AWS Architecture

Multi-Account Strategy

Fast Foundation uses AWS Organizations to create a hierarchical account structure that provides isolation, security, and clear separation of concerns.

Organizational Units (OUs) and Accounts

Organizational Units are logical groupings of AWS accounts within an organization. They help you organize accounts based on business function, project, or environment, and allow you to apply policies to groups of accounts. AWS Accounts are the basic containers for your AWS resources. Each account provides isolation and has its own billing, security, and access controls.

Account Hierarchy

Organization Management Account (Root Account)

Centralized billing and account management
Organization-wide policies and guardrails

Security OU

Production OU → Log Archive Production Account

Centralized logging from all accounts
- AWS Services logs: Cloudtrail, VPC Flow logs, WAF, ALB, Cloudfront, etc
- Application log services: Opensearch

Production OU → Security Tooling Production Account

Centralized security stack management
Compliance monitoring
Security incident response

Infrastructure OU

Infrastructure Account

AWS IAM Identity Center (SSO) configuration
Shared services and tooling
CI/CD pipelines roles and OIDC

Workloads OU

Development OU → Workload Core Development Account

EKS/ECS clusters
Application workloads
Development databases

Production OU → Workload Core Production Account

EKS/ECS clusters
Application workloads
Production databases

Account Purposes

Account	Purpose	Typical Access
Workload Production	Live production environment	Strictly controlled roles, often read-only
Workload Development	Development environment mirroring production	Broader permissions for testing and validation
Security Production	Centralized security management	Limited to security engineers
Organization Management	Organization and billing	Restricted to owners and admins
Infrastructure	Core cloud infrastructure	Managed by the Cloud Engineering team

Networking Architecture

VPC Design

Each workload account contains one or more VPCs with the following structure:

VPC
└── Public Subnets
    ├── Internet Gateway
    ├── NAT Gateway
    └── Load Balancers
    └── Etc
└── Private Subnets
    ├── EKS/ECS Worker Nodes
    └── Application Workloasd
    └── Lambdas
    └── Etc
└── Database VPC (Peered)
    ├── RDS Instances
    └── ElastiCache Cluster
    └── Etc   

Cross-Account Connectivity

VPC Peering: Primary method for connecting workload accounts with the Infrastructure account for shared services access. VPC Endpoints: Private connectivity to AWS services without internet routing.

Security Architecture

Network Security

Fast Foundation enforces strong segmentation by combining multiple AWS networking controls. Together, these mechanisms reduce exposure and improve defense-in-depth:

Private Subnets

Application workloads run in private subnets with no direct internet access

Security Groups

Micro-segmentation with restrictive security group rules

NACLs

Network-level access control lists for additional security

VPC Endpoints

Private connectivity to AWS services without internet routing

Identity and Access Management

AWS IAM Identity Center (SSO):

Centralized user management
Multi-factor authentication enforcement
Role-based access control (RBAC)
Integration with external identity providers

IAM Roles:

Service-specific roles with least privilege
Cross-account access through assume role policies
Temporary credentials with expiration

Data Protection

Encryption:

At Rest: S3, RDS, EBS volumes encrypted with AWS KMS
In Transit: TLS 1.2+ for all communications
Application Level: Secrets managed through AWS Secrets Manager

Backup and Recovery:

Automated backups for RDS and EBS volumes
Point-in-time recovery capabilities
Cross-region replication available for critical data (optional)

Observability Architecture

Logging

Centralized Logging:

CloudTrail: API calls and account activity
VPC Flow Logs: Network traffic analysis
Application Logs: Container logs via CloudWatch
System Logs: EKS cluster and node logs

Log Aggregation:

Logs are collected in the Log Archive account
S3 for long-term storage
CloudWatch for real-time analysis
Optional: OpenSearch for advanced querying

Monitoring

Metrics Collection:

CloudWatch: AWS service metrics
Prometheus: Application and custom metrics
Grafana: Visualization and dashboards
AWS X-Ray: Distributed tracing

Alerting:

CloudWatch Alarms for critical metrics
SNS for notification delivery
Integration with Slack, PagerDuty, or email

Cost Optimization

Resource Management

Autoscaling:

EKS cluster autoscaling based on demand
RDS read replicas for read-heavy workloads
S3 lifecycle policies for cost optimization

Spot Instances:

Non-critical workloads on Spot instances
Mixed instance types for availability

Compliance and Governance

AWS Config

Organization-wide compliance monitoring:

Resource configuration drift detection
Compliance rules for security standards
Automated remediation workflows

Audit and Compliance

Compliance Tracking:

SOC 2 and HIPAA: Tracked through AWS Security Hub and Config
Network Segmentation: Isolated workloads in private subnets
Multi-Factor Authentication: Enforced for all user access
Least Privilege Access: Minimal required permissions
Encryption: Data encrypted in transit and at rest

Introduction & Key Concepts

AWS SSO Setup

IaC Management

User Management

Application Creation

ArgoCD UI

Workshops

Multi-Account Strategy

Organizational Units (OUs) and Accounts

Account Hierarchy

Account Purposes

Networking Architecture

VPC Design

Cross-Account Connectivity

Security Architecture

Network Security

Private Subnets

Security Groups

NACLs

VPC Endpoints

Identity and Access Management

Data Protection

Observability Architecture

Logging

Monitoring

Cost Optimization

Resource Management

Compliance and Governance

AWS Config

Audit and Compliance

Introduction & Key Concepts

AWS SSO Setup

IaC Management

User Management

Application Creation

ArgoCD UI

Workshops

​Multi-Account Strategy

​Organizational Units (OUs) and Accounts

​Account Hierarchy

​Account Purposes

​Networking Architecture

​VPC Design

​Cross-Account Connectivity

​Security Architecture

​Network Security

Private Subnets

Security Groups

NACLs

VPC Endpoints

​Identity and Access Management

​Data Protection

​Observability Architecture

​Logging

​Monitoring

​Cost Optimization

​Resource Management

​Compliance and Governance

​AWS Config

​Audit and Compliance

Multi-Account Strategy

Organizational Units (OUs) and Accounts

Account Hierarchy

Account Purposes

Networking Architecture

VPC Design

Cross-Account Connectivity

Security Architecture

Network Security

Identity and Access Management

Data Protection

Observability Architecture

Logging

Monitoring

Cost Optimization

Resource Management

Compliance and Governance

AWS Config

Audit and Compliance