Risk management - AWS Cloud Adoption Framework: Governance Perspective

Risk management

Use cloud to lower your risk profile.

Any transformation journey includes many different types of risk, including security, compliance, environmental, resiliency, and business risks. An organization either rejects, accepts and manages, or transfers each risk. The risk management lifecycle cycles through assessment (identifying risks), treatment (implementing risk mitigation strategies), and management (continuous monitoring). The effort and resources needed to perform risk assessment, treatment, and management can be significantly reduced by moving workloads to the cloud, enabling the business to innovate faster and operate more efficiently.


Develop or identify an industry-leading risk management framework. Identify and create an inventory of the high-value assets, including but not limited to people, process, technology, and data. Organizations must identify, categorize, assess, and quantify:

Develop the risk profile and determine the organizational risk appetite based on each identified event's impact on the business and its acceptable probability of occurrence. Clearly understand the attributes that contribute to an elevated risk profile. Determine the areas that are ripe for risk reduction. Build an initial backlog of stories and a roadmap for lowering your risk profile on the cloud.

Consider using cloud to reduce risks relating to infrastructure operations and failure. Eliminate the need for large upfront infrastructure expenditures and reduce the risk of purchasing assets that may no longer be needed. Depending on the needs of your users, mitigate procurement schedule risks by using cloud to instantly provision and deprovision resources.


Maintain a strong risk posture in the cloud without having to define, build, and maintain hundreds of controls. Remove the burden of defining, enforcing, and evidencing the configurations and controls required to ensure the confidentiality, integrity, and availability of high-value assets. Organizations should consider continuous risk assessments to understand and prioritize AWS services in an agile manner. Consider a shift-left approach in secure development to identify and manage risks as early as possible.

Implement AWS services required for risk management and compliance including:

Continuously monitor, inventory, and tag the business's AWS high-value assets into the right categories. Include third-party risks in the risk management approach.


Automate and orchestrate risk management processes so that they enforce controls consistently, programmatically, and at scale by using policy as code (PaC). This requires organizations to adopt a Zero Trust approach with least privilege and risk-based access controls, implemented through automation of use cases and design patterns using DevSecOps.

Automating processes and workflows minimizes defects due to human error by embedding automated controls and tests into the DevSecOps pipelines. Automation also avoids bottlenecks and delivers capabilities faster by handling the tasks and approval gates that do not require human intervention. However, for the risk automation process to be successful, it is critical to involve the right stakeholders, such as the business, risk, security, governance, and operations teams, in the initial as well as the routine pipeline-related activities.

Consider implementing AWS Control Tower, AWS CloudFormation, Terraform, and AWS Lambda functions to perform automated, event-driven actions that automate security operations. AWS Security Hub, AWS CloudTrail, AWS CloudWatch, Amazon Detective, Amazon GuardDuty, Amazon Inspector, and AWS Config provide continuous protection from real-time threats and misconfigurations, ultimately ensuring that the risk appetite remains within the acceptable range for the organization.
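As an added illustration of policy as code for the tagging and event-driven control points above (this is not code from the framework or from AWS), the following Python function has the shape of an AWS Config custom rule Lambda: it evaluates whether a changed resource carries the classification tags that mark high-value assets. The tag names, allowed classification values, and the sample event are constructed assumptions for the example.

```python
"""Tag-compliance check shaped like an AWS Config custom rule (Lambda)."""
import json

# Constructed policy: every high-value asset must carry these tags,
# and DataClassification must be one of the allowed categories.
REQUIRED_TAGS = {"DataClassification", "AssetOwner"}
ALLOWED_CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}


def evaluate_compliance(configuration_item, required_tags=REQUIRED_TAGS):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Resource deleted"
    tags = configuration_item.get("tags") or {}
    missing = sorted(t for t in required_tags if not tags.get(t))
    if missing:
        return "NON_COMPLIANT", "Missing required tags: " + ", ".join(missing)
    classification = tags["DataClassification"].lower()
    if classification not in ALLOWED_CLASSIFICATIONS:
        return "NON_COMPLIANT", f"Unknown DataClassification '{tags['DataClassification']}'"
    return "COMPLIANT", "All required tags present"


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config uses for configuration-change rules.
    Returns the evaluation dict that a deployed rule would send back."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # AWS Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In a deployed rule, report the result with:
    # boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event: a bucket tagged with an owner but no classification.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "example-hva-bucket",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configurationItemStatus": "OK", "tags": {"AssetOwner": "finance-team"}}}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

A NON_COMPLIANT evaluation surfaces in AWS Config and can be forwarded to AWS Security Hub or trigger a remediation action, which is the automated control loop the section describes.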