
    Control Tower Landing Zone for AI Workloads - Bedrock + SageMaker Ready

    Sold by: Kriv AI
    Kriv AI deploys a production AWS Control Tower multi-account landing zone pre-wired for Amazon Bedrock + SageMaker + AgentCore. Scope: 9 AI-specific Service Control Policies (DenyBedrockModelAccessWithoutApproval, DenyBedrockCrossRegionEgress, DenySageMakerTrainingDataEgress, DenyAgentCoreWithoutGuardrails, EnforceKMSForBedrockAndSageMaker, DenyPublicBedrockEndpoints, EnforceBedrockModelInvocationLogging, DenyUnencryptedModelRegistry, DenyCrossAccountModelSharingWithoutRAM). PHI/PII data boundaries via Macie + Config; Bedrock token + SageMaker endpoint-hour cost guardrails via AWS Budgets + EventBridge; KMS CMK baseline with BYOK/CloudHSM; PrivateLink-only Bedrock; Bedrock Guardrails org baseline; IAM Identity Center AI RBAC; AWS Config AI-workload conformance pack; Security Hub + GuardDuty + Macie + Inspector org-level; Well-Architected GenAI + ML Lens review. Three tiers: $75K/$125K/$175K. AWS Select + Anthropic CPN.

    Overview

    Generic AWS Control Tower landing zones saturate AWS Marketplace: Rackspace, Caylent, Slalom, SoftwareOne, BJSS, Storm Reply, Rebura, IO Connect, Copebit, and Mission Cloud all sell them. None are AI-specific. Kriv AI deploys a Control Tower landing zone pre-configured for Amazon Bedrock + SageMaker + AgentCore from day one, with AI-specific Service Control Policies, PHI / PII data boundaries, token-spend cost guardrails, and industry-baseline Bedrock Guardrails already attached.

    Only two notable direct competitors exist on AWS Marketplace today. Cortex Reply Landing Zone for AI and Version 1 AI Landing Zone (Public Sector / FS) are direct peers, but both are framed for Public Sector / FS rather than healthcare. Every other Control Tower listing is generic, with no mention of Bedrock, SageMaker, AgentCore, AI-specific SCPs, or AI cost guardrails. AWS's Landing Zone Accelerator (LZA) is the free option most partners resell; it ships without AI-specific opinions. 100% of competitor listings hide pricing. Kriv publishes $75K / $125K / $175K transparently. Amazon Bedrock AgentCore became HIPAA-eligible Feb 10, 2026, unlocking multi-account redesign for healthcare.

    Landing zone deployed.
    • Organizations: management + Security OU + Workload OU + Infrastructure OU + Sandbox OU; Control Tower mandatory + recommended guardrails.
    • 9 AI-specific SCPs: DenyBedrockModelAccessWithoutApproval, DenyBedrockCrossRegionEgress, DenySageMakerTrainingDataEgress, DenyAgentCoreWithoutGuardrails, EnforceKMSForBedrockAndSageMaker, DenyPublicBedrockEndpoints, EnforceBedrockModelInvocationLogging, DenyUnencryptedModelRegistry, DenyCrossAccountModelSharingWithoutRAM.
    • PHI / PII data boundaries (Macie + Config block cross-OU transfer; EventBridge alerts).
    • Cost guardrails (AWS Budgets per-account for Bedrock + SageMaker + AgentCore; EventBridge to FinOps).
    • KMS baseline (CMKs per data classification; BYOK / CloudHSM; annual rotation).
    • VPC + PrivateLink (endpoints for Bedrock, SageMaker, S3, Secrets Manager, KMS; no public egress; Transit Gateway; Network Firewall).
    • Bedrock Guardrails organization baseline (healthcare / life sciences / FS variants; integrates N28).
    • IAM Identity Center with AI-specific permission sets + SAML/OIDC.
    • Audit logging (CloudTrail org trail + Bedrock Model Invocation Logging + AgentCore logs → S3 Object Lock 7-yr HIPAA; Audit Manager).
    • AI-workload Config conformance pack.
    • Detection stack (Security Hub + GuardDuty + Macie + Inspector org-level).
    • Multi-region DR (active-passive Foundation/Standard; active-active Enterprise).
    • Cross-account model registry (SageMaker Model Registry + RAM approval; Bedrock Knowledge Bases via VPC endpoints).
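    The SCP mechanism behind controls such as DenyBedrockCrossRegionEgress and EnforceKMSForBedrockAndSageMaker, shown as an added example that is not Kriv's code and not the policies the listing sells: two hypothetical policy documents in the shape those controls would take (region-pinned Bedrock invocation via `aws:RequestedRegion`; a customer-managed KMS key required on SageMaker training jobs via the `sagemaker:VolumeKmsKey` condition key), plus a small offline evaluator for the two IAM condition operators they use, so the deny behaviour can be checked before the policy is attached to an OU. The approved-region list and the statement Sids are assumptions, and a real EnforceKMS policy would cover more actions than the single training-job action modelled here.

```python
"""Illustrative AI-workload SCPs plus a tiny offline condition evaluator.

Added example, not the vendor's code. Policy shapes are hypothetical
renderings of the listing's DenyBedrockCrossRegionEgress and
EnforceKMSForBedrockAndSageMaker names. Only the StringNotEquals and Null
operators are modelled, not the full IAM policy language.
"""
import json

# Constructed assumption: the regions this org approves for Bedrock calls.
APPROVED_BEDROCK_REGIONS = ["us-east-1", "us-west-2"]

DENY_BEDROCK_CROSS_REGION_EGRESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyBedrockInvokeOutsideApprovedRegions",  # assumed Sid
        "Effect": "Deny",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": "*",
        # aws:RequestedRegion is the region the API call targets, so prompts
        # and completions cannot be routed to an unapproved region.
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_BEDROCK_REGIONS}},
    }],
}

ENFORCE_KMS_FOR_SAGEMAKER_TRAINING = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyTrainingJobWithoutCustomerManagedKey",  # assumed Sid
        "Effect": "Deny",
        "Action": "sagemaker:CreateTrainingJob",
        "Resource": "*",
        # Null=true matches when the request names no VolumeKmsKey at all,
        # i.e. the job volume would fall back to a non-CMK default.
        "Condition": {"Null": {"sagemaker:VolumeKmsKey": "true"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Match an IAM action against 'svc:Name', 'svc:Prefix*' or '*' patterns."""
    for pattern in _as_list(patterns):
        if pattern == "*" or pattern == action:
            return True
        if pattern.endswith("*") and action.startswith(pattern[:-1]):
            return True
    return False


def _condition_matches(condition, context):
    """True when every operator/key pair in `condition` matches `context`.

    Unmodelled operators raise rather than being silently ignored.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                # A missing key counts as "not equal", so the Deny still fires.
                if actual in _as_list(expected):
                    return False
            elif operator == "Null":
                key_is_absent = actual is None
                if key_is_absent != (str(expected).lower() == "true"):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def is_denied(policy, action, context):
    """True if any Deny statement applies to `action` under `context`.

    SCPs only restrict; they never grant, so a matching Deny is all that
    matters for this check.
    """
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if not _action_matches(statement["Action"], action):
            continue
        if _condition_matches(statement.get("Condition", {}), context):
            return True
    return False


def render_policy(policy):
    """JSON text in the form handed to Organizations, Terraform or CDK."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed request contexts; the KMS ARN is a placeholder.
    cases = [
        (DENY_BEDROCK_CROSS_REGION_EGRESS, "bedrock:InvokeModel", {"aws:RequestedRegion": "eu-west-1"}),
        (DENY_BEDROCK_CROSS_REGION_EGRESS, "bedrock:InvokeModel", {"aws:RequestedRegion": "us-east-1"}),
        (ENFORCE_KMS_FOR_SAGEMAKER_TRAINING, "sagemaker:CreateTrainingJob", {}),
        (ENFORCE_KMS_FOR_SAGEMAKER_TRAINING, "sagemaker:CreateTrainingJob",
         {"sagemaker:VolumeKmsKey": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"}),
    ]
    for policy, action, ctx in cases:
        print(action, ctx, "->", "DENY" if is_denied(policy, action, ctx) else "not denied by SCP")
    print(render_policy(DENY_BEDROCK_CROSS_REGION_EGRESS))
```

    The evaluator is deliberately narrow: it answers "would this SCP deny this call?" for the operators used, which is the question a reviewer asks when scoping SCPs in W1 and testing them in W3; final validation still belongs to IAM policy simulation against the real organization.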

    Week-by-week.
    • W1 Scoping: footprint inventory; OU design; SCP scoping; HIPAA / SOC 2 / FedRAMP decision.
    • W2 Control Tower + Security OU: Audit + Log Archive + Security Tooling; baseline CloudTrail + Config.
    • W3 Workload OU + AI SCPs + KMS + VPC + Identity Center: all 9 SCPs deployed + tested; KMS baseline; PrivateLink; SAML/OIDC.
    • W4 Audit + Detection + Conformance packs; Foundation closes (30-day warranty).
    • W5 Standard: Data boundaries + Cost guardrails + Guardrails baseline + Model Registry (45-day warranty).
    • W6 Enterprise: Multi-region active-active DR + sibling integration (N23 / N27 / N28) + Well-Architected GenAI + ML Lens review (60-day hypercare).

    Three tiers.
    • Foundation $75K (4 wk; single OU; single region; core 5 of 9 SCPs; 3–5 accounts; 30-day warranty): for AI-native Series B–E companies + Fortune 1000 first pilots.
    • Standard $125K (5 wk; multi-OU; multi-region active-passive DR; all 9 SCPs; PHI/PII boundaries; cost guardrails; Bedrock Guardrails org baseline; 5–10 accounts; 45-day warranty): for mid-sized scaling AI + SOC 2 expansion.
    • Enterprise $175K (6 wk; 10+ accounts; full AI-governance SCPs + Config conformance pack; industry-variant Guardrails baseline; active-active DR; GenAI + ML Lens review; 60-day hypercare): for regulated enterprises (G-SIB banks, top-25 payers + pharmas).
    • Optional Extra Account: $25K each.

    Important disclosures. Kriv does NOT migrate existing workloads (separate engagement). Does NOT operate the landing zone post-deployment (unless under a Managed Service retainer). Issues no SOC 2 / HIPAA / HITRUST / ISO / FedRAMP certifications; external CPA firms, HITRUST EAOs, or 3PAOs are required for those. No legal / regulatory / compliance advice. AWS + Anthropic + Bedrock consumption billed separately. No regulator-outcome guarantee. No Control Tower / Organizations API stability guarantee. Anthropic CPN membership does not constitute endorsement.

    Highlights

    • First AI-specific Control Tower landing zone on AWS Marketplace with published pricing, with 9 curated AI SCPs pre-deployed: DenyBedrockModelAccessWithoutApproval, DenyBedrockCrossRegionEgress, DenySageMakerTrainingDataEgress, DenyAgentCoreWithoutGuardrails, EnforceKMSForBedrockAndSageMaker, DenyPublicBedrockEndpoints, EnforceBedrockModelInvocationLogging, DenyUnencryptedModelRegistry, DenyCrossAccountModelSharingWithoutRAM. PHI/PII boundaries via Macie + Config at the OU edge.
    • Bedrock Guardrails organization baseline + PrivateLink-only Bedrock + KMS required + HIPAA-eligible region enforcement via SCPs + token-spend cost guardrails (per-account AWS Budgets + EventBridge alerts to FinOps). IAM Identity Center with AI-specific permission sets (MLOps, Data Scientist, AI Platform Engineer, AI Governance Officer, Compliance Officer, Auditor). CloudTrail org trail + Bedrock Model Invocation Logging + AgentCore logs → S3 Object Lock 7-year HIPAA retention.
    • AWS Select + Anthropic CPN: 4–6 weeks, $75K / $125K / $175K published-price tiers (100% of competitors hide pricing). Enterprise tier adds multi-region active-active DR + Well-Architected Generative AI + Machine Learning Lens review. Only 2 notable direct competitors globally (Cortex Reply + Version 1, Public Sector / FS framed, not healthcare). AWS AgentCore HIPAA eligibility (Feb 10 2026) drives multi-account redesign for healthcare customers; Kriv plants the flag.

    Details

    Sold by. Kriv AI
    Delivery method. Deployed on AWS

    Pricing

    Custom pricing options

    Pricing is based on your specific requirements and eligibility. To get a custom quote for your needs, request a private offer.


    Legal

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Support

    Vendor support

    Primary contact. info@kriv.ai · +1-732-433-5564 · https://kriv.ai/support

    Response SLA. First response within 2 US business days (Mon–Fri 9 am – 6 pm ET, excluding US federal holidays). Active engagements: Engagement Lead responds within 4 business hours on weekdays. For CISO-blocked Bedrock production rollouts, first response compresses to the same business day.

    Onboarding SLA. First customer contact within 2 US business days of buyer inquiry / private-offer acceptance. Kickoff within 2–3 weeks of SOW; 5–10 business days when enforcement-driven.

    Escalation. (1) Engagement Lead (named in SOW) → (2) Practice Director (info@kriv.ai) → (3) CEO Abhinav Dangri (info@kriv.ai).

    Communication. Dedicated Microsoft Teams channel; weekly 60-min video checkpoint; Friday written status. Customer SMEs 4–6 hrs/week (CISO, Chief Cloud Architect, Head of Platform Engineering, Head of AI Platform, CIO, CAIO, HIPAA Privacy Officer, Head of FinOps, Head of Security Engineering, Compliance).

    Handoff. Word/Excel/PDF in customer secure share; landing-zone architecture as .drawio + PNG; Organizations + SCPs as JSON + Terraform / CDK; KMS + permission sets as JSON + Excel; AI-workload Config conformance pack as CloudFormation; GenAI + ML Lens review (Enterprise) as PDF + Excel scorecard.

    Out of scope. Does NOT migrate existing workloads (separate). Does NOT operate landing zone post-deployment (unless Managed Service retainer). Issues no SOC 2 / HIPAA / HITRUST / ISO / FedRAMP certifications. No legal / regulatory / compliance advice. No regulator-outcome guarantee. No Control Tower / Organizations API stability guarantee.

    AWS + Anthropic-side billing. AWS infrastructure + Anthropic API + Bedrock Claude consumption separate.

    Holiday coverage. Closed on US federal holidays.