Tenet 3. Have a clear strategy and governance to support it - AWS Prescriptive Guidance

Deciding to pursue a multicloud strategy is insufficient; you must establish a strategy for delivering on your objectives, including clear governance for which workloads will go where and why. Evaluation criteria should be used to optimize workloads and their dependencies. If the evaluation is left up to individuals, an uncoordinated sprawl across CSPs will likely erode the value of the multicloud strategy. We recommend that you evaluate CSP workload performance regularly and use your assessment as a key input to CSP selection, criteria, and future usage.

An effective governance strategy requires visibility into the total number of services, applications, and components used across the enterprise. Integral to this is a robust tagging strategy that spans CSPs and establishes clear ownership, usage, and environment (such as development, QA, staging, and production) for all deployed resources. Everything should be tagged to an owner; if it is not tagged or an owner cannot be identified, it should be removed. We work closely with a major financial services organization that automatically finds and removes any untagged resources, and considers this a best practice, regardless of the inconvenience it presents to development teams. This tagging approach codifies governance rules and automates enforcement instead of creating blocks to progress (that is, it implements guardrails, not gates). Cost, operations, and security must be tracked, monitored, and acted upon in the same way, with the same depth of data and transparency across CSPs.

When you implement a multicloud strategy, establishing a clear and consistent account structure across cloud providers is crucial for maintaining operational control and security. We recommend adopting a hub-and-spoke model, where you create separate AWS accounts for different business units. These are anchored by two critical central accounts: a security/audit account for consolidated compliance and security monitoring, and a central networking account for managing interconnectivity. (This approach is codified in the design of AWS Control Tower. However, the principles of least privilege and separation of duties are equally applicable to other clouds. The AWS Well-Architected Framework discusses these concepts at length, and is highly recommended for technical audiences.) This foundational approach should be mirrored across cloud providers to maintain consistency in governance and operations. Workload accounts should be organized by environment (development, staging, production) or function, with clear processes established for account creation and deletion.

Our guidance:

  • Implement a comprehensive tagging strategy to maintain clear ownership and usage patterns across all cloud resources. Track environments, cost centers, applications, and business units through consistent tagging policies. Remove resources that lack proper tags to enforce governance standards and maintain environment clarity.

  • Establish a unified compliance framework that maps regulatory requirements across your multicloud environment. Maintain clear documentation of how each cloud provider's controls and certifications support your compliance obligations.

  • Enforce governance through automation instead of manual approval processes. Code your governance rules into automated systems that prevent policy violations before they occur. This removes human error while maintaining development velocity.

  • Structure accounts in a hub-and-spoke model with centralized security and networking control. Create dedicated accounts for security auditing and network management to centralize critical functions. This foundation enables consistent security policies and network connectivity across the organization.

  • To maintain operational boundaries, create separate accounts, subscriptions, or projects (depending on your CSP's nomenclature) for different environments and functions. Divide workloads by development, staging, and production environments. This separation prevents security incidents from spreading and maintains clear operational domains.

  • Monitor costs, operations, and security through consistent metrics across the environment. Implement unified monitoring for resource utilization, security events, and spending patterns. Use this data to optimize workload placement and resource allocation decisions.

  • Prevent unauthorized cloud usage through organizational policies and automated controls. Define clear processes for account creation and resource provisioning. Implement service control policies (SCPs) to enforce compliance with organizational standards across all accounts.

  • Establish detective and preventive controls to prevent shadow IT from emerging through unauthorized provider accounts. Monitor for unauthorized cloud usage through expense reports and network traffic. Block unauthorized provider access while maintaining approved paths for innovation.
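The tagging guardrail described above (required owner, usage and environment tags; resources without an identifiable owner are removed, others are routed back to their owner) as an added example that is not part of the AWS guidance. The inventory record format, the exact tag names and the allowed environment values are assumptions; a real implementation would read the same records from each CSP's inventory API.

```python
"""Tag-compliance guardrail: flag resources that lack required governance tags.

Assumed conventions (not from the page): four required tags, case-insensitive
tag keys, and a fixed set of environment values."""
from dataclasses import dataclass, field

REQUIRED_TAGS = ("owner", "application", "environment", "cost-center")
ENVIRONMENTS = {"development", "qa", "staging", "production"}


@dataclass
class Finding:
    resource_id: str
    provider: str
    missing: list = field(default_factory=list)   # required tags absent or blank
    invalid: dict = field(default_factory=dict)   # tag -> offending value

    @property
    def action(self) -> str:
        # No identifiable owner -> remove the resource; otherwise the owner fixes it.
        return "remove" if "owner" in self.missing else "notify-owner"


def evaluate(inventory):
    """Return one Finding per non-compliant resource; compliant ones yield nothing."""
    findings = []
    for res in inventory:
        tags = {k.lower(): v.strip() for k, v in res.get("tags", {}).items()}
        missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
        invalid = {}
        env = tags.get("environment")
        if env and env.lower() not in ENVIRONMENTS:
            invalid["environment"] = env
        if missing or invalid:
            findings.append(Finding(res["id"], res["provider"], missing, invalid))
    return findings


# Constructed sample inventory spanning three providers (not real resource ids).
SAMPLE_INVENTORY = [
    {"id": "i-0abc", "provider": "aws", "tags": {"Owner": "team-payments", "Application": "ledger",
                                                "Environment": "production", "Cost-Center": "CC100"}},
    {"id": "vm-77", "provider": "azure", "tags": {"owner": "team-sales", "application": "crm",
                                                 "environment": "prod", "cost-center": "CC200"}},
    {"id": "i-0def", "provider": "aws", "tags": {}},
    {"id": "gce-9", "provider": "gcp", "tags": {"owner": " ", "application": "batch",
                                               "environment": "qa", "cost-center": "CC300"}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.provider}:{f.resource_id} -> {f.action} missing={f.missing} invalid={f.invalid}")
```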