Technology•Feb 23, 2021
AWS Cloud Governance Part 1: 3 Keys to Starting Your AWS Governance Journey
Going to the cloud is supposed to be an enabler for innovation, deliver improved agility, and decrease time to market so organizations can better respond to changing demands. However, empowering stakeholders to develop their own systems and deploy assets with the click of a button in the cloud comes with its own set of pitfalls.
Organizations may no longer have to worry about capital costs, but operational costs can quickly get out of hand without controls in place. A lack of controls not only creates challenges with costs and efficiency but can also raise security concerns when assets are deployed with poor access controls or configuration vulnerabilities. The chaos and instability that go with these pitfalls often rob organizations of the velocity and efficiency promised by the cloud.
Cloud governance encompasses the people, process, and technology associated with your cloud infrastructure, security, and operations. Governance is a framework with a set of business-driven policies and standard practices for promoting the well-architected principles of operational excellence, security, reliability, performance efficiency, and cost optimization. Governance ensures cloud-related spend aligns with business objectives, promotes data integrity across the enterprise, encourages innovation, and mitigates the risk of data loss or non-compliance with regulations.
In a nutshell, cloud governance is the map to get you to a well-architected state. Implementing and operationalizing governance policies keeps you there.
This blog series outlines the fundamental elements for establishing an AWS governance map that is specific to your organization. It will guide you toward governance that enables a well-architected cloud environment, one that evolves with your business so you can innovate quickly without losing control of the environment.
Good AWS Governance Is a Journey
Somewhere along their journey working with the cloud, most organizations realize they don’t know how to control all the things that are being created in their cloud environment. Just like cloud adoption is a journey, establishing good governance is a journey of its own that will evolve as your business and the cloud continue to change. The first steps to take in establishing governance controls depend on where your organization is in its journey on AWS. Are you preparing to create your first AWS resources, or do you already have hundreds or thousands of resources in AWS?
The keys to making the governance journey a success even as it continues to evolve are:
- Establish clear goals that address your specific control objectives
- Clearly articulate the road map to achieving those goals
- Get upfront buy-in on the road map from both technical and business stakeholders
Choosing Your AWS Governance Destination
Before you start any journey, you need to know where you are going. A journey in the cloud and in building good governance will include identifying organizational objectives for leveraging AWS. For the larger cloud journey, these should not just be IT objectives (e.g., we want to get out of the data center, or the development team wants to be able to use Lambda) but rather strategic goals for the business (e.g., we need to be able to scale up quickly to meet demand spikes but scale down to save cost in off periods, or we need to be able to add geo-specific resources quickly to accommodate clients in regions for our expansion plan).
Likewise, your cloud governance goals should be enablers for meeting these business objectives while controlling costs, ensuring the security and integrity of the cloud environment, and optimizing performance.
Some of the key themes we have seen with these goals are:
- Segregating development and production environments with appropriate separation of duties/access permissions
- Allowing teams freedom to experiment within a budget
- Conforming to security and/or compliance standards required for your business or industry
- Ensuring all actions on AWS are logged and the audit trail can’t be altered
- Enabling secure private network access to resources across accounts and regions as needed
- Implementing automation tooling for standardization and consistency of cloud resources
- Reducing application downtime due to lack of understanding or insight into your AWS environment
These goals should tie back to your business objectives so you can secure buy-in from the whole executive leadership team. Once your goals are established and agreed upon, they can serve as the compass for the journey, but remember that these goals should evolve and change if the larger business goals change. It can also be helpful to set up clear driving statements for your goals that teams can use when making decisions. For example, if stability is your goal: “Will doing X help drive stability?” or “Does doing A or B next help stability more?”
Starting to Map out Your AWS Governance Journey
With specific governance goals for your organization, you can now map out what a well-architected cloud destination on the journey needs to look like with a clear case for the business objectives and value.
AWS has tried to help organizations achieve a well-architected environment by establishing the Well-Architected Framework and review process, where an AWS partner such as Credera can analyze a workload in AWS with a standard set of questions to determine the opportunities for improving the workload. This can be a great tool for creating the map of your governance journey if you are already running some portions of your application on AWS, because it allows the organization flexibility to limit the scope under review and to fit the overall goals of the organization. It also gives you concrete next steps to keep the organization moving forward on its governance journey while considering ongoing operational constraints.
If you are at the beginning of your cloud adoption journey and don’t yet have workloads in the cloud, then you have the opportunity to build and implement your governance controls before users start creating resources. To be able to leverage this opportunity, you need to quickly identify the key controls that need to be in place from the start and those you can add later in the journey. The Well-Architected Framework can help point you to the key controls that your organization needs to start with. This will allow users to start leveraging AWS as soon as possible while minimizing rework later.
AWS also has a whitepaper, AWS Governance at Scale, which can help organizations plan their governance road map. The whitepaper focuses on three key areas that tie back closely to the Well-Architected Framework: account management, budget and cost management, and security and compliance automation. We will dig into the considerations and details of each of these areas in the remaining blog posts in this series.
Getting Everyone on Board
Once you are ready to start your governance journey on AWS, it is important to get everyone on board in order to make the journey a success. More and more teams and knowledge workers have started to place increasing importance on understanding how their job can make an impact on the business and making their internal and/or external customers’ lives better.
Helping everyone make the connection between what can sometimes be mundane daily tasks needed for good governance and the larger objectives can be the hardest part of the governance journey. This can be especially true for agile technology teams who have operated with autonomy in the cloud when starting to talk about “adding governance.” This is largely due to the legacy perception of governance as a set of prescriptive dictates that might or might not apply to the work the team is focused on.
The key to selling your governance goals is to keep reminding all the teams involved of the larger goals, while also articulating immediate benefits of adopting smaller elements of good cloud governance.
Some of the goals might easily tie directly to technical objectives, e.g., ensuring end-to-end encryption for PCI or HIPAA data, while a goal of “reducing application downtime due to lack of understanding of your environment” might not as clearly tie back to “making sure every resource on AWS has a set of tags.” For these goals it is important to help teams understand that these rules are not there to control them but to empower and inform them. For example, ensuring every resource has an “owner” tag means that updates or changes to any resource involve the right people so that downtime can be reduced while maintaining security and flexibility.
You should also encourage pushback from your teams, especially on how the technical solutions to meet your governance goals are architected. It is important to remember to trust the feedback from those closest to the problem, while still reinforcing directional guidance and maintaining a clear link between each small decision and the overarching goals.
Next Steps on Your AWS Governance Journey
The rest of this blog series will dig into the specifics of establishing good governance to meet your goals and objectives. We will also try to help guide you in determining what you should do first, focusing on quick wins—improving access and accountability patterns that set you up for further success on your organization’s governance journey.
Check out the rest of the insights in this series:
- AWS Cloud Governance Part 2: Centralized Account Management and Organization Controls
- AWS Cloud Governance Part 3: Compliance, Security, & Cost Management
Need a Guide for Your Cloud Transformation Journey?
Credera is passionate about helping organizations foster cloud enablement that drives successful cloud adoption and valuable business outcomes. Our unique expertise in corporate strategy, innovation, and application development enables us to bring a holistic approach to your cloud adoption journey.
Explore Credera’s Cloud Transformation Framework to learn more, or reach out to us at firstname.lastname@example.org if you have any other questions on AWS Cloud Governance.