AWS Governance at Scale

Publication date: November 2018 (Document Revisions)

Customers need to structure their governance so that it grows and scales with the number of AWS accounts they operate. AWS proposes a new approach to meet these challenges. Governance at Scale addresses AWS account management, cost control, and security and compliance through automation, organized around a centralized management toolset. Governance at Scale aligns the organization hierarchy with the AWS multi-account structure for complete management through an intuitive interface.

There are three areas of focus for governance at scale, with techniques for addressing each of them using a toolset for a typical organizational hierarchy. This whitepaper includes an example use case, and evaluation and selection criteria for developing or procuring a toolset that instantiates governance at scale.

Introduction

As operational footprints scale on AWS, a common theme across companies is the need to maintain control over cloud resource usage, visibility, and policy enforcement. The ability to rapidly provision instances introduces the risk of overspending and misconfiguration. When strong governance and enforcement are not in place, security concerns follow. Companies must address these oversight challenges so that risks are known and can be minimized.

Identified stakeholders are responsible for budget alignment, governance, compliance, business objectives, and technical direction across an entire company. To meet these needs, AWS has developed this governance at scale guidance to help identify and instantiate best practices.

Governance at Scale can help companies establish centrally managed budgets for cloud resources, oversight of cloud implementations, and a dashboard of the company’s cloud health. Cloud health is based on near real-time compliance with governance policies and enforcement mechanisms. To enable this, the policies and mechanisms are separated into three governance at scale focal points:

  • Account Management - Automate account provisioning and maintain good security when hundreds of users and business units are requesting cloud-based resources.

  • Budget & Cost Management - Enforce and monitor budgets across many accounts, workloads, and users.

  • Security & Compliance Automation - Manage security, risk, and compliance at a scale and pace to ensure the organization maintains compliance, while minimizing impact to the business.

Traditional Approaches to Manage Scale

Companies employ three basic approaches to manage large operations on AWS: provisioning multiple AWS accounts, controlling budgets, and addressing security, risk, and compliance. Each of these approaches has the following limitations:

  • Traditional IT management processes. A central group controls access through approval chains, and manual or partially automated setup processes for accounts and resources. This approach is difficult to scale because it relies on people and processes, such as help desk tickets without automated workflows and hand-offs between staff in different roles.

  • Unrestricted, decentralized access to AWS across multiple disassociated accounts. This approach can cause resource sprawl that leadership cannot see. While usage can scale, visibility and accountability are sacrificed. The lack of visibility within a self-service cloud model introduces compliance and financial risks that most companies cannot tolerate.

  • Using a cloud broker enables visibility and accountability, but may limit which AWS services are available to developers and applications, or require additional technology augmentation for organizations that need native access to AWS services.

Companies that have large scale cloud adoption attempt to work around these limitations by using a combination of technologies to address agility and governance goals. Companies may use a specific account management application, a specific cost enforcement system, or multiple toolsets for security and compliance. These separate technologies introduce additional layers of complexity and interoperability challenges.

Governance at Scale

AWS Governance at Scale helps you to monitor and control the costs, accounts, and compliance standards associated with operating large enterprises on AWS. This guidance is derived from best practices at AWS and from customers who have successfully operated at scale. The components are designed to be flexible so that both technical users and project teams can self-serve on AWS, while leadership maintains control over spending decisions and automated policy enforcement. Companies can implement governance at scale practices by developing their own solution, investing in a commercial solution aligned to the framework, or engaging AWS Professional Services for custom options. Mechanisms that align to governance at scale focus on control and reporting of budget, security and compliance, and enforcement of AWS access across all stakeholder teams. A core element is a centralized interface that provides hierarchical structure while preserving native access to the AWS API, the AWS Management Console, and the AWS SDK/CLI.

AWS guidance to achieve governance at scale is designed to conform with a company’s existing structure and business processes. The following diagram shows a typical government or corporate organization. Each layer can have different technical, financial, reporting, and security requirements. Different departments and teams can have different success criteria, goals, and technical skill sets.

Figure 1: Sample organizational structure

An interface and subsystem that meets the governance at scale criteria allows leaders to allocate funding, assign budgets, and monitor near real-time resource consumption. Each level within a company can institute policies or adjust company and project budgets based on mission priorities and usage patterns. Companies can propagate these policies down through the organization. The interface provides the mechanisms for authorized staff to create new projects, request new AWS accounts, request access to existing accounts, restrict access to AWS resources, and obtain near real-time metrics on project budget consumption.

This hierarchy combined with security automation provides reliable near real-time reporting for each level of leadership and staff. The granular and transparent nature of the workflows and data assures leadership that cloud operations across the enterprise are visible and constrained as appropriate with the implemented governance policies.

Governance at Scale Focal Points

Governance at Scale implements three focal points: Account Management, Budget and Cost Management, and Security and Compliance Automation.

Account Management

AWS guidance to achieve governance at scale streamlines account management across multiple AWS accounts and workloads within a company through centralization, standardization, and automation of account maintenance tasks. This is done through policy automation, identity federation, and account automation. For example, instead of requiring a central group to manually manage the company’s master billing account, a self-service model with workflow automation is employed. It enables authorized staff to link multiple accounts to one or more master billing accounts, and attach appropriate, automatically enforced governance policies.

Figure 2: Automation can create and manage accounts at scale

Policy Automation

AWS guidance to achieve governance at scale automates the application of company policies, deploying accounts with standard specifications to ensure consistency across AWS accounts and resources. The policy engine is flexible enough to accommodate and enforce different types of security policies, expressed as AWS Identity and Access Management (IAM) policies, AWS CloudFormation templates, or custom scripts.

Identity Federation

AWS governance solutions employ AWS Single Sign-On (SSO) through federated identity integration with external authentication providers, such as OpenID or Active Directory, to centralize AWS account management and simplify user access to AWS accounts. When SSO is used in conjunction with AWS CloudTrail, user activity can be tracked across multiple AWS accounts.

Account Automation

Services such as AWS Organizations, AWS CloudFormation, and AWS Service Catalog automate AWS account provisioning and network architecture baselining. They replace manual processes, and facilitate the use of pre-defined, standardized system deployment templates.

Users can create new AWS accounts for projects through self-service and leverage the AWS Management Console and APIs without the assistance of provisioning experts. Project or AWS account owners within a company use a centralized interface to manage access to resources within their assigned area, and configure cross-account access to AWS resources.

This automation of account management removes impediments such as ticketing and other out-of-band manual steps from the account provisioning process, which accelerates developers’ access to the AWS resources they need.

Budget and Cost Management

Automated methods define and enforce fiscal policies to achieve governance at scale. Budget planning and enforcement practices allow leaders and staff to allocate and manage budgets for multiple AWS accounts and define enforcement actions. Automation ensures spending is actively monitored and controlled in near real time. These mechanisms allow leaders to make proactive, well-informed decisions around budgetary controls and allocations across their company. When budgets are aligned with projects and AWS accounts, automation ensures budgets are maintained in real time, and accounts can’t exceed an approved budget. (For an example use case where budget enforcement is automated with a governance at scale solution, see Appendix A.) Companies are able to meet fiscal requirements, such as the Federal Anti-deficiency Act for U.S. Government agencies. Shared service providers or AWS resellers can implement governance at scale to provide chargeback capabilities across a diverse company.

Budget Planning

It is important to align the company’s budget management process to an automated workflow. The workflow should be flexible so that different types of funding sources, such as investment, appropriation, and contract line items (CLINs), are managed as the funding is allocated across the company. Financial owners should define the timeframe for the funding source, set enforcement actions if budget limits are exceeded, and track utilization over time. For example, if AWS provides a customer a $10,000 credit, the financial owner has the ability to subdivide the funding amount across the company. Automation will manage each allocation individually, while providing awareness and real-time financial dashboards to decision makers over the lifetime of the funding source.

Budget Enforcement

Enforcement of budget constraints is a key component of governance at scale. Each layer of the company defines spending limits within accounts and projects, monitors account spending in near real-time, and triggers warning notifications or enforcement actions. Automated actions include:

  • Restricting the use of AWS resources to those that cost less than a specified price.

  • Throttling new resource provisioning.

  • Shutting down, terminating, or de-provisioning AWS resources after archiving configurations and data for future use.

The following diagram illustrates how this could work. Red numbers indicate that the current or projected AWS spend rate exceeds the budget allocated to the project. Green numbers indicate that the current AWS spend rate is within budget. When viewed on a governance dashboard, a decision maker has near real-time awareness of usage and spending across the entire company.

Figure 3: Budgets are allocated and enforced through the company

Security and Compliance Automation

Governance at scale security and compliance practices employ automation to enforce security requirements, and help streamline activities across the company’s AWS accounts. These practices are made up of the following items:

Identity & Access Automation

AWS guidance to achieve governance at scale is to offer AWS Identity and Access Management (IAM) capabilities through a central portal. Users access the portal with an approved authentication scheme such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). The system grants access based on the roles defined by the company. Once a user is authorized, the system enforces a strict “policy of least privilege” by granting access only to resources approved by the appropriate authorities. The portal allows users and workload owners to request and approve access to projects, AWS accounts, and centralized resources by managing company-defined IAM policies applied at every level. For example, if a Chief Information Security Officer (CISO) wants to allow the company to use a new AWS service that was previously not allowed, the developer can edit the IAM policy at the root OU level, and the system implements the change across all cloud accounts.

Security Automation

Maintaining a secure posture when operating at scale requires automating security tasks and compliance assessments. Manual or semi-manual processes cannot easily scale with business growth. With automation, AWS services or Amazon Virtual Private Cloud (Amazon VPC) baseline configurations can be provisioned using standardized AWS configurations or AWS CloudFormation templates. These templates align with the company’s security and compliance requirements and have been evaluated and approved by the company’s risk decision makers. The provisioning process interfaces with the company’s Governance, Risk, and Compliance (GRC) tools or systems of record. (Partner solutions include Telos Xacta 360 and RSA Archer.) These templates generate security documentation and implementation details for newly provisioned baseline architectures, and shorten the overall time required for a system or project to be assessed and approved for operations.

Well implemented security automation is responsive to security incidents. This includes processes to respond to policy violations by revoking IAM user access, preventing new resource allocation, terminating resources, or isolating existing cloud resources for forensic analysis. Automation can be accomplished by collecting and storing AWS logging data into centralized data lakes and performing analytics, or basing responses on the output of other analytics tools.

Policy Enforcement

AWS guidance to achieve governance at scale helps you achieve policy enforcement on AWS Regions, AWS Services, and resource configurations. Enforcement is based on stakeholder roles and responsibilities, and in accordance with compliance regulations (e.g. HIPAA, FedRAMP, PCI/DSS). At each level of the hierarchy the company can specify which AWS Services, features, and resources are approved for use on a per department, per user, or per project basis. This ensures self-service requests can’t provision unapproved items, as illustrated in the following diagram.

Figure 4: Security and compliance guardrails flow down through the hierarchy. Circles indicate third-party security requirements: FedRAMP, HIPAA, and PCI.
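As an added illustration (not part of the whitepaper or any partner product), the following Python models how service and Region guardrails set at each level of the hierarchy combine for one account, how a self-service request is checked against them, and how approving a new service once at the root OU propagates downward, as in the CISO example in the Identity & Access Automation section. The hierarchy, allow-lists and account names are constructed; the intersection rule is the same one AWS Organizations applies to service control policies.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass
class Guardrail:
    """Restrictions one hierarchy level imposes on everything beneath it.
    None means the level adds no restriction; a set means 'only these'."""
    services: Optional[FrozenSet[str]] = None
    regions: Optional[FrozenSet[str]] = None

@dataclass
class Node:
    """An organizational unit, or a leaf AWS account, in the company hierarchy."""
    name: str
    guardrail: Guardrail = field(default_factory=Guardrail)
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        self.children[child.name] = child
        return child

def path_to(node: Node, target: str, trail: Tuple[Node, ...] = ()) -> Optional[List[Node]]:
    """Nodes from the root down to `target`, or None if it is not in the tree."""
    trail = trail + (node,)
    if node.name == target:
        return list(trail)
    for child in node.children.values():
        found = path_to(child, target, trail)
        if found:
            return found
    return None

def effective_guardrail(root: Node, account: str) -> Guardrail:
    """Intersect every ancestor's allow-lists: a service or Region is usable in an
    account only if no level above it excludes it (the SCP evaluation rule)."""
    path = path_to(root, account)
    if path is None:
        raise KeyError(f"unknown account {account!r}")
    services = regions = None
    for node in path:
        g = node.guardrail
        if g.services is not None:
            services = g.services if services is None else services & g.services
        if g.regions is not None:
            regions = g.regions if regions is None else regions & g.regions
    return Guardrail(services, regions)

def check_request(root: Node, account: str, service: str, region: str) -> Tuple[bool, Optional[str]]:
    """Evaluate a self-service provisioning request top-down and name the first
    level whose guardrail blocks it, so the denial can be explained to the requester."""
    path = path_to(root, account)
    if path is None:
        return False, "unknown-account"
    for node in path:
        g = node.guardrail
        if g.services is not None and service not in g.services:
            return False, node.name
        if g.regions is not None and region not in g.regions:
            return False, node.name
    return True, None

def allow_service_at_root(root: Node, service: str) -> Node:
    """The CISO scenario: approve a new service once at the root OU and it reaches
    every account whose intermediate levels do not exclude it."""
    if root.guardrail.services is None:
        return root  # no allow-list at the root, so every service is already permitted
    root.guardrail.services = root.guardrail.services | {service}
    return root

def build_sample_org() -> Node:
    """Constructed sample hierarchy (not a real customer): a root allow-list, a
    PCI-scoped and a FedRAMP-scoped department that pin Regions, and three accounts."""
    root = Node("ACME", Guardrail(
        services=frozenset({"ec2", "s3", "dynamodb", "rds"}),
        regions=frozenset({"us-east-1", "us-west-2", "us-gov-west-1"})))
    finance = root.add(Node("Finance", Guardrail(regions=frozenset({"us-east-1"}))))
    federal = root.add(Node("Federal", Guardrail(regions=frozenset({"us-gov-west-1"}))))
    research = root.add(Node("Research"))  # inherits the root guardrail unchanged
    finance.add(Node("finance-app"))
    federal.add(Node("fed-app"))
    research.add(Node("research-dev"))
    return root

if __name__ == "__main__":
    org = build_sample_org()
    print(check_request(org, "finance-app", "ec2", "us-west-2"))  # (False, 'Finance')
    allow_service_at_root(org, "lambda")
    print(sorted(effective_guardrail(org, "research-dev").services))
```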

Deciding on Your Solution

Designing a system to achieve governance at scale addresses key issues for companies around account management, cost enforcement, and security and compliance. Companies can build a governance at scale solution, or they can build one in partnership with AWS Professional Services, or an AWS partner. (Partner offerings include Cloudtamer.io, Turbot, and Dome9 Security.)

Decision Factor 1, Determine need

Does the company’s AWS footprint exceed, or will it exceed, the number of AWS accounts and resources that can be managed using a manual process? For example, do you review account billing details by hand, use spreadsheets for tracking, or use the AWS Management Console to create and manage all accounts? If the answer to the first question is yes, then a governance at scale solution is needed.

Decision Factor 2, Is it feasible to build versus buy?

In order to build a custom solution, your company should be able to answer Yes to the following questions:

  • Does your company have a robust AWS resource tagging or account management methodology for budget control and enforcement?

  • Does your company have an existing governance model with business processes that can be automated?

  • Does your company have the resources to build and maintain an enterprise software solution for managing governance at scale across the company? This includes engineers and developers with an advanced understanding of the AWS Cloud, APIs, and security features and services, as well as sufficient staff to maintain the enterprise solution over time.

To determine if your company can develop a solution that meets all of the governance at scale requirements, see Appendix B.

Decision Factor 3, Criteria selection for buying a commercial solution

A commercial solution may include one or more products, professional services assistance, or both, to integrate and build key components. If you decide to purchase a third-party solution to achieve governance at scale, see Appendix B to determine whether partner products or professional services meet all of your requirements.

What does a Governance at Scale solution look like to an organizational stakeholder?

The following diagram illustrates a finalized governance at scale implementation dashboard overlaying cost and compliance indicators in the company.

Figure 5: Example Company cloud environment

Decision makers at each layer of the hierarchy are provided real-time data and metrics that are tailored to their company role and/or business units:

  • Executive – Executives can assign budgets and security policies to any segment of the company. Data is collected from all segments and presented in a summary view that includes overall compliance status and financial health.

  • Senior Leadership – Senior leaders can view their respective financial health within their sub-organization. They are responsible for assigning budgets to their respective employees and applying additional security policies as needed.

  • Upper Management – Management monitors budgets, grants personnel access to projects, and assigns focused security policies. This is achieved by assigning specific budget and security policies to business units and teams responsible for applications.

  • Employee – Employees interact directly with cloud accounts and have operational awareness of current spend vs. the assigned budget. They can request access to other projects and exceptions to security and financial policies as appropriate.

Conclusion

Governance at scale is a new concept for automating cloud governance that can help your company retire manual processes in account management, budget enforcement, and security and compliance. By automating these common challenges, the company can scale without inhibiting agility, speed, and innovation, while providing decision makers with the visibility, control, and governance that is necessary to protect sensitive data and systems.

Carefully consider which solution you choose for your company. The decision to build or buy a solution can have critical implications for your AWS migration strategy. Discuss the potential impact with your AWS Solutions Architect and/or Professional Services consultant. They can help ensure your solution meets your specific requirements. The use case example in Appendix A offers one way to formalize implementation. This example shows the challenges companies face, and the effect a governance at scale implementation can have. Appendix B provides you with a list of the key capabilities for each governance at scale focal point.

The Governance at Scale framework provides a compass and map to help companies build or buy solutions that can help them scale with confidence, by replacing human based governance processes with automation that is familiar, and easy to use for all stakeholders.


Appendix A: Example Use Case

Example use case for implementing governance at scale to manage AWS accounts within a company:

ACME organization has outgrown its manual, spreadsheet-based governance process. The company is large and profitable (1B yearly revenue) but has diverse business units that require autonomy and flexibility. It has a small governance team and a limited budget for a custom home-grown solution. Because of these organizational and financial constraints, it decided to purchase a solution from an AWS partner. (Partner offerings include Cloudtamer.io, Turbot, and Dome9 Security.) Once the solution is deployed and configured to align with the company’s specific processes and requirements, it is available to developers and decision makers to centrally manage their cloud resources. The workflow below describes how a new developer would access and manage resources within a governance at scale solution.

John is a developer joining a team that designs application environments for deployment in the AWS Cloud. Therefore, he needs an AWS development environment that allows him to manipulate infrastructure components using code without affecting other developers or systems. Each developer within the team is approved for individual monthly billing budgets for the use of AWS.

A governance at scale implementation and workflow for this scenario is:

  1. John navigates to a portal to submit a request for a developer AWS account. He chooses from a set of standard corporate AWS account types, and then specifies that he needs a monthly billing budget of $5,000.

  2. His request triggers a notification that is sent to his manager. His manager uses the portal to confirm or change the monthly billing budget that John specified, and selects any preapproved/assessed system boundary that John’s environment is allowed to operate within.

  3. An automated process creates a new AWS account for John, and uses AWS CloudFormation to build a baseline architecture, and apply predefined IAM policies and AWS service configurations within John’s new AWS account.

    • IAM policies specify which services and resources John is allowed to access, and which AWS service API calls he is allowed to perform. See https://aws.amazon.com/iam for details.

    • AWS service configurations include services such as an Amazon Virtual Private Cloud (VPC) architecture with predefined AWS security groups to be assigned to Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Simple Storage Service (Amazon S3) buckets provisioned with predefined access control policies, and network connectivity to functional and security-enabling shared services, for example code repositories, patch repositories, security scanning tools, anti-malware services, authentication services, time synchronization services, directory services, and backup and recovery services.

  4. An automated process interfaces with the company’s governance, risk, and compliance (GRC) tool to link John’s AWS account with the preapproved/assessed system boundary. This allows the GRC tool to access the account for the system inventory, and monitor for compliance violations as part of automated IT auditing and continuous monitoring.

  5. An automated process begins tracking the AWS services and resources that John provisions to record the spending rate within John’s AWS account.

  6. As the monthly spend limit is approached, an automated series of notifications is sent to John so he can act to ensure he does not overspend his budget. It is escalated to his management if John fails to react appropriately. Additionally, a series of automated predefined budget enforcement actions take place, including preventing new AWS resources from being provisioned, and shutting down or de-provisioning AWS resources.
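As an added example (not the whitepaper’s or any partner’s code), this Python tracks one account’s spend against the $5,000 monthly budget from the use case, projects the month-end run rate that Figure 3 colours red or green, and fires the notification, escalation, and enforcement actions described in step 6 and in the Budget Enforcement section. The spend history and the 80/90/100/110% thresholds are assumed; the whitepaper names the actions but not the percentages.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set

class Action(Enum):
    NOTIFY_OWNER = "notify the account owner"
    ESCALATE = "escalate to the owner's manager"
    BLOCK_PROVISIONING = "deny new resource provisioning"
    DEPROVISION = "shut down or de-provision resources after archiving"

# Assumed escalation ladder as fractions of the monthly budget (illustrative values).
LADDER = [
    (0.80, Action.NOTIFY_OWNER),
    (0.90, Action.ESCALATE),
    (1.00, Action.BLOCK_PROVISIONING),
    (1.10, Action.DEPROVISION),
]
# Hard enforcement is driven by money actually spent; notifications also react to the
# projected month-end spend so the owner hears about a bad run rate early.
ENFORCEMENT = {Action.BLOCK_PROVISIONING, Action.DEPROVISION}

@dataclass
class AccountBudget:
    """Spend tracking and enforcement state for one AWS account (John's, in the use case)."""
    account: str
    monthly_limit: float
    days_in_month: int = 30
    spent: float = 0.0
    day: int = 0                   # latest day of the month with recorded spend
    acknowledged: bool = False     # owner reacted to a notification
    fired: Set[Action] = field(default_factory=set)

    def record(self, day: int, cost: float) -> None:
        """Accumulate cost for resources provisioned up to `day` (step 5 of the use case)."""
        self.day = max(self.day, day)
        self.spent += cost

    def projected(self) -> float:
        """Straight-line projection of month-end spend from the current run rate."""
        if self.day == 0:
            return self.spent
        return self.spent / self.day * self.days_in_month

    def status(self) -> str:
        """Dashboard colour from Figure 3: red if current or projected spend exceeds budget."""
        over = self.spent > self.monthly_limit or self.projected() > self.monthly_limit
        return "red" if over else "green"

    def acknowledge(self) -> None:
        """The owner responded to a notification, so escalation to management is not needed."""
        self.acknowledged = True

    def may_provision(self) -> bool:
        """Self-service provisioning requests are refused once the block action has fired."""
        return Action.BLOCK_PROVISIONING not in self.fired

    def evaluate(self) -> List[Action]:
        """Return the actions newly triggered by the current spend; each fires at most once."""
        notify_ratio = max(self.spent, self.projected()) / self.monthly_limit
        enforce_ratio = self.spent / self.monthly_limit
        triggered = []
        for threshold, action in LADDER:
            ratio = enforce_ratio if action in ENFORCEMENT else notify_ratio
            if action in self.fired or ratio < threshold:
                continue
            if action is Action.ESCALATE and self.acknowledged:
                continue  # the owner reacted appropriately; no need to involve the manager
            self.fired.add(action)
            triggered.append(action)
        return triggered

if __name__ == "__main__":
    # Constructed spend history for John's $5,000/month developer account.
    john = AccountBudget("john-dev", 5000.0)
    for day, cost in [(5, 700.0), (10, 1100.0), (28, 3300.0), (30, 500.0)]:
        john.record(day, cost)
        print(f"day {day}: spent ${john.spent:,.0f} projected ${john.projected():,.0f} "
              f"{john.status()} -> {[a.value for a in john.evaluate()]}")
```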

Appendix B: Governance at Scale Capability Checklist

There are several Amazon Partner Network (APN) solutions that you can use to meet your company's governance at scale requirements. We encourage companies to evaluate each solution and make a decision based on your specific requirements. AWS Professional Services and Solution Architects can assist in your evaluation process. If you want to discuss partner products, reach out to your AWS Sales teams, or send an email to .

Account Management

For each capability, record whether the solution fully implements it (yes/no) or partially implements it (yes/no), and add comments:

  • Programmatically provision and delete AWS accounts using AWS APIs to ensure uniformity
  • Allow external IAM accounts to enable and disable users
  • Provide single sign-on to the AWS Management Console for AWS account users to manage cloud resources
  • Integrate with external IAM providers such as Active Directory
  • Support MFA token management
  • Associate AWS accounts with one or more master billing accounts
  • Associate users with IAM policies to control access
  • Support multi-level organizational hierarchy
  • Support use of Enterprise Accelerators to apply baseline configurations to accounts
  • Provide self-service workflow that allows users to join projects
  • Provide self-service workflow that allows users to create new projects
  • Provide self-service workflow that allows users to connect one or more accounts
  • Control access to custom Amazon Machine Images (AMIs)
  • Allow user access to the AWS API, AWS Management Console, and SDKs

Budget and Cost Management

For each capability, record whether the solution fully implements it (yes/no) or partially implements it (yes/no), and add comments:

  • Manage funding sources used to pay for AWS usage
  • Allocate funding sources to individuals and AWS accounts based on organizational hierarchy
  • Set monthly and yearly budgets for AWS accounts
  • View current spending accrual of AWS accounts
  • Aggregate spending of AWS accounts based on organization structure and purpose
  • Associate AWS accounts with one or more master billing accounts
  • Apply cost restrictions to AWS accounts (for example, force use of Reserved Instances, or restrict Amazon EC2 instance usage to instances that cost less than $x/hr.)
  • Set rules to define enforcement actions (including notification, limiting creation of new cloud resources, archiving cloud resources, and terminating cloud resources) when financial thresholds are reached for each AWS account
  • Send alerts to financial stakeholders when predefined limits and thresholds are met

Security and Compliance Automation

For each capability, record whether the solution fully implements it (yes/no) or partially implements it (yes/no), and add comments:

  • Programmatically apply access control policies to restrict user access to AWS services that do not meet regulatory compliance standards (for example, HIPAA, FedRAMP, and PCI/DSS)
  • Programmatically apply access control policies to restrict user access to AWS Regions that do not meet regulatory compliance standards (for example, HIPAA, FedRAMP, and PCI/DSS)
  • Programmatically apply access control policies to restrict user access to AWS resource configurations that do not meet regulatory compliance standards (for example, HIPAA, FedRAMP, and PCI/DSS)
  • Support multi-level organizational hierarchy to apply and inherit access control policies
  • Collect and store logs for all AWS accounts, resources, and API actions
  • Programmatically verify that cloud resources are configured in alignment with best practices, organizational policies, and regulatory compliance standards
  • Programmatically generate Authorization to Operate (ATO) artifacts, including system security plans (SSPs), based on current cloud resources within AWS accounts
  • Schedule continuous monitoring tasks (for example, vulnerability scans within and across AWS accounts) to determine whether the system is compliant
  • Set rules to define enforcement actions (including notification, limiting creation of new cloud resources, and isolation of cloud resources) when compliance violation thresholds are reached for each AWS account

Contributors

The following individuals and organizations contributed to this document:

  • Doug Vanderpool – Principal Consultant, Advisory, AWS Professional Services

  • Brett Miller – Technical Program Manager, WWPS Security and Compliance Business Acceleration Team

  • Lou Vecchioni – Senior Consultant, AWS Professional Services

  • Colin Desa – Head, Envision Engineering Center

  • Tim Anderson – Program Manager, WWPS Security and Compliance Business Acceleration Team

  • Nathan Case – Senior Consultant, AWS Professional Services


Document Revisions

The following table describes additions to this whitepaper, beginning in January 2020. To be notified about updates to this whitepaper, subscribe to the RSS feed.

  • December 11, 2020 – Minor updates: reformatted to be a single HTML page.

  • January 1, 2020 – Minor updates: minor text updates to improve accuracy.

Whitepaper changes made prior to January 2020:

  • May 2017 – First DRAFT version

  • August 2017 – DRAFT version 2.0

  • November 2017 – DRAFT version 2.1

  • July 2018 – DRAFT version 2.2

  • November 2018 – DRAFT version 2.3

Notices

Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

© 2020 Amazon Web Services, Inc. or its affiliates. All rights reserved.