# Account Security

> How Fast Foundation automatically configures security baselines and DDoS protection for every AWS account in your organization

## Out-of-the-Box Account Security

One of the most common security gaps in multi-account AWS environments is **configuration drift** -- new accounts that miss critical security settings because someone forgot a manual step. Fast Foundation eliminates this entirely.

When a new account is added to your organization, it automatically receives a full security baseline: compliance monitoring, encryption defaults, and DDoS protection. No tickets, no checklists, no human intervention required.

***

## Automatic Compliance Baselines

Every account in the organization is automatically configured with:

<CardGroup cols={2}>
  <Card title="AWS Config" icon="magnifying-glass-chart">
    Continuous configuration recording and compliance monitoring across all accounts and regions
  </Card>

  <Card title="Encryption Defaults" icon="lock">
    EBS volumes encrypted by default, S3 public access blocked at the account level
  </Card>

  <Card title="Password Policy" icon="key">
    Organization-standard IAM password policy enforced consistently
  </Card>

  <Card title="Centralized Alerting" icon="bell">
    EventBridge rules forward security events to a central alerting bus for unified monitoring
  </Card>
</CardGroup>

New accounts placed in standard Organizational Units receive these configurations automatically through **OU-based auto-enrollment**. The system is fully managed as code -- every configuration is versioned, auditable, and reproducible.
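To confirm that an account actually holds the baseline listed above, the relevant AWS API responses can be evaluated for drift. The following is an added example, not Fast Foundation's own code: the `audit_baseline` function, the snapshot layout, and the sample data are assumptions of this example, and it checks only that a password policy exists because the organization-standard values are not stated here.

```python
"""Baseline drift check over captured AWS API responses (added example)."""

S3_BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_baseline(snapshot):
    """Return findings; an empty list means the baseline holds.

    snapshot layout is an assumption of this example:
      s3_bpa   -> s3control get_public_access_block response (or None)
      password -> iam get_account_password_policy response (or None)
      regions  -> {region: {"ebs": ec2 get_ebs_encryption_by_default response,
                            "config": config describe_configuration_recorder_status response}}
    """
    findings = []
    bpa = (snapshot.get("s3_bpa") or {}).get("PublicAccessBlockConfiguration", {})
    for flag in S3_BPA_FLAGS:
        if bpa.get(flag) is not True:
            findings.append(f"s3: account-level {flag} is not enabled")
    if not (snapshot.get("password") or {}).get("PasswordPolicy"):
        findings.append("iam: no account password policy is set")
    for region, resp in sorted(snapshot.get("regions", {}).items()):
        if (resp.get("ebs") or {}).get("EbsEncryptionByDefault") is not True:
            findings.append(f"ec2[{region}]: EBS encryption by default is off")
        recorders = (resp.get("config") or {}).get("ConfigurationRecordersStatus", [])
        if not any(r.get("recording") for r in recorders):
            findings.append(f"config[{region}]: no configuration recorder is recording")
    return findings

# Constructed sample snapshots, not output from a real account.
_GOOD_REGION = {"ebs": {"EbsEncryptionByDefault": True},
                "config": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]}}
COMPLIANT = {
    "s3_bpa": {"PublicAccessBlockConfiguration": dict.fromkeys(S3_BPA_FLAGS, True)},
    "password": {"PasswordPolicy": {"MinimumPasswordLength": 14}},
    "regions": {"us-east-1": _GOOD_REGION, "eu-west-1": _GOOD_REGION},
}
DRIFTED = {
    "s3_bpa": {"PublicAccessBlockConfiguration":
               {**dict.fromkeys(S3_BPA_FLAGS, True), "RestrictPublicBuckets": False}},
    "password": None,  # IAM returned NoSuchEntity: no policy configured
    "regions": {"us-east-1": _GOOD_REGION,
                "eu-west-1": {"ebs": {"EbsEncryptionByDefault": False},
                              "config": {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]}}},
}

if __name__ == "__main__":
    for name, snap in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit_baseline(snap) or "OK")
```

EBS default encryption and the Config recorder are per-region settings, so the snapshot carries one entry per region, while the S3 public access block and the IAM password policy are checked once per account.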

***

## DDoS Protection with Shield Advanced

Fast Foundation deploys organization-wide **AWS Shield Advanced** protection through centralized Firewall Manager policies. Resources are automatically enrolled as they are created -- no per-resource setup needed.

**What gets protected automatically:**

| Resource Type              | Scope                   |
| -------------------------- | ----------------------- |
| CloudFront distributions   | All accounts (global)   |
| Application Load Balancers | All accounts (regional) |
| Classic Load Balancers     | All accounts (regional) |
| Elastic IPs                | All accounts (regional) |

Every new CloudFront distribution, load balancer, or EIP is protected from the moment it is created. Shield Advanced provides always-on DDoS detection with automatic Layer 7 mitigation -- your applications stay available during attacks without manual response.

***

## Why This Matters

<Check>
  * **No configuration gaps** -- Every account meets the security baseline from day one, regardless of who created it or when
  * **Scales with your organization** -- Adding a new account or workload requires zero security setup work
  * **Always in compliance** -- AWS Config tracks configuration continuously, ensuring audit readiness at all times
  * **Defense in depth** -- DDoS protection is automatic and organization-wide, not dependent on individual teams remembering to enable it
  * **Everything as code** -- All security configurations are managed through Terragrunt, versioned in Git, and fully reproducible
</Check>
