AWS Landing Zone Accelerator
Reference Architecture — Infrastructure Portfolio
ACTIVE · HIPAA / HITRUST / CIS

Management & Tooling — Root / Management Account
AWS CodePipeline: Source trigger
CodeBuild: Build & validate
CloudFormation: Stack deployment
Control Tower: Guardrails & SCPs
S3 / CDK: Assets & IaC
→ Deploy SCPs & Baselines

AWS Organizations — Organizational Unit Structure
OUs: Security · Infrastructure · Sandbox · Workloads · Exceptions
→ Identity & Access Federation

IAM Identity Center (SSO) — Centralized Identity & Access
Microsoft Entra ID (SAML 2.0) · SCIM Provisioning · Permission Sets · Role-based Access · MFA Enforced · AWS Client VPN
→ Security Controls Enforcement

Security & Compliance Services — Enabled Across All Accounts
AWS Security Hub: Aggregates findings across accounts; CIS, HIPAA, NIST controls.
Amazon GuardDuty: Threat detection — malicious IPs, DNS, CloudTrail anomalies.
AWS Config: Continuous resource compliance evaluation & drift detection.
AWS CloudTrail: Org-wide API audit logs centralized to the Log Archive S3 bucket.
Amazon Macie: S3 sensitive data discovery — PHI / PII classification.
CloudWatch + Alarms: CIS metric filters, threshold alarms, centralized log groups.
SCPs: Preventive controls — deny root, enforce regions, block public S3.
AWS KMS: CMKs for EBS, S3, RDS, EFS encryption at rest.
Amazon Inspector: EC2 / Lambda / ECR vulnerability assessments.
→ Network Segmentation

Network Account — Centralized Networking
Transit Gateway: TGW peering, route tables, RAM share
Inspection VPC: AWS Network Firewall, east-west, egress
Endpoint VPC: PrivateLink, S3 gateway endpoint, Route 53 Resolver
Client VPN: Entra ID AuthN, split tunnel, VPN endpoint
On-Prem / DX: Direct Connect, Site-to-Site VPN
→ Workload Connectivity via TGW

Workload Accounts — Data & Compute
Amazon EFS · Amazon S3 (Lab Data) · Amazon RDS (PostgreSQL) · EC2 (HPC / Analysis) · ECS / App Runner · S3 Vendor Buckets · Secrets Manager · SharePoint Sync
→ Centralized Logging & Audit

Compliance Frameworks & Audit Posture
HIPAA · HITRUST CSF · CIS AWS v1.4 · NIST 800-53 · SOC 2
Org-wide CloudTrail · Centralized Log Archive · Config Rules · Security Hub Aggregator