AWS re:Invent 2025 - From Reactive to Proactive: Infrastructure governance by design (COP352)

Summary of "From Reactive to Proactive: Infrastructure governance by design" (AWS re:Invent 2025)

Introduction to Infrastructure as Code (IaC) Governance

  • Developers are moving fast, using tools like generative AI to quickly create infrastructure
  • Organizations need to implement guardrails to ensure security, cost, and compliance requirements are met
  • Reactive controls (e.g. detective controls that find issues after deployment) are not enough

Proactive Controls with CloudFormation Hooks

  • CloudFormation Hooks allow you to define rules that evaluate resources before they are provisioned
  • Hooks can use a policy-as-code language like CloudFormation Guard to define and enforce rules
  • Example use cases:
    • Ensuring S3 buckets have encryption and object locking enabled
    • Preventing over-provisioning of resources (e.g. auto-scaling groups exceeding 50% capacity change)
    • Enforcing allowed instance types to control costs
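The first use case above, the S3 encryption and object-lock check, as an added CloudFormation Guard rule set (my own example, not code shown in the talk): it is written for the cfn-guard CLI against a CloudFormation template, using the same rule language a Guard-based hook evaluates; the rule names and messages are my own.

```guard
# Added example, not from the talk: Guard 2.x rules enforcing the two S3
# controls discussed above. Rule names and messages are assumptions.

# Select every S3 bucket in the template; a rule is skipped when none exist.
let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

# Control 1: default server-side encryption must be configured with an
# accepted algorithm (SSE-S3 or SSE-KMS). A bucket without BucketEncryption
# fails because the property path cannot be resolved.
rule S3_BUCKET_DEFAULT_ENCRYPTION when %s3_buckets !empty {
    %s3_buckets.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in ['AES256', 'aws:kms']
    <<
        Violation: S3 buckets must enable default server-side encryption (AES256 or aws:kms).
        Fix: Add BucketEncryption with a ServerSideEncryptionByDefault.SSEAlgorithm value.
    >>
}

# Control 2: Object Lock must be switched on at bucket creation (it cannot be
# enabled afterwards) and a default retention mode must be set, so objects
# cannot be deleted or overwritten during the retention period.
rule S3_BUCKET_OBJECT_LOCK when %s3_buckets !empty {
    %s3_buckets.Properties.ObjectLockEnabled == true
    <<
        Violation: S3 buckets must be created with ObjectLockEnabled set to true.
        Fix: Set ObjectLockEnabled: true on the bucket.
    >>
    %s3_buckets.Properties.ObjectLockConfiguration.Rule.DefaultRetention.Mode in ['GOVERNANCE', 'COMPLIANCE']
    <<
        Violation: S3 buckets must define a default Object Lock retention rule.
        Fix: Add ObjectLockConfiguration.Rule.DefaultRetention with Mode and a retention period.
    >>
}
```

Run it locally with `cfn-guard validate --data template.yaml --rules s3-controls.guard`; a bucket that omits either property is reported as FAIL with the message above, which is the same outcome a hook returns before the stack operation proceeds.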

Automating Governance with the Control Catalog

  • The Control Catalog provides pre-built governance policies that can be easily enabled
  • Policies are grouped by compliance frameworks (e.g. NIST) for easy application
  • Policies can be applied at the organizational unit (OU) level, enforcing controls across every account in that OU

Extending Proactive Controls to Terraform

  • Terraform resources provisioned through the AWS Cloud Control API pass through CloudFormation Hooks
  • Those resources are evaluated before provisioning, so the same proactive controls apply
  • Demonstration of using Guard rules to validate Terraform resources (e.g. deprecated Lambda runtime)

Benefits of Proactive Infrastructure Governance

  • Stops bad configurations from being deployed, reducing security risks and compliance issues
  • Codifies organizational best practices and learnings from past incidents
  • Enables developers to move fast while maintaining platform integrity
  • Provides visibility and control over resource provisioning across multi-account environments

Conclusion and Key Takeaways

  • Proactive controls are essential for modern infrastructure governance
  • CloudFormation Hooks and the Control Catalog make it easy to implement guardrails
  • Extending proactive controls to Terraform ensures consistent governance across IaC tools
  • Proactive controls improve developer experience, platform security, and organizational cost control
