Out-of-the-Box Account Security

One of the most common security gaps in multi-account AWS environments is configuration drift — new accounts that miss critical security settings because someone forgot a manual step. Fast Foundation eliminates this entirely. When a new account is added to your organization, it automatically receives a full security baseline: compliance monitoring, encryption defaults, and DDoS protection. No tickets, no checklists, no human intervention required.

Automatic Compliance Baselines

Every account in the organization is automatically configured with:

AWS Config

Continuous configuration recording and compliance monitoring across all accounts and regions

Encryption Defaults

EBS volumes encrypted by default, S3 public access blocked at the account level

Password Policy

Organization-standard IAM password policy enforced consistently

Centralized Alerting

EventBridge rules forward security events to a central alerting bus for unified monitoring

New accounts placed in standard Organizational Units receive these configurations automatically through OU-based auto-enrollment. The system is fully managed as code — every configuration is versioned, auditable, and reproducible.
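
A drift check for the baseline items listed above (AWS Config recording, EBS default encryption, the S3 account-level public access block, and the IAM password policy), as an added example that is not Fast Foundation's own code. The function name, finding strings, the `min_length` of 14 and the sample data are assumptions constructed for illustration; the inputs mirror the responses of the AWS API calls named in the comments.

```python
# Inputs are shaped like the responses of these AWS API calls:
#   ebs[region]    ec2.get_ebs_encryption_by_default
#   s3_pab         s3control.get_public_access_block
#   config[region] config.describe_configuration_recorder_status
#   password       iam.get_account_password_policy (None if no policy is set)
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_baseline(ebs, s3_pab, config, password, min_length=14):
    """Return sorted findings; empty means no drift. min_length is an assumed standard."""
    findings = []
    # Encryption defaults: EBS default encryption is a per-region setting.
    for region, resp in ebs.items():
        if not resp.get("EbsEncryptionByDefault", False):
            findings.append(f"ebs-default-encryption-off:{region}")
    # S3 account-level block: all four flags must be true.
    pab = (s3_pab or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"s3-public-access-block-missing:{flag}")
    # AWS Config: at least one recorder must be recording in every region.
    for region, resp in config.items():
        recorders = resp.get("ConfigurationRecordersStatus", [])
        if not any(r.get("recording") for r in recorders):
            findings.append(f"config-not-recording:{region}")
    # Password policy: must exist and meet the assumed minimum length.
    policy = (password or {}).get("PasswordPolicy")
    if policy is None:
        findings.append("iam-password-policy-missing")
    elif policy.get("MinimumPasswordLength", 0) < min_length:
        findings.append("iam-password-policy-too-short")
    return sorted(findings)


# Constructed sample: an account that drifted, mostly in eu-west-1.
SAMPLE = dict(
    ebs={"us-east-1": {"EbsEncryptionByDefault": True},
         "eu-west-1": {"EbsEncryptionByDefault": False}},
    s3_pab={"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS[:3], True)},
    config={"us-east-1": {"ConfigurationRecordersStatus": [{"recording": True}]},
            "eu-west-1": {"ConfigurationRecordersStatus": []}},
    password={"PasswordPolicy": {"MinimumPasswordLength": 8}},
)

if __name__ == "__main__":
    for finding in audit_baseline(**SAMPLE):
        print(finding)
```

Feeding it live responses collected per region turns the "from day one" claim into something that can be re-verified on a schedule, independently of the tooling that applied the baseline.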

DDoS Protection with Shield Advanced

Fast Foundation deploys organization-wide AWS Shield Advanced protection through centralized Firewall Manager policies. Resources are automatically enrolled as they are created — no per-resource setup needed.

What gets protected automatically:

Resource Type                 Scope
CloudFront distributions      All accounts (global)
Application Load Balancers    All accounts (regional)
Classic Load Balancers        All accounts (regional)
Elastic IPs                   All accounts (regional)

Every new CloudFront distribution, load balancer, or EIP is protected from the moment it is created. Shield Advanced provides always-on DDoS detection with automatic Layer 7 mitigation — your applications stay available during attacks without manual response.

Why This Matters

  • No configuration gaps — Every account meets the security baseline from day one, regardless of who created it or when
  • Scales with your organization — Adding a new account or workload requires zero security setup work
  • Always in compliance — AWS Config tracks configuration continuously, ensuring audit readiness at all times
  • Defense in depth — DDoS protection is automatic and organization-wide, not dependent on individual teams remembering to enable it
  • Everything as code — All security configurations are managed through Terragrunt, versioned in Git, and fully reproducible