

 This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

# Capabilities
<a name="capabilities"></a>

 To support cloud adoption, AWS recommends that you have a foundational set of capabilities that enable you to deploy, operate, and govern your workloads. 

 A *capability* includes a definition, scenarios, opinionated guidance, and supporting automation to establish and operate a specific part of a cloud environment. Capabilities are components that can help you plan, implement, and operate your cloud environment, and include *people*, *process*, and *technology* considerations. Capabilities are designed to integrate into your overall technology environment. 

 In addition to technology implementation guidance, capabilities include operational guidance (for instance, notifications, event handling, and remediation, as well as team resource skills and processes) needed to stand up and operate each capability. For an example of what a capability should offer, refer to [Appendix A](appendix-a-capability-structure-and-example.md). 

AWS has defined a set of 29 capabilities that span six categories to help you establish a cloud foundation. 

 Table 1 - Cloud Foundations capabilities by categories 


|  [Governance, Risk, and Compliance](governance.md)  |  [Security](security.md)  |  [Operations](operations.md)  |  [Infrastructure](infrastructure.md)  |  [Finance](finance.md)  |  [Business Continuity](business-continuity.md)  | 
| --- | --- | --- | --- | --- | --- | 
| Log Storage | Identity Management & Access Control  | Developer Experience & Tools  | Network Connectivity  | Cloud Financial Management  | Backup & Recovery  | 
| Governance | Secrets Management  | Image Management  | Network Security  | Resource Inventory Management  | Disaster Recovery  | 
| Audit & Assessment | Security Incident Response | Observability | Workload Isolation | Support |   | 
| Tagging | Encryption & Key Management  | Patch Management | Template Management |  |  | 
| Service Onboarding | Vulnerability & Threat Management  |  |  |  |  | 
| Change Management  | Application Security  |  |  |  |  | 
| Forensics | Data Isolation  |  |  |  |  | 
| Data De-identification  |   |  |  |  |  | 
| Records Management |  |  |  |  |  | 

 Each capability includes stages of maturity that enable you to implement based on where you are in your cloud journey, including your governance and operational requirements. As your cloud environment grows and matures, the *capabilities* can be enhanced to meet your new requirements. 

## Capabilities definitions
<a name="capabilities-definitions"></a>

 This section includes high-level definitions for each foundational capability organized by their category. For a deeper dive into a specific capability and what it includes, refer to [Appendix A](appendix-a-capability-structure-and-example.md). 

![A chart showing which capabilities fall under each category.](http://docs.aws.amazon.com/whitepapers/latest/establishing-your-cloud-foundation-on-aws/images/category.png)


Topics
+ [Governance, Risk Management, and Compliance](governance.md)
+ [Operations](operations.md)
+ [Security](security.md)
+ [Business Continuity](business-continuity.md)
+ [Finance](finance.md)
+ [Infrastructure](infrastructure.md)

# Governance, Risk Management, and Compliance
<a name="governance"></a>

Governance, Risk Management, and Compliance (GRC) helps organizations set the foundation for meeting security and compliance requirements and define the overall policies your cloud environment should adhere to. The capabilities within this area help you define what needs to happen, define your risk appetite, and inform the alignment of internal policies. 

![A chart showing which capabilities fall under the Governance, Risk Management, and Compliance category.](http://docs.aws.amazon.com/whitepapers/latest/establishing-your-cloud-foundation-on-aws/images/governance-category.png)


 Governance, Risk Management, and Compliance capabilities include: 
+  **Tagging** enables you to group sets of resources by assigning metadata to cloud resources for a variety of purposes. These purposes include access control (such as attribute-based access control, ABAC), cost reporting, and automation (such as patching only instances that carry a given tag). Tagging can also be used to create new resource constructs for visibility or control (such as grouping together the resources that make up a microservice, application, or workload). Tagging is fundamental to providing enterprise-level visibility and control. 
+  **Log storage** enables you to collect and store your environment logs centrally and securely. This will enable you to evaluate, monitor, alert, and audit access and actions performed on your cloud resources and objects. 
+  **Forensics** involves the analysis of log data and forensically captured images of potentially compromised resources to determine whether a compromise occurred (and if so, how). The outcomes of root cause analysis resulting from forensic investigations are typically used to produce, and to justify applying, preventative measures. 
+  **Service Onboarding** provides the ability to review and approve AWS services for use based on consideration of internal, compliance, and regulatory requirements. This capability includes risk assessment, documentation, implementation patterns, and the change communication aspects of service consumption. 
+  **Data De-identification** enables you to discover and protect sensitive data as it is stored and processed (for example, national ID numbers, trade data, healthcare information). 
+  **Governance** enables you to define and enforce business and regulatory policies for your cloud environment. Policies can include rules for your environment or risk definitions. A portion of your governance policies is embedded in other capabilities across your environment to ensure that you meet your requirements. 
+  **Audit & Assessment** provides the ability to gather and organize documentary evidence to enable internal or independent assessment of your cloud environment. This capability allows you to validate assertions that all changes were performed in accordance with policy. 
+  **Change Management** enables you to deploy planned alterations to all configurable items that are in an environment within the defined scope, such as production and test. An approved change is an action that alters resource configuration and is implemented with a minimized and accepted risk to existing IT infrastructure. 
+  **Records Management** enables you to store, retain, and secure your data according to your internal policies and regulatory requirements. Some examples may include financial records, transactional data, audit logs, business records, and personally identifiable information (PII). 

# Operations
<a name="operations"></a>

Enable your developers and operations teams to innovate faster, while ensuring the quality of application and infrastructure updates. The capabilities within this area, including developer experience and tools, enable you to build, deploy, and operate workloads with ease in the cloud.

![A chart showing which capabilities fall under the Operations category.](http://docs.aws.amazon.com/whitepapers/latest/establishing-your-cloud-foundation-on-aws/images/operations-category.png)


 Operations capabilities include: 
+  **Observability** enables you to gather and analyze operational data about system and application activities. This includes the analysis of data to identify anomalies, indicators of compromise, performance, and configuration changes. 
+  **Image Management** enables you to manage compute images throughout their entire lifecycle. This can involve the creation, acquisition, distribution, and storage of the images. 
+  **Patch Management** is the ability to deploy sets of changes to update, fix, and/or enhance the operation and security properties of infrastructure and workloads. This includes addressing security vulnerabilities, bug fixes, and other related work. The scope of patch management includes operating systems, applications, and any relevant software systems. 
+  **Developer Experience and Tools** enables you to provide the tools and processes required for developers to build and deploy workloads. This capability includes managing code, building workflows, and promoting workloads into production environments. 

# Security
<a name="security"></a>

Create a secure, high-performing, and resilient foundation for your cloud environment. The capabilities within this area enable you to design and implement security policies and controls across different levels of the stack to protect your resources from external or internal vulnerabilities and threats. They ensure confidentiality, availability, integrity, and usability, while providing priorities and advice to assist with remediation.

![A chart showing which capabilities fall under the Security category.](http://docs.aws.amazon.com/whitepapers/latest/establishing-your-cloud-foundation-on-aws/images/security-category.png)


 Security capabilities include: 
+  **Identity Management & Access Control** helps you build and monitor permissions in your environment. Use this capability to structure access to your resources within defined isolated groups, following the principle of least privilege (PoLP). This capability will help your team develop a framework to manage your environment and provide access to your services. 
+  **Data Isolation** enables you to limit access to data at rest and in transit so that data is only accessible to appropriate and authorized entities. This capability also includes the ability to detect misuse and/or unauthorized access, leak, and theft of data. 
+  **Application Security** enables the protection of application software, and the detection of anomalous behavior in the context of the applications’ interactions with customers. Threats to be addressed include unauthorized access, privilege escalation, and other application-level threats typically characterized in threat frameworks. 
+  **Encryption and Key Management** enables you to implement a key management strategy. This includes the ability to encrypt data at rest and in transit, provide least privileged access to keys, report on anomalies, and rotate keys based on requirements. 
+  **Secrets Management** enables you to manage secrets such as passwords, access keys, other API keys, and X.509 or SSH private keys. This capability includes the storage, access control, access logging, revocation, and rotation aspects of managing secrets. 
+  **Security Incident Response** enables you to effectively respond to a security incident based on decisions specified in policy. The response involves characterizing the nature of the incident and making changes (which may involve activities including restoration of operational status, identification and remediation of root cause, and gathering evidence pursuant to civil or criminal prosecution). 
+  **Vulnerability & Threat Management** is the ability to identify vulnerabilities that can affect the environment (availability, performance, or security). This capability enables you to assess the impact and scope (such as blast radius) of vulnerabilities and threats, and address/remediate them. 

# Business Continuity
<a name="business-continuity"></a>

Resilience is critical: it affects the quality of service your users experience. The capabilities within this area enable you to have a strategy in place to continue operations during a time of inefficiency or crisis, including Disaster Recovery, Backups, and Support. Having this in place can help avoid downtime during outages or unprecedented situations.

![A chart showing which capabilities fall under the Business Continuity category.](http://docs.aws.amazon.com/whitepapers/latest/establishing-your-cloud-foundation-on-aws/images/business-category.png)


 Business Continuity capabilities include: 
+  **Backups** is the ability to make reliable copies of data for retrieval as needed to meet business and security goals, Recovery Point Objective (RPO), and Recovery Time Objective (RTO). Content to be backed up includes orchestration framework data and configuration, application data, logs, and customer data. 
+  **Disaster Recovery** enables you to plan for and respond to a disaster scenario to ensure continuity of systems and to minimize the impact to the business. This includes the backup or replication of data and systems, failing over, testing, and executing against a DR plan. 
+  **Support** enables you to troubleshoot your cloud environment, submit tickets, integrate into existing ticketing systems, and escalate issues to an appropriate entity for a timely response depending on criticality and support level. 

# Finance
<a name="finance"></a>

The capabilities within this area enable you to establish and enhance your existing finance processes to be cloud ready, so that you can establish and operate with cost transparency, control, planning, and optimization. They also enable you to manage your records and resource inventory while meeting compliance and regulatory needs.

![A chart showing which capabilities fall under the Finance category.](http://docs.aws.amazon.com/whitepapers/latest/establishing-your-cloud-foundation-on-aws/images/finance-category.png)


 Finance capabilities include: 
+  **Cloud Financial Management** provides the ability to manage and optimize your expense for cloud services. This capability enables you to track, notify, and apply cost optimization techniques across your environment and resources. Expense information is centrally managed and consumed, and access to critical stakeholders can be provided for targeted visibility and decision making. 
+  **Resource Inventory Management** enables the collection, visibility, tracking, configuration validation, and service mapping of cloud resources. 

# Infrastructure
<a name="infrastructure"></a>

The capabilities within this area enable you to design, build, and manage a secure and highly available cloud infrastructure. Use practices such as Network Security to design and implement security policies and controls across different levels of the networking stack, and Workload Isolation to isolate environments that contain your newly migrated workloads. If you are migrating apps from on premises or building them natively in the cloud, the infrastructure that you build on should be both secure and reliable. 

![A chart showing which capabilities fall under the Infrastructure category.](http://docs.aws.amazon.com/whitepapers/latest/establishing-your-cloud-foundation-on-aws/images/infrastructure-category.png)


 Infrastructure capabilities include: 
+  **Network Security** enables you to design and implement security policies and controls across different levels of the networking stack to protect your resources from external or internal threats and to ensure confidentiality, availability, integrity, and usability. This capability includes the prevention, detection, and blocking of anomalous network traffic based on monitoring of ingress/egress and lateral data movement. 
+  **Network Connectivity** enables you to create, manage, and monitor secure, scalable, and highly available networks for your applications and workloads. This includes connectivity within the cloud, hybrid connectivity, IP address management, network logging and monitoring, and DNS management. 
+  **Template Management** enables you to create and group reusable templates in a central repository to quickly deploy, manage, and update infrastructure, schemas, and resources across the environment. This capability includes the necessary processes to create, test, update, and validate the templates when required. These templates are pre-approved implementation patterns using approved cloud services, and are ready to be used by different teams based on requirements. 
+  **Workload Isolation** enables you to create and manage isolated environments for your workloads. This approach reduces the impact of vulnerabilities and threats, and eases the complexity of compliance by providing mechanisms to isolate access to resources. 