AWS Governance at Scale
Publication date: November 2018 (Document Revisions)
Customers need to structure their governance to grow and scale as they grow the number of AWS accounts. AWS proposes a new approach to meet these challenges. Governance at Scale addresses AWS account management, cost control, and security and compliance through automation, organized by a centralized management toolset. Governance at Scale aligns the organization hierarchy with the AWS multi-account structure for complete management through an intuitive interface.
There are three areas of focus for governance at scale, each with techniques for addressing it using a toolset for a typical organizational hierarchy. This whitepaper includes an example use case and evaluation and selection criteria for developing or procuring a toolset to instantiate governance at scale.
Introduction
As operational footprints scale on AWS, a common theme across companies is the need to maintain control over cloud resource usage, visibility, and policy enforcement. The ability to rapidly provision instances introduces the risk of overspending and misconfiguration. When strong governance and enforcement are not in place, security concerns follow. Companies must address oversight challenges so that risks are known and can be minimized.
Identified stakeholders are responsible for budget alignment, governance, compliance, business objectives, and technical direction across an entire company. To meet these needs, AWS has developed this governance at scale guidance to help identify and instantiate best practices.
Governance at Scale can help companies establish centrally managed budgets for cloud resources, oversight of cloud implementations, and a dashboard of the company’s cloud health. Cloud health is based on near real-time compliance to governance policies and enforcement mechanisms. To enable this, the policies and mechanisms are separated into three governance at scale focal points:
- Account Management - Automate account provisioning and maintain good security when hundreds of users and business units are requesting cloud-based resources.
- Budget & Cost Management - Enforce and monitor budgets across many accounts, workloads, and users.
- Security & Compliance Automation - Manage security, risk, and compliance at a scale and pace that ensures the organization maintains compliance, while minimizing impact to the business.
Traditional Approaches to Manage Scale
Companies employ three basic approaches to managing large operations on AWS, that is, to provisioning multiple AWS accounts, controlling budgets, and addressing security, risk, and compliance. Each of these approaches has the following limitations:
- Traditional IT management processes. A central group controls access through approval chains and manual or partially automated setup processes for accounts and resources. This approach is difficult to scale because it relies on people and processes, such as help desk tickets and hand-offs between staff with different roles, that lack automated workflows.
- Unrestricted, decentralized access to AWS across multiple disassociated accounts. This approach can cause resource sprawl that leadership cannot see. While usage can scale, visibility and accountability are sacrificed. The lack of visibility within a self-service cloud model introduces compliance and financial risks that most companies cannot tolerate.
- Use of a cloud broker. A broker enables visibility and accountability, but may limit which AWS services are available to developers and applications, or require additional technology augmentation for organizations that require native access to AWS services.
Companies that have large scale cloud adoption attempt to work around these limitations by using a combination of technologies to address agility and governance goals. Companies may use a specific account management application, a specific cost enforcement system, or multiple toolsets for security and compliance. These separate technologies introduce additional layers of complexity and interoperability challenges.
Governance at Scale
AWS Governance at Scale helps you to monitor and control the costs, accounts, and compliance standards associated with operating large enterprises on AWS. This guidance is derived from best practices at AWS and from customers who have successfully operated at scale. The components are designed to be flexible so that both technical users and project teams can self-serve on AWS, while leadership maintains control over spending decisions and automated policy enforcement. Companies can implement governance at scale practices by developing their own solution, investing in a commercial solution aligned to the framework, or engaging AWS Professional Services for custom options. Mechanisms that align to governance at scale focus on control and reporting of budget, security and compliance, and enforcement of AWS access across all stakeholder teams. A core element is a centralized interface that provides hierarchical structure while preserving native access to the AWS API, the AWS Management Console, and the AWS SDK/CLI.
AWS guidance to achieve governance at scale is designed to conform with a company’s existing structure and business processes. The following diagram shows a typical government agency or corporation. Each layer can have different technical, financial, reporting, and security requirements. Different departments and teams can have different success criteria, goals, and technical skill sets.

Figure 1: Sample organizational structure
An interface and subsystem that meets the governance at scale criteria allows leaders to allocate funding, assign budgets, and monitor near real-time resource consumption. Each level within a company can institute policies or adjust company and project budgets based on mission priorities and usage patterns. Companies can propagate these policies down through the organization. The interface provides the mechanisms for authorized staff to create new projects, request new AWS accounts, request access to existing accounts, restrict access to AWS resources, and obtain near real-time metrics on project budget consumption.
This hierarchy combined with security automation provides reliable near real-time reporting for each level of leadership and staff. The granular and transparent nature of the workflows and data assures leadership that cloud operations across the enterprise are visible and constrained as appropriate with the implemented governance policies.
Governance at Scale Focal Points
Governance at Scale implements three focal points: Account Management, Budget and Cost Management, and Security and Compliance Automation.
Account Management
AWS guidance to achieve governance at scale streamlines account management across multiple AWS accounts and workloads within a company through centralization, standardization, and automation of account maintenance tasks. This is done through policy automation, identity federation, and account automation. For example, instead of requiring a central group to manually manage the company’s master billing account, a self-service model with workflow automation is employed. It enables authorized staff to link multiple accounts to one or more master billing accounts, and to attach the appropriate automatically enforced governance policies.

Figure 2: Automation can create and manage accounts at scale
Policy Automation
AWS guidance to achieve governance at scale automates the application of company policies, deploying accounts with standard specifications to ensure consistency across AWS accounts and resources. The policy engine is flexible enough to accommodate and enforce different types of security policies, such as AWS Identity and Access Management (IAM) policies, AWS CloudFormation templates, or custom scripts.
Identity Federation
AWS governance solutions employ AWS Single Sign-On (SSO) through federated identity integration with external authentication providers such as OpenID or Active Directory to centralize AWS account management and simplify user access to AWS accounts. When SSO is used in conjunction with AWS CloudTrail, user activity can be tracked across multiple AWS accounts.
Account Automation
Services such as AWS Organizations, AWS CloudFormation, and AWS Service Catalog automate AWS account provisioning and network architecture baselining. They replace manual processes, and facilitate the use of pre-defined, standardized system deployment templates.
Users can create new AWS accounts for projects through self-service and leverage the AWS Management Console and APIs without the assistance of provisioning experts. Project or AWS account owners within a company use a centralized interface to manage access to resources within their assigned area, and configure cross-account access to AWS resources.
This automation of account management removes impediments such as ticketing and additional out-of-band manual processes from the account provisioning process. This accelerates developers’ access to the AWS resources they need.
Budget and Cost Management
Automated methods define and enforce fiscal policies to achieve governance at scale. Budget planning and enforcement practices allow leaders and staff to allocate and manage budgets for multiple AWS accounts and define enforcement actions. Automation ensures spending is actively monitored and controlled in near real time. These mechanisms allow leaders to make proactive, well-informed decisions around budgetary controls and allocations across their company. When budgets are aligned with projects and AWS accounts, automation ensures budgets are maintained in real time, and accounts can’t exceed an approved budget. (For an example use case where budget enforcement is automated with a governance at scale solution, see Appendix A.) Companies are able to meet fiscal requirements, such as the Federal Antideficiency Act.
Budget Planning
It is important to align the company’s budget management process to an automated workflow. The workflow should be flexible so that different types of funding sources, such as investment, appropriation, and contract line items (CLINs), are managed as the funding is allocated across the company. Financial owners should define the timeframe for the funding source, set enforcement actions if budget limits are exceeded, and track utilization over time. For example, if AWS provides a customer a $10,000 credit, the financial owner has the ability to subdivide the funding amount across the company. Automation will manage each allocation individually, while providing awareness and real-time financial dashboards to decision makers over the lifetime of the funding source.
Budget Enforcement
Enforcement of budget constraints is a key component of governance at scale. Each layer of the company defines spending limits within accounts and projects, monitors account spending in near real-time, and triggers warning notifications or enforcement actions. Automated actions include:
- Restrict the use of AWS resources to those that cost less than a specified price.
- Throttle new resource provisioning.
- Shut down, terminate, or de-provision AWS resources after archiving configurations and data for future use.
The following diagram illustrates how this could work. Red numbers indicate that the current or projected AWS spend rate exceeds the budget allocated to the project. Green numbers indicate that the current AWS spend rate is within budget. When viewed on a governance dashboard, a decision maker has near real-time awareness of usage and spending across the entire company.

Figure 3: Budgets are allocated and enforced through the company
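The budget enforcement logic described above (spend limits per account, red/green status, warning notifications, throttling, and shutdown actions rolled up through the hierarchy) can be expressed as a small decision engine. The following is an added example written for this page, not code from the whitepaper or from any AWS product; the account IDs, project names, dollar amounts, the 80% warning threshold, and the linear month-end projection are constructed assumptions chosen to illustrate the mechanism.

```python
from dataclasses import dataclass


@dataclass
class AccountSpend:
    """Spend snapshot for one AWS account (constructed sample data, not live billing)."""
    account_id: str
    project: str
    monthly_budget: float   # USD approved for the month
    spend_to_date: float    # USD accrued so far this month
    day_of_month: int       # days elapsed, including today
    days_in_month: int


def projected_spend(acct):
    """Linear projection of month-end spend from the run rate observed so far."""
    return acct.spend_to_date / acct.day_of_month * acct.days_in_month


def budget_status(acct):
    """'red' when current or projected spend exceeds the budget, else 'green' (Figure 3)."""
    over = (acct.spend_to_date > acct.monthly_budget
            or projected_spend(acct) > acct.monthly_budget)
    return "red" if over else "green"


def enforcement_actions(acct, warn_at=0.8):
    """Escalating actions: warn once 80% is consumed (assumed threshold), throttle
    provisioning when the projection exceeds the budget, and deny new resources
    plus shut down existing ones once the budget is exhausted."""
    consumed = acct.spend_to_date / acct.monthly_budget
    if consumed >= 1.0:
        return ["notify_owner", "escalate_to_manager",
                "deny_new_resources", "shutdown_resources"]
    if projected_spend(acct) > acct.monthly_budget:
        return ["notify_owner", "throttle_provisioning"]
    if consumed >= warn_at:
        return ["notify_owner"]
    return []


def price_cap_allows(hourly_price, max_hourly_price):
    """Cost restriction: only resources at or below the approved hourly price."""
    return hourly_price <= max_hourly_price


def project_rollup(accounts):
    """Aggregate accounts by project so each layer of leadership sees its own status."""
    totals = {}
    for a in accounts:
        t = totals.setdefault(a.project, {"budget": 0.0, "spend": 0.0, "projected": 0.0})
        t["budget"] += a.monthly_budget
        t["spend"] += a.spend_to_date
        t["projected"] += projected_spend(a)
    for t in totals.values():
        t["status"] = "red" if max(t["spend"], t["projected"]) > t["budget"] else "green"
    return totals


# Constructed sample accounts; the IDs are placeholders, not real AWS accounts.
SAMPLE_ACCOUNTS = [
    AccountSpend("111111111111", "Analytics", 5000.0, 2000.0, 15, 30),  # on track
    AccountSpend("222222222222", "Analytics", 5000.0, 4200.0, 15, 30),  # projected over
    AccountSpend("333333333333", "Web", 2000.0, 2100.0, 20, 30),        # already over
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(a.account_id, budget_status(a), enforcement_actions(a))
    print(project_rollup(SAMPLE_ACCOUNTS))
```

In a real deployment the `AccountSpend` snapshots would be fed from billing data and the returned action names would map to automation that sends notifications, attaches a deny policy, or stops resources; the decision logic itself is what a governance dashboard evaluates on every refresh.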
Security and Compliance Automation
Governance at scale security and compliance practices employ automation to enforce security requirements, and help streamline activities across the company’s AWS accounts. These practices are made up of the following items:
Identity & Access Automation
AWS guidance to achieve governance at scale is to offer AWS Identity and Access Management (IAM) capabilities through a central portal. Users access the portal with an approved authentication scheme such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). The system grants access based on the roles defined by the company. Once a user is authorized, the system enforces a strict “policy of least privilege” by providing access only to resources authorized by the appropriate authorities. The portal allows users and workload owners to request and approve access to projects, AWS accounts, and centralized resources by managing company-defined IAM policies applied at every level. For example, if a Chief Information Security Officer (CISO) wants to allow the company to access a new AWS service that was previously not allowed, the IAM policy is edited once at the root OU level, and the system implements the change across all cloud accounts.
Security Automation
Maintaining a secure posture when operating at scale requires automating security tasks and compliance assessments. Manual or semi-manual processes cannot easily scale with business growth. With automation, AWS services or Amazon Virtual Private Cloud (Amazon VPC) baseline configurations can be provisioned using standardized AWS configurations or AWS CloudFormation templates. These templates align with the company’s security and compliance requirements and have been evaluated and approved by the company’s risk decision makers. The provisioning process interfaces with the company’s Governance, Risk, and Compliance (GRC) tools or systems of record. (Partner Solutions include Telos Xacta
Well implemented security automation is responsive to security incidents. This includes processes to respond to policy violations by revoking IAM user access, preventing new resource allocation, terminating resources, or isolating existing cloud resources for forensic analysis. Automation can be accomplished by collecting and storing AWS logging data into centralized data lakes and performing analytics, or basing responses on the output of other analytics tools.
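The Identity Federation section notes that SSO combined with AWS CloudTrail lets user activity be tracked across accounts, and the paragraph above describes basing responses on analytics over centralized log data. The following added example (written for this page; it is not code from the whitepaper or from AWS) shows the analysis step over a few constructed CloudTrail records: it resolves the federated user behind each assumed-role session, groups activity per person across accounts, and flags two conditions a governance team would want surfaced, activity in an unapproved region and direct IAM-user access that bypassed federation. The account IDs, role names, user names, and the approved-region list are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records, abridged to the fields used below.
# Account IDs, role and user names are placeholders, not real identifiers.
SAMPLE_TRAIL = [
    {"eventTime": "2020-12-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLE1:jdoe@example.com",
                      "arn": "arn:aws:sts::111111111111:assumed-role/DeveloperRole/jdoe@example.com"}},
    {"eventTime": "2020-12-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLE2:jdoe@example.com",
                      "arn": "arn:aws:sts::222222222222:assumed-role/DeveloperRole/jdoe@example.com"}},
    {"eventTime": "2020-12-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLE2:asmith@example.com",
                      "arn": "arn:aws:sts::222222222222:assumed-role/DeveloperRole/asmith@example.com"}},
    {"eventTime": "2020-12-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-admin",
                      "arn": "arn:aws:iam::111111111111:user/legacy-admin"}},
]


def federated_identity(record):
    """Resolve the human identity behind a record. Federated (SSO) access is logged
    as an AssumedRole whose principalId is '<role id>:<session name>'; with SSO the
    session name is the user, so it is the key for cross-account tracking."""
    ident = record["userIdentity"]
    if ident["type"] == "AssumedRole":
        return ident["principalId"].split(":", 1)[1]
    if ident["type"] == "IAMUser":
        return ident.get("userName") or ident["arn"].rsplit("/", 1)[-1]
    return ident["type"]


def activity_by_identity(records):
    """Group API calls by person, then by account, so one user's actions across
    many accounts are visible in one place."""
    summary = defaultdict(lambda: defaultdict(list))
    for rec in records:
        summary[federated_identity(rec)][rec["recipientAccountId"]].append(
            (rec["eventSource"], rec["eventName"], rec["awsRegion"]))
    return {who: dict(accts) for who, accts in summary.items()}


def unapproved_region_events(records, approved_regions):
    """Events outside the company's approved Regions; these are candidates for the
    enforcement responses described in the text (notification, isolation)."""
    return [{"identity": federated_identity(r), "account": r["recipientAccountId"],
             "region": r["awsRegion"], "event": r["eventName"]}
            for r in records if r["awsRegion"] not in approved_regions]


def non_federated_events(records):
    """Events made by long-lived IAM users rather than federated roles, which
    a federation-only access model should treat as policy violations."""
    return [{"identity": federated_identity(r), "account": r["recipientAccountId"],
             "event": r["eventName"]}
            for r in records if r["userIdentity"]["type"] == "IAMUser"]


if __name__ == "__main__":
    print(json.dumps(activity_by_identity(SAMPLE_TRAIL), indent=2))
    print(unapproved_region_events(SAMPLE_TRAIL, {"us-east-1", "us-west-2"}))
    print(non_federated_events(SAMPLE_TRAIL))
```

Against a centralized log store the same functions would run over the consolidated trail for all accounts; the grouping key is the session name, which is why a consistent SSO session-naming convention matters for attribution.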
Policy Enforcement
AWS guidance to achieve governance at scale helps you achieve policy enforcement on AWS Regions, AWS Services, and resource configurations. Enforcement is based on stakeholder roles and responsibilities, and in accordance with compliance regulations (e.g. HIPAA, FedRAMP, PCI/DSS). At each level of the hierarchy the company can specify which AWS Services, features, and resources are approved for use on a per department, per user, or per project basis. This ensures self-service requests can’t provision unapproved items, as illustrated in the following diagram.

Figure 4: Security and compliance guardrails flow down through the hierarchy. Circles indicate third-party security requirements: FedRAMP, HIPAA, and PCI.
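The Policy Enforcement section and Figure 4 describe guardrails on Regions, services, and resources that are set at each level of the hierarchy and inherited downward, so that a self-service request cannot provision anything an ancestor has not approved. The following added example (written for this page, not code from the whitepaper or from AWS Organizations) models that inheritance: each node carries an optional allow-list, the effective guardrail for an account is the intersection of every allow-list on its path to the root, and the effective Region list is rendered as an Organizations SCP-style deny statement using the `aws:RequestedRegion` condition key. The OU and account names, service names, and Region lists are constructed placeholders.

```python
import json


class OrgNode:
    """One level of the organizational hierarchy: root, OU, or account.
    Each guardrail is an allow-list; None means this level adds no restriction."""

    def __init__(self, name, parent=None, services=None, regions=None):
        self.name = name
        self.parent = parent
        self.services = None if services is None else set(services)
        self.regions = None if regions is None else set(regions)


def lineage(node):
    """Path from the root down to node."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()
    return chain


def effective_guardrails(node):
    """Intersect every allow-list from the root down to node. Anything a parent
    has not approved stays unapproved below it; a child can only narrow further."""
    services = regions = None
    for level in lineage(node):
        if level.services is not None:
            services = level.services if services is None else services & level.services
        if level.regions is not None:
            regions = level.regions if regions is None else regions & level.regions
    return services, regions


def is_request_allowed(node, service, region):
    """Would a self-service request for `service` in `region` pass the guardrails?"""
    services, regions = effective_guardrails(node)
    return ((services is None or service in services)
            and (regions is None or region in regions))


def region_guardrail_scp(regions):
    """Render an effective Region allow-list as an SCP-style policy document that
    denies any request whose aws:RequestedRegion is not in the list. Production
    SCPs normally use NotAction to exempt global services (IAM, STS, etc.); that
    exemption is omitted here to keep the example short."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": sorted(regions)}},
        }],
    }


# Constructed sample hierarchy (placeholder names, mirroring Figure 4).
ROOT = OrgNode("root", regions=["us-east-1", "us-west-2", "us-gov-west-1"])
HEALTHCARE = OrgNode("Healthcare OU (HIPAA)", ROOT,
                     services=["ec2", "s3", "rds", "kms"],
                     regions=["us-east-1", "us-west-2"])
PAYMENTS = OrgNode("Payments OU (PCI)", ROOT, services=["ec2", "s3", "rds"])
HC_DEV = OrgNode("hc-dev account", HEALTHCARE, services=["ec2", "s3"])
PAY_PROD = OrgNode("pay-prod account", PAYMENTS)

if __name__ == "__main__":
    for acct in (HC_DEV, PAY_PROD):
        print(acct.name, effective_guardrails(acct))
    print(json.dumps(region_guardrail_scp(effective_guardrails(HC_DEV)[1]), indent=2))
```

The intersection rule is the property a governance portal relies on: a project owner editing guardrails at the account level can only remove services or Regions, never add back something the department or the root has excluded.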
Deciding on Your Solution
Designing a system to achieve governance at scale addresses key issues for companies around account management, cost enforcement, and security and compliance. Companies can build a governance at scale solution, or they can build one in partnership with AWS Professional Services or an AWS partner. (Partner offerings include Cloudtamer.io
Decision Factor 1, Determine need
Does the company’s AWS footprint exceed, or will it exceed, the number of AWS accounts and resources that can be managed using a manual process? For example, do you review account billing details, use spreadsheets for tracking, or use the AWS Management Console to create and manage all accounts? If the answer to the first question is yes, then a governance at scale solution is needed.
Decision Factor 2, Is it feasible to build versus buy?
In order to build a custom solution, your company should be able to answer Yes to the following questions:
- Does your company have a robust AWS resource tagging or account management methodology for budget control and enforcement?
- Does your company have an existing governance model with business processes that can be automated?
- Does your company have the resources to build and maintain an enterprise software solution for managing governance at scale across the company? This includes engineers and developers with an advanced understanding of the AWS Cloud, APIs, and security features and services, and sufficient staff to maintain the enterprise solution over time.
To determine if your company can develop a solution that meets all of the governance at scale requirements, see Appendix B.
Decision Factor 3, Criteria selection for buying a commercial solution
A commercial solution may include one or more products and/or professional services assistance with integration and building of key components. If you decide to purchase a third-party solution to achieve governance at scale, see Appendix B to determine whether partner products or professional services meet all of your requirements.
What does a Governance at Scale solution look like to an organizational stakeholder?
The following diagram illustrates a finalized governance at scale implementation dashboard overlaying cost and compliance indicators in the company.

Figure 5: Example Company cloud environment
Decision makers at each layer of the hierarchy are provided real-time data and metrics that are tailored to their company role and/or business units:
- Executive – Executives can assign budgets and security policies to any segment of the company. Data is collected from all segments and presented in a summary view that includes overall compliance status and financial health.
- Senior Leadership – Senior leaders can view the financial health of their respective sub-organization. They are responsible for assigning budgets to their respective employees and applying additional security policies as needed.
- Upper Management – Management monitors budgets, grants personnel access to projects, and assigns focused security policies. This is achieved by assigning specific budget and security policies to business units and teams responsible for applications.
- Employee – Employees interact directly with cloud accounts and have operational awareness of current spend vs. the assigned budget. They can request access to other projects and exceptions to security and financial policies as appropriate.
Conclusion
Governance at scale is a new concept for automating cloud governance that can help your company retire manual processes in account management, budget enforcement, and security and compliance. By automating these common challenges, the company can scale without inhibiting agility, speed, and innovation, while providing decision makers with the visibility, control, and governance that is necessary to protect sensitive data and systems.
Carefully consider which solution you choose for your company. The decision to build or buy a solution can have critical implications for your AWS migration strategy. Discuss the potential impact with your AWS Solutions Architect and/or Professional Services consultant. They can help ensure your solution meets your specific requirements. The use case example in Appendix A offers one way to formalize implementation. This example shows the challenges companies face, and the effect a governance at scale implementation can have. Appendix B provides you with a list of the key capabilities for each governance at scale focal point.
The Governance at Scale framework provides a compass and map to help companies build or buy solutions that can help them scale with confidence, by replacing human-based governance processes with automation that is familiar and easy to use for all stakeholders.
Appendix A: Example Use Case
Example use case for implementing governance at scale to manage AWS accounts within a company:
ACME organization has outgrown its manual and spreadsheet-based governance process. The company is large and profitable (1B yearly revenue) but has diverse business units that require autonomy and flexibility. It has a small governance team and a limited budget for a custom home-grown solution. Because of these organizational and financial constraints, it decided to purchase a solution from an AWS partner. (Partner offerings include Cloudtamer.io
John is a developer joining a team that designs application environments for deployment in the AWS Cloud. Therefore, he needs an AWS development environment that allows him to manipulate infrastructure components using code without affecting other developers or systems. Each developer within the team is approved for individual monthly billing budgets for the use of AWS.
A governance at scale implementation and workflow for this scenario is:
- John navigates to a portal to submit a request for an AWS account for developers. From the list, he chooses one of the standard corporate AWS account types, and then specifies that he needs a monthly billing budget of $5,000.
- His request triggers a notification that is sent to his manager. His manager uses the portal to confirm or change the monthly billing budget that John specified, and selects any preapproved/assessed system boundary that John’s environment is allowed to operate within.
- An automated process creates a new AWS account for John, and uses AWS CloudFormation to build a baseline architecture and apply predefined IAM policies and AWS service configurations within John’s new AWS account.
- IAM policies define which services and resources John is allowed to access, and the AWS service API calls he is allowed to perform. See https://aws.amazon.com/iam for details.
- AWS service configurations include services such as an Amazon Virtual Private Cloud (VPC) architecture that includes predefined AWS security groups to be assigned to Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Simple Storage Service (Amazon S3) buckets provisioned with predefined access control policies, and network connectivity to access functional and security-enabling shared services. For example, code repositories, patch repositories, security scanning tools, anti-malware services, authentication services, time synchronization services, directory services, backup and recovery services, etc.
- An automated process interfaces with the company’s governance, risk, and compliance (GRC) tool to link John’s AWS account with the preapproved/assessed system boundary. This allows the GRC tool to access the account for the system inventory, and to monitor for compliance violations as part of automated IT auditing and continuous monitoring.
- An automated process begins tracking the AWS services and resources that John provisions to record the spending rate within John’s AWS account.
- As the monthly spend limit is approached, an automated series of notifications is sent to John so he can act to ensure he does not overspend his budget. It is escalated to his management if John fails to react appropriately. Additionally, a series of automated predefined budget enforcement actions takes place, including preventing new AWS resources from being provisioned, and shutting down or de-provisioning AWS resources.
Appendix B: Governance at Scale Capability Checklist
There are several Amazon Partner Network (APN) solutions that you can use to meet your company's governance at scale requirements. We encourage companies to evaluate each solution and make a decision based on their specific requirements. AWS Professional Services: compliance-accelerator@amazon.com.
Account Management
| Capability | Fully implements (yes/no) | Partially implements (yes/no) | Comments |
|---|---|---|---|
| Programmatically provision and delete AWS accounts using AWS APIs to ensure uniformity | | | |
| Allow external IAM accounts to enable and disable users | | | |
| Provide single sign-on to the AWS Management Console for AWS account users to manage cloud resources | | | |
| Integrate with external IAM providers such as Active Directory | | | |
| Support MFA token management | | | |
| Associate AWS accounts with one or more master billing accounts | | | |
| Associate users with IAM policies to control access | | | |
| Support multi-level organizational hierarchy | | | |
| Support use of Enterprise Accelerators to apply baseline configurations to accounts | | | |
| Provide self-service workflow that allows users to join projects | | | |
| Provide self-service workflow that allows users to create new projects | | | |
| Provide self-service workflow that allows users to connect one or more accounts | | | |
| Control access to custom Amazon Machine Images (AMIs) | | | |
| Allow user access to the AWS API, AWS Management Console, and SDKs | | | |
Budget and Cost Management
| Capability | Fully implements (yes/no) | Partially implements (yes/no) | Comments |
|---|---|---|---|
| Manage funding sources used to pay for AWS usage | | | |
| Allocate funding sources to individuals and AWS accounts based on organizational hierarchy | | | |
| Set monthly and yearly budgets for AWS accounts | | | |
| View current spending accrual of AWS accounts | | | |
| Aggregate spending of AWS accounts based on organization structure and purpose | | | |
| Associate AWS accounts with one or more master billing accounts | | | |
| Apply cost restrictions to AWS accounts (for example, force use of Reserved Instances, restrict Amazon EC2 instance usage to instances less than $x/hr., etc.) | | | |
| Set rules to define enforcement actions (including notification, limit creating new cloud resources, archiving cloud resources, and termination of cloud resources) when financial thresholds are reached for each AWS account | | | |
| Send alerts to financial stakeholders when predefined limits and thresholds are met | | | |
Security and Compliance Automation
| Capability | Fully implements (yes/no) | Partially implements (yes/no) | Comments |
|---|---|---|---|
| Programmatically apply access control policies to restrict user access to AWS services that do not meet regulatory compliance standards (such as HIPAA, FedRAMP, PCI/DSS) | | | |
| Programmatically apply access control policies to restrict user access to AWS Regions that do not meet regulatory compliance standards (for example, HIPAA, FedRAMP, and PCI/DSS) | | | |
| Programmatically apply access control policies to restrict user access to AWS resource configurations that do not meet regulatory compliance standards (for example, HIPAA, FedRAMP, and PCI/DSS) | | | |
| Support multi-level organizational hierarchy to apply and inherit access control policies | | | |
| Collect and store logs for all AWS accounts, resources, and API actions | | | |
| Programmatically verify that cloud resources are configured in alignment with best practices, organizational policies, and regulatory compliance standards | | | |
| Programmatically generate Authorization to Operate (ATO) artifacts, including system security plans (SSPs), based on current cloud resources within AWS accounts | | | |
| Schedule continuous monitoring tasks (for example, vulnerability scans within and across AWS accounts) to determine whether the system is compliant | | | |
| Set rules to define enforcement actions (including notification, limit creating new cloud resources, and isolation of cloud resources) when compliance violation thresholds are reached for each AWS account | | | |
Contributors
The following individuals and organizations contributed to this document:
- Doug Vanderpool – Principal Consultant, Advisory, AWS Professional Services
- Brett Miller – Technical Program Manager, WWPS Security and Compliance Business Acceleration Team
- Lou Vecchioni – Senior Consultant, AWS Professional Services
- Colin Desa – Head, Envision Engineering Center
- Tim Anderson – Program Manager, WWPS Security and Compliance Business Acceleration Team
- Nathan Case – Senior Consultant, AWS Professional Services
Document Revisions
The following table describes additions to this whitepaper, beginning in January 2020. To be notified about updates to this whitepaper, subscribe to the RSS feed.
| Change | Description | Date |
|---|---|---|
| Minor updates | Reformatted to be single HTML page. | December 11, 2020 |
| Minor updates | Minor text updates to improve accuracy. | January 1, 2020 |
Whitepaper changes made prior to January 2020:
| Date | Description |
|---|---|
| May 2017 | First DRAFT Version |
| August 2017 | DRAFT Version 2.0 |
| November 2017 | DRAFT Version 2.1 |
| July 2018 | DRAFT Version 2.2 |
| November 2018 | DRAFT Version 2.3 |
Notices
Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
© 2020 Amazon Web Services, Inc. or its affiliates. All rights reserved.