Appealing features of cloud services motivate consumers to migrate their core businesses to them. However, there are challenges about security, privacy, and compliance. Building compliant systems is difficult because of the complex nature of regulations and cloud systems. In addition, the lack of reference architectures (RAs) makes compliance even harder. RAs should be complete, precise, abstract, vendor neutral, platform independent, with no implementation details, however, their levels of detail and abstraction are still debatable and there is no accepted definition about what an RA should contain. Existing approaches used to build RAs lack structured templates and systematic procedures. In addition, most approaches do not take full advantage of patterns and best practices that promote architectural qualities such as modularity, reusability, flexibility and usability. We propose here a five-step approach to build an RA that can improve the quality of the concrete architectures derived from it and from which we can derive more specialized RAs. These RAs take advantage of patterns and best practices that promote software quality.