AWS re:Invent 2025 - Balancing Agility and Compliance feat. The Digital Agency of Japan (COP349)

Balancing Agility and Compliance: The Governance Story of Japan's Digital Agency

Addressing Customer Needs in Highly Regulated Industries

  • Customers in industries like healthcare, public sector, and financial services have key needs around:
    • Innovation and leveraging the latest cloud services and AI capabilities to build new products and services
    • Organizational agility to adapt to change and deliver outcomes efficiently
    • Strict security and compliance requirements to adhere to regulations and standards
  • There is a tension between the need for agility from development teams and the need for compliance and control from operations and security teams.

Defining Cloud Governance

  • Cloud governance is a set of rules, processes, and reports that guide an organization to follow best practices and build a foundation aligned with business requirements.
  • The foundation starts with building a secure, scalable, multi-account environment using AWS Organizations and AWS Control Tower.

Key Principles of a Well-Architected Landing Zone

  • Use multiple accounts as building blocks to operate efficiently, manage teams, and reduce security risks.
  • Centralize identity access and logging to track activity and resource configuration changes.
  • Automate account provisioning and customization to enable self-service and reduce administrative overhead.
  • Establish preventive, proactive, and detective controls to enforce security and compliance.

Implementing Governance Controls

  • Preventive controls restrict identities from performing certain actions using Service Control Policies and Resource Control Policies.
  • Proactive controls scan resources before provisioning to catch errors early and improve cost efficiency.
  • Detective controls evaluate resources and report on compliance without blocking deployments.
  • Leverage managed controls from AWS Control Tower and Security Hub, and build custom rules as needed.
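
The preventive control described above, as an added example that is not from the talk or from AWS: a simplified model of how Service Control Policies attached at each level of an AWS Organizations hierarchy combine, where an explicit Deny at any level wins and an action otherwise needs a matching Allow at every level from the root down to the account. The policy names, OU layout, and account name are hypothetical, and the model ignores `Resource`, `Condition`, and `NotAction` elements.

```python
from fnmatch import fnmatchcase

def _matches(statement, action):
    """True if the statement's Action patterns cover the action (wildcards * and ?)."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # Action names are compared case-insensitively.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def scp_permits(path, action):
    """path: list of (level_name, [policy, ...]) ordered from root to account.

    Returns (permitted, reason). Simplified model: Resource/Condition ignored.
    """
    # Pass 1: an explicit Deny anywhere on the path overrides every Allow.
    for level, policies in path:
        stmts = [s for p in policies for s in p["Statement"]]
        if any(s["Effect"] == "Deny" and _matches(s, action) for s in stmts):
            return False, f"explicit Deny at {level}"
    # Pass 2: each level must contain an Allow that covers the action.
    for level, policies in path:
        stmts = [s for p in policies for s in p["Statement"]]
        if not any(s["Effect"] == "Allow" and _matches(s, action) for s in stmts):
            return False, f"no Allow at {level}"
    return True, "allowed at every level"

# Constructed sample policies (hypothetical names and layout).
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_LOGGING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "organizations:LeaveOrganization"]}]}
WORKLOAD_ALLOWLIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "kms:*", "cloudtrail:*"], "Resource": "*"}]}

PATH = [
    ("Root", [FULL_ACCESS, PROTECT_LOGGING]),
    ("OU:Workloads", [WORKLOAD_ALLOWLIST]),
    ("Account:app-dev", [FULL_ACCESS]),
]

if __name__ == "__main__":
    for act in ("s3:PutObject", "cloudtrail:StopLogging", "ec2:RunInstances"):
        print(act, scp_permits(PATH, act))
```

A permitted result here only means the SCPs do not block the action; the calling identity still needs an IAM policy that grants it.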

The Governance Story of Japan's Digital Agency

  • The Digital Agency of Japan supports 1,700+ local governments and has over 6,000 AWS accounts, growing by 300-400 per month.
  • Key objectives:
    1. Governance: Ensure data is encrypted and managed under direct contract with the government, with strict key management.
    2. Local Autonomy: Prevent Digital Agency employees from directly accessing local government environments.
    3. Agility and Scalability: Automate account provisioning and leverage AWS services like Control Tower.
  • Implemented a multi-cloud strategy with one CSP per system to maintain simplicity and cost efficiency.
  • Developing additional services like a Git-based deployment platform and AI environments to further enhance the government cloud.

Key Governance Best Practices from the Digital Agency

  1. Align control objectives to a security framework like NIST to ensure comprehensive coverage.
  2. Implement a strong identity foundation using automation and role-based access to scale user management.
  3. Automate account provisioning and customization using a combination of infrastructure-as-code and custom workflows.
  4. Continuously monitor and test controls, with distributed notification systems to maintain local autonomy.

Conclusion

The Digital Agency of Japan's governance story demonstrates how organizations in highly regulated industries can balance agility and compliance by leveraging AWS cloud governance best practices. The key is to establish a solid foundation with the right controls, automation, and monitoring to enable innovation while ensuring security and compliance.
