AWS re:Invent 2025 - Actionable controls for improving governance and compliance (COP347)

Improving Governance and Compliance with AWS Controls

Understanding the Need for Controls

• Controls are the hidden architecture that holds together the walls of cybersecurity
• Bridging the gap between abstract regulatory requirements and practical implementation is a key challenge
• Controls are important for various stakeholders:
  • Business leaders want to minimize barriers to innovation
  • Developers desire autonomy and flexibility
  • Security teams aim for proactive, not just reactive, controls
  • Risk managers ensure adherence to the organization's risk appetite

AWS Approach to Cloud Governance

• AWS sees cloud governance as a core component with four key pillars:
  1. Security: Ensuring security posture alignment
  2. Operations: Maintaining resilient and efficient operations
  3. Compliance: Aligning to internal and external policies
  4. Cost: Optimizing cost-effectiveness
• The overarching goal is to mitigate risk across these domains

Challenges in Implementing Governance and Compliance

• Striking the right balance between innovation and controls
• Keeping pace with evolving regulatory environments
• Meeting agility demands to support business changes
• Enabling cost and operational efficiency at scale

A Risk-Based Approach to Controls

• Follow a structured, systematic risk management framework
• Categorize assets, select appropriate controls based on risk appetite
• Implement, assess, and continuously monitor controls

Leveraging AWS Control Tower's Control Catalog

• Control Tower provides a centralized catalog of over 1,000 AWS-managed controls
• Controls are mapped to 17 compliance frameworks, with consistent metadata
• Three types of controls are available:
  1. Preventive: Security Service Control Policies (SCPs), Resource Control Policies (RCPs), Declarative Policies
  2. Detective: AWS Config rules, Security Hub controls
  3. Proactive: Cloud Formation hooks that validate resources during deployment
• Recommended approach is to use a combination of preventive, detective, and proactive controls

Approving AWS Service Usage

• Three approaches to service approval:
  1. Blanket approval: Allows a service for any use case, but lacks context
  2. Contextual approval: Evaluates service in the context of a specific workload
  3. Hybrid two-stage approval: Leverages AWS's shared responsibility model and pre-approved services

Implementing Custom Controls

• AWS Config allows creating custom detective controls using Lambda functions or Guard DSL
• Kira CLI, an AI-powered assistant, can help generate custom Config rules

Assessing and Monitoring Controls

• Control Tower's dashboard provides visibility into deployed controls and compliance status
• AWS Config tracks resource inventory, compliance history, and changes over time
• Security Hub aggregates security findings, exposure risks, and potential attack paths

Key Takeaways

• Start with a risk-based approach and well-defined governance strategy
• Leverage AWS-managed services and controls to ease implementation
• Combine preventive, detective, and proactive controls for comprehensive governance
• Continuously monitor controls and take action on non-compliance
• Utilize AWS Artifact, CloudTrail Lake, and other services for auditing and reporting