OPS01-BP03 Evaluate governance requirements

Governance is the set of policies, rules, or frameworks that a company uses to achieve its business goals. Governance requirements are generated from within your organization. They can affect the types of technologies you choose or influence the way you operate your workload. Incorporate organizational governance requirements into your workload. Conformance is the ability to demonstrate that you have implemented governance requirements.

Desired outcome:

• Governance requirements are incorporated into the architectural design and operation of your workload.

• You can provide proof that you have followed governance requirements.

• Governance requirements are regularly reviewed and updated.

Common anti-patterns:

• Your organization mandates that the root account has multi-factor authentication. You failed to implement this requirement and the root account is compromised.

• During the design of your workload, you choose an instance type that is not approved by the IT department. You are unable to launch your workload and must conduct a redesign.

• You are required to have a disaster recovery plan. You did not create one and your workload suffers an extended outage.

• Your team wants to use new instances but your governance requirements have not been updated to allow them.

Benefits of establishing this best practice:

• Following governance requirements aligns your workload with larger organization policies.

• Governance requirements reflect industry standards and best practices for your organization.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Identify governance requirement by working with stakeholders and governance organizations. Include governance requirements into your workload. Be able to demonstrate proof that you’ve followed governance requirements.

Customer example

At AnyCompany Retail, the cloud operations team works with stakeholders across the organization to develop governance requirements. For example, they prohibit SSH access into Amazon EC2 instances. If teams need system access, they are required to use AWS Systems Manager Session Manager. The cloud operations team regularly updates governance requirements as new services become available.

Implementation steps

1. Identify the stakeholders for your workload, including any centralized teams.

2. Work with stakeholders to identify governance requirements.

3. Once you’ve generated a list, prioritize the improvement items, and begin implementing them into your workload.

   1. Use services like AWS Config to create governance-as-code and validate that governance requirements are followed.

   2. If you use AWS Organizations, you can leverage Service Control Policies to implement governance requirements.

4. Provide documentation that validates the implementation.

Level of effort for the implementation plan: Medium. Implementing missing governance requirements may result in rework of your workload.

Resources

Related best practices:

• OPS01-BP04 Evaluate compliance requirements - Compliance is like governance but comes from outside an organization.

Related documents:

• AWS Management and Governance Cloud Environment Guide

• Best Practices for AWS Organizations Service Control Policies in a Multi-Account Environment

• Governance in the AWS Cloud: The Right Balance Between Agility and Safety

• What is Governance, Risk, And Compliance (GRC)?

Related videos:

• AWS Management and Governance: Configuration, Compliance, and Audit - AWS Online Tech Talks

• AWS re:Inforce 2019: Governance for the Cloud Age (DEM12-R1)

• AWS re:Invent 2020: Achieve compliance as code using AWS Config

• AWS re:Invent 2020: Agile governance on AWS GovCloud (US)

Related examples:

• AWS Config Conformance Pack Samples

Related services:

• AWS Config

• AWS Organizations - Service Control Policies