TalksAWS re:Invent 2025 - Actionable controls for improving governance and compliance (COP347)

AWS re:Invent 2025 - Actionable controls for improving governance and compliance (COP347)

Improving Governance and Compliance with AWS Controls

Understanding the Need for Controls

  • Controls are the hidden architecture that holds together the walls of cybersecurity
  • Bridging the gap between abstract regulatory requirements and practical implementation is a key challenge
  • Controls are important for various stakeholders:
    • Business leaders want to minimize barriers to innovation
    • Developers desire autonomy and flexibility
    • Security teams aim for proactive, not just reactive, controls
    • Risk managers ensure adherence to the organization's risk appetite

AWS Approach to Cloud Governance

  • AWS sees cloud governance as a core component with four key pillars:
    1. Security: Ensuring security posture alignment
    2. Operations: Maintaining resilient and efficient operations
    3. Compliance: Aligning to internal and external policies
    4. Cost: Optimizing cost-effectiveness
  • The overarching goal is to mitigate risk across these domains

Challenges in Implementing Governance and Compliance

  • Striking the right balance between innovation and controls
  • Keeping pace with evolving regulatory environments
  • Meeting agility demands to support business changes
  • Enabling cost and operational efficiency at scale

A Risk-Based Approach to Controls

  • Follow a structured, systematic risk management framework
  • Categorize assets, select appropriate controls based on risk appetite
  • Implement, assess, and continuously monitor controls

Leveraging AWS Control Tower's Control Catalog

  • Control Tower provides a centralized catalog of over 1,000 AWS-managed controls
  • Controls are mapped to 17 compliance frameworks, with consistent metadata
  • Three types of controls are available:
    1. Preventive: Security Service Control Policies (SCPs), Resource Control Policies (RCPs), Declarative Policies
    2. Detective: AWS Config rules, Security Hub controls
    3. Proactive: Cloud Formation hooks that validate resources during deployment
  • Recommended approach is to use a combination of preventive, detective, and proactive controls

Approving AWS Service Usage

  • Three approaches to service approval:
    1. Blanket approval: Allows a service for any use case, but lacks context
    2. Contextual approval: Evaluates service in the context of a specific workload
    3. Hybrid two-stage approval: Leverages AWS's shared responsibility model and pre-approved services

Implementing Custom Controls

  • AWS Config allows creating custom detective controls using Lambda functions or Guard DSL
  • Kira CLI, an AI-powered assistant, can help generate custom Config rules

Assessing and Monitoring Controls

  • Control Tower's dashboard provides visibility into deployed controls and compliance status
  • AWS Config tracks resource inventory, compliance history, and changes over time
  • Security Hub aggregates security findings, exposure risks, and potential attack paths

Key Takeaways

  • Start with a risk-based approach and well-defined governance strategy
  • Leverage AWS-managed services and controls to ease implementation
  • Combine preventive, detective, and proactive controls for comprehensive governance
  • Continuously monitor controls and take action on non-compliance
  • Utilize AWS Artifact, CloudTrail Lake, and other services for auditing and reporting

Your Digital Journey deserves a great story.

Build one with us.

Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.