Amazon AWS Official Blog

Cloud Foundations demo videos part one: from deployment to daily operations

The Chinese version[1] of this blog post was originally published on August 6, 2024. We updated the network definitions based on the latest specifications when translating and republishing it in English.

After more than two years of development and improvement, the Cloud Foundations solution has become increasingly rich in functionality, covering most aspects of operating and maintaining cloud environment infrastructure, from security baseline configuration in the basic landing zone to cross-regional shared networks, automated management of cloud resources, and multi-faceted security governance. On the one hand, the solution spans a broad technical spectrum. On the other hand, some functionalities (such as shared networks) are fairly complex in how they adapt to the related Amazon Web Services services and resources. Nevertheless, automation and simplification have always been two of the most important core principles and design ideas of this solution. This article summarizes and demonstrates several important procedures and key steps in Cloud Foundations lifecycle and operation management, so that you can gain a more intuitive and detailed understanding. Sequels will be published depending on the feedback.

The following is the list of 12 demo videos. The videos are annotated in chronological order, and the main features are shown in bold:

  1. Install and automate the deployment of Cloud Foundations;
  2. The automated provision state machine and provision pipelines;
  3. Cloud Foundations user interface console;
  4. Account Factory creates new Amazon Web Services accounts;
  5. Define and deploy cross-account VPC-sharing network connectivity;
  6. Add a new VPC and connect to the existing network through its transit gateway;
  7. Product Factory creates a new account blueprint with permission sets and groups;
  8. Create a new quarterly backup plan for all accounts;
  9. Product Factory creates a new service control policy and attaches it to an organizational unit;
  10. Turn off account bootstrapping baseline configurations, keeping the default VPC;
  11. Product Factory creates a new managed config rule for all accounts;
  12. Product Factory creates a new managed organizational config rule.

1. Install and automate the deployment of Cloud Foundations

This video demonstrates the main process of registering and launching the Cloud Foundations installation and deployment to the customer’s cloud environment. This process is carried out by Amazon Web Services consultants based on the assessment result of the project, i.e., the “Cloud Foundations Implementation Plan Table”. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the check-in automation document and choose Execute;
  2. [00'25"] Fill in Singapore as the main region and Hong Kong as the other governing region;
  3. [00'40"] Fill in the four core accounts, including Management, Infrastructure, Logs, and Security;
  4. [01'10"] Fill in the password policy such as the expiry days and the minimum length;
  5. [01'15"] Fill in the bucket and log group lifecycle management;
  6. [01'30"] Select whether each security baseline configuration is on or off;
  7. [01'55"] Choose Execute to install and deploy Cloud Foundations.

2. The automated provision state machine and provision pipelines

This video demonstrates the provision state machine and the major pipelines that undertake the automated deployment of Cloud Foundations. The process is performed by the consultant to assist the customer, or the customer authorizes the consultant to monitor the deployment status. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the pipeline approver role;
  2. [00'25"] Open the provision state machine in the Amazon Step Functions console;
  3. [00'40"] Open the most recent successful execution, which took 14 minutes and 16 seconds;
  4. [00'55"] The provision state machine coordinates the orderly execution of 4 pipelines;
  5. [01'00"] Show the initial pipeline and its build projects;
  6. [01'40"] Show the setup pipeline and its build projects;
  7. [02'10"] Show the extra pipeline and its build projects;
  8. [02'40"] Show the regional pipeline and its build projects;

3. Cloud Foundations user interface console

This video demonstrates the built-in Cloud Foundations user interface console. Currently, the console mainly displays information and does not allow change management. Changes are mainly carried out by other means, such as the Product Factory or the Amazon Web Services console. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the Amazon CloudFront distribution address of the user interface and log in as cf-viewer;
  2. [00'20"] Show the dashboard information page, including main resource counts, deploying regions, component versions, etc.;
  3. [00'40"] Show the installed and deployed pipeline products;
  4. [01'00"] Show all governed accounts including core accounts;
  5. [01'15"] Show the list of configuration rules detection and remediation;
  6. [01'35"] Show the organizational tree structure, particularly helpful for virtual organizations;
  7. [01'50"] Show the list of pre-built roles;
  8. [02'10"] Show the list of backup plans;
  9. [02'20"] Show the list of account bootstrapping baseline configurations;

4. Account Factory creates new Amazon Web Services accounts

This video demonstrates the main steps for creating Amazon Web Services accounts by the Cloud Foundations Account Factory, which requires deployment upon an Amazon Organizations organization. You can create up to 5 accounts at once. If AWS Control Tower is enabled, you can create only 1 account at a time. See section 10 of the “Cloud Foundations User Operation Manual” for details. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the catalog user role;
  2. [00'20"] Open products in the Amazon Service Catalog console;
  3. [00'30"] Select Account Factory product and choose Launch product;
  4. [00'40"] Enter the provisioned product name department-account-250214, which is unique and relevant to this task;
  5. [00'55"] Enter the account name and email address, up to 5 new accounts at once;
  6. [01'20"] Enter the name or ID of an existing organizational unit (OU), under which the new accounts will be placed after creation;
  7. [01'25"] Enter environment variables; Account Factory can attach tags to the new accounts;
  8. [01'45"] Choose Launch product;

Account environment variables used in the video:

{ "tags": { "DEPARTMENT": "clinic" } }

5. Define and deploy cross-account VPC-sharing network connectivity

This video demonstrates defining a network and deploying it with one click through the Cloud Foundations VPC-sharing network. The network definition consists of 1 transit gateway (TGW) and 2 VPCs (one hub and one spoke) deployed in one region. You can define more suitable and complex network architectures according to actual business requirements. Blog [3] discusses network sharing models in detail, and blog [4] summarizes common traffic inspection patterns with network definition and architecture examples. Also, see section 13 of the “Cloud Foundations User Operation Manual” for more information. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the product manager role;
  2. [00'20"] Open the Cloud Foundations application in the Amazon AppConfig console;
  3. [00'35"] Choose Create configuration, select FreeForm Configuration, enter the profile name network-vpc, and choose Next;
  4. [00'55"] Select JSON format, enter the network definition, choose Next, then choose Save and deploy later;
  5. [01'50"] Open products in the Amazon Service Catalog console;
  6. [02'00"] Select Pipeline Factory product and choose Launch product;
  7. [02'15"] Enter the provisioned product name cf-network-vpc, which is unique and relevant to this task;
  8. [02'20"] Enter pipeline product path network/vpc;
  9. [02'30"] Select the One account mode, enter the deployment account as the Network Account, and choose Launch product;
  10. [02'50"] Open the Provisioned products and check that the cf-network-vpc product status is available;
  11. [03'00"] Open the Amazon CodePipeline console and open the network-vpc pipeline;
  12. [03'20"] Choose Release change and manually approve the build, wait until it succeeds;
  13. [03'50"] Log in to the Network Account as the readonly role;
  14. [04'10"] Open the Amazon VPC console and view the newly created VPCs and the flow logs;
  15. [05'05"] View newly created subnets, route tables, NAT gateways;
  16. [05'45"] View the newly created transit gateway, attachments, and route tables;
  17. [06'50"] Log in to the Sandbox Account as the readonly role;
  18. [07'05"] Open the Amazon VPC console and view the newly shared VPCs and the flow logs;
  19. [07'40"] View newly shared subnets;

Network definition used in the video (with minor adjustments):

{
  "vpcs": {
    "security": {
      "cidr": "192.168.0.0/16", 
      "is_hub": true, 
      "nat": {"enabled": true}, "igw": {"enabled": true},
      "subnets": [[[12, 0], [12, 1]], [[8, 1], [8, 2]]]
    },
    "sandbox": {
      "cidr": "10.0.0.0/16", "accounts": ["123456789013"],
      "subnets": [[[12, 0], [12, 1]], [], [[8, 3], [8, 4]]]
    }
  },
  "tgw": {
    "enabled": true,
    "cidr": "10.0.0.0/8",
    "tables": {
      "pre": {"associations": ["sandbox"], "routes": {"*": "security", "tgw": "blackhole"}},
      "post": {"associations": ["security"], "propagations": ["sandbox"]}
    }
  }
}

6. Add a new VPC and connect to the existing network through its transit gateway

This video demonstrates the main steps for adding a VPC to the existing network provisioned in section 5 of this article and connecting to its transit gateway. The new VPC will be created in the Network Account, and its subnets will be shared with the Logs Account. See section 13 of the “Cloud Foundations User Operation Manual” for details. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the product manager role;
  2. [00'15"] Open the Cloud Foundations application in the Amazon AppConfig console;
  3. [00'40"] Open network-vpc configuration profile;
  4. [00'50"] Choose Create to edit the network definition profile, add the new VPC, and change associations and propagations of the pre-inspection and post-inspection transit gateway route tables;
  5. [01'35"] Choose Create hosted configuration version;
  6. [01'45"] Open the Amazon CodePipeline console and open the network-vpc pipeline;
  7. [02'05"] Choose Review in Manual-approval build, choose Approve, and Submit;
  8. [02'40"] Log in to the Logs Account as the readonly role;
  9. [03'00"] Open the Amazon VPC console and view the newly shared VPCs;
  10. [03'30"] View all newly shared subnets;

Network definition used in the video (with minor adjustments):

{
  "vpcs": {
    "security": {
      "cidr": "192.168.0.0/16", 
      "is_hub": true, 
      "nat": {"enabled": true}, "igw": {"enabled": true},
      "subnets": [[[12, 0], [12, 1]], [[8, 1], [8, 2]]]
    },
    "sandbox": {
      "cidr": "10.0.0.0/16", "accounts": ["123456789013"],
      "subnets": [[[12, 0], [12, 1]], [], [[8, 3], [8, 4]]]
    },
    "logs": {
      "cidr": "10.1.0.0/16", "accounts": ["123456789014"],
      "subnets": [[[12, 0], [12, 1]], [], [[8, 3],  [8, 4]]]
    }
  },
  "tgw": {
    "enabled": true,
    "cidr": "10.0.0.0/8",
    "tables": {
      "pre": {"associations": ["sandbox", "logs"], "routes": {"*": "security", "tgw": "blackhole"}},
      "post": {"associations": ["security"], "propagations": ["sandbox", "logs"]}
    }
  }
}
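
The check below is an added example, not part of the original post or of Cloud Foundations. It expands the section 6 network definition and verifies it before the pipeline is released, assuming that each [newbits, netnum] subnet pair follows Terraform cidrsubnet() semantics and that every non-hub VPC must be associated with the "pre" table and propagated into the "post" table; all function names are hypothetical.

```python
import copy
import ipaddress
from itertools import combinations

# Section 6 network definition from the page, reduced to the fields checked here.
NETWORK = {
    "vpcs": {
        "security": {"cidr": "192.168.0.0/16", "is_hub": True,
                     "subnets": [[[12, 0], [12, 1]], [[8, 1], [8, 2]]]},
        "sandbox": {"cidr": "10.0.0.0/16", "accounts": ["123456789013"],
                    "subnets": [[[12, 0], [12, 1]], [], [[8, 3], [8, 4]]]},
        "logs": {"cidr": "10.1.0.0/16", "accounts": ["123456789014"],
                 "subnets": [[[12, 0], [12, 1]], [], [[8, 3], [8, 4]]]},
    },
    "tgw": {"enabled": True, "cidr": "10.0.0.0/8", "tables": {
        "pre": {"associations": ["sandbox", "logs"],
                "routes": {"*": "security", "tgw": "blackhole"}},
        "post": {"associations": ["security"], "propagations": ["sandbox", "logs"]},
    }},
}


def cidrsubnet(prefix, newbits, netnum):
    """ASSUMPTION: a [newbits, netnum] pair works like Terraform's cidrsubnet()."""
    net = ipaddress.ip_network(prefix)
    new_len = net.prefixlen + newbits
    if new_len > net.max_prefixlen or not 0 <= netnum < 2 ** newbits:
        raise ValueError(f"[{newbits}, {netnum}] does not fit inside {prefix}")
    step = 2 ** (net.max_prefixlen - new_len)
    return ipaddress.ip_network(f"{net.network_address + netnum * step}/{new_len}")


def expand_subnets(vpc):
    """Every subnet of one VPC, in definition order, as ip_network objects."""
    return [cidrsubnet(vpc["cidr"], bits, num)
            for tier in vpc.get("subnets", []) for bits, num in tier]


def validate(definition):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    vpcs = definition["vpcs"]
    for (a, va), (b, vb) in combinations(vpcs.items(), 2):
        if ipaddress.ip_network(va["cidr"]).overlaps(ipaddress.ip_network(vb["cidr"])):
            findings.append(f"{a} and {b}: VPC CIDRs overlap")
    for name, vpc in vpcs.items():
        try:
            nets = expand_subnets(vpc)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        findings += [f"{name}: subnets {x} and {y} overlap"
                     for x, y in combinations(nets, 2) if x.overlaps(y)]
    tgw = definition.get("tgw", {})
    if not tgw.get("enabled"):
        return findings
    # ASSUMPTION: "pre"/"post" are the pre- and post-inspection route tables, and
    # every non-hub VPC must be associated with "pre" and propagated into "post".
    pre = tgw["tables"]["pre"].get("associations", [])
    post = tgw["tables"]["post"].get("propagations", [])
    for name in sorted(set(pre + post) - set(vpcs)):
        findings.append(f"{name}: referenced by a route table but not defined")
    for name in [n for n, v in vpcs.items() if not v.get("is_hub")]:
        if name not in pre:
            findings.append(f"{name}: not associated with the pre-inspection table")
        if name not in post:
            findings.append(f"{name}: not propagated into the post-inspection table")
    return findings


def without_table_updates(definition, vpc_name):
    """Constructed failure case: vpc_name added to "vpcs", route tables left as before."""
    stale = copy.deepcopy(definition)
    for table in stale["tgw"]["tables"].values():
        for key in ("associations", "propagations"):
            table[key] = [n for n in table.get(key, []) if n != vpc_name]
    return stale


if __name__ == "__main__":
    print(validate(NETWORK))
    print(validate(without_table_updates(NETWORK, "logs")))
```

The second call models step 4 of this section done only halfway: the "logs" VPC is defined, but neither transit gateway route table mentions it, so it would sit outside the inspection path.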

7. Product Factory creates a new account blueprint with permission sets and groups

This video demonstrates defining a new account blueprint to provision business-related IAM policies, roles, permission sets, and directory groups by the Cloud Foundations Product Factory. You can define other product templates similarly to build different new account blueprints that fit the actual business. Blog [2] discusses account creation blueprint as product definition in detail. Alternatively, you can define complex workload architectures to automatically deploy and manage the lifecycle of cloud resources. See section 11 of the “Cloud Foundations User Operation Manual” for details. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the product manager role;
  2. [00'10"] Open the product application in the Amazon AppConfig console;
  3. [00'35"] Choose Create configuration, select FreeForm Configuration, enter the profile name product-blueprint-s3access, and choose Next;
  4. [01'00"] Select JSON format, enter the product definition, choose Next, then choose Save and deploy later;
  5. [01'30"] Open products in the Amazon Service Catalog console;
  6. [01'45"] Select Product Factory product and choose Launch product;
  7. [01'55"] Enter the provisioned product name product-blueprint-s3access-sandbox, which is unique and relevant to this task;
  8. [02'05"] Enter the application profile name product-blueprint-s3access;
  9. [02'10"] Enter the environment variables (department information), set the stage to the sandbox account, and choose Launch product;
  10. [02'35"] Open the Provisioned products and check that the product-blueprint-s3access-sandbox product status is available;
  11. [02'55"] Open the Amazon CodePipeline console and open the product-blueprint-s3access pipeline;
  12. [03'15"] Choose Release change and manually approve the build, wait until it succeeds;
  13. [04'15"] Log in to the Sandbox Account as the readonly role;
  14. [04'30"] Open the Amazon IAM console;
  15. [04'50"] View the newly created IAM policy and roles for the clinic department;
  16. [05'45"] Log in to the Security Account as the sso manager role;
  17. [05'55"] Open the IAM Identity Center console;
  18. [06'10"] View the newly created directory group and permission set;

Product definition used in the video. In block [1, 1], we define a policy in both the target account and the Security Account so that it can be referenced.

[
  [{
    "accounts": ["${STAGE}", "$.account.security"],
    "service": "iam",
    "policies": {
      "s3-${DEPARTMENT}": {
        "statements": [{
            "actions": ["s3:ListBucket*", "s3:GetBucket*"],
            "resources": ["arn:${PARTITION}:s3:::my-${DEPARTMENT}-data-${STAGE}"]
          }, {
            "actions": ["s3:GetObject*"],
            "resources": ["arn:${PARTITION}:s3:::my-${DEPARTMENT}-data-${STAGE}/*"]
        }]
      }
    }
  }],
  [{
    "accounts": ["${STAGE}"],
    "service": "iam",
    "roles": {
      "ec2-${DEPARTMENT}": {
        "trusts": ["ec2"], "services": ["lambda"],       
        "policies": ["$.s3-${DEPARTMENT}"],
        "aws_policies": ["ViewOnlyAccess"]
      },
      "lambda-${DEPARTMENT}": { "trusts": ["lambda"], "customer": ["s3-${DEPARTMENT}"] }
    }
  },
  {
    "service": "sso",
    "permissions": {
      "s3-${DEPARTMENT}": {
        "policies": ["$.s3-${DEPARTMENT}"], "aws_policies": ["ViewOnlyAccess"]
      }
    },
    "groups": { 
      "s3-${DEPARTMENT}": { 
        "assigns": { "s3-${DEPARTMENT}": ["${STAGE}"] }
      }
    }
  }]
]

Environment variables used in the video:

{ "DEPARTMENT": "clinic" }

8. Create a new quarterly backup plan for all accounts

This video demonstrates creating a new quarterly backup plan through the extra pipeline. You can configure backup plans for all accounts through the backup vaults and plans pipeline product, or you can deploy separate backup plans for specified accounts and regions through the Product Factory’s backup plan resource. Indeed, the backup plans provisioned by the extra pipeline are powered by the Product Factory’s backup plan resource. See section 17 of the “Cloud Foundations User Operation Manual” for details. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the parameter editor role;
  2. [00'10"] Open the Parameter Store in the Amazon Systems Manager console;
  3. [00'35"] Search for backup and open the backup plans parameter;
  4. [00'45"] Choose Edit, add the quarterly backup plan, and choose Save changes;
  5. [01'40"] Log in to the Infrastructure Account as the pipeline approver role;
  6. [01'50"] Open the Amazon CodePipeline console and open the extra pipeline;
  7. [02'20"] Choose Release change, then choose Release, wait until the backup build is completed;
  8. [02'45"] Log in to the Infrastructure Account as the readonly role;
  9. [02'55"] Open backup plans in the Amazon Backup console;
  10. [03'15"] View the newly created quarterly backup plan;

The quarterly backup plan definition used in the video:

{
  "quarterly": {
    "cron": "cron(0 0 1 */3 ? *)", "lifecycle": [180, 365], "vault": "default"
  }
}

9. Product Factory creates a new service control policy and attaches it to an organizational unit

This video demonstrates defining a service control policy (SCP) and attaching it to an organizational unit by the Cloud Foundations Product Factory. You can define different service control policies in one or more products at an appropriate granularity, making full use of the stage and environment variables, to centrally and efficiently manage policies and their attachments to different organizational units. See the “Cloud Foundations Product Definition Specification” for details. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the product manager role;
  2. [00'10"] Open the product application in the Amazon AppConfig console;
  3. [00'30"] Choose Create configuration, select FreeForm Configuration, enter the profile name product-scp-ec2, and choose Next;
  4. [00'50"] Select JSON format, enter the product definition, choose Next, then choose Save and deploy later;
  5. [01'25"] Open products in the Amazon Service Catalog console;
  6. [01'35"] Select Product Factory product and choose Launch product;
  7. [01'45"] Enter the provisioned product name product-scp-ec2-clinic, which is unique and relevant to this task;
  8. [02'00"] Enter the application profile name product-scp-ec2;
  9. [02'05"] Enter the environment variables (the clinic department OU ID); the stage can be clinic; then choose Launch product;
  10. [02'20"] Open the Provisioned products and check that the product-scp-ec2-clinic product status is available;
  11. [02'35"] Open the Amazon CodePipeline console and open the product-scp-ec2 pipeline;
  12. [02'55"] Choose Review in Manual-approval build, choose Approve, and Submit;
  13. [03'30"] Log in to the Infrastructure Account as the readonly role;
  14. [03'45"] Open the Amazon Organizations console, choose AWS accounts under Policy management;
  15. [04'10"] Choose the Clinic department OU;
  16. [04'15"] Choose the policies tab, choose the newly created and attached SCP to view its content;

Product definition used in the video (with minor adjustments):

{  
  "service": "organizations",
  "policies": {
    "ec2-deny-run-instances": {
      "statements": [{ "effect": "Deny", "actions": ["ec2:*"] }],
      "attaches": ["${DepartmentOuId}"]
    }
  }
}

Corresponding environment variables:

{ "DepartmentOuId": "ou-1234-12345678" }

10. Turn off account bootstrapping baseline configurations, keeping the default VPC

This video demonstrates turning off a baseline configuration of an account through the setup pipeline to achieve granular management of account configuration. Each Cloud Foundations baseline configuration can be turned on or off as needed to best suit the customer’s cloud environment deployment and building needs, minimizing the impact on existing accounts or environments. See section 4 of the “Cloud Foundations User Operation Manual” for details. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the parameter editor role;
  2. [00'15"] Open the Parameter Store in the Amazon Systems Manager console;
  3. [00'35"] Search for baseline and open the account bootstrapping baseline configurations parameter;
  4. [00'45"] Choose Edit, skip deleting the default VPC for the Infrastructure Account, and choose Save changes;
  5. [01'25"] View the modified account bootstrapping baseline configurations parameter;
  6. [01'40"] Log in to the Infrastructure Account as the pipeline approver role;
  7. [01'55"] Open the Amazon CodePipeline console and open the setup pipeline;
  8. [02'15"] Choose Release change, then choose Release, wait until the baseline build is completed;
  9. [02'30"] Check that the baseline build of the Infrastructure Account has indeed skipped deleting the default VPC;

The baseline configuration switch definition used in the video:

{ "vpc_delete_default": ["123456789012"] }

11. Product Factory creates a new managed config rule for all accounts

This video demonstrates defining a managed config rule and deploying it across all accounts with the Cloud Foundations Product Factory. Here, a wildcard asterisk (*) indicates that the containing block is provisioned to all active accounts, and the allowed days parameter is set flexibly through environment variables rather than hardcoded in the definition. Combining sections 7 and 9 of this article with blogs [1, 2], it can be inferred that flexible use of Product Factory helps manage cloud resources meaningfully and efficiently in different scenarios and specific fields. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the product manager role;
  2. [00'15"] Open the product application in the Amazon AppConfig console;
  3. [00'30"] Choose Create configuration, select FreeForm Configuration, enter the profile name product-rule-ec2-stopped, and choose Next;
  4. [00'55"] Select JSON format, enter the product definition, choose Next, then choose Save and deploy later;
  5. [01'20"] Open products in the Amazon Service Catalog console;
  6. [01'30"] Select Product Factory product and choose Launch product;
  7. [01'40"] Enter the provisioned product name product-rule-ec2-stopped, which is unique and relevant to this task;
  8. [01'45"] Enter the application profile name product-rule-ec2-stopped;
  9. [01'50"] Enter the environment variables (the allowed 14 days); the stage can be all; then choose Launch product;
  10. [02'00"] Open the Provisioned products and check that the product-rule-ec2-stopped product status is available;
  11. [02'15"] Open the Amazon CodePipeline console and open the product-rule-ec2-stopped pipeline;
  12. [02'35"] Choose Release change, then choose Release, wait until the pipeline is completed;
  13. [02'45"] Log in to the Infrastructure Account as the readonly role;
  14. [03'05"] Open rules in the Amazon Config console;
  15. [03'15"] View the newly created managed config rule, where the name and allowed days are from environment variables;
  16. [03'40"] Log in to the Logs Account as the readonly role;
  17. [04'00"] Open rules in the Amazon Config console;
  18. [04'10"] View the newly created managed config rule, where the name and allowed days are from environment variables;

Product definition used in the video:

{
  "service": "config",
  "accounts": ["*"],
  "rules": {
    "ec2-stopped-${AllowedDays}d": {
      "rule": "EC2_STOPPED_INSTANCE",
      "types": ["AWS::EC2::Instance"],
      "parameters": { "AllowedDays": "${AllowedDays}" }
    }
  }
}

Environment variables used in the video:

{ "AllowedDays": 14 }
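
A pre-launch check for the product definitions in sections 9 and 11, as an added example that is not Product Factory code. It assumes ${NAME} placeholders are replaced textually, in keys as well as values, by the environment variables, and that "attaches" holds AWS Organizations IDs; render and review_scp are hypothetical names.

```python
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# AWS Organizations ID formats for an OU, a root, and a 12-digit account.
TARGET_ID = re.compile(r"ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32}|\d{12}")

# Product definitions copied from sections 9 and 11 of the page.
SCP_PRODUCT = {
    "service": "organizations",
    "policies": {
        "ec2-deny-run-instances": {
            "statements": [{"effect": "Deny", "actions": ["ec2:*"]}],
            "attaches": ["${DepartmentOuId}"],
        }
    },
}
RULE_PRODUCT = {
    "service": "config",
    "accounts": ["*"],
    "rules": {
        "ec2-stopped-${AllowedDays}d": {
            "rule": "EC2_STOPPED_INSTANCE",
            "types": ["AWS::EC2::Instance"],
            "parameters": {"AllowedDays": "${AllowedDays}"},
        }
    },
}


def render(node, variables):
    """Substitute ${NAME} in keys and string values.

    Returns (rendered copy, sorted names that had no value). ASSUMPTION: plain
    textual substitution; the real engine may also supply built-in variables.
    """
    unresolved = set()

    def substitute(text):
        def replace(match):
            name = match.group(1)
            if name in variables:
                return str(variables[name])
            unresolved.add(name)
            return match.group(0)  # leave the placeholder visible
        return PLACEHOLDER.sub(replace, text)

    def walk(item):
        if isinstance(item, dict):
            return {substitute(key): walk(value) for key, value in item.items()}
        if isinstance(item, list):
            return [walk(value) for value in item]
        return substitute(item) if isinstance(item, str) else item

    return walk(node), sorted(unresolved)


def review_scp(product, variables):
    """Findings a reviewer should see before approving an SCP product."""
    rendered, unresolved = render(product, variables)
    findings = [f"unresolved placeholder ${{{name}}}" for name in unresolved]
    for name, policy in rendered.get("policies", {}).items():
        for target in policy.get("attaches", []):
            if not TARGET_ID.fullmatch(target):
                findings.append(
                    f"{name}: attach target {target!r} is not an OU, root or account ID")
        for statement in policy.get("statements", []):
            broad = [a for a in statement.get("actions", []) if a == "*" or a.endswith(":*")]
            if statement.get("effect") == "Deny" and broad:
                findings.append(f"{name}: Deny statement uses service-wide wildcard {broad}")
    return findings


if __name__ == "__main__":
    print(render(RULE_PRODUCT, {"AllowedDays": 14}))
    print(review_scp(SCP_PRODUCT, {"DepartmentOuId": "ou-1234-12345678"}))
    print(review_scp(SCP_PRODUCT, {}))
```

With the page's inputs the only SCP finding is the service-wide Deny on ec2:*, which is broader than the policy name ec2-deny-run-instances suggests. The rule renders to ec2-stopped-14d with the parameter as the string "14".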

12. Product Factory creates a new managed organizational config rule

This video demonstrates using the Cloud Foundations Product Factory to define a managed organizational rule and provision it to the Security Account, i.e., the delegated administrator for Amazon Config multi-account management. Amazon Config automatically deploys organizational rules to all active accounts within the organization. This section achieves a goal similar to that of the previous section, but uses a different resource of the Product Factory. You can make specific choices according to the actual situation. Demo video:

Click to watch video

Key steps:

  1. [00'00"] Open the IAM Identity Center access portal, log in to the Infrastructure Account as the product manager role;
  2. [00'20"] Open the product application in the Amazon AppConfig console;
  3. [00'30"] Choose Create configuration, select FreeForm Configuration, enter the profile name product-orgrule-ec2-stopped, and choose Next;
  4. [00'50"] Select JSON format, enter the product definition, choose Next, then choose Save and deploy later;
  5. [01'10"] Open products in the Amazon Service Catalog console;
  6. [01'25"] Select Product Factory product and choose Launch product;
  7. [01'35"] Enter the provisioned product name product-orgrule-ec2-stopped, which is unique and relevant to this task;
  8. [01'40"] Enter the application profile name product-orgrule-ec2-stopped;
  9. [01'45"] Enter the environment variables (the allowed 14 days); the stage can be blank; then choose Launch product;
  10. [01'55"] Open the Provisioned products and check that the product-orgrule-ec2-stopped product status is available;
  11. [02'05"] Open the Amazon CodePipeline console and open the product-orgrule-ec2-stopped pipeline;
  12. [02'25"] Choose Release change, then choose Release, wait until the pipeline is completed;
  13. [02'40"] Log in to the Infrastructure Account as the readonly role;
  14. [02'55"] Open rules in the Amazon Config console;
  15. [03'10"] View the newly created managed organizational config rule, where the name and allowed days are from environment variables;
  16. [03'30"] Log in to the Logs Account as the readonly role;
  17. [03'50"] Open rules in the Amazon Config console;
  18. [04'00"] View the newly created managed organizational config rule, where the name and allowed days are from environment variables;

Product definition used in the video:

{
  "service": "config",
  "org-rules": {
    "ec2-stopped-${AllowedDays}d": {
      "rule": "EC2_STOPPED_INSTANCE",
      "types": ["AWS::EC2::Instance"],
      "parameters": { "AllowedDays": "${AllowedDays}" }
    }
  }
}

Environment variables used in the video:

{ "AllowedDays": 14 }

Conclusion

This article demonstrates several important aspects of the Cloud Foundations lifecycle, from installation and deployment to daily operation and maintenance, through 12 demo videos, from which you can obtain a detailed overview of the major components and important functions. In particular, the Product Factory can be transformed into a richer, more practical, and professional cloud environment management tool if used flexibly, such as account creation blueprints, service control policies, and management of managed (organizational) config rules. Owing to limited space, more practical functions and in-depth applications of this solution cannot be presented thoroughly. Nonetheless, practical sequels will be posted in the future based on readers’ feedback and project summaries, so stay tuned.

References

  1. Blog post: “Deploy elastic bastion hosts in one-click for secure session management and port forwarding with Cloud Foundations”, September 2023
  2. Blog post: “Use Cloud Foundations Product Factory to plan, design and one-click deploy infrastructural cloud resources such as multi-account access control and permission policies”, March 2024
  3. Blog post: “Use Cloud Foundations to holistically plan and one-click deploy two network sharing models in multi-account organizations on the cloud”, February 2023
  4. Blog post: “Use Cloud Foundations to plan and design multi-regional hub-spoke network topology on the cloud and one-click deploy east-west south-north traffic inspection separated or combined”, November 2023

Authors

Clement Yuan

Clement Yuan is a Cloud Infra Architect in AWS Professional Services based in Chengdu, China. He works with various customers, from startups to international enterprises, helping them build and implement solutions with state-of-the-art cloud technologies and achieve more in their cloud explorations. He enjoys reading poetry and traveling around the world in his spare time.

Yuxin Liu

AWS Pr. Delivery Consultant