Management and Governance Lens

The AWS Well-Architected Framework helps you understand the pros and cons of decisions you make while building systems on AWS. The Management and Governance Lens (M&G Lens) provides prescriptive guidance on how to manage your AWS workloads so that you have environments that are migration-ready, scale-ready and cost-efficient.

Providing controlled and secure cloud resources with cost, compliance, and operational transparency is a critical part of leveraging the cloud for applications. To help customers create effective workloads in the cloud, AWS developed the AWS Well-Architected Framework. The Framework helps you understand the pros and cons of decisions you make when creating workloads on AWS. By using the Framework, you will learn architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. It provides a way for you to consistently measure your architectures against best practices and identify areas for improvement. We believe that having well-architected systems greatly increases the likelihood of business success.

In an extension of the Framework, AWS has developed the Management and Governance Lens (M&G Lens) to provide prescriptive guidance on designing your AWS environment with governance so that you can manage, scale, and operate a secure and cost-efficient environment.

This Lens provides guidance to cloud, networking, and security architects on how to configure their baseline AWS environment with management and governance – using AWS services and AWS Partner Network (APN) partners.

To fully evaluate your workloads and industry scenarios, use applicable lenses from the Well-Architected Framework along with the Management and Governance Lens. Well-Architected lenses extend the guidance offered by AWS Well-Architected to specific industry and technology domains, such as machine learning, analytics, serverless applications, high performance computing (HPC), IoT (Internet of Things), and financial services.

To configure your AWS environment with management and governance, you need to start with the eight foundational capabilities that are needed for any type of cloud environment:

  • Controls and guardrails

  • Network connectivity

  • Identity management

  • Security operations

  • Service management (ITSM)

  • Observability

  • Cloud financial management

  • Sourcing and distribution

Figure: Management and Governance Lens scope diagram

Implement each capability across your AWS environment in an automated and interoperable manner. Deploying all eight capabilities in this way enables you to configure your AWS environment to be ready to build and migrate applications to AWS with cost-efficient operations, management, and governance at scale. This Lens proposes processes, developed with tools from AWS and AWS Partners, that work together to reduce complexity. For instance, the financial controls prescribed by your cloud financial management processes should be embedded as controls when you provision your accounts. Also, as you provision sandbox accounts for a development team, you should implement a control that specifies a spending limit for each account.

With controls in place, you can proactively tune the financial operations of your IT functions to allow for automated cost controls, which permit you to continually evaluate mechanisms that can reduce your cloud costs. Without financial controls in place, you would have to rely on reactive measures, reviewing and responding to spending through manual change processes. Although the manual mechanisms might be effective, they are not the most efficient, and typically require additional operational overhead. Throughout this Lens, you will see the additive benefits of having an interoperable and automated foundation of the proposed eight capabilities in your cloud environments.
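One way to embed the per-account spending limit described above at provisioning time is to deploy a cost budget into each sandbox account. The CloudFormation template below is an added example and is not part of the Lens; the USD limit, budget name and notification address are assumed values, and the template is meant to be delivered to new accounts by whatever provisioning mechanism you already use.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Monthly spending limit control for a sandbox account (added example)

Parameters:
  MonthlyLimitUsd:
    Type: Number
    Default: 500            # assumed sandbox allowance; set per team
  AlertEmail:
    Type: String            # assumed recipient, e.g. the team's distribution list

Resources:
  SandboxMonthlyBudget:
    Type: AWS::Budgets::Budget
    Properties:
      Budget:
        BudgetName: sandbox-monthly-limit     # assumed name
        BudgetType: COST
        TimeUnit: MONTHLY
        BudgetLimit:
          Amount: !Ref MonthlyLimitUsd
          Unit: USD
      NotificationsWithSubscribers:
        # Early warning: actual month-to-date spend passes 80% of the limit
        - Notification:
            NotificationType: ACTUAL
            ComparisonOperator: GREATER_THAN
            Threshold: 80
            ThresholdType: PERCENTAGE
          Subscribers:
            - SubscriptionType: EMAIL
              Address: !Ref AlertEmail
        # Forecast alert: projected end-of-month spend will exceed the limit
        - Notification:
            NotificationType: FORECASTED
            ComparisonOperator: GREATER_THAN
            Threshold: 100
            ThresholdType: PERCENTAGE
          Subscribers:
            - SubscriptionType: EMAIL
              Address: !Ref AlertEmail
```

A budget on its own notifies rather than blocks; where a hard stop is required, attach a budget action (for example, applying a restrictive policy when the threshold is crossed) or combine the budget with the organization's guardrails.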

AWS recommends that you define a multi-account framework that considers scale and operational efficiency concerns. This means that you should separate out your workloads into a logical pattern that best meets your operational needs. AWS provides prescriptive guidance for this, and suggests that you start with a foundational set of accounts to accommodate centralized and decentralized capabilities in your enterprise. AWS accounts allow you to centralize governance for distributed and autonomous teams, while allowing you to delineate at the security, financial, and operational levels. Your journey should begin with automating the provisioning of your accounts with a multi-account framework. Then, implement a set of foundational capabilities within each account. After you have completed deploying all of the capabilities within the M&G Lens, you should be ready to migrate, build, and scale your workloads with AWS.

What is your cloud strategy?

We have seen that successful strategies drive clarity for investments and are realized with an operational and innovation efficiency that helps enterprises increase the speed to value for their customers. The set of goals outlined in the strategy should address the value provided to your internal and external customers, technology improvements made by leveraging cloud, and the value provided by improvements in organizational and process changes. That is, the most effective strategies we have seen customers employ for using AWS have included the people, process, and technology elements along with the prioritization of which features to accelerate.

From evaluating thousands of customers who have migrated their workloads to AWS, we recognize that there are different approaches for moving them. Migrating and scaling your cloud capabilities is an ongoing process. There are several ways that you can segment your migration workloads. These include six common patterns AWS refers to as the 6 Rs:

  • Retire

  • Retain / Revisit

  • Re-purchase

  • Re-platform

  • Re-host

  • Re-factor / Re-architect

These migration patterns don’t stop once your workloads have moved to AWS. To position yourself for business growth and scale, you will need to continually evaluate your workloads once migrated.

A cornerstone of a successful, cost-efficient cloud strategy is to emphasize proactive management and governance from the start. These management and governance capabilities should be built with agility and operational focus to provide an increasing set of efficiencies as you continuously mature through your cloud journey.

Manage and govern with a multi-account point of view

AWS enables you to experiment, innovate, and scale more quickly, while providing a flexible and secure cloud environment. An AWS account provides natural security, access, and billing boundaries for your AWS resources. These boundaries enable you to achieve resource isolation as described in the Security Pillar whitepaper.

The Security Pillar specifically recommends the following objectives: separation of workloads by account; the ability to secure each account with controls and configured services; and the ability to centrally manage accounts, set controls, configure services, and constrain resources. The multi-account framework prescriptive guidance supports this span of control through isolated and enforced boundaries for your workloads. The M&G Lens builds on both the Security Pillar and the multi-account framework to further define a set of eight foundational capabilities required to prepare your environments and operate efficiently in the AWS Cloud.

The multi-account strategy prescriptive guidance described in the Organizing AWS Environments whitepaper outlines specific mechanisms to organize these accounts and to apply a consistent set of controls and guardrails so that you can efficiently manage your cloud assets. For instance, when creating sandbox environments, you might need a different set of controls and guardrails, network, support model, change processes, and financial limits compared to the environments used to support your primary workloads. This framework allows you to take advantage of operational efficiencies gained by the ability to centrally manage resources, permissions, and security standards across accounts.

While the multi-account framework defines account boundaries, it is important to evaluate and plan your account management with operational capacity and automation in mind. That is, your accounts should employ least-privilege access, and provide boundaries to limit the effect of failures. You should select the AWS Region where you do the most work as your home Region. You should also not propagate more accounts than are feasible to operationally manage or scale. For the majority of enterprises at this time, this means using a framework that limits the number of accounts to a few hundred or less. Furthermore, as you continue to scale, you will need to consider service quotas and latencies when performing actions on a large number of accounts.

Consider the purchase or development of solutions

The M&G Lens provides prescriptive guidance on key concepts, design principles, and best practices for optimizing management and governance across applications, including recommended combinations of AWS services, integration points with AWS Partner solutions, and vetted reference implementations. The M&G Lens incorporates best practices learned from customers who have migrated thousands of applications to AWS, and includes guidance on meeting regulatory expectations for different industries.

Organizations of every size and industry are moving to the cloud to become more agile, reduce costs, instantly scale, and deploy globally in minutes. When making this transition, customers need visibility and controls across applications running on both AWS and on-premises environments, so that their cloud applications remain secure, cost-efficient, and healthy while providing evidence of compliance. Customers want to leverage their existing tooling and processes. However, traditional management and governance solutions are designed for on-premises infrastructure.

The M&G Lens helps customers leverage familiar processes and tools from AWS Partners and provides guidance on how to use them in an interoperable manner. For example, the Lens demonstrates how enterprises can use Splunk and Sumo Logic as an observability capability with interoperable capabilities of controls and guardrails from AWS Control Tower, and security operations from AWS Security Hub. The Lens also shows how to use the AWS Service Management Connector to integrate with popular ITSM products from ServiceNow and Atlassian in an interoperable manner with Sourcing from AWS Marketplace (via Coupa), and distribution capabilities from AWS Service Catalog.