Governance in AWS, Azure, GCP

What does governance mean in the context of a public cloud?

Governance , while often used in the context of ‘cost governance’ , can actually apply to either of the following.

• Automation Governance – Resource Provisioning Automation, Account Automation, Policy Automation
• Budget Enforcement and Cost Compliance Governance on AWS, Azure, GCP
• Security Compliance for AWS, Google Cloud and Azure
• Base Enablement – Tagging of assets on GCP, Azure and AWS. Centralized Logging of events and across multiple accounts and subscriptions.  This is probably the FIRST thing you should tackle when it comes to ensuring compliance for any of the other three categories (Security, Automation or Cost)

Automation – Includes Policy Automation, Account Automation, Identity Federation

Resource Provisioning

• AWS Service Catalog automate  – network architecture baselining. They replace manual processes, and facilitate the use of pre-defined, standardized system deployment templates.
• AWS Landing Zones and
• AWS Quick Starts

Account Automation

• Services such as AWS Organizations, AWS CloudFormation –  AWS account provisioning
• AWS Landing Zones

Policy Automation

• AWS guidance to achieve governance at scale automates the application of company policies, deploying accounts with standard specifications to ensure consistency across AWS accounts and resources. The policy engine is flexible to accommodate and enforce different types of security polices such as AWS Identity and Access Management (IAM), AWS CloudFormation, or custom scripts.

Identity Federation

•  AWS governance solutions employ AWS Single Sign-On (SSO) through federated identity integration with external authentication providers such as OpenID, or Active Directory to centralize AWS account management and simplify user access to AWS accounts. When SSO is used in conjunction with AWS CloudTrail, user activity can be tracked across multiple AWS accounts.

Budget Enforcement

Enforcement of budget constraints is a key component of governance at scale. Each layer of the company defines spending limits within accounts and projects, monitors account spending in near real-time, and triggers warning notifications or enforcement actions. Automated actions include:

• Restricting the use of AWS resources to those that cost less than a specified price.
• Throttle new resource provisioning.
• Shut down, terminate, or de-provision AWS resources after archiving configurations and data for future use.

Security Compliance

• AWS services or Amazon Virtual Private Cloud (Amazon VPC) baseline configurations can be provisioned using standardized AWS configurations or AWS CloudFormation templates
• These templates align with the company’s security and compliance requirements and have been evaluated and approved by company’s risk decision makers.
• Well implemented security automation is responsive to security incidents. This includes processes to respond to policy violations by revoking IAM user access, preventing new resource allocation, terminating resources, or isolating existing cloud resources for forensic analysis.
•  Automation can be accomplished by collecting and storing AWS logging data into centralized data lakes and performing analytics, or basing responses on the output of other analytics tools.
• At each level of the hierarchy the company can specify which AWS Services, features, and resources are approved for use on a per department, per user, or per project basis. This ensures self-service requests can’t provision unapproved items, as illustrated in the following diagram.

Base Enablement – Tagging and Logging

As discussed in the opening paragraph, this is the first step in getting any of the other pieces even close to working.

• Centralized logging – There’s a good deal of options – including cloud native options (e.g. centralized S3 bucket logging in AWS) as well as third party open source solutions such as the ELK stack.
• Tagging Strategy and Enforcement on AWS, Azure and Google Cloud – This is such a key area that, if done right, it can help answer the toughest questions around your cloud environment.

Summary

People use the word Governance very loosely, both for on premises as well as cloud environments. In cloud environments, your first concern should be getting base enablement – which involves a comprehensive asset tagging strategy as well as a centralized logging mechanism. Once your environment has this base enablement, some of the other governance can be put in place – using custom policies for security governance, cloud native (Security Hub, Google Command Center, Azure Policy Management…), for automatic checking of resource compliance.

Need assistance with your GCP, Azure or AWS compliance efforts or security audits?