Title

AWS re:Invent 2023 - Best practices for cloud governance (COP318)

Summary

• Speakers: Svetlana Kolomiskaia (Cloud Governance Manager, SPS Commerce), Krista Gorman (Product Lead for Control Tower Service), and Troy Jordan (Senior Manager for Cloud Operations, SPS Commerce).
• Key Topics: Cloud governance foundations, best practices, AWS services for governance, customer journey, and insights from SPS Commerce's experience.
• Cloud Governance Definition: A set of rules, practices, and reports aligning cloud use with business objectives.
• When Cloud Governance is Needed: For setting up secure cloud environments, complying with regulatory requirements, and enabling developer agility.
• AWS Services Highlighted: Control Tower, AWS Organizations, CloudTrail, Config, IAM Identity Center, Service Catalog.
• Best Practices for Cloud Environments:
  1. Use accounts as building blocks.
  2. Enable visibility to track user activity and risk.
  3. Automate account provisioning and use customizations.
  4. Apply the principle of least privilege.
• Best Practices for Controls Management: 5. Define controls using policy as code models. 6. Align control objectives to a security framework. 7. Use proactive and preventive controls to protect security baselines. 8. Continuously monitor and test for control effectiveness.
• Cloud Governance for Developers: 9. Use and govern infrastructure as code for consistency. 10. Proactively detect security vulnerabilities in code.
• Customer Journey: Troy Jordan shared SPS Commerce's 10-year journey with AWS, emphasizing the importance of tagging, account-level governance, and the shift to a multi-account strategy facilitated by AWS Control Tower and other AWS services.

Insights

• Cloud Governance Evolution: Cloud governance is an evolving journey that starts with foundational elements and adapts to changing workloads, projects, and organizational transitions.
• Importance of Tagging: Tagging is fundamental for resource attribution, cost management, and identifying ownership for security and compliance purposes.
• Multi-Account Strategy: A multi-account strategy is recommended for security, isolation, and cost management. It also simplifies IAM and reduces the blast radius in case of security incidents.
• Automation and Standardization: Automating account provisioning and applying standard configurations across accounts can significantly reduce setup time and ensure consistency.
• Policy as Code: Defining controls as code and using human-readable policy languages can streamline control engineering and facilitate peer review processes.
• Alignment with Security Frameworks: Mapping control objectives to security frameworks like NIST and PCI helps establish a consistent risk management foundation and facilitates communication with compliance teams.
• Proactive and Preventive Controls: Implementing proactive and preventive controls can prevent misconfigurations and reduce the need for remediation.
• Developer Enablement: Providing developers with tools and environments that enforce governance while allowing innovation is crucial for agile development.
• Customer Experience: SPS Commerce's journey highlights the practical application of AWS governance tools and the benefits of a well-architected multi-account environment.
• Continuous Improvement: Cloud governance is not a one-time setup; it requires continuous monitoring, testing, and adaptation to new regulations and business requirements.