
Tools and Best Practices for Governance on AWS

Cloud infrastructure is far more agile and responsive than traditional IT. Because resources are cheap to create and discard, there is more tolerance for failure. That same ease of change is why a cloud environment needs a strong combination of IT governance and organizational governance to stay both agile and safe, and finding that balance can be a significant challenge.

Develop a Plan

Implementing cloud governance on AWS means defining policies, procedures, and control functions. Their job is to keep the AWS resources in use aligned with business priorities, compliant with regulations and standards, and balanced against risk in a reasonable way. As we pointed out in our article on best practices for the Well-Architected Framework, there are several areas developers should focus on when it comes to governance.


Define a Governance Framework

The framework should define structure, roles and responsibilities, policies, procedures, and controls. These will largely be determined by the organization's IT strategy and its business objectives on AWS. On a related note, do not sacrifice the budget to chase unrealistic functionality goals.

 

Using Identity and Access Management

Controlling which users have access to which data and functions is one of the pillars of enforcing security and compliance policies in AWS. The default tool is AWS Identity and Access Management (IAM), which manages users, roles, and the permission policies attached to them (the record of who actually used that access lives in CloudTrail, covered below). If there are multiple accounts with different users, AWS Organizations can centralize control across them: service control policies (SCPs) set the maximum permissions available in each member account, and an identity in that account only gets a permission if both the SCP and its own IAM policy allow it.
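The way an Organizations SCP and an IAM identity policy combine is easy to get wrong, so here is the evaluation logic written out. This is an added example for this article, not AllCode's or AWS's code: the two policy documents, the bucket name, the account ID and the trail ARN are constructed, and the model only covers Action/Resource matching with `*` and `?` wildcards plus the StringEquals/StringNotEquals condition operators (resource policies, permissions boundaries and NotAction are left out). The rules it implements are the documented ones: an explicit Deny in either document wins; otherwise the SCP must allow the action and the identity policy must allow it too.

```python
"""How an AWS Organizations service control policy (SCP) combines with an IAM
identity policy, reduced to the documented evaluation rules.

Added example for this article, not AllCode's or AWS's code. Policies, names
and IDs below are constructed. Modelled: Action/Resource globs and the
StringEquals/StringNotEquals operators. Not modelled: resource policies,
permissions boundaries, NotAction/NotResource.
"""
from fnmatch import fnmatchcase

# Constructed SCP attached to a workload OU: everything is permitted except
# tampering with CloudTrail and using regions outside an approved list.
ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail"],
         "Resource": "*"},
        # Caveat: a real region-restriction SCP also exempts global services
        # (IAM, STS, Organizations) via NotAction; this one does not.
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["us-east-1", "us-west-2"]}}},
    ],
}

# Constructed identity policy for a developer role in a member account.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style glob match ('*' and '?'); real IAM also ignores case in actions."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)          # None when the key is absent
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # An absent key satisfies StringNotEquals, as in real IAM.
                if actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def policy_decision(policy, action, resource, context):
    """Return 'Deny', 'Allow' or None (no matching statement) for one document."""
    decision = None
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"              # explicit deny short-circuits
        decision = "Allow"
    return decision


def is_allowed(scp, identity_policy, action, resource, context):
    """The SCP and the identity policy must both allow, and neither may deny."""
    scp_decision = policy_decision(scp, action, resource, context)
    idp_decision = policy_decision(identity_policy, action, resource, context)
    if "Deny" in (scp_decision, idp_decision):
        return False
    return scp_decision == "Allow" and idp_decision == "Allow"


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"
    ctx = {"aws:RequestedRegion": "us-east-1"}
    obj = "arn:aws:s3:::app-bucket/config.json"
    print(is_allowed(ORG_SCP, DEVELOPER_POLICY, "s3:GetObject", obj, ctx))          # True
    print(is_allowed(ORG_SCP, DEVELOPER_POLICY, "cloudtrail:StopLogging", trail, ctx))  # False: SCP deny
    print(is_allowed(ORG_SCP, DEVELOPER_POLICY, "s3:GetObject", obj,
                     {"aws:RequestedRegion": "eu-west-1"}))                       # False: region deny
```

The point to take from the last two calls is that the developer's own policy grants `cloudtrail:*`, yet `StopLogging` is still refused because the SCP denies it, and a perfectly valid S3 read is refused in `eu-west-1` because the SCP never allowed that region. An SCP is a ceiling, not a grant: adding an Allow to an SCP gives nobody any access on its own.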

 

Network and Infrastructure Security

Amazon VPCs, Security Groups, and Network ACLs are the basic tools for controlling the flow of network traffic: security groups are stateful and attach to individual resources, while network ACLs are stateless and apply at the subnet boundary. They do not monitor anything on their own; pair them with VPC Flow Logs to watch for suspicious activity and to confirm that the rules you wrote are the rules actually in effect.

 

Data Protection

An AWS environment can hold a great deal of data, including personal information about customers. To avoid exposing that data, implement encryption at rest and in transit, the access controls discussed above, and data retention policies, so that confidentiality, integrity, and availability are all maintained. Encryption also means key management: keep track of which AWS KMS keys are in use in the environment, who is allowed to use them, and whether rotation is enabled.


Monitoring and Managing Costs

While AWS is designed to let you use resources cost-effectively, it takes some manual input to actually reach optimal spending. AWS Cost Explorer (free to use in the console; API requests are charged) breaks down and forecasts usage, and AWS Budgets can alert you when actual or forecast spend crosses a threshold you set.

 

Compliance and Auditing

Another key component of compliance is the ability to audit logs and capture a record of activity in the environment. If security is compromised or performance is suffering, being able to pull the relevant slice of the environment's history (which principal called which API, from where, and what changed) is what lets you understand what happened, repair the damage, and prevent a repeat.

 

Disaster Recovery and Backup Plans

Incidents will inevitably happen in some form, so recovery plans must be drafted in advance. This usually means restoring any data that was lost or corrupted during the event and restarting any operations that were halted as a result. Plan for backups (for example with AWS Backup, with copies kept in a separate account or region so a compromised account cannot delete them) and for contingencies such as failing instances over to another Availability Zone or region so the environment keeps running.


Integrated Compliance Tools

To simplify compliance for developers on AWS, a number of integrated services provide many of the functions compliance requires. There are plenty of moving parts to track in order to remain compliant, so here is a general list of the services that contribute.

 

AWS CloudFormation

CloudFormation automates the deployment and management of AWS resources from templates. Because the same template can be deployed repeatedly, its output is predictable, and the template itself can be scanned for policy violations before anything is created. There is no charge for CloudFormation itself when it manages AWS resources; the per-operation billing (with the first thousand handler operations per month per account free) applies only to third-party resource types from the CloudFormation registry.

 

AWS Service Catalog

This lets users build and manage catalogs of AWS resources and services that comply with governance policies. The catalogs consist of infrastructure as code (IaC) templates that can be shared across accounts and scale to projects of any size, so developers can deploy only configurations that have already been approved.

 

AWS Organizations

AWS Organizations is for users who own multiple accounts and need one place to centralize controls, whether for scaling, simplifying permissions, optimizing costs, or auditing security.

 

AWS Control Tower

Building on AWS Organizations, AWS Control Tower sets up and governs a multi-account environment (a landing zone) with preconfigured guardrails. The guardrails can be tailored to regulation and compliance requirements, and third-party tools can be integrated. Control Tower itself has no separate charge; you pay for the underlying services it enables, such as AWS Config and CloudTrail.

 

AWS Config

Once everything is established, Config records resource configurations and evaluates them against rules, so any change that breaks a compliance requirement is caught. Pricing is based on the number of configuration items recorded and the number of rule evaluations.
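The rule evaluations Config charges for are the interesting part, and a custom rule is where the Network and Infrastructure Security guidance above becomes something enforced rather than hoped for. Here is the logic for one such rule, which flags security groups that allow ingress from anywhere on administrative ports. This is an added example for this article, not AllCode's or AWS's code: the two configuration items are constructed to mirror the layout Config records for `AWS::EC2::SecurityGroup` (an `ipPermissions` list inside `configuration`), and the port list and resource IDs are assumptions. In a deployed rule `lambda_handler` would run as the rule's Lambda function and report the result with `put_evaluations()`; here it returns the evaluation so the logic runs offline.

```python
"""Logic for a custom AWS Config rule that flags security groups allowing
ingress from anywhere (0.0.0.0/0 or ::/0) on administrative ports.

Added example for this article, not AllCode's or AWS's code. Configuration
items are constructed to mirror Config's AWS::EC2::SecurityGroup layout; the
port list and IDs are assumptions. A deployed rule would send the returned
evaluation with the Config put_evaluations() API instead of returning it.
"""
import json

ADMIN_PORTS = (22, 3389, 3306, 5432)     # assumption: ports this organization guards
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _port_range(permission):
    """Config records ipProtocol '-1' (all traffic) with no port bounds."""
    low, high = permission.get("fromPort"), permission.get("toPort")
    if permission.get("ipProtocol") == "-1" or low is None or high is None:
        return 0, 65535
    return low, high


def open_admin_ports(configuration):
    """Return the sorted administrative ports reachable from any address."""
    exposed = set()
    for permission in configuration.get("ipPermissions", []):
        cidrs = [r.get("cidrIp") for r in permission.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
        if not ANYWHERE.intersection(c for c in cidrs if c):
            continue
        low, high = _port_range(permission)
        exposed.update(p for p in ADMIN_PORTS if low <= p <= high)
    return sorted(exposed)


def evaluate_compliance(item):
    """Map one configuration item to a Config compliance type and annotation."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource has been deleted"
    ports = open_admin_ports(item.get("configuration", {}))
    if ports:
        return "NON_COMPLIANT", f"ingress from anywhere on port(s) {ports}"
    return "COMPLIANT", "no administrative port open to the world"


def lambda_handler(event, context=None):
    """Entry point shaped like a Config custom rule: the configuration item
    arrives as JSON text in event['invokingEvent']."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def _item(resource_id, permissions):
    """Build a constructed configuration item (sample data, not a real account)."""
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": resource_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2023-01-01T00:00:00.000Z",
        "configuration": {"groupId": resource_id, "ipPermissions": permissions},
    }


# Constructed samples: one group exposes SSH to the internet, the other only
# allows HTTPS from anywhere and SSH from a corporate range.
OPEN_SSH_SG = _item("sg-0a1b2c3d4e5f60001", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
])
RESTRICTED_SG = _item("sg-0a1b2c3d4e5f60002", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": [{"cidrIp": "10.20.0.0/16"}], "ipv6Ranges": []},
])


def make_event(item):
    """Wrap a configuration item the way Config hands it to the rule's Lambda."""
    return {"invokingEvent": json.dumps({
        "configurationItem": item,
        "messageType": "ConfigurationItemChangeNotification"})}


if __name__ == "__main__":
    for sg in (OPEN_SSH_SG, RESTRICTED_SG):
        print(json.dumps(lambda_handler(make_event(sg)), indent=2))
```

Two details matter in practice: a rule that only looks at `fromPort == 22` misses an all-traffic (`ipProtocol: "-1"`) rule, which is why the port range is normalised first, and a deleted resource must be reported as NOT_APPLICABLE rather than left as a stale NON_COMPLIANT finding.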

 

AWS CloudTrail

Every API call made in an AWS environment is recorded by CloudTrail, along with who made it, from where, and when. The first copy of management events delivered to S3 is free; additional copies, data events (such as S3 object-level activity), and CloudTrail Lake, the built-in queryable store, are charged, with a 30-day free trial for Lake.
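Recording the calls is only useful if someone looks at them, which is the point of the Compliance and Auditing section above. Here is a small triage pass over a CloudTrail log file that flags the events a governance team usually wants to know about first. This is an added example for this article, not AllCode's or AWS's code: the log file is constructed to follow the CloudTrail record layout (a `Records` array whose entries carry `eventSource`, `eventName`, `userIdentity`, `additionalEventData` and `errorCode`), the account ID, ARNs and names are made up, and the watch list and the AccessDenied threshold are assumptions about what this organization cares about.

```python
"""Triage of CloudTrail records for governance-relevant activity.

Added example for this article, not AllCode's or AWS's code. The sample log
file is constructed in the CloudTrail record layout; account ID, ARNs and
names are made up. The watch list and the AccessDenied threshold are
assumptions, not an AWS recommendation.
"""
import json
from collections import Counter

# Assumption: API calls that weaken audit or security controls.
WATCHED_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
    "kms.amazonaws.com": {"ScheduleKeyDeletion", "DisableKey", "DisableKeyRotation"},
    "iam.amazonaws.com": {"CreateAccessKey", "AttachUserPolicy", "UpdateAssumeRolePolicy"},
}
ACCESS_DENIED_THRESHOLD = 3


def parse_log_file(text):
    """CloudTrail delivers gzip-compressed JSON files with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def actor(record):
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("type", "unknown")


def triage_record(record):
    """Findings for one record; an empty list means nothing noteworthy."""
    findings = []
    identity = record.get("userIdentity", {})
    source, name = record.get("eventSource"), record.get("eventName")
    if identity.get("type") == "Root":
        findings.append("root-account-activity")
    if (name == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append("console-login-without-mfa")
    if name in WATCHED_EVENTS.get(source, ()):
        findings.append(f"security-control-change:{name}")
    return findings


def triage(records):
    """Return (eventTime, actor, finding) tuples for a batch of records."""
    alerts = []
    denied = Counter()
    for record in records:
        for finding in triage_record(record):
            alerts.append((record.get("eventTime"), actor(record), finding))
        if record.get("errorCode") == "AccessDenied":
            denied[actor(record)] += 1
    for who, count in denied.items():
        if count >= ACCESS_DENIED_THRESHOLD:
            alerts.append((None, who, f"access-denied-burst:{count}"))
    return alerts


# Constructed log file, not a real capture.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2023-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-06-01T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2023-06-01T08:11:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
] + [
    {"eventTime": f"2023-06-01T09:0{i}:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/carol"}}
    for i in range(3)
]})


if __name__ == "__main__":
    for alert in triage(parse_log_file(SAMPLE_LOG)):
        print(alert)
```

Root usage is flagged even when MFA was used, because under a governance model the root user should not be doing day-to-day work at all. The `StopLogging` finding is also the reason the SCP in the IAM section denies that call: detection tells you it happened, the SCP stops it happening.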

 

AWS Trusted Advisor

This service provides automated recommendations on how to optimize anything from costs to security and compliance. A core set of checks is free; the full set requires a Business or Enterprise Support plan, and those plans charge the greater of a set monthly rate or a percentage of your monthly AWS spend.


Compliance is Complicated

AWS is a complicated platform, and mistakes are an understandable but unwelcome outcome. Check out our other guide on best practices for achieving a well-architected framework and a more efficient cloud environment.


Dolan Cleary


I am a recent graduate from the University of Wisconsin - Stout and am now working with AllCode as a web technician. Currently working within the marketing department.
