Docs-first reference architecture and operating model for AWS foundations (Control Tower, Identity Center/SSO, org logging, guardrails, and baseline networking). Opinionated, designed to scale across many accounts and teams.

This repo describes target state, decisions, and operational workflows. It is not a full Terraform implementation of every component.

• Multi-account model (OUs, account archetypes, ownership)
• IAM Identity Center (SSO) model (groups, permission sets, break-glass)
• Centralized logging & audit baseline (org CloudTrail, retention, integrity checks)
• Guardrails baseline (SCP intent + rollout strategy)
• Networking reference (segmentation intent, TGW by default / Cloud WAN when required)
• Operating model (change workflows, exception process, health checks)
• Delivery phases (sequenced plan from discovery → handover)

• Blueprint index: docs/README.md
• Account model: docs/20-account-ou-model.md
• SSO model: docs/30-identity-center-sso.md
• Logging baseline: docs/40-logging-audit.md
• Guardrails: docs/50-guardrails-scp.md
• Networking: docs/60-networking-overview.md
• Operating model: docs/80-operating-model.md
• Delivery phases: docs/90-delivery-phases.md

• Discovery questionnaire: templates/discovery-questionnaire.md
• Account request example: templates/account-request.yaml
• Monthly health check: templates/landing-zone-health-check.md

See docs/adr for decision records (multi-account, Identity Center, TGW vs Cloud WAN).

• AWS Organizations is used (single org unless explicitly required otherwise)
• Identity Center is the default for interactive access
• Foundations changes are PR-reviewed and applied via IaC/pipelines (ClickOps only for bootstrap/emergencies)

See LICENSE.