New governance capabilities for multi-account environments (COP378-NEW)

A summary of the session, broken into sections.

Introduction and Overview of Cloud Governance

  • Speakers introduced themselves - Tim Honey Church, a principal specialist in Cloud Governance, and Naveen Shanker, a product manager in AWS Organizations.
  • The session covers new Cloud Governance capabilities in two areas: organization-wide control policies and observability tooling.
  • The speakers define Cloud Governance as aligning the use of the AWS Cloud with business outcomes: moving fast while doing so securely, compliantly, and cost-efficiently.
  • They also lay out the key challenges of Cloud Governance: balancing innovation against controls, meeting regulatory requirements, preserving agility, and keeping costs under control.
  • A customer success story of Clearwater Analytics is shared, highlighting how they used AWS Organizations and Control Policies to handle 200% more resources with a small team.

AWS Organizations and Control Policies

  • AWS Organizations and AWS Control Tower are foundational services for multi-account governance.
  • AWS Organizations policies fall into two categories: authorization policies (which bound what principals and resources can do) and management policies (which centrally manage configuration).
  • Service Control Policies (SCPs) are the most widely used authorization policy; they set the maximum permissions available to IAM principals in member accounts without granting any permissions themselves.
  • Management policies were, until recently, backup policies, tag policies, and AI services opt-out policies. Chatbot policies were added in October 2024, and Resource Control Policies, a second kind of authorization policy, launched in November 2024.

Declarative Policies for EC2

  • Declarative policies, launched just ahead of re:Invent 2024, address the need to enforce a uniform service configuration across accounts at scale, which gives security teams assurance that the setting holds everywhere.
  • The speaker demonstrates creating a declarative policy that turns on VPC Block Public Access; the policy propagates to every account in scope and is enforced by the EC2 service itself, so an administrator in a member account cannot switch the setting off.
  • Because declarative policies are implemented in each service's control plane, the administrator can attach a custom error message, so a developer whose request is blocked gets a transparent explanation instead of an opaque denial.
  • The key benefits are easy setup, consistent enforcement, and a better developer experience than using SCPs to police configuration.
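The policy from the demonstration, written out as an added example rather than the session's own document: a declarative policy that enforces VPC Block Public Access in every account it is attached to. The attribute and value names are the documented ones; the wording of the exception message is an assumption.

```json
{
  "ec2_attributes": {
    "exception_message": {
      "@@assign": "VPC Block Public Access is enforced for the whole organization (assumed message text). Request an exception from the cloud platform team."
    },
    "vpc_block_public_access": {
      "internet_gateway_block": {
        "mode": {
          "@@assign": "block_bidirectional"
        },
        "exclusions_allowed": {
          "@@assign": "disabled"
        }
      }
    }
  }
}
```

`block_bidirectional` blocks both inbound and outbound internet gateway traffic for all VPCs; `block_ingress` blocks only inbound traffic. Setting `exclusions_allowed` to `disabled` prevents member accounts from carving out per-VPC or per-subnet exclusions, which is the setting to use when the control must be absolute. Before attaching, enable the policy type on the root (`aws organizations enable-policy-type --policy-type DECLARATIVE_POLICY_EC2`), create the policy with `--type DECLARATIVE_POLICY_EC2`, and attach it to an OU first rather than the root so the blocked-request message can be checked with a test account.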

Resource Control Policies

  • Resource Control Policies (RCPs) are a new type of authorization policy that sets the maximum permissions available for resources across the organization, in the same way SCPs set them for IAM principals.
  • The speaker walks through a scenario where a resource-based policy alone is not sufficient to govern external principals' access to an S3 bucket, since anyone who can edit the bucket policy can widen it, and shows how an RCP attached from the organization denies that access regardless of what the bucket policy says.
  • RCPs let the central team define and enforce a control once, act as a strong preventative control, and free developer teams to innovate faster within the guardrail.

Observability and CloudTrail

  • CloudTrail records API calls and resource-level activity, which supports operational auditing, risk auditing, and informs what governance policies are needed.
  • In addition to management events and data events, CloudTrail now offers network activity events: records of API calls that traverse VPC endpoints, including calls the endpoint policy denied.
  • VPC endpoint policies control which principals and resources can be reached through an endpoint; the network activity events show which calls those policies are denying, so teams can decide whether an exception or a policy update is warranted.

Conclusion

  • The speakers encourage the audience to consider how to apply the new capabilities in their own environments and share their success stories.
  • They provide links to related AWS re:Invent sessions for further learning on the new control policy types.
  • The audience is encouraged to provide feedback through the survey, as the team takes customer feedback seriously.
