Governance Risk Compliance
Running business operations in the cloud requires a different approach from an on-premises datacentre. There are virtualised servers on shared hardware with no access to the bare metal, containers that may be launched and shut down frequently, and serverless compute that may last for milliseconds, all of which means that running logging and monitoring agents on operating systems does not work the way it used to. Beyond the different environment, the scaling of resources up and down and the ability to deploy resources globally mean that governance, cost controls, risk management, compliance checks and monitoring the health of your infrastructure can be difficult to get right.
What is needed is a way to trace the creation, modification and deletion of cloud assets, and the origin of each API call and other event, so that a chain of events can be reconstructed showing how, where, when and by whom each one was generated. Overarching all this is the need to see, in near real time, the state of the infrastructure, whether it is compliant with a desired state, and what current usage rates are costing across the whole business and by business unit. In addition, stresses and strains on the system should be identified ahead of system faults, throttling, time-outs and other reductions in service availability and resiliency.
One of the goals of good governance is to code infrastructure in a declarative way - that is, to declare what you want without needing to worry about how to produce that state. This involves building a delivery pipeline and a perimeter of controls that act as guardrails around services, access, accounts and regions. This baseline platform can then be further monitored for continuous compliance in accordance with recognised standards such as HIPAA, NIST, PCI DSS and CSA CCM. The continuous compliance environment produces immutable logs for alerts, reports, dashboards and, in specific cases, automatic responses to deviations from compliance. Reports can be tailored to meet the needs of specific groups of users, e.g. finance and cost control, senior management, devops, developers and auditors.
For new accounts, AWS Control Tower has a coded template to create a Landing Zone: a well-architected, multi-account AWS environment that is based on security and compliance best practices, with multiple accounts, groups and users with appropriate permissions in a single sign-on directory. Logging is centralised in cross-account storage that allows audit access only. The account factory automates provisioning of new accounts in your organization. Guardrails are pre-packaged governance rules for security, operations and compliance. The Control Tower dashboard gives you continuous visibility into your AWS environment. In addition, AWS Config can be used to monitor resources and trigger AWS Lambda functions that automatically remediate non-compliance, such as an AWS S3 bucket that is publicly accessible.
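The AWS Config to Lambda auto-remediation just described, as an added example (not code from the original page or from AWS): it assumes a Config custom rule invokes the function, so the bucket name arrives in `event["invokingEvent"]` under `configurationItem.resourceName`, and it treats "remediated" as all four S3 Block Public Access settings being switched on. The `s3` client is injectable so the logic can be exercised with a fake client offline.

```python
# Added example (not from the page): AWS Config -> Lambda auto-remediation of an
# S3 bucket that is publicly accessible. Assumed: a Config custom rule invokes
# this function, so event["invokingEvent"] is a JSON string whose
# configurationItem.resourceName is the bucket. Remediation = enable all four
# S3 Block Public Access settings. The s3 client is injectable for offline tests.
import json

# Desired (compliant) state: every Block Public Access flag on.
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

def bucket_from_config_event(event):
    """Pull the bucket name out of an AWS Config rule invocation event."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item.get("resourceType") != "AWS::S3::Bucket":
        raise ValueError("unexpected resource type: %r" % item.get("resourceType"))
    return item["resourceName"]

def is_blocked(s3, bucket):
    """True if all four flags are already on. S3 reports a bucket with no
    configuration at all as NoSuchPublicAccessBlockConfiguration."""
    try:
        cfg = s3.get_public_access_block(Bucket=bucket)
    except Exception as exc:  # boto3 raises ClientError; match on the code
        if "NoSuchPublicAccessBlockConfiguration" in str(exc):
            return False
        raise
    current = cfg["PublicAccessBlockConfiguration"]
    return all(current.get(k) is True for k in BLOCK_ALL)

def remediate(s3, bucket):
    """Idempotent: apply BLOCK_ALL only when something is missing; return the action."""
    if is_blocked(s3, bucket):
        return "COMPLIANT"
    s3.put_public_access_block(Bucket=bucket,
                               PublicAccessBlockConfiguration=dict(BLOCK_ALL))
    return "REMEDIATED"

def lambda_handler(event, context=None, s3=None):
    """Lambda entry point; pass a fake s3 client to exercise it offline."""
    if s3 is None:
        import boto3  # real client only when running inside Lambda
        s3 = boto3.client("s3")
    bucket = bucket_from_config_event(event)
    return {"bucket": bucket, "action": remediate(s3, bucket)}
```

The returned action string is what you would write to the immutable log and alert on, so that every automatic change is itself auditable.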