definition of the password policy for IAM users, as well as account-level configurations such as S3 Block Public Access, AMI Block Public Access, EBS account-level encryption enforcement, and IMDSv2 account-level enforcement.
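The account-level settings listed above, written as Terraform in the style of an AFT global customization. This is an added example, not the pattern's own customization code; the password policy thresholds are assumed values, and the provider is assumed to be configured for the account being customized.

```terraform
# Added example (not the AFT project's own global customization code).
# Assumed: the AWS provider is configured with credentials for the account
# being customized; the password policy values below are illustrative.
# Note: the password policy and S3 Block Public Access are account-wide, while
# AMI Block Public Access, EBS default encryption and IMDS defaults are
# Region-scoped, which is why a single-Region pattern only needs one provider.

# IAM user password policy (illustrative thresholds).
resource "aws_iam_account_password_policy" "this" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

# S3 Block Public Access at the account level: overrides bucket-level settings.
resource "aws_s3_account_public_access_block" "this" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# AMI Block Public Access: reject new public sharing of AMIs in this Region.
resource "aws_ec2_image_block_public_access" "this" {
  state = "block-new-sharing"
}

# EBS encryption by default: new volumes and snapshot copies are encrypted
# with the account's default EBS KMS key (a customer-managed key can be set
# with aws_ebs_default_kms_key).
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

# IMDSv2 enforcement: instances launched without explicit metadata options
# must present a session token; a hop limit of 1 keeps IMDS responses from
# being forwarded beyond the instance itself (bridged containers would need 2).
resource "aws_ec2_instance_metadata_defaults" "this" {
  http_endpoint               = "enabled"
  http_tokens                 = "required"
  http_put_response_hop_limit = 1
}
```

Existing instances and buckets are not modified by these defaults; verify drift on already-provisioned accounts with AWS Config rules or Security Hub controls rather than assuming the defaults apply retroactively.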
Account Provisioning Customizations
No account provisioning customizations other than the AFT default are available for this pattern.