AWS Cloud Foundation – Preparing for the Future of Edge Computing with AWS

The Establishing Your Cloud Foundation on AWS section of the AWS Architecture Center is an excellent starting point for establishing these practices. It contains guidance on how to establish foundational practices as part of a capability-based approach for the applications you build on AWS. This can be thought of as a stripped-down, AWS-specific version of something such as the Information Technology Infrastructure Library (ITIL).

Examples of such capabilities you should include in your architecture are discussed next.

Identity Management and Access Control

The Identity Management and Access Control (IMAC) capability guides you in implementing and monitoring your configuration of AWS Identity and Access Management (IAM) – something that is used in every single architecture built on AWS.

This may well be the most difficult capability to get right the first time, and you will benefit greatly from the guidance found there. It covers things such as how to use AWS IAM Identity Center for multi-factor authentication (MFA) and federation with other identity sources such as Active Directory, Google Workspace, or Okta.

Workload isolation

The Workload Isolation capability includes best practices for organizing your AWS environment into a multi-account structure built with AWS Organizations, with guardrails enforced by service control policies (SCPs).
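SCPs are easy to misread because they grant nothing themselves: they only set the outer boundary of what IAM policies inside an account can ever permit, an explicit Deny always wins, and an action with no matching Allow is implicitly denied. The following is an added example, not code from the article or from AWS, that encodes those documented evaluation rules in a small evaluator and runs a constructed guardrail policy through it. The account ID, the break-glass role name and the policy itself are placeholders; only the `StringEquals`/`StringNotEquals` condition operators are modelled, and `Resource` is not evaluated because every statement uses `"*"`.

```python
"""Minimal evaluator for AWS Organizations service control policies (SCPs).

Added example, not part of the original article. It models the documented
SCP evaluation rule (an explicit Deny always wins; an action is permitted
only if at least one Allow statement matches) against a constructed
guardrail policy. Condition support is limited to StringEquals and
StringNotEquals, which covers the common "break-glass role" exception.
"""
import fnmatch
import json

# Constructed guardrail SCP for a workload OU: a full-access baseline plus
# denies that protect audit logging and stop accounts leaving the org.
# The account id and role ARN are placeholders, not real identifiers.
GUARDRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ProtectCloudTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {
       "aws:PrincipalArn": "arn:aws:iam::111111111111:role/SecurityBreakGlass"}}},
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate the subset of condition operators this example supports.

    A negated operator on a key missing from the request context evaluates
    to true, matching IAM's behaviour for StringNotEquals.
    """
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"unsupported operator {operator}")
    return True


def scp_allows(policy, action, context):
    """Return True if the SCP permits `action` for the given request context.

    Only statements whose conditions hold are considered. Any matching Deny
    wins outright; otherwise at least one matching Allow is required.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    dev = {"aws:PrincipalArn": "arn:aws:iam::111111111111:role/Developer"}
    breakglass = {"aws:PrincipalArn":
                  "arn:aws:iam::111111111111:role/SecurityBreakGlass"}
    for action, ctx in [("s3:GetObject", dev),
                        ("cloudtrail:StopLogging", dev),
                        ("cloudtrail:StopLogging", breakglass),
                        ("organizations:LeaveOrganization", breakglass)]:
        who = ctx["aws:PrincipalArn"].rsplit("/", 1)[-1]
        print(f"{who:20} {action:35} allowed={scp_allows(GUARDRAIL_SCP, action, ctx)}")
```

Run as a script it prints one line per request; the point to take away is that the break-glass role still cannot leave the organization, because that Deny carries no condition, while a developer is blocked from stopping CloudTrail even if their own IAM policy grants it.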

Log storage

One of the most important things you must be able to do is quickly produce detailed reports on the flow of data through your application – especially who accessed what data and when. This might be to answer an auditor’s questions or to cooperate with authorities when a breach is suspected.

The Log Storage capability covers using VPC Flow Logs to capture traffic at the network level, AWS CloudTrail to record calls to the AWS API and Management Console, and AWS CloudWatch to centrally aggregate logs from within your applications.
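Producing the "who accessed what data, and when" report the previous section asks for means querying CloudTrail records by principal, resource and time window. The following is an added example, not code from the article or from AWS: the four records are constructed to mirror the shape of CloudTrail's JSON (S3 data events plus one CloudTrail management event), with placeholder account IDs, bucket names and IP addresses. Note that object-level S3 events like those below are only recorded when data event logging is enabled on the trail; management events are logged by default.

```python
"""Answering "who accessed what data, and when" from CloudTrail records.

Added example, not part of the original article. SAMPLE_TRAIL is a
constructed list of records shaped like CloudTrail JSON events; the account
id, bucket names, role names and IP addresses are placeholders.
"""
from datetime import datetime, timezone

SAMPLE_TRAIL = [
    {"eventTime": "2024-03-05T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111111111111:role/Developer"}}},
     "requestParameters": {"bucketName": "customer-data-example",
                           "key": "exports/2024-03.csv"}},
    {"eventTime": "2024-03-05T09:40:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Contractor/bob",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111111111111:role/Contractor"}}},
     "requestParameters": {"bucketName": "customer-data-example",
                           "key": "exports/2024-02.csv"}},
    {"eventTime": "2024-03-05T10:01:15Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-03-06T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111111111111:user/reporting"},
     "requestParameters": {"bucketName": "other-bucket-example",
                           "key": "weekly.csv"}},
]

# Management events that change what CloudTrail records; any of these
# deserves a high-severity alert because they blind every later report.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                         "PutEventSelectors"}


def parse_time(value):
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def actor(record):
    """Return the identity to report: for assumed roles, the issuing role
    rather than the per-session ARN, so one person's sessions group together."""
    ident = record["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer or ident.get("arn", ident["type"])


def resource(record):
    """Build an S3 ARN from the request parameters of an S3 data event."""
    params = record.get("requestParameters") or {}
    if record["eventSource"] == "s3.amazonaws.com" and "bucketName" in params:
        arn = f"arn:aws:s3:::{params['bucketName']}"
        return f"{arn}/{params['key']}" if "key" in params else arn
    return "*"


def data_access_report(records, bucket, start, end):
    """Rows for every S3 access to `bucket` inside [start, end], oldest first.
    Denied attempts are kept: an auditor wants to see them too."""
    rows = []
    for rec in records:
        when = parse_time(rec["eventTime"])
        params = rec.get("requestParameters") or {}
        if rec["eventSource"] != "s3.amazonaws.com" or params.get("bucketName") != bucket:
            continue
        if not (start <= when <= end):
            continue
        rows.append({"when": rec["eventTime"], "who": actor(rec),
                     "action": rec["eventName"], "what": resource(rec),
                     "source_ip": rec["sourceIPAddress"],
                     "outcome": rec.get("errorCode", "Success")})
    return sorted(rows, key=lambda row: row["when"])


def logging_tamper_alerts(records):
    """Return (time, actor, event) for any attempt to alter CloudTrail itself."""
    return [(rec["eventTime"], actor(rec), rec["eventName"]) for rec in records
            if rec["eventSource"] == "cloudtrail.amazonaws.com"
            and rec["eventName"] in LOGGING_TAMPER_EVENTS]


if __name__ == "__main__":
    window = (parse_time("2024-03-05T00:00:00Z"), parse_time("2024-03-05T23:59:59Z"))
    for row in data_access_report(SAMPLE_TRAIL, "customer-data-example", *window):
        print(row)
    for alert in logging_tamper_alerts(SAMPLE_TRAIL):
        print("ALERT", alert)
```

In practice the records would come from the trail's S3 bucket or a CloudTrail Lake query rather than an in-memory list, but the reporting logic is the same: filter by resource and time, normalise the principal to the issuing role, and keep denied attempts in the report alongside the successful ones.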

Governance

The Governance capability helps you to define your organizational policies for business and regulatory compliance. This includes using services such as AWS Artifact to find published compliance reports for AWS’ portion of the shared responsibility model. To assist with customer responsibilities, AWS publishes extensive guidance on how to manage risk and compliance for your applications running in the cloud.

Change management

The Change Management capability helps you manage risk and minimize the impact of planned changes to your production applications. This includes organizational processes such as sending planned changes that have an unknown risk profile to a Change Advisory Board (CAB) as Requests for Change (RFCs). This, in turn, could be informed by using AWS Config as a configuration management database (CMDB) for your resources in the cloud.
