Tools and Best Practices for Governance on AWS

Develop a Plan

Implementing cloud governance strategies on AWS will involve defining policies, procedures, and control functions.  These functions are to keep AWS resources that are in use aligned with business priorities, compliant with regulations and standards, and able to reasonably balance those resources with risks in an effective manner.  As we pointed out in our article on the best practices for Well-Architected Framework, there are some methods developers should focus on in regard to governance.

Develop a Plan

Implementing cloud governance strategies on AWS will involve defining policies, procedures, and control functions.  These functions are to keep AWS resources that are in use aligned with business priorities, compliant with regulations and standards, and able to reasonably balance those resources with risks in an effective manner.  As we pointed out in our article on the best practices for Well-Architected Framework, there are some methods developers should focus on in regard to governance.

Define a Governance Framework

The framework should define multiple features including structure, roles, responsibilities between users, policies, procedures, and controls.  These will be largely user-defined by the organization’s IT strategy and its business objectives on AWS.  On a separate note, do not sacrifice the budget to maintain unrealistic functionality goals.

Using Identity Access Management

Controlling what users have access to and what data and functions are important pillars of enforcing security and compliance policies in AWS.  The default solution is AWS Identity Access Management (IAM) for directly managing user accounts, roles, permissions, and access logs.  If there are multiple accounts with different users, AWS Organizations can help centralize permissions across multiple AWS accounts.

Network and Infrastructure Security

AWS Security Groups, Network ACLs, and VPCs are necessary tools for controlling the flow of network traffic and monitoring activity.  Along with watching for suspicious activity within an environment, this helps ensure infrastructure resources are configured correctly.

Data Protection

An AWS environment can handle plenty of data, including personal information on certain customers.  It would be ideal to avoid doxing customers by implementing data encryption, access controls as mentioned above, and data retention policies for otherwise maintaining confidentiality, integrity, and controlling data availability.  As a result, it is important to keep track of what encryption keys are being used in the environment.

Define a Governance Framework

The framework should define multiple features including structure, roles, responsibilities between users, policies, procedures, and controls.  These will be largely user-defined by the organization’s IT strategy and its business objectives on AWS.  On a separate note, do not sacrifice the budget to maintain unrealistic functionality goals.

Using Identity Access Management

Controlling what users have access to and what data and functions are important pillars of enforcing security and compliance policies in AWS.  The default solution is AWS Identity Access Management (IAM) for directly managing user accounts, roles, permissions, and access logs.  If there are multiple accounts with different users, AWS Organizations can help centralize permissions across multiple AWS accounts.

Network and Infrastructure Security

AWS Security Groups, Network ACLs, and VPCs are necessary tools for controlling the flow of network traffic and monitoring activity.  Along with watching for suspicious activity within an environment, this helps ensure infrastructure resources are configured correctly.

Data Protection

An AWS environment can handle plenty of data, including personal information on certain customers.  It would be ideal to avoid doxing customers by implementing data encryption, access controls as mentioned above, and data retention policies for otherwise maintaining confidentiality, integrity, and controlling data availability.  As a result, it is important to keep track of what encryption keys are being used in the environment.

Monitoring Cost Expenditures and Managing Them

While AWS is designed to utilize resources in the most cost-effective ways possible, it does require some degree of manual input to ensure costs do reach optimal levels.  Fortunately, AWS does provide Costs Explorer for free to calculate and project budgets and monitor resource usage.

Compliance and Auditing

Another key component of compliance is the ability to audit logs and capture data concerning activity in an environment.  If security is compromised or performance is suffering, it can be helpful to take a snippet out of environmental history to investigate what happened in order to get a better understanding of what actions can be done to repair any damage and prevent repeat incidents.

Disaster Recovery and Backup Plans

Incidents will inevitably happen in some capacity and it is necessary to draft plans on how to recover from any damage done.  This will usually incorporate recovering any data that might have been lost or stolen during the event and restarting any operations that were halted as a result.  Plans for physical backups and contingencies for shifting instances to continue running the environment should be made.

Monitoring Cost Expenditures and Managing Them

While AWS is designed to utilize resources in the most cost-effective ways possible, it does require some degree of manual input to ensure costs do reach optimal levels.  Fortunately, AWS does provide Costs Explorer for free to calculate and project budgets and monitor resource usage.

Compliance and Auditing

Another key component of compliance is the ability to audit logs and capture data concerning activity in an environment.  If security is compromised or performance is suffering, it can be helpful to take a snippet out of environmental history to investigate what happened in order to get a better understanding of what actions can be done to repair any damage and prevent repeat incidents.

Disaster Recovery and Backup Plans

Incidents will inevitably happen in some capacity and it is necessary to draft plans on how to recover from any damage done.  This will usually incorporate recovering any data that might have been lost or stolen during the event and restarting any operations that were halted as a result.  Plans for physical backups and contingencies for shifting instances to continue running the environment should be made.

Integrated Compliance Tools

To help simplify compliance for developers on AWS, there are a number of services integrated that provide many of the necessary functions for compliance.  There are plenty of moving parts to worry about in order to remain compliant, so here is a general list of services that will contribute.

AWS CloudFormation

This will help with the automation of deploying and managing AWS resources.  Automated operations can be repeated and scanned.  Billing is dependent on how many operations are initiated, the first thousand operations per month per account are free.

AWS Service Catalog

This lets users compose and manage catalogs of AWS resources and services that comply with governance policies.  These catalogs compose of infrastructure as code (IaC) templates that can be shared and are very capable of adjusting to any project at scale.

AWS Organizations

AWS Organizations is helpful for users that own multiple accounts and need something that will centralize all controls, whether it be for scaling, simplifying permissions, optimizing costs, or auditing security.

AWS Control Tower

Along with AWS Organizations, building environments that will be used across multiple accounts can be done from AWS Control Tower.  Everything can be specially tailored for regulation and compliance requirements and even be integrated with any third-party software.  Pricing is rather complicated and depends on which services utilize this service.

AWS Config

Once everything is established, Config helps monitor and evaluate resource configurations so everything continues to meet compliance requirements through monitoring any changes made.  Pricing is based on the number of evaluations done.

AWS CloudTrail

Any API calls made on an AWS environment are tracked here.  Pricing is dependent on stored logs, but there are some features that are free with a month-long trial for the data lakes feature.

AWS Trusted Advisor

This service provides automated recommendations on how to optimize anything from costs to security and compliance.  Pricing can be a bit complicated, but all of the payment plans will charge users the greater of either a set rate or a certain percentage of their monthly AWS expenditures.

Integrated Compliance Tools

To help simplify compliance for developers on AWS, there are a number of services integrated that provide many of the necessary functions for compliance.  There are plenty of moving parts to worry about in order to remain compliant, so here is a general list of services that will contribute.

AWS CloudFormation

This will help with the automation of deploying and managing AWS resources.  Automated operations can be repeated and scanned.  Billing is dependent on how many operations are initiated, the first thousand operations per month per account are free.

AWS Service Catalog

This lets users compose and manage catalogs of AWS resources and services that comply with governance policies.  These catalogs compose of infrastructure as code (IaC) templates that can be shared and are very capable of adjusting to any project at scale.

AWS Organizations

AWS Organizations is helpful for users that own multiple accounts and need something that will centralize all controls, whether it be for scaling, simplifying permissions, optimizing costs, or auditing security.

AWS Control Tower

Along with AWS Organizations, building environments that will be used across multiple accounts can be done from AWS Control Tower.  Everything can be specially tailored for regulation and compliance requirements and even be integrated with any third-party software.  Pricing is rather complicated and depends on which services utilize this service.

AWS Config

Once everything is established, Config helps monitor and evaluate resource configurations so everything continues to meet compliance requirements through monitoring any changes made.  Pricing is based on the number of evaluations done.

AWS CloudTrail

Any API calls made on an AWS environment are tracked here.  Pricing is dependent on stored logs, but there are some features that are free with a month-long trial for the data lakes feature.

AWS Trusted Advisor

This service provides automated recommendations on how to optimize anything from costs to security and compliance.  Pricing can be a bit complicated, but all of the payment plans will charge users the greater of either a set rate or a certain percentage of their monthly AWS expenditures.

Compliance is Complicated

AWS is a complicated platform and mistakes are an understandable and unfavorable outcome.  Check out our other guide on the best practices for achieving a well-architected framework and a more efficient cloud environment.

Compliance is Complicated

AWS is a complicated platform and mistakes are an understandable and unfavorable outcome.  Check out our other guide on the best practices for achieving a well-architected framework and a more efficient cloud environment.