Achieving governance at scale (COP383)

Here's a detailed summary of the key takeaways from the video transcription, broken down into sections:

Building the Foundation of Cloud Governance

• Definition of Cloud Governance: Refers to the rules, processes, and reports that allow organizations to implement best practices according to their business objectives.
• Importance of Governance: Helps with regulation, operations, and cost management in a multi-account, multi-service cloud environment.
• Scale of Governance Services: AWS Organizations manages millions of accounts and handles over a billion API calls per second.

Structuring the Multi-Account Environment

• Accounts as Isolation Boundaries: Accounts represent the "rooms" in the building, providing natural isolation for users, applications, and services.
• Organizational Units (OUs): Provide structure to accounts, allowing the application of policies and controls at the OU level.
• Recommended OU Structure: Security, Infrastructure, Sandbox, and Workloads OUs.
• Migrating to Multi-Account: Recommendations include isolating the management account, creating new accounts for new workloads, and using resource sharing capabilities like AWS RAM.
• Single Production Organization: Recommended to maintain a single production organization for better centralized governance and visibility.

Implementing Security in the Multi-Account Environment

1. Access Management:

   • AWS IAM Identity Center for centralized user and group access management.
   • Root Access Management for reviewing and managing root user credentials.
   • Continuous auditing of user and role permissions.

2. Visibility and Monitoring:

   • Centralized logging with AWS CloudTrail and AWS Config.
   • Security monitoring tools: AWS Security Hub and AWS GuardDuty.

3. Controls:

   • Organization-level controls: Service Control Policies (SCPs), Resource Control Policies (RCPs), and Declarative Policies.
   • Detective controls with AWS Config.
   • Preventive controls with SCPs, RCPs, and Declarative Policies.

Inventory Management and Cost Optimization

1. Inventory Management:

   • AWS Resource Explorer and AWS Config for resource visibility and configuration history.
   • Using Config Aggregators and APIs for advanced querying and reporting.

2. Cost Optimization:

   • Ensuring visibility of costs, understanding cost drivers, and empowering teams to optimize.
   • Using services like AWS Compute Optimizer, AWS S3 Storage Lens, and AWS Cost Optimization Hub.

Workday's Governance Journey

• Evolution from a Single Organization to Multiple Organizations: Workday transitioned from a single AWS organization to a multi-organization structure, leveraging newer governance services like AWS Control Tower.
• Practical Tips:
  • Monitoring CloudTrail and Config costs
  • Leveraging delegated admin accounts for governance services
  • Adopting centralized logging and security monitoring
  • Careful consideration of guard rails and configuration drift in Control Tower
  • Maintaining an accurate inventory of AWS accounts

Overall, the video covers the foundational elements of cloud governance, the importance of a well-structured multi-account environment, the security and control aspects, as well as practical guidance from a customer's perspective.