Cloud Foundation Assessment Tool
Generated on: Thu, 06 Nov 2025 08:53:56 GMT


Incomplete Requirements:
    INCOMPLETE: AWS Organization created
    INCOMPLETE: Management Account created
    INCOMPLETE: CloudTrail Trail created
    INCOMPLETE: CloudTrail Organization Service enabled
    INCOMPLETE: CloudTrail Org Trail deployed
    INCOMPLETE: Config Recorder in Management Account configured
    INCOMPLETE: Config Delivery Channel in Management Account configured
    INCOMPLETE: Top-level Security OU deployed
    INCOMPLETE: IAM IdC Organization service enabled
    INCOMPLETE: IAM IdC configured
    INCOMPLETE: Service Control Policies enabled
    INCOMPLETE: Organization Tag Policy enabled
    INCOMPLETE: Control Tower deployed
    INCOMPLETE: Control Tower not drifted
    INCOMPLETE: Log Archive account deployed
    INCOMPLETE: Audit account deployed

====================================

Foundation Status: INCOMPLETE
Estimate of Required Level of Effort (LOE): 31 hours
CFAT Score: 8 out of 158

====================================

Foundation Checks:
┌─────────┬────────────────────────────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────┬──────────────┬──────────┬────────┬─────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ (index) │ check                                                      │ description                                                                               │ status       │ required │ weight │ loe │ remediationLink                                                                                                                                 │
├─────────┼────────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────┼──────────────┼──────────┼────────┼─────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ 0       │ 'AWS Organization created'                                 │ 'AWS Organization is enabled.'                                                            │ 'incomplete' │ true     │ 6      │ 1   │ 'https://aws.amazon.com/organizations/getting-started/'                                                                                         │
│ 1       │ 'Management Account created'                               │ 'AWS Management account exists.'                                                          │ 'incomplete' │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-creating.html'                                                               │
│ 2       │ 'Management Account IAM users removed'                     │ 'IAM Users should not exist in Management Account.'                                       │ 'complete'   │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting'                                                       │
│ 3       │ 'Management Account EC2 instances removed'                 │ 'EC2 Instances should not exist in Management Account.'                                   │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html'                                                                │
│ 4       │ 'Management Account VPCs removed'                          │ 'Management Account should not have any VPCs.'                                            │ 'complete'   │ false    │ 4      │ 1   │ 'https://github.com/cloud-foundations-on-aws/cloud-foundations-templates/blob/main/network/network-default-vpc-deletion/README.md'              │
│ 5       │ 'CloudTrail Trail created'                                 │ 'CloudTrail should be enabled within the account.'                                        │ 'incomplete' │ true     │ 6      │ 3   │ 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html'                                                   │
│ 6       │ 'CloudTrail Organization Service enabled'                  │ 'CloudTrail should be enabled on the Organization.'                                       │ 'incomplete' │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudtrail.html'                                        │
│ 7       │ 'CloudTrail Org Trail deployed'                            │ 'At least one CloudTrail Organization Trail should be enabled.'                           │ 'incomplete' │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html'                                                   │
│ 8       │ 'Config Recorder in Management Account configured'         │ 'Config Recorder in the Management Account should be enabled.'                            │ 'incomplete' │ true     │ 6      │ 2   │ 'https://aws.amazon.com/blogs/mt/managing-aws-organizations-accounts-using-aws-config-and-aws-cloudformation-stacksets/'                        │
│ 9       │ 'Config Delivery Channel in Management Account configured' │ 'Config Delivery Channel in Management Account should be enabled.'                        │ 'incomplete' │ true     │ 6      │ 2   │ 'https://aws.amazon.com/blogs/mt/managing-aws-organizations-accounts-using-aws-config-and-aws-cloudformation-stacksets/'                        │
│ 10      │ 'CloudFormation StackSets activated'                       │ 'CloudFormation StackSets should be activated in the CloudFormation console.'             │ 'incomplete' │ false    │ 5      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html#integrate-enable-ta-cloudformation' │
│ 11      │ 'GuardDuty Organization service enabled'                   │ 'GuardDuty Organization services should be enabled.'                                      │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html#integrate-enable-ta-guardduty'           │
│ 12      │ 'RAM Organization service enabled'                         │ 'Resource Access Manager (RAM) trusted access should be enabled in the AWS Organization.' │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-ram.html#integrate-enable-ta-ram'                       │
│ 13      │ 'Security Hub Organization service enabled'                │ 'Security Hub trusted access should be enabled in the AWS Organization.'                  │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-securityhub.html#integrate-enable-ta-securityhub'       │
│ 14      │ 'IAM Access Analyzer Organization service enabled'         │ 'IAM Access Analyzer trusted access should be enabled in the AWS Organization.'           │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling'                                │
│ 15      │ 'Config Organization service enabled'                      │ 'AWS Config trusted access should be enabled in the AWS Organization.'                    │ 'incomplete' │ false    │ 4      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-config.html#integrate-enable-ta-config'                 │
│ 16      │ 'CloudFormation Organization service enabled'              │ 'CloudFormation trusted access should be enabled in the AWS Organization.'                │ 'incomplete' │ false    │ 5      │ 1   │ 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html'                                    │
│ 17      │ 'Top-level Infrastructure OU deployed'                     │ 'Top-level Infrastructure OU should exist.'                                               │ 'incomplete' │ false    │ 5      │ 2   │ 'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                                                      │
│ 18      │ 'Top-level Security OU deployed'                           │ 'Top-level Security OU should exist.'                                                     │ 'incomplete' │ true     │ 6      │ 2   │ 'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                                                      │
│ 19      │ 'Top-level Workloads OU deployed'                          │ 'Top-level Workloads OU should exist.'                                                    │ 'incomplete' │ false    │ 5      │ 2   │ 'https://catalog.workshops.aws/control-tower/en-US/introduction/manage-ou'                                                                      │
│ 20      │ 'IAM IdC Organization service enabled'                     │ 'IAM Identity Center trusted access should be enabled in the AWS Organization'            │ 'incomplete' │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html'                                                             │
│ 21      │ 'IAM IdC configured'                                       │ 'IAM Identity Center should be configured.'                                               │ 'incomplete' │ true     │ 6      │ 3   │ 'https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html'                                                                      │
│ 22      │ 'Service Control Policies enabled'                         │ 'Service Control Policy should be enabled within the AWS Organization.'                   │ 'incomplete' │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                                           │
│ 23      │ 'Organization Tag Policy enabled'                          │ 'Tag Policy should be enabled within the AWS Organization.'                               │ 'incomplete' │ true     │ 6      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                                           │
│ 24      │ 'Organization Backup Policy enabled'                       │ 'Backup Policy should be enabled within the AWS Organization.'                            │ 'incomplete' │ false    │ 5      │ 1   │ 'https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html'                                           │
│ 25      │ 'Control Tower deployed'                                   │ 'Control Tower should be deployed.'                                                       │ 'incomplete' │ true     │ 6      │ 6   │ 'https://catalog.workshops.aws/control-tower/en-US/prerequisites/deploying'                                                                     │
│ 26      │ 'Control Tower latest version'                             │ 'Control Tower should be the latest version.'                                             │ 'incomplete' │ false    │ 5      │ 2   │ 'https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.html'                                                            │
│ 27      │ 'Control Tower not drifted'                                │ 'Control Tower should not be drifted.'                                                    │ 'incomplete' │ true     │ 6      │ 2   │ 'https://docs.aws.amazon.com/controltower/latest/userguide/resolve-drift.html'                                                                  │
│ 28      │ 'Log Archive account deployed'                             │ 'Log Archive account should exist.'                                                       │ 'incomplete' │ true     │ 6      │ 2   │ 'https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.html'                                                   │
│ 29      │ 'Audit account deployed'                                   │ 'Audit/Security Tooling account should exist.'                                            │ 'incomplete' │ true     │ 6      │ 2   │ 'https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.html'                                                   │
└─────────┴────────────────────────────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────┴──────────────┴──────────┴────────┴─────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘


Start Detailed Report:


*********************************************************
                   MANAGEMENT ACCOUNT
*********************************************************

AWS ACCOUNT TYPE

  Is in AWS Organization: false
  Assessing AWS Management Account: false

IAM USERS CHECK

  No IAM Users found.

EC2 INSTANCE CHECK

  No EC2 instances found.

VPC CHECK

  No VPCs found.

AWS CONFIG CHECK

  No AWS Config resource discovered

MANAGEMENT ACCOUNT TASKS:

*********************************************************
                    GOVERNANCE
*********************************************************

AWS ORGANIZATION POLICY TYPES

  Service Control Policies (SCP) enabled: undefined
  Tag Policies enabled: undefined
  Backup Policies enabled: undefined

AWS ORGANIZATION CLOUDFORMATION

  AWS CloudFormation Organization stack sets status: undefined

CLOUDTRAIL CHECK

  No AWS CloudTrail resource discovered

GOVERNANCE SERVICES ENABLED IN AWS ORGANIZATION:

  No governance service enabled

GOVERNANCE TASKS:
  Enable AWS CloudTrail - Governance - Enable AWS CloudTrail in AWS Organization
  Enable AWS Config - Governance - Enable AWS Config in AWS Organization
  Enable SCP - Governance - Enable SCP in AWS Organization
  Enable Tag Policy - Governance - Enable Tag Policy in AWS Organization
  Enable Backup Policy - Governance - Enable Backup Policy in AWS Organization

*********************************************************
                FINANCIAL MANAGEMENT
*********************************************************

Legacy CUR
  Is legacy CUR setup: undefined

CLOUD FINANCIAL MANAGEMENT TASKS:
  Setup legacy CUR - Cloud Financial Management - Setup legacy CUR in AWS Organization

*********************************************************
                MULTI-ACCOUNT STRATEGY
*********************************************************

AWS ORGANIZATION DETAILS

  AWS Organization Id: undefined
  AWS Organization ARN: undefined
  AWS Organization Root OU Id: undefined

AWS ORGANIZATION CLOUDFORMATION

  AWS CloudFormation Organization stack sets status: undefined

AWS ORGANIZATION MEMBER ACCOUNTS
No member accounts found which is amazing as this is running from one.

AWS ORGANIZATION ENABLED SERVICES

  The following AWS Services are enabled within your AWS Organization:
    No trusted access enabled in the AWS Organization

AWS ORGANIZATION INTEGRATED SERVICE REGISTERED DELEGATED ADMINS

  No delegated admin accounts in AWS Organization

MULTI-ACCOUNT STRATEGY TASKS:
  Review Account Email Addresses - Multi-Account Strategy - Review Account Email Addresses in AWS Organization
  Enable Service Control Policy - Multi-Account Strategy - Enable Service Control Policy in AWS Organization
  Deploy Transitional OU - Multi-Account Strategy - Deploy Transitional OU in AWS Organization
  Deploy Suspended OU - Multi-Account Strategy - Deploy Suspended OU in AWS Organization
  Deploy Workloads OU - Multi-Account Strategy - Deploy Workloads OU in AWS Organization
  Deploy Security OU - Multi-Account Strategy - Deploy Security OU in AWS Organization
  Deploy Infrastructure OU - Multi-Account Strategy - Deploy Infrastructure OU in AWS Organization

*********************************************************
                  LANDING ZONE
*********************************************************

AWS CONTROL TOWER

  AWS Control Tower is not deployed in the AWS Organization

LANDING ZONE TASKS:
  Deploy AWS Control Tower - Landing Zone - Deploy AWS Control Tower in AWS Organization
  Enable AWS CloudFormation - Landing Zone - Enable AWS CloudFormation in AWS Organization

*********************************************************
                    IDENTITY
*********************************************************

AWS IAM IDENTITY CENTER NOT FOUND


IDENTITY TASKS:
  Enable AWS Single Sign-On - Identity - Enable AWS Single Sign-On in AWS Organization
  Delegate administration to AWS IAM Identity Center - Identity - Delegate administration to AWS IAM Identity Center

*********************************************************
                    SECURITY
*********************************************************

AWS SECURITY SERVICES ENABLED IN AWS ORGANIZATION:


SECURITY TASKS:
  Enable AWS Single Sign-On - Security - Enable AWS Single Sign-On in AWS Organization
  Delegate administration to AWS GuardDuty - Security - Delegate administration to AWS GuardDuty
  Delegate administration to AWS Security Hub - Security - Delegate administration to AWS Security Hub
  Delegate administration to AWS IAM Access Analyzer - Security - Delegate administration to AWS IAM Access Analyzer
  Delegate administration to AWS CloudTrail - Security - Delegate administration to AWS CloudTrail
  Delegate administration to AWS Config - Security - Delegate administration to AWS Config
  Delegate administration of AWS Security Hub - Security - Delegate administration to AWS Security Hub
  Delegate administration of AWS GuardDuty - Security - Delegate administration to AWS GuardDuty
  Delegate administration of AWS Config - Security - Delegate administration to AWS Config
  Delegate administration of AWS IAM Access Analyzer - Security - Delegate administration to AWS IAM Access Analyzer
  Delegate administration of Amazon S3 Storage Lens - Security - Delegate administration to Amazon S3 Storage Lens

*********************************************************
                    NETWORK
*********************************************************

NETWORK TASKS:
  Enable AWS GuardDuty - Network - Enable AWS GuardDuty in AWS Organization
  Enable AWS IPAM - Network - Enable AWS IPAM in AWS Organization
  Enable AWS Resource Access Manager - Network - Enable AWS Resource Access Manager in AWS Organization
  Delegate administration of AWS IPAM - Network - Delegate administration to AWS IPAM
  Enable AWS Service Control Policy - Network - Enable AWS Service Control Policy in AWS Organization

*********************************************************
                  OBSERVABILITY
*********************************************************

OBSERVABILITY TASKS:
  Enable AWS Account - Observability - Enable AWS Account in AWS Organization
  Delegate administration of AWS Account - Observability - Delegate administration to AWS Account

*********************************************************
               BACKUP AND RECOVERY
*********************************************************

BACKUP AND RECOVERY TASKS:
  Enable AWS Backup - Backup and Recovery - Enable AWS Backup in AWS Organization
  Delegate administration of AWS Backup - Backup and Recovery - Delegate administration to AWS Backup
  Enable AWS Backup Policy - Backup and Recovery - Enable AWS Backup Policy in AWS Organization
  Enable AWS Service Control Policy - Backup and Recovery - Enable AWS Service Control Policy in AWS Organization


  END REVIEW