Achieving governance at scale (COP383)

Here's a detailed summary of the key takeaways from the video transcription, broken down into sections:

Building the Foundation of Cloud Governance

  • Definition of Cloud Governance: Refers to the rules, processes, and reports that allow organizations to implement best practices according to their business objectives.
  • Importance of Governance: Helps with regulation, operations, and cost management in a multi-account, multi-service cloud environment.
  • Scale of Governance Services: AWS Organizations manages millions of accounts and handles over a billion API calls per second.

Structuring the Multi-Account Environment

  • Accounts as Isolation Boundaries: Accounts represent the "rooms" in the building, providing natural isolation for users, applications, and services.
  • Organizational Units (OUs): Provide structure to accounts, allowing the application of policies and controls at the OU level.
  • Recommended OU Structure: Security, Infrastructure, Sandbox, and Workloads OUs.
  • Migrating to Multi-Account: Recommendations include isolating the management account, creating new accounts for new workloads, and using resource sharing capabilities like AWS RAM.
  • Single Production Organization: Recommended to maintain a single production organization for better centralized governance and visibility.

Implementing Security in the Multi-Account Environment

  1. Access Management:

    • AWS IAM Identity Center for centralized user and group access management.
    • Root Access Management for reviewing and managing root user credentials.
    • Continuous auditing of user and role permissions.
  2. Visibility and Monitoring:

    • Centralized logging with AWS CloudTrail and AWS Config.
    • Security monitoring tools: AWS Security Hub and AWS GuardDuty.
  3. Controls:

    • Organization-level controls: Service Control Policies (SCPs), Resource Control Policies (RCPs), and Declarative Policies.
    • Detective controls with AWS Config.
    • Preventive controls with SCPs, RCPs, and Declarative Policies.

Inventory Management and Cost Optimization

  1. Inventory Management:

    • AWS Resource Explorer and AWS Config for resource visibility and configuration history.
    • Using Config Aggregators and APIs for advanced querying and reporting.
  2. Cost Optimization:

    • Ensuring visibility of costs, understanding cost drivers, and empowering teams to optimize.
    • Using services like AWS Compute Optimizer, AWS S3 Storage Lens, and AWS Cost Optimization Hub.

Workday's Governance Journey

  • Evolution from a Single Organization to Multiple Organizations: Workday transitioned from a single AWS organization to a multi-organization structure, leveraging newer governance services like AWS Control Tower.
  • Practical Tips:
    • Monitoring CloudTrail and Config costs
    • Leveraging delegated admin accounts for governance services
    • Adopting centralized logging and security monitoring
    • Careful consideration of guard rails and configuration drift in Control Tower
    • Maintaining an accurate inventory of AWS accounts

Overall, the video covers the foundational elements of cloud governance, the importance of a well-structured multi-account environment, the security and control aspects, as well as practical guidance from a customer's perspective.

Your Digital Journey deserves a great story.

Build one with us.

Cookies Icon

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.

Talk to us