AWS Governance at Scale

Governance at Scale Focal Points

Governance at Scale implements three focal points: Account Management, Budget and Cost Management, and Security and Compliance Automation.

Account Management

AWS guidance for governance at scale streamlines account management across a company's many AWS accounts and workloads by centralizing, standardizing, and automating account maintenance tasks. This is done through policy automation, identity federation, and account automation. For example, instead of requiring a central group to manually manage the company's master billing account, a self-service model with workflow automation is employed. It enables authorized staff to link multiple accounts to one or more master billing accounts and to attach governance policies that are then enforced automatically.

Figure 2: Automation can create and manage accounts at scale

Policy Automation

AWS guidance for governance at scale automates the application of company policies, deploying accounts with standard specifications to ensure consistency across AWS accounts and resources. The policy engine is flexible enough to accommodate and enforce security policies expressed through different mechanisms, such as AWS Identity and Access Management (IAM) policies, AWS CloudFormation templates, or custom scripts.

Identity Federation

AWS governance solutions employ AWS Single Sign-On (SSO), federated with external identity providers such as OpenID Connect providers or Microsoft Active Directory, to centralize AWS account management and simplify user access to AWS accounts. When SSO is used in conjunction with AWS CloudTrail, user activity can be tracked across multiple AWS accounts: each account's trail records the SSO role that was assumed, and the role session name identifies the federated user, so events from many accounts can be correlated back to one person. This only works if CloudTrail is enabled in every account, for example through an organization trail, and if the records are collected centrally.
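The cross-account correlation described above, as an added example that is not code from the whitepaper. It assumes CloudTrail records from several accounts have already been collected centrally and parsed into dicts, and that users reach accounts through AWS SSO permission-set roles, whose assumed-role ARNs carry the `AWSReservedSSO_` role-name prefix and end with the federated user name as the role session name. The records are constructed for the example; the account IDs, user names and permission-set name are made up.

```python
"""Attribute CloudTrail activity across accounts to federated SSO users.

Added example; not code from the whitepaper. Assumptions:
  * Trails from several accounts are collected centrally (an organization
    trail delivered to one S3 bucket, for instance) and parsed into dicts.
  * Users reach accounts through AWS SSO permission-set roles. The assumed
    role ARN then ends with the federated user name as the role session name,
    and the role name carries the AWSReservedSSO_ prefix.
The records below are constructed for this example, not real log data.
"""
from collections import defaultdict

SAMPLE_RECORDS = [
    {   # alice, via an SSO permission set, in account 111111111111
        "eventTime": "2024-03-01T10:00:00Z", "eventName": "RunInstances",
        "eventSource": "ec2.amazonaws.com", "recipientAccountId": "111111111111",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_AdminAccess_0123abcd/alice@example.com",
        },
    },
    {   # the same user, minutes later, in a different account
        "eventTime": "2024-03-01T10:05:00Z", "eventName": "PutObject",
        "eventSource": "s3.amazonaws.com", "recipientAccountId": "222222222222",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::222222222222:assumed-role/AWSReservedSSO_AdminAccess_0123abcd/alice@example.com",
        },
    },
    {   # a long-lived IAM user with its own keys, bypassing SSO
        "eventTime": "2024-03-01T11:00:00Z", "eventName": "CreateUser",
        "eventSource": "iam.amazonaws.com", "recipientAccountId": "222222222222",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/bob", "userName": "bob"},
    },
    {   # root sign-in, which no SSO permission set or SCP can constrain
        "eventTime": "2024-03-01T12:00:00Z", "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com", "recipientAccountId": "333333333333",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::333333333333:root"},
    },
]


def classify_caller(record):
    """Return (identity, kind) where kind is 'sso', 'role', 'iam-user', 'root' or 'other'."""
    ident = record["userIdentity"]
    kind = ident.get("type")
    if kind == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<role-name>/<role-session-name>
        _, role_name, session_name = ident["arn"].rsplit("/", 2)
        if role_name.startswith("AWSReservedSSO_"):
            return session_name, "sso"          # session name is the SSO user
        return f"{role_name}/{session_name}", "role"
    if kind == "IAMUser":
        return ident["userName"], "iam-user"
    if kind == "Root":
        return f"root@{record['recipientAccountId']}", "root"
    return ident.get("arn", "unknown"), "other"


def attribute_activity(records):
    """Map each caller to the accounts it touched and the API calls made there."""
    activity = defaultdict(lambda: defaultdict(list))
    for rec in records:
        who, _ = classify_caller(rec)
        activity[who][rec["recipientAccountId"]].append(rec["eventName"])
    return {who: dict(accounts) for who, accounts in activity.items()}


def non_federated_access(records):
    """Records whose caller bypassed SSO: IAM users with their own keys, or root."""
    return [rec for rec in records if classify_caller(rec)[1] in ("iam-user", "root")]


if __name__ == "__main__":
    for who, accounts in attribute_activity(SAMPLE_RECORDS).items():
        print(who, {acct: len(calls) for acct, calls in accounts.items()})
    for rec in non_federated_access(SAMPLE_RECORDS):
        print("non-SSO access:", rec["recipientAccountId"], rec["eventName"], rec["userIdentity"]["type"])
```

The second function is the governance check that falls out of centralizing identity: once everyone is expected to come through SSO, any IAM-user or root activity in the trails is an exception worth alerting on.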

Account Automation

Services such as AWS Organizations, AWS CloudFormation, and AWS Service Catalog automate AWS account provisioning and network architecture baselining. They replace manual processes and facilitate the use of pre-defined, standardized deployment templates.

Users can create new AWS accounts for projects through self-service and leverage the AWS Management Console and APIs without the assistance of provisioning experts. Project or AWS account owners within a company use a centralized interface to manage access to resources within their assigned area, and configure cross-account access to AWS resources.

This automation of account management removes impediments such as ticketing and other out-of-band manual processes from account provisioning, which accelerates developers' access to the AWS resources they need.

Budget and Cost Management

Automated methods define and enforce fiscal policies to achieve governance at scale. Budget planning and enforcement practices allow leaders and staff to allocate and manage budgets for multiple AWS accounts and to define enforcement actions. Automation ensures spending is actively monitored and controlled in near real time, which allows leaders to make proactive, well-informed decisions about budgetary controls and allocations across the company. When budgets are aligned with projects and AWS accounts, automation keeps budgets current and prevents accounts from exceeding an approved budget. (For an example use case where budget enforcement is automated with a governance at scale solution, see Appendix A.) This lets companies meet fiscal requirements such as the Antideficiency Act for U.S. Government agencies. Shared service providers or AWS resellers can implement governance at scale to provide chargeback capabilities across a diverse company.

Budget Planning

It is important to align the company's budget management process to an automated workflow. The workflow should be flexible enough that different types of funding sources, such as investments, appropriations, and contract line items (CLINs), are managed as the funding is allocated across the company. Financial owners should define the timeframe for the funding source, set enforcement actions if budget limits are exceeded, and track utilization over time. For example, if AWS provides a customer a $10,000 credit, the financial owner can subdivide that amount across the company. Automation then manages each allocation individually while providing awareness and real-time financial dashboards to decision makers over the lifetime of the funding source.

Budget Enforcement

Enforcement of budget constraints is a key component of governance at scale. Each layer of the company defines spending limits within accounts and projects, monitors account spending in near real-time, and triggers warning notifications or enforcement actions. Automated actions include:

  • Restricting the use of AWS resources to those that cost less than a specified price.

  • Throttling new resource provisioning.

  • Shutting down, terminating, or de-provisioning AWS resources after archiving configurations and data for future use.

The following diagram illustrates how this could work. Red numbers indicate that the current or projected AWS spend rate exceeds the budget allocated to the project; green numbers indicate that the current spend rate is within budget. When viewed on a governance dashboard, a decision maker has near real-time awareness of usage and spending across the entire company.

Figure 3: Budgets are allocated and enforced through the company
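The roll-up, projection and tiered enforcement from the two preceding subsections, as an added example (not code from the whitepaper). It assumes a company/department/project hierarchy in which spend is booked to projects, a linear projection of month-to-date spend to period end, and a mapping of the three listed enforcement actions to escalating thresholds; the budget figures, the 80% warning threshold and the action names are assumptions made up for the example.

```python
"""Hierarchical budget check with projection and enforcement tiers.

Added example; not code from the whitepaper. The budget figures, thresholds
and action names are assumptions. Spend booked to projects (AWS accounts) is
rolled up through departments to the company, each node is projected to
period end from its month-to-date rate, and an enforcement action is chosen
per node in the escalating order the text lists: restrict, throttle,
de-provision.
"""
from dataclasses import dataclass, field


@dataclass
class BudgetNode:
    name: str
    budget: float                  # allocation for the period, in USD
    spend: float = 0.0             # month-to-date spend booked directly here
    children: list = field(default_factory=list)


def project_to_period_end(spend_to_date, days_elapsed, days_in_period):
    """Linear projection of the current spend rate to the end of the period."""
    if days_elapsed <= 0:
        raise ValueError("days_elapsed must be positive")
    return spend_to_date * days_in_period / days_elapsed


def choose_action(spend, projected, budget, warn_at=0.8):
    """Tiered response: the harsher the breach, the harsher the action."""
    if spend >= budget:
        return "deprovision"   # archive configs and data, then shut down
    if projected > budget:
        return "throttle"      # block new provisioning; existing resources keep running
    if projected > warn_at * budget:
        return "restrict"      # only allow resources under a price ceiling, and notify
    return "none"


def _evaluate(node, days_elapsed, days_in_period, report):
    """Post-order walk: children first, so a parent sees its subtree total."""
    total = node.spend + sum(_evaluate(c, days_elapsed, days_in_period, report)
                             for c in node.children)
    projected = project_to_period_end(total, days_elapsed, days_in_period)
    report[node.name] = {
        "spend": round(total, 2),
        "projected": round(projected, 2),
        "budget": node.budget,
        # red = over budget now, or on track to be by period end (Figure 3)
        "status": "red" if (total > node.budget or projected > node.budget) else "green",
        "action": choose_action(total, projected, node.budget),
    }
    return total


def budget_report(root, days_elapsed, days_in_period):
    """Return {node name: status row} for every node in the hierarchy."""
    report = {}
    _evaluate(root, days_elapsed, days_in_period, report)
    return report


def sample_company():
    """Constructed hierarchy: company -> departments -> projects (accounts)."""
    return BudgetNode("company", 50000, children=[
        BudgetNode("dept-a", 20000, children=[
            BudgetNode("proj-1", 6000, spend=4000),    # on pace to overrun
            BudgetNode("proj-2", 8000, spend=9000),    # already over
        ]),
        BudgetNode("dept-b", 25000, children=[
            BudgetNode("proj-3", 15000, spend=5000),   # trending close to budget
        ]),
    ])


if __name__ == "__main__":
    rows = budget_report(sample_company(), days_elapsed=10, days_in_period=30)
    for name, row in rows.items():
        print(f"{name:8} {row['status']:5} spend={row['spend']:>9} "
              f"projected={row['projected']:>9} budget={row['budget']:>7} -> {row['action']}")
```

Note that a department can be red while all but one of its projects are green: the over-spending project drags the parent's projection over its allocation, which is the situation the dashboard in Figure 3 is meant to surface to a decision maker before the period ends.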

Security and Compliance Automation

Governance at scale security and compliance practices employ automation to enforce security requirements, and help streamline activities across the company’s AWS accounts. These practices are made up of the following items:

Identity & Access Automation

AWS guidance for governance at scale is to offer AWS Identity and Access Management (IAM) capabilities through a central portal. Users access the portal with an approved authentication scheme such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). The system grants access based on the roles defined by the company. Once a user is authorized, the system enforces the principle of least privilege by providing access only to the resources approved by the appropriate authorities. The portal allows users and workload owners to request and approve access to projects, AWS accounts, and centralized resources by managing company-defined IAM policies applied at every level of the hierarchy. For example, if a Chief Information Security Officer (CISO) wants to allow the company to use a new AWS service that was previously not allowed, an administrator edits the policy attached at the root or organizational unit (OU) level (in AWS Organizations this is a service control policy), and the system implements the change across all accounts beneath it. Such organization-level policies only bound what an account may do; each account's own IAM policies must still grant the permission before anyone can use the service.

Security Automation

Maintaining a secure posture when operating at scale requires automating security tasks and compliance assessments; manual or semi-manual processes cannot easily scale with business growth. With automation, AWS service or Amazon Virtual Private Cloud (Amazon VPC) baseline configurations can be provisioned from standardized AWS configurations or AWS CloudFormation templates. These templates align with the company's security and compliance requirements and have been evaluated and approved by the company's risk decision makers. The provisioning process interfaces with the company's Governance, Risk, and Compliance (GRC) tools or systems of record (partner solutions include Telos Xacta 360 and RSA Archer). These templates generate security documentation and implementation details for newly provisioned baseline architectures, and shorten the overall time required for a system or project to be assessed and approved for operations.

Well implemented security automation is responsive to security incidents. This includes processes to respond to policy violations by revoking IAM user access, preventing new resource allocation, terminating resources, or isolating existing cloud resources for forensic analysis. Automation can be accomplished by collecting and storing AWS logging data into centralized data lakes and performing analytics, or basing responses on the output of other analytics tools.

Policy Enforcement

AWS guidance for governance at scale helps you enforce policy on AWS Regions, AWS services, and resource configurations. Enforcement is based on stakeholder roles and responsibilities and on the applicable compliance regulations (e.g. HIPAA, FedRAMP, PCI DSS). At each level of the hierarchy the company can specify which AWS services, features, and resources are approved for use on a per-department, per-user, or per-project basis; Region and service restrictions are typically expressed as service control policies in AWS Organizations, and resource configuration requirements as AWS Config rules. This ensures self-service requests can't provision unapproved items, as illustrated in the following diagram.

Figure 4: Security and compliance guardrails flow down through the hierarchy. Circles indicate third-party security requirements: FedRAMP, HIPAA, and PCI.
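A Region and service guardrail of the kind described under Policy Enforcement, expressed as a service control policy that would be attached at the root or an OU (the same lever the CISO example under Identity & Access Automation relies on), together with a small checker that shows what the policy does to sample requests. This is an added example, not code from the whitepaper. The policy layout follows the documented SCP syntax (a Deny with NotAction and an aws:RequestedRegion condition is the standard Region-restriction pattern); the approved Regions, the denied services, the exemption list and the sample requests are assumptions made up for the example. The evaluator models only the subset of IAM semantics this policy exercises: explicit Deny wins, an Allow must otherwise match, NotAction and StringNotEquals are supported, resource ARNs and other condition operators are not.

```python
"""Region and service guardrail as a service control policy (SCP), with a
checker for what it does to sample requests.

Added example, not from the whitepaper. The approved Regions, denied
services, exemptions and sample requests are assumptions. The evaluator
implements only what this policy needs: an action is allowed when some Allow
statement matches and no Deny statement matches; Deny statements may use
NotAction and StringNotEquals on aws:RequestedRegion. Resource ARNs and
other condition operators are not modelled.
"""
import fnmatch
import json

APPROVED_REGIONS = ["us-east-1", "us-west-2"]     # assumption
DENIED_SERVICES = ["lightsail", "gamelift"]       # assumption
# Global services are served from a fixed endpoint Region rather than the
# caller's; exempt them (as AWS's published example does) or the Region deny
# blocks IAM, Organizations and STS calls that every account depends on.
GLOBAL_SERVICE_EXEMPTIONS = ["iam:*", "organizations:*", "sts:*", "support:*",
                             "budgets:*", "cloudfront:*", "route53:*"]


def build_scp(approved_regions, denied_services):
    """Policy to attach at the root or an OU; it applies to every account below."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # SCPs only bound permissions. Without an Allow nothing is permitted,
            # whatever the IAM policies inside the account say.
            {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
             "NotAction": GLOBAL_SERVICE_EXEMPTIONS, "Resource": "*",
             "Condition": {"StringNotEquals": {"aws:RequestedRegion": approved_regions}}},
            {"Sid": "DenyUnapprovedServices", "Effect": "Deny",
             "Action": [f"{svc}:*" for svc in denied_services], "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_action(stmt, action):
    """IAM action matching is case-insensitive and '*' is a wildcard."""
    action = action.lower()
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(stmt["Action"]))
    # NotAction: the statement applies to every action NOT in the list
    return not any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(stmt["NotAction"]))


def _matches_condition(stmt, context):
    """StringNotEquals holds when the key is absent or its value is not listed."""
    for key, values in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if context.get(key) in _as_list(values):
            return False
    return True


def is_allowed(scp, action, context):
    """Explicit Deny wins; otherwise some Allow must match; otherwise implicit deny."""
    allowed = False
    for stmt in scp["Statement"]:
        if not (_matches_action(stmt, action) and _matches_condition(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


SCP = build_scp(APPROVED_REGIONS, DENIED_SERVICES)

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for action, region in [("ec2:RunInstances", "us-east-1"), ("ec2:RunInstances", "eu-west-1"),
                           ("lightsail:CreateInstances", "us-east-1"), ("iam:CreateRole", "eu-west-1")]:
        verdict = "allow" if is_allowed(SCP, action, {"aws:RequestedRegion": region}) else "DENY"
        print(f"{action:28} in {region:10} -> {verdict}")
```

Two caveats a practitioner should keep in mind: an SCP never affects the management account or grants anything on its own, so the `FullAWSAccess` statement plus the account's IAM policies are what actually permit a call; and the Region exemption list is a security decision in itself, since every exempted service is reachable from any Region.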