Out-of-the-Box Account Security
One of the most common security gaps in multi-account AWS environments is configuration drift — new accounts that miss critical security settings because someone forgot a manual step. Fast Foundation eliminates this entirely. When a new account is added to your organization, it automatically receives a full security baseline: compliance monitoring, encryption defaults, and DDoS protection. No tickets, no checklists, no human intervention required.Automatic Compliance Baselines
Every account in the organization is automatically configured with:AWS Config
Continuous configuration recording and compliance monitoring across all accounts and regions
Encryption Defaults
EBS volumes encrypted by default, S3 public access blocked at the account level
Password Policy
Organization-standard IAM password policy enforced consistently
Centralized Alerting
EventBridge rules forward security events to a central alerting bus for unified monitoring
DDoS Protection with Shield Advanced
Fast Foundation deploys organization-wide AWS Shield Advanced protection through centralized Firewall Manager policies. Resources are automatically enrolled as they are created — no per-resource setup needed. What gets protected automatically:| Resource Type | Scope |
|---|---|
| CloudFront distributions | All accounts (global) |
| Application Load Balancers | All accounts (regional) |
| Classic Load Balancers | All accounts (regional) |
| Elastic IPs | All accounts (regional) |
Why This Matters
- No configuration gaps — Every account meets the security baseline from day one, regardless of who created it or when
- Scales with your organization — Adding a new account or workload requires zero security setup work
- Always in compliance — AWS Config tracks configuration continuously, ensuring audit readiness at all times
- Defense in depth — DDoS protection is automatic and organization-wide, not dependent on individual teams remembering to enable it
- Everything as code — All security configurations are managed through Terragrunt, versioned in Git, and fully reproducible