AWS Governance at Scale

Appendix B: Governance at Scale Capability Checklist

There are several Amazon Partner Network (APN) solutions that you can use to meet your company's governance at scale requirements. We encourage you to evaluate each solution and decide based on your specific requirements. AWS Professional Services and Solutions Architects can assist in your evaluation process. If you want to discuss partner products, reach out to your AWS Sales team, or send an email to .

Account Management

| Capability | Fully implements (yes/no) | Partially implements (yes/no) | Comments |
|---|---|---|---|
| Programmatically provision and delete AWS accounts using AWS APIs to ensure uniformity | | | |
| Allow external IAM accounts to enable and disable users | | | |
| Provide single sign-on to the AWS Management Console for AWS account users to manage cloud resources | | | |
| Integrate with external IAM providers such as Active Directory | | | |
| Support MFA token management | | | |
| Associate AWS accounts with one or more master billing accounts | | | |
| Associate users with IAM policies to control access | | | |
| Support multi-level organizational hierarchy | | | |
| Support use of Enterprise Accelerators to apply baseline configurations to accounts | | | |
| Provide self-service workflow that allows users to join projects | | | |
| Provide self-service workflow that allows users to create new projects | | | |
| Provide self-service workflow that allows users to connect one or more accounts | | | |
| Control access to custom Amazon Machine Images (AMIs) | | | |
| Allow user access to the AWS API, AWS Management Console, and SDKs | | | |

Budget and Cost Management

| Capability | Fully implements (yes/no) | Partially implements (yes/no) | Comments |
|---|---|---|---|
| Manage funding sources used to pay for AWS usage | | | |
| Allocate funding sources to individuals and AWS accounts based on organizational hierarchy | | | |
| Set monthly and yearly budgets for AWS accounts | | | |
| View current spending accrual of AWS accounts | | | |
| Aggregate spending of AWS accounts based on organization structure and purpose | | | |
| Associate AWS accounts with one or more master billing accounts | | | |
| Apply cost restrictions to AWS accounts (for example, force use of Reserved Instances, restrict Amazon EC2 instance usage to instances less than $x/hr., etc.) | | | |
| Set rules to define enforcement actions (including notification, limiting creation of new cloud resources, archiving cloud resources, and termination of cloud resources) when financial thresholds are reached for each AWS account | | | |
| Send alerts to financial stakeholders when predefined limits and thresholds are met | | | |

Security and Compliance Automation

| Capability | Fully implements (yes/no) | Partially implements (yes/no) | Comments |
|---|---|---|---|
| Programmatically apply access control policies to restrict user access to AWS services that do not meet regulatory compliance standards (for example, HIPAA, FedRAMP, and PCI/DSS) | | | |
| Programmatically apply access control policies to restrict user access to AWS Regions that do not meet regulatory compliance standards (for example, HIPAA, FedRAMP, and PCI/DSS) | | | |
| Programmatically apply access control policies to restrict user access to AWS resource configurations that do not meet regulatory compliance standards (for example, HIPAA, FedRAMP, and PCI/DSS) | | | |
| Support multi-level organizational hierarchy to apply and inherit access control policies | | | |
| Collect and store logs for all AWS accounts, resources, and API actions | | | |
| Programmatically verify that cloud resources are configured in alignment with best practices, organizational policies, and regulatory compliance standards | | | |
| Programmatically generate Authorization to Operate (ATO) artifacts, including system security plans (SSPs), based on current cloud resources within AWS accounts | | | |
| Schedule continuous monitoring tasks (for example, vulnerability scans within and across AWS accounts) to determine whether the system is compliant | | | |
| Set rules to define enforcement actions (including notification, limiting creation of new cloud resources, and isolation of cloud resources) when compliance violation thresholds are reached for each AWS account | | | |
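The first two rows of the table above (restricting access to non-compliant services and Regions through programmatically applied access control policies) are usually met with AWS Organizations service control policies (SCPs). The following is an added example, not code from the whitepaper or from any partner solution: it builds the two SCP documents and runs a deliberately simplified evaluator over constructed sample requests so that a reviewer can see which calls the policies would deny before attaching them. The Region list, the global-service exemptions and the "non-compliant" service list are constructed assumptions, and the evaluator models only Action/NotAction plus a StringNotEquals condition on aws:RequestedRegion, not the full IAM evaluation logic.

```python
import json

# Constructed example values (not from the whitepaper): the Regions an
# organization has approved, and the global services whose API calls do not
# carry a meaningful Region and must be exempted from a Region-based Deny.
APPROVED_REGIONS = ["us-east-1", "us-west-2"]
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*",
    "budgets:*", "cloudfront:*", "route53:*",
]
# Constructed example: services the organization has not cleared for a given
# compliance regime and therefore wants blocked organization-wide.
NON_COMPLIANT_SERVICE_ACTIONS = ["lightsail:*", "gamelift:*"]


def build_region_restriction_scp(approved_regions, global_actions):
    """SCP that denies every non-global action requested outside approved Regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": list(global_actions),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(approved_regions)}
            },
        }],
    }


def build_service_restriction_scp(denied_actions):
    """SCP that denies the listed service actions in every Region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonCompliantServices",
            "Effect": "Deny",
            "Action": list(denied_actions),
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Simplified IAM action matching: '*', 'service:*' or an exact, case-insensitive match."""
    pattern, action = pattern.lower(), action.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_denied_by_scps(scps, action, region):
    """Simplified evaluator: True if any Deny statement in any SCP matches the
    request. Handles Action/NotAction and a StringNotEquals condition on
    aws:RequestedRegion only; it is a teaching model, not the IAM engine."""
    for scp in scps:
        for stmt in scp["Statement"]:
            if stmt.get("Effect") != "Deny":
                continue
            if "Action" in stmt and not any(
                    _action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue  # statement does not cover this action
            if "NotAction" in stmt and any(
                    _action_matches(p, action) for p in _as_list(stmt["NotAction"])):
                continue  # action is in the exemption list
            cond = stmt.get("Condition", {}).get("StringNotEquals", {})
            if "aws:RequestedRegion" in cond and region in _as_list(cond["aws:RequestedRegion"]):
                continue  # request is in an approved Region, condition not met
            return True
    return False


def evaluate_requests(scps, requests):
    """Map each (action, region) request to 'DENY' or 'PASS'. PASS means the SCPs
    do not block it; the identity's own IAM policy still has to allow it."""
    return {f"{a} in {r}": ("DENY" if is_denied_by_scps(scps, a, r) else "PASS")
            for a, r in requests}


if __name__ == "__main__":
    policies = [
        build_region_restriction_scp(APPROVED_REGIONS, GLOBAL_SERVICE_ACTIONS),
        build_service_restriction_scp(NON_COMPLIANT_SERVICE_ACTIONS),
    ]
    print(json.dumps(policies[0], indent=2))
    # Constructed sample requests in the shape CloudTrail would record them
    sample = [
        ("ec2:RunInstances", "us-west-2"),
        ("ec2:RunInstances", "eu-west-1"),
        ("iam:CreateUser", "us-east-1"),
        ("lightsail:CreateInstances", "us-east-1"),
    ]
    for req, verdict in evaluate_requests(policies, sample).items():
        print(f"{verdict:4} {req}")
```

The NotAction exemption list is the part that most often goes wrong in practice: an SCP that denies by aws:RequestedRegion without exempting global services will block IAM and Organizations calls for every account under the OU, so running constructed requests through a check like this before attaching the policy is a cheap safeguard. Remember that SCPs only bound what identities in member accounts can be allowed to do; they never grant permissions themselves.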