

# Plan your deployment
<a name="plan-your-deployment"></a>

This section describes the Region, cost, security, quota, and other considerations for planning your deployment.

## Supported AWS Regions
<a name="regional-deployments"></a>

This solution uses numerous services, which aren’t currently available in all AWS Regions. We recommend using AWS Control Tower and AWS Organizations when launching this solution in an AWS Region where these services are available. For the most current availability of AWS services by Region, refer to the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

# Cost
<a name="cost"></a>

You are responsible for the cost of AWS services used while running this solution. As of November 2025, costs primarily depend on the resources used, data processed, transferred, and stored.

S3 costs vary based on storage class, data volume, request types, data retrieval, transfer rates, and additional features. IAM is provided at no additional cost. For KMS, costs depend on the encryption type: SSE-S3 (default encryption) incurs no additional charge, while SSE-KMS incurs both a monthly fee (\$1/month per key) and per-request charges (\$0.03 per 10,000 requests). If using SSE-KMS, enabling S3 Bucket Keys can reduce KMS costs by up to 99%.

For detailed pricing information and to estimate costs for your specific implementation, we recommend using the [AWS Pricing Calculator](https://calculator.aws/#/).

**Note**  
The cost for running the Modern Data Architecture Accelerator in the AWS Cloud depends on the deployment configuration you choose. The following examples provide a cost breakdown for some of the sample configurations deployed in the US East (N. Virginia) Region. AWS services listed in the example tables below are billed on a monthly basis.

We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this solution.

## Example cost tables
<a name="example-cost-tables"></a>

The following samples are based on the options from the installer CloudFormation template.

### Basic Data Lake
<a name="option-1-basic-datalake"></a>


| Resources | Monthly cost [USD] |
| --- | --- |
| **Glue Catalog** - Configures the Encryption at Rest settings for Glue Catalog at the account level. Additionally, configures Glue catalogs for cross account access required by a Data Mesh architecture. | \$1 |
| **Audit** - Configures and deploys Audit resources to use as target for audit data and for querying audit data via Athena | \$1 |
| **Audit Trail** - Configures and deploys resources to define a secure S3-based Audit Trail on AWS | \$0 |
| **Datalake KMS and Buckets** - Configures and deploys a set of encrypted data lake buckets and bucket policies. Bucket policies are suitable for direct access via IAM and/or federated roles, as well as indirect access via LakeFormation/Athena. | \$0 |
| **Athena Workgroup** - Configures and deploys Athena Workgroups for use on the Data Lake | \$1 |
| **LakeFormation Settings** - Configures LakeFormation to automatically generate IAMAllowedPrincipal grants on new databases and tables, delegating Glue resource access controls to IAM. | \$0 |
| **DataOps Project** - Deploys Glue databases and related resources to support data operations | \$0 |
| **DataOps Crawler** - Deploys Glue Crawler resources for data discovery and cataloging | \$0 |
| **Roles** - Deploys IAM roles and managed policies for data access control | \$0 |
| **Total** | **\$3**¹ |

### Data Science setup
<a name="option-2-datascience"></a>


| Resources | Monthly cost [USD] |
| --- | --- |
| **Glue Catalog** - Configures the Encryption at Rest settings for Glue Catalog at the account level. Additionally, configures Glue catalogs for cross account access required by a Data Mesh architecture. | \$1 |
| **Audit** - Configures and deploys Audit resources to use as target for audit data and for querying audit data via Athena | \$1 |
| **Audit Trail** - Configures and deploys resources to define a secure S3-based Audit Trail on AWS | \$0 |
| **Datalake KMS and Buckets** - Configures and deploys a set of encrypted data lake buckets and bucket policies. Bucket policies are suitable for direct access via IAM and/or federated roles, as well as indirect access via LakeFormation/Athena. | \$0 |
| **Athena Workgroup** - Configures and deploys Athena Workgroups for use on the Data Lake | \$1 |
| **LakeFormation Settings** - Configures LakeFormation to automatically generate IAMAllowedPrincipal grants on new databases and tables, delegating Glue resource access controls to IAM. | \$0 |
| **Data Science Team/Project** - Deploys resources to support a team’s Data Science activities | \$0 |
| **Roles** - Deploys IAM roles and managed policies for data access control | \$0 |
| **Total** | **\$3**¹ |

¹ Your final cost depends on the usage of the resources. The estimates above do not account for customer workloads.

# Security
<a name="security-1"></a>

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit the [AWS Security Center](https://aws.amazon.com/security/).

## Security Controls and Compliance
<a name="sec-controls-compliance"></a>

MDAA implements multiple security controls and compliance measures:
+ Compliance with multiple AWS CDK Nag rulesets:
  + AWS Solutions ruleset
  + NIST 800-53 Rev 5 ruleset
  + HIPAA ruleset
  + PCI-DSS ruleset
+ Adherence to ITSG-33 PBMM Security Control Requirements
+ Implementation of security best practices across all deployed resources

### Encryption
<a name="encryption"></a>

MDAA enforces comprehensive encryption measures:
+ Ubiquitous encryption at rest for all data storage components
+ Mandatory encryption in transit for all data transfers
+ Integration with AWS KMS for key management

### Access Control
<a name="access-control"></a>

The solution implements the principle of least privilege:
+ Least-privileged permissions by default for all deployed resources
+ Role-based access control (RBAC) implementation
+ Secure self-service deployments through AWS Service Catalog (optional)

### Governance Controls
<a name="governance-controls"></a>

MDAA provides several governance mechanisms:
+ AWS CloudFormation as the single deployment mechanism through CDK
+ Consistent resource naming conventions across all deployments
+ Standardized tagging strategy for all generated resources
+ Centralized change management through Infrastructure as Code

### Resource Management
<a name="resource-management"></a>

Security is enforced through:
+ Consistent deployment patterns across all MDAA modules
+ Standardized SSM parameter publication for secure resource reference
+ Compliant resource configurations by default

### Monitoring and Metrics
<a name="monitor-metrics"></a>

The solution includes:
+ Anonymous operational metrics collection (with opt-out capability)
+ Integration with AWS native security monitoring services
+ Compliance validation capabilities

# Quotas
<a name="quotas"></a>

Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Quotas for AWS services in this solution
<a name="quotas-for-aws-services-in-this-solution"></a>

Make sure you have sufficient quota for the services to be deployed by your configuration. For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

Use the following links to go to the page for that service. To view the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead.


|  |  | 
| --- |--- |
|   [Amplify](https://docs.aws.amazon.com/general/latest/gr/amplify.html)   |   [Amazon ECR](https://docs.aws.amazon.com/general/latest/gr/ecr.html)   | 
|   [Athena](https://docs.aws.amazon.com/general/latest/gr/athena.html)   |   [Lambda](https://docs.aws.amazon.com/general/latest/gr/lambda-service.html)   | 
|   [CloudFront](https://docs.aws.amazon.com/general/latest/gr/cf_region.html)   |   [OpenSearch Service](https://docs.aws.amazon.com/general/latest/gr/opensearch-service.html)   | 
|   [Cognito](https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html)   |   [Neptune](https://docs.aws.amazon.com/general/latest/gr/neptune.html)   | 
|   [Config](https://docs.aws.amazon.com/general/latest/gr/awsconfig.html)   |   [Amazon S3](https://docs.aws.amazon.com/general/latest/gr/s3.html)   | 
|   [Amazon ECS](https://docs.aws.amazon.com/general/latest/gr/ecs-service.html)   |  | 

## AWS CloudFormation quotas
<a name="aws-cloudformation-quotas"></a>

Your AWS account has AWS CloudFormation quotas that you should be aware of when launching this solution. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this solution successfully. For more information, see [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User’s Guide*.

## AWS Lambda quotas
<a name="aws-lambda-quotas"></a>

Your account has an AWS Lambda concurrent execution quota of 1000. If the solution is used in an account where there are other workloads running and using Lambda, then set this quota to an appropriate value. This value is adjustable; for more information, see [AWS Lambda quotas](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html) in the *AWS Lambda User’s Guide*.

**Note**  
This solution requires 150 executions from the concurrent execution quota to be available in the account to which the solution is being deployed. If there are fewer than 150 executions available in that account, the CloudFormation deployment will fail.

## Amazon VPC quotas
<a name="amazon-vpc-quotas"></a>

Your AWS account can contain five VPCs and two Elastic IPs (EIPs). If the solution is used in an account with other VPCs or EIPs, this could prevent you from deploying this solution successfully. If you are at risk of reaching this quota, you may provide your own VPC for deployment by providing it in your configuration. For more information, see [Amazon VPC quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html) in the *Amazon VPC User’s Guide*.
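The Lambda and VPC quota checks above can be run as a pre-flight script before launching the installer template. The following is an added example, not code from the solution itself; it uses the thresholds stated in this guide (150 free Lambda concurrent executions, five VPCs, two EIPs), assumes the solution needs one free VPC and one free EIP when it creates its own VPC, and assumes `boto3` with credentials for the target account and Region is available for the live lookup.

```python
"""Pre-flight quota check for an MDAA deployment (added example, not the
solution's own code). evaluate_quotas() is pure and runs offline; only
fetch_account_state() talks to AWS and needs boto3 plus credentials."""
from dataclasses import dataclass

REQUIRED_LAMBDA_CONCURRENCY = 150  # from the guide's Lambda quota note
DEFAULT_VPC_QUOTA = 5              # from the guide's Amazon VPC quota section
DEFAULT_EIP_QUOTA = 2


@dataclass
class AccountState:
    unreserved_concurrency: int  # Lambda AccountLimit.UnreservedConcurrentExecutions
    vpc_count: int
    eip_count: int
    vpc_quota: int = DEFAULT_VPC_QUOTA
    eip_quota: int = DEFAULT_EIP_QUOTA


def evaluate_quotas(state: AccountState) -> list:
    """Return blocking findings; an empty list means the deployment may proceed."""
    findings = []
    if state.unreserved_concurrency < REQUIRED_LAMBDA_CONCURRENCY:
        findings.append(f"Lambda: {state.unreserved_concurrency} unreserved concurrent "
                        f"executions available, {REQUIRED_LAMBDA_CONCURRENCY} required")
    # Assumption: the solution creates a VPC (and an EIP) unless you supply your
    # own VPC in the configuration, so a full quota blocks deployment.
    if state.vpc_count >= state.vpc_quota:
        findings.append(f"VPC: {state.vpc_count}/{state.vpc_quota} in use; "
                        "provide your own VPC or request a quota increase")
    if state.eip_count >= state.eip_quota:
        findings.append(f"EIP: {state.eip_count}/{state.eip_quota} in use")
    return findings


def fetch_account_state(region: str) -> AccountState:
    """Populate AccountState from the live account (boto3 and credentials assumed)."""
    import boto3  # imported here so evaluate_quotas() stays usable offline
    lam = boto3.client("lambda", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    limits = lam.get_account_settings()["AccountLimit"]
    return AccountState(
        unreserved_concurrency=limits["UnreservedConcurrentExecutions"],
        vpc_count=len(ec2.describe_vpcs()["Vpcs"]),
        eip_count=len(ec2.describe_addresses()["Addresses"]))


if __name__ == "__main__":
    import sys
    problems = evaluate_quotas(fetch_account_state(sys.argv[1] if len(sys.argv) > 1 else "us-east-1"))
    print("\n".join(problems) or "Quota pre-flight check passed")
    sys.exit(1 if problems else 0)
```

Run it with the target Region as the only argument; a non-zero exit code means at least one quota would block the CloudFormation deployment.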