Reference

Architecture

Default AWS architecture deployed by ground deploy. Every diagram reflects what the CloudFormation stacks actually create.

Organization Unit Hierarchy

ground creates an OU hierarchy with five OUs directly under the root (Security, Infrastructure, Research, Sensitive Research, DoD/CMMC), two of which carry child OUs. Each OU inherits the SCPs attached above it and adds its own restrictions, so effective permissions only narrow as you go down. The management account sits above the root in the diagram: it runs ground and attest, SCPs never apply to it, and it never hosts research workloads.

```mermaid
graph TD
    MGMT["🏢 Management Account<br/>ground deploy • attest init<br/>no workloads"]
    ROOT["Root<br/>baseline SCPs only"]
    SEC["Security OU<br/>deny: disable CloudTrail/Config<br/>deny: delete audit bucket"]
    INFRA["Infrastructure OU<br/>deny: workload services<br/>allow: TGW, VPC, Route53"]
    RESEARCH["Research OU<br/>allow: FedRAMP Moderate services<br/>deny: public S3 ACLs, non-US regions"]
    SENSITIVE["Sensitive Research OU<br/>+ require KMS encryption<br/>+ require MFA • deny non-FedRAMP"]
    DOD["DoD/CMMC OU<br/>GovCloud only<br/>us-gov-east-1 / us-gov-west-1"]
    LOGARCHIVE["Log Archive<br/>S3 audit bucket<br/>immutable, object-locked"]
    SECTOOLING["Security Tooling<br/>GuardDuty findings<br/>Security Hub aggregation"]
    NETHUB["Network Hub<br/>Transit Gateway<br/>VPC endpoints"]
    NIH["NIH Genomic Enclave<br/>attest:data-classes=CUI,GENOMIC"]
    HIPAA["HIPAA Research<br/>attest:data-classes=PHI"]
    CUI["CUI Research<br/>attest:data-classes=CUI"]
    CMMC["CMMC CUI<br/>GovCloud"]
    ITAR["ITAR/EAR<br/>GovCloud • TCP required"]

    MGMT --> ROOT
    ROOT --> SEC
    ROOT --> INFRA
    ROOT --> RESEARCH
    ROOT --> SENSITIVE
    ROOT --> DOD
    SEC --> LOGARCHIVE
    SEC --> SECTOOLING
    INFRA --> NETHUB
    SENSITIVE --> NIH
    SENSITIVE --> HIPAA
    SENSITIVE --> CUI
    DOD --> CMMC
    DOD --> ITAR

    style MGMT fill:#dbeafe,stroke:#2563eb,color:#1e3a5f
    style SEC fill:#fef9c3,stroke:#d97706,color:#44300e
    style SENSITIVE fill:#fce7f3,stroke:#be185d,color:#4a0020
    style DOD fill:#f0fdf4,stroke:#15803d,color:#052e16
    style LOGARCHIVE fill:#fef9c3,stroke:#d97706,color:#44300e
    style SECTOOLING fill:#fef9c3,stroke:#d97706,color:#44300e
```

Figure 1 — Default OU hierarchy. Management account is above the root and never receives SCPs. Log Archive and Security Tooling accounts are in scope for every CUI/PHI assessment as security protection assets.

Compliance scope note: The Log Archive account is in scope for any compliance assessment that touches CUI or PHI, because it stores audit logs for those accounts. attest automatically adds it to the SSP system boundary when it detects the ground-accounts CloudFormation stack.

Network Architecture (Phase 2)

The network stack uses a hub-and-spoke model. The Network Hub account owns the Transit Gateway; the spoke VPC in each research account connects to it with a TGW VPC attachment (not VPC peering). AWS service API calls from the research VPCs go through VPC endpoints, so that traffic stays on the AWS network and never traverses the public internet; the interface endpoints live in the Network Hub and are reached over the TGW, while the S3 gateway endpoint is local to each VPC's storage subnet.

```mermaid
graph LR
    subgraph "Network Hub Account"
        TGW["Transit Gateway<br/>us-east-1 • us-west-2"]
        VPE["VPC Endpoints<br/>s3 • ec2 • ssm • sts<br/>secretsmanager • kms"]
    end
    subgraph "Sensitive Research Account"
        SVPC["Research VPC<br/>10.1.0.0/16"]
        SPRIV["Private Subnet<br/>compute zone"]
        SMGMT["Management Subnet<br/>head node / bastion"]
        SSTOR["Storage Subnet<br/>S3 endpoint"]
    end
    subgraph "Open Research Account"
        OVPC["Research VPC<br/>10.2.0.0/16"]
    end
    Internet["Internet<br/>VPN / Direct Connect only"]

    TGW <-->|"VPC attachment"| SVPC
    TGW <-->|"VPC attachment"| OVPC
    VPE ---|"org condition<br/>aws:PrincipalOrgID"| SVPC
    SVPC --> SPRIV
    SVPC --> SMGMT
    SVPC --> SSTOR
    Internet -.->|"no direct route<br/>to private subnets"| TGW

    style TGW fill:#dbeafe,stroke:#2563eb,color:#1e3a5f
    style VPE fill:#dbeafe,stroke:#2563eb,color:#1e3a5f
    style SMGMT fill:#fce7f3,stroke:#be185d,color:#4a0020
```

Figure 2 — Hub-and-spoke networking. All VPC endpoint policies include aws:PrincipalOrgID conditions, verified by ground's policy unit tests before deployment.
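The check that Figure 2 refers to, written out as an added example (this is not ground's own test suite). It walks a VPC endpoint policy and reports every Allow statement that is not pinned to the organization with aws:PrincipalOrgID under StringEquals; it also rejects StringEqualsIfExists, because that key is absent for requests from AWS service principals and anonymous callers, so the IfExists form would let them through. ORG_ID and the two sample policies are constructed for illustration.

```python
"""Policy unit test for VPC endpoint policies: every Allow statement must be
pinned to the organization with aws:PrincipalOrgID.

Added example, not ground's own test suite. ORG_ID and the two sample
endpoint policies are constructed; a real test would load the policies from
the rendered CloudFormation templates.
"""
from typing import Any

ORG_ID = "o-exampleorgid"  # constructed value


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _lookup(mapping: dict, key: str):
    """Case-insensitive lookup: IAM condition operators and keys are
    matched case-insensitively."""
    for k, v in mapping.items():
        if k.lower() == key.lower():
            return v
    return None


def org_condition_findings(policy: dict, org_id: str) -> list[str]:
    """Return findings for an endpoint policy; an empty list means it passes.

    Per Allow statement:
      * aws:PrincipalOrgID must appear under StringEquals with exactly org_id.
      * An IfExists operator is rejected (service principals and anonymous
        callers carry no aws:PrincipalOrgID, so IfExists would admit them).
    Deny statements are not required to carry the condition.
    """
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition") or {}
        strict = _lookup(_lookup(cond, "StringEquals") or {}, "aws:PrincipalOrgID")
        loose = any(
            op.lower().endswith("ifexists") and _lookup(keys, "aws:PrincipalOrgID") is not None
            for op, keys in cond.items()
        )
        if strict is None:
            if loose:
                findings.append(f"{sid}: aws:PrincipalOrgID uses an IfExists operator; use StringEquals")
            else:
                findings.append(f"{sid}: Allow statement has no aws:PrincipalOrgID condition")
        elif _as_list(strict) != [org_id]:
            findings.append(f"{sid}: aws:PrincipalOrgID is {strict!r}, expected {org_id!r}")
    return findings


# Constructed sample with the shape the page describes: Allow pinned to the org,
# plus an explicit Deny that needs no org condition.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        {"Sid": "NoPublicObjectAcl", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObjectAcl", "Resource": "*"},
    ],
}

# Constructed sample the test must reject: one statement forgot the condition,
# the other used StringEqualsIfExists.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Forgotten", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Loose", "Effect": "Allow", "Principal": "*", "Action": "ssm:*", "Resource": "*",
         "Condition": {"StringEqualsIfExists": {"aws:PrincipalOrgID": ORG_ID}}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, org_condition_findings(pol, ORG_ID) or "OK")
```

Run it and GOOD_POLICY passes while BAD_POLICY produces two findings, one per statement. The same function, pointed at the endpoint policies rendered from the CloudFormation templates, is the kind of pre-deploy gate the figure caption describes.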

Head node scope (NIST 800-223): The management subnet hosts the Slurm/ParallelCluster head node. Per NIST SP 800-223, privileged access to the head node is equivalent to CUI access, because the head node schedules every job in the enclave and can read their inputs and outputs. It must therefore live in the CUI account, with phishing-resistant MFA required for every admin session.

Logging Protection & External Services

ground deploys the structural plumbing only. Detection services are not deployed by ground: GuardDuty, Security Hub, and Macie are activated by attest apply, after attest compile has determined which Security Hub standard matches your active compliance frameworks. ground cannot choose that standard without knowing which frameworks you are using, so activation is left to attest.

What ground's security stack does: Deploys a single Service Control Policy (SCP) that denies disabling CloudTrail and Config — the logging infrastructure ground itself deployed. This SCP cannot be bypassed by member account admins.
Non-AWS services: Declare services like Globus, CrowdStrike, Splunk, Palo Alto Prisma, and Tenable in ground.yaml under security.external_services. Ground exports these declarations to ground-meta.json; attest reads them to assess which compliance controls they satisfy. Ground does not deploy, configure, or verify these services.
```mermaid
graph TD
    subgraph "ground deploy — security stack"
        SCP["Logging-Protection SCP<br/>Deny: cloudtrail:DeleteTrail<br/>Deny: cloudtrail:StopLogging<br/>Deny: config:StopConfigurationRecorder<br/>Attached to org root"]
    end
    subgraph "ground deploy — logging stack"
        CT["CloudTrail<br/>org-wide multi-region trail<br/>data events: S3 objects<br/>log validation enabled"]
        CONFIG["AWS Config<br/>org-wide recorder<br/>all resource types<br/>24h delivery"]
        AUDIT["S3 Audit Bucket<br/>KMS encrypted<br/>object-locked (GOVERNANCE)<br/>365-day retention"]
    end
    subgraph "ground.yaml declarations"
        EXT["External Services<br/>Globus (data-transfer, BAA, high-assurance)<br/>CrowdStrike (EDR, FedRAMP High)<br/>Splunk (SIEM)<br/>Palo Alto Prisma (CSPM)"]
    end
    subgraph "attest apply — after attest compile"
        GD["GuardDuty<br/>activated by attest apply<br/>standard: framework-appropriate"]
        SH["Security Hub<br/>activated by attest apply<br/>standard: framework-appropriate<br/>(NIST 800-53, FSBP, FedRAMP, CIS)"]
        SCAN["attest scan<br/>reads Config rules<br/>reads Security Hub findings<br/>computes posture"]
    end

    SCP -->|"protects"| CT
    SCP -->|"protects"| CONFIG
    CT -->|"logs to"| AUDIT
    CONFIG -->|"delivers to"| AUDIT
    EXT -->|"exported to ground-meta.json"| SCAN
    GD -->|"findings to"| SH
    SH --> SCAN
    CONFIG --> SCAN

    style SCP fill:#dbeafe,stroke:#2563eb,color:#1e3a5f
    style CT fill:#dbeafe,stroke:#2563eb,color:#1e3a5f
    style CONFIG fill:#dbeafe,stroke:#2563eb,color:#1e3a5f
    style AUDIT fill:#dbeafe,stroke:#2563eb,color:#1e3a5f
    style EXT fill:#f3e8ff,stroke:#7c3aed,color:#2e1065
    style GD fill:#fef9c3,stroke:#d97706,color:#44300e
    style SH fill:#fef9c3,stroke:#d97706,color:#44300e
    style SCAN fill:#dcfce7,stroke:#15803d,color:#052e16
```

Figure 3 — ground deploys logging plumbing and a protection SCP. Detection services (yellow) are activated by attest after framework selection. Non-AWS services (purple) are declared in ground.yaml and consumed by attest during compliance assessment. Note that the audit bucket's Object Lock is in GOVERNANCE mode: any principal granted s3:BypassGovernanceRetention can shorten or remove that retention, so keep that permission out of member-account policies. COMPLIANCE mode cannot be shortened by anyone, including the account root user, at the cost of being irreversible for the retention period.

IAM Identity Center & Permission Boundaries

ground deploys five permission sets in IAM Identity Center, tiered by OU. The sensitive-researcher set requires FIDO2 MFA only; TOTP is not accepted for CUI/PHI environments. Note that the allowed authenticator types are configured in the IAM Identity Center instance's authentication settings (or in the external IdP when one is federated), not in the permission set itself, so that setting is where the FIDO2-only requirement is actually enforced.

```mermaid
graph LR
    subgraph "IAM Identity Center"
        AU["GroundUser<br/>Research OU<br/>MFA required<br/>1-hour session"]
        SU["GroundSensitiveUser<br/>Sensitive Research OU<br/>FIDO2 only • IP allowlist<br/>1-hour session"]
        ADMIN["GroundSREAdmin<br/>all OUs<br/>phishing-resistant MFA<br/>all sessions logged"]
        CO["GroundComplianceOfficer<br/>attest + compliance tooling<br/>4-hour session"]
        AUD["GroundAuditor<br/>read-only<br/>8-hour session"]
    end
    subgraph "Every IAM Role"
        PB["Permission Boundary<br/>Deny: privilege escalation<br/>Deny: org escape<br/>Deny: logging disable<br/>Deny: boundary removal"]
    end

    AU -->|"assigned to"| PB
    SU -->|"assigned to"| PB
    ADMIN -->|"assigned to"| PB

    style SU fill:#fce7f3,stroke:#be185d,color:#4a0020
    style ADMIN fill:#fef9c3,stroke:#d97706,color:#44300e
    style PB fill:#fee2e2,stroke:#dc2626,color:#450a0a
```

Figure 4 — Permission sets and boundaries. The permission boundary on every IAM role is Allow * narrowed by explicit Deny statements. A boundary consisting of a bare Allow * would be a no-op (it limits nothing), while a boundary containing only Deny statements would block every action, because an action is effective only when both the identity policy and the boundary allow it. Verified by policy unit tests before deploy.
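An added example (not ground's own policy tests) that makes the Allow-plus-Deny point above concrete and also covers the Logging-Protection SCP from Figure 3. It reduces IAM evaluation to the rule that matters for both: an explicit Deny in any applicable policy wins; otherwise the action must be allowed by the identity policy and by the SCP set at each level of the OU path and by the permission boundary. Resources, conditions and resource-based policies are ignored, and the concrete action names in the four Deny lists are illustrative assumptions standing in for ground's categories, not its actual policy.

```python
"""Effective-permission evaluator for SCPs and permission boundaries.

Added example, not ground's own policy tests. Explicit Deny anywhere wins;
otherwise the identity policy, every SCP level on the OU path, and the
permission boundary must each allow the action. Resources, conditions and
resource-based policies are ignored. Action names in the Deny lists below
are assumptions standing in for ground's four deny categories.
"""
from fnmatch import fnmatchcase


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _statement_hits(policy: dict, action: str) -> set[str]:
    """Effects of every statement in one policy whose Action matches."""
    hits: set[str] = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(_matches(p, action) for p in actions):
            hits.add(stmt["Effect"])
    return hits


def _level_allows(policies: list[dict], action: str) -> bool:
    """One level = the SCPs attached to one OU, or the single boundary.
    Denied if any policy denies; allowed only if at least one policy allows."""
    hits = [_statement_hits(p, action) for p in policies]
    if any("Deny" in h for h in hits):
        return False
    return any("Allow" in h for h in hits)


def effective(action: str, identity_policy: dict, levels: list[list[dict]]) -> bool:
    """True if the principal can perform `action` after all bounding policies."""
    return _level_allows([identity_policy], action) and all(
        _level_allows(level, action) for level in levels
    )


def _policy(*statements: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": list(statements)}


def _deny(*actions: str) -> dict:
    return {"Effect": "Deny", "Action": list(actions), "Resource": "*"}


ALLOW_ALL = {"Effect": "Allow", "Action": "*", "Resource": "*"}

# A member-account admin: AdministratorAccess is effectively Allow *.
MEMBER_ADMIN = _policy(ALLOW_ALL)

# Root OU level: the default FullAWSAccess SCP (assumed to stay attached) plus
# the Logging-Protection SCP with the three actions listed in Figure 3.
FULL_AWS_ACCESS = _policy(ALLOW_ALL)
LOGGING_PROTECTION_SCP = _policy(
    _deny("cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "config:StopConfigurationRecorder")
)
ROOT_LEVEL = [FULL_AWS_ACCESS, LOGGING_PROTECTION_SCP]

# Boundary with the shape Figure 4 describes: Allow * narrowed by explicit
# denies. The four Deny lists are illustrative assumptions.
BOUNDARY_GROUND = _policy(
    ALLOW_ALL,
    _deny("iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
          "iam:AttachRolePolicy", "iam:PutRolePolicy"),            # privilege escalation
    _deny("organizations:LeaveOrganization"),                       # org escape
    _deny("cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
          "config:StopConfigurationRecorder"),                      # logging disable
    _deny("iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary"),  # boundary removal
)
# Two wrong shapes: a bare Allow * (a no-op) and Deny-only (blocks everything).
BOUNDARY_NOOP = _policy(ALLOW_ALL)
BOUNDARY_DENY_ONLY = _policy(*BOUNDARY_GROUND["Statement"][1:])


def can(action: str, boundary: dict) -> bool:
    """Member-account admin, under the root SCP set and the given boundary."""
    return effective(action, MEMBER_ADMIN, [ROOT_LEVEL, [boundary]])


if __name__ == "__main__":
    for b_name, b in (("ground", BOUNDARY_GROUND), ("noop", BOUNDARY_NOOP), ("deny-only", BOUNDARY_DENY_ONLY)):
        for act in ("s3:GetObject", "cloudtrail:StopLogging", "iam:DeleteRolePermissionsBoundary"):
            print(f"{b_name:10} {act:36} {can(act, b)}")
```

The three rows worth reading: with the Deny-only boundary even s3:GetObject is refused, with the bare Allow * boundary the role can strip its own boundary, and under every boundary cloudtrail:StopLogging is refused because the SCP denies it before the boundary is consulted. Two limits of the model match AWS itself: SCPs never apply to the management account, and a boundary only constrains roles that actually carry it.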

Account Tagging Strategy

ground tags every account with attest:* tags at creation time. attest reads these during attest init to auto-discover environments and their compliance scope.

attest:environment-id   = "chen-quantum-lab"       # unique env identifier
attest:data-classes     = "CUI,GENOMIC"             # drives OU placement + SCP set
attest:compliance-tier  = "sensitive"               # open | sensitive | dod
attest:ou-path          = "/SensitiveResearch/"     # for SSP system boundary
attest:owner            = "pi@mru.edu"              # PI or team contact

The tag enforcement SCP denies ec2:RunInstances, s3:CreateBucket, and other resource-creation actions unless all five tags are present in the request. It uses one Deny statement per tag, each with a Null condition on that tag's aws:RequestTag key. Separate statements give OR logic, so a single missing tag is enough to trigger the deny; putting all five keys into one Null condition block would AND them and deny only when every tag was missing. Because the check relies on aws:RequestTag, it only covers actions that accept tags in the create call itself; confirm that for each action you add to the list.
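An added example (not ground's SCP) that builds both shapes of the tag-enforcement policy and evaluates them against constructed requests, so the OR-versus-AND difference is visible rather than asserted. The evaluator handles only the Null operator and exact action names, which is all this SCP needs; the action list is the one the page names.

```python
"""Tag-on-create enforcement: one Deny statement per required tag.

Added example, not ground's SCP. IAM ANDs all keys inside a single Condition
block, so a single statement listing all five aws:RequestTag keys under
"Null" denies only when every tag is missing; ground's per-tag statements
deny when any one is missing. Evaluator covers only the Null operator and
exact action names.
"""
REQUIRED_TAGS = [
    "attest:environment-id",
    "attest:data-classes",
    "attest:compliance-tier",
    "attest:ou-path",
    "attest:owner",
]
# Actions named on the page. aws:RequestTag exists only for actions that accept
# tags in the create call itself; check each action in the service
# authorization reference before relying on this SCP for it.
ACTIONS = ["ec2:RunInstances", "s3:CreateBucket"]


def per_tag_scp() -> dict:
    """ground's shape: five statements, each denying when ONE tag is absent."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Require" + tag.split(":")[1].title().replace("-", ""),
                "Effect": "Deny",
                "Action": ACTIONS,
                "Resource": "*",
                "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}},
            }
            for tag in REQUIRED_TAGS
        ],
    }


def single_statement_scp() -> dict:
    """The tempting but wrong shape: all five keys in one Null block (ANDed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RequireAllTags",
                "Effect": "Deny",
                "Action": ACTIONS,
                "Resource": "*",
                "Condition": {"Null": {f"aws:RequestTag/{tag}": "true" for tag in REQUIRED_TAGS}},
            }
        ],
    }


def _null_block_matches(null_block: dict, request_tags: dict) -> bool:
    """Every key in one condition block must match (AND semantics).
    Null: "true" matches when the key is absent from the request."""
    for key, expected in null_block.items():
        tag = key.split("/", 1)[1]
        is_absent = tag not in request_tags
        if is_absent != (expected == "true"):
            return False
    return True


def is_denied(scp: dict, action: str, request_tags: dict) -> bool:
    """True if any Deny statement matches the action and its condition holds."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        if _null_block_matches(stmt["Condition"]["Null"], request_tags):
            return True
    return False


# Constructed sample requests.
FULL_TAGS = {
    "attest:environment-id": "chen-quantum-lab",
    "attest:data-classes": "CUI,GENOMIC",
    "attest:compliance-tier": "sensitive",
    "attest:ou-path": "/SensitiveResearch/",
    "attest:owner": "pi@mru.edu",
}
MISSING_OWNER = {k: v for k, v in FULL_TAGS.items() if k != "attest:owner"}

if __name__ == "__main__":
    for name, scp in (("per-tag", per_tag_scp()), ("single", single_statement_scp())):
        for label, tags in (("all tags", FULL_TAGS), ("missing owner", MISSING_OWNER), ("no tags", {})):
            print(f"{name:8} {label:14} denied={is_denied(scp, 'ec2:RunInstances', tags)}")
```

The row to look at is "missing owner": the per-tag SCP denies it, the single-statement SCP lets it through and only denies the fully untagged request. Remember that SCPs do not apply to the management account, which is one more reason it hosts no workloads.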