AWS Landing Zone Terraform Starter Kit

A production-ready Terraform configuration for a secure AWS landing zone. Works as a single-account security baseline or a full multi-account setup with AWS Organizations, SCPs, Transit Gateway networking, and account vending. Every module can be toggled on or off - start simple and grow.

£249 + VAT Instant download (ZIP)

What's included

  • IAM baseline with strict password policy and Access Analyser
  • CloudTrail multi-region logging with S3 storage and lifecycle policies
  • GuardDuty threat detection with SNS alert notifications
  • Security Hub with CIS AWS Foundations Benchmark and AWS Best Practices
  • AWS Config with managed compliance rules (root MFA, encryption, S3 public access, default security groups)
  • Budget alerts at 80% and 100% thresholds
  • AWS Organizations with OUs (Security, Workloads, Sandbox)
  • Service Control Policies - deny root, require S3 encryption, restrict regions
  • Account vending module for self-service account provisioning
  • Hub VPC with Transit Gateway, shared to the organisation via RAM
  • Two egress patterns: centralised (NAT in hub) or distributed (NAT per spoke)
  • Terraform remote state backend (S3 + DynamoDB lock table)
  • Every module toggleable via variables - start simple, add complexity when ready
  • Compatible with Terraform 1.5+

Who is this for?

Platform teams and cloud architects setting up a new AWS environment or hardening an existing one. Works for single-account setups that need a security baseline, and scales to multi-account organisations that need OUs, SCPs, and centralised networking. Also valuable for consultants delivering landing zone projects who want a proven, codified starting point.

How it works

After purchase, you receive an instant download link via email. The download is a ZIP containing Terraform files organised by service. Copy the example tfvars file, set your values, and run terraform apply. Start with the single-account baseline (IAM, CloudTrail, GuardDuty, Config, budgets), then enable Organizations, SCPs, VPC, and account vending when you are ready to go multi-account.

  1. Purchase: Stripe checkout
  2. Automated Email: Stripe + Lambda + SES
  3. Download: Secure link, 24hr expiry
  4. Start Using: Immediate access

Architecture

Single-Account Baseline (always on)

  • IAM: Password + Analyser
  • CloudTrail: Multi-region
  • GuardDuty: Threat Detection
  • Security Hub: CIS Benchmark
  • Config: 10 Rules
  • Budgets: 80% + 100%
  • S3 Public Block
  • EBS Encryption
  • Remote State (S3 + DDB)

Multi-Account (optional)

  • AWS Organizations: Management Account
  • Security OU: Audit, Log Archive
  • Workloads OU: Production, Staging
  • Sandbox OU: Experimentation
  • SCPs: Root, Encrypt, Regions
  • Account Vending: Self-service
  • Hub VPC + Transit Gateway: Shared via RAM to all accounts in the organisation

Choose Your Egress Pattern

Centralised Egress: Hub VPC has IGW + NAT. Spokes route through TGW.

  • (+) Single point of control, consistent egress IPs
  • (+) Fewer NAT gateways, easier firewall management
  • (-) TGW data charges on internet traffic
  • Cost: ~$130/month (TGW + 2 NAT gateways)

Distributed Egress: Hub is transit-only. Each spoke has its own NAT.

  • (+) Independent resilience, lower latency
  • (+) No TGW data charges for internet traffic
  • (-) More NAT gateways, different egress IPs per account
  • Cost: ~$65/month (TGW) + ~$65/month per spoke