TAC AWS Foundations

Your AWS organisation, deployed consistently and built to evolve

TAC AWS Foundations is an orchestration engine that deploys your AWS organisation using the settings you define.

TAC AWS Foundations gives you a secure, scalable, multi-account, multi-region AWS environment aligned to AWS best practice and Well-Architected principles, and evolves as AWS advances.

What Foundations Includes

A complete, enterprise-grade AWS organisation built using proven, modular patterns.

Organisational Base

AWS Control Tower landing zone
Service control policies (SCPs), guardrails and governance boundaries
Centralised logging (AWS CloudTrail, AWS Config and S3 logging buckets)

Security and Compliance

AWS Config rules and conformance packs
CloudTrail organisation trails
AWS Security Hub, GuardDuty, Macie, Detective, Inspector, Audit Manager
AWS KMS key management aligned to least-privilege patterns

Management and Governance

Backup policies and central backup monitoring
Cost and usage visibility
AWS License Manager integration
Health, Trusted Advisor and Resource Explorer alignment
Systems Manager integration

Networking

AWS Transit Gateway, including region peering
VPC architectures for core, shared services and workloads
AWS Network Firewall
AWS VPC endpoints for private access to AWS services
Route 53 Resolver endpoints and forwarding
Public and private DNS zones and delegated subdomains
Integration support for AWS Site-to-Site VPN and AWS Direct Connect Gateway

Identity & Access

AWS IAM Identity Center
Permission set definitions for common roles and access patterns
Optional integration with external identity providers such as Active Directory

Workload Environment Foundations

Dev / Test / Prod account structures aligned to your operating model
Shared services VPCs and foundational networking for common platform services
S3 patterns for logs, backups and data storage
A catalogue-driven approach to enabling AWS services inside workload accounts using TAC AWS Foundations modules, configured through settings rather than ad-hoc scripts

How It Works

  1. You define settings: Configure how your organisation should behave across networking, security, governance, identity, backup, logging and more.
  2. Foundations orchestrates your configuration into deployed infrastructure: Your settings are orchestrated into deployed AWS resources using Infrastructure as Code modules maintained by TAC.
  3. Foundations plans run with read-only access: Foundations generates a change plan inside your environment using a read-only role.
  4. You approve changes for each build: Nothing applies automatically. Changes only occur when you explicitly approve them for that build.
  5. TAC never receives write access: No operational access, no ability to modify workloads, and no long-lived admin roles. The environment remains under your control at all times.

Continuous Modernisation

AWS changes continuously. TAC AWS Foundations gives you a secure, scalable, multi-account AWS environment aligned to best practice from day one, and it keeps evolving as AWS advances.

TAC maintains the underlying Terraform modules so new AWS capabilities can be exposed as additional settings or configuration options. Your environments benefit from continuous improvements without the operational burden, and you retain full control over which changes are planned and applied.

Who It's For

TAC AWS Foundations is for organisations that want consistent, specialist-level AWS infrastructure without needing to build and maintain that capability internally.

It complements your existing cloud and platform teams by handling the complex, organisation-level deployment and lifecycle. Your teams can focus on operating the cloud, running workloads and delivering business value, while Foundations takes care of the specialised, large-scale infrastructure patterns that are difficult and time-consuming to maintain by hand.

What's Included, What's Not

We provide:

Automated, settings-driven AWS organisation deployments
Ongoing module updates as AWS evolves
A consistent, repeatable IaC-based delivery model
Clear, auditable plans for you to review and approve

We do not:

Operate your environment
Manage applications or workloads
Hold write access to your accounts
Perform changes without explicit customer authorisation
