Governance, Risk Management, and Compliance Capabilities

Governance, Risk Management, and Compliance (GRC) helps organizations set the foundation for meeting security and compliance requirements and defines the overall policies that your cloud environment should adhere to. The capabilities within this area help you define what should happen in your environment and what your risk appetite is, and inform how your internal policies are aligned with those requirements.

  • The Log Storage capability enables you to collect and store the logs from your environment centrally and securely. This enables you to evaluate, monitor, alert on, and audit access to, and actions performed on, your cloud resources and objects.

    Scenarios

    • CF1 - S1: Central reliable log storage
    • CF1 - S3: Log protection and integrity
    • CF1 - S4: Log lifecycle management
    • CF1 - S6: Log access management
  • The Governance capability enables you to define and enforce business and regulatory policies for your cloud environment. Policies can include rules for your environment or risk definitions. A portion of your governance policies is embedded in other capabilities across your environment to ensure that you meet your requirements.

    Scenarios

    • CF26 - S1: Cloud service provider relationship
    • CF26 - S2: Operational standards
    • CF26 - S3: Organizational cloud awareness
    • CF26 - S4: Policy communication
    • CF26 - S5: Governance at scale
    • CF26 - S6: Compliance management
  • The Tagging capability enables you to assign, manage, and discover metadata for resources in your cloud environment. This can be used for resource inventory, Cloud Financial Management, Attribute Based Access Control (ABAC), and automation (e.g. patching for select tagged instances).

    Scenarios

    • CF23 - S1: Tag definition & assignment
    • CF23 - S2: Tag compliance
    • CF23 - S3: Tag usage
  • The Change Management capability enables you to manage risk and minimize negative impact when making changes to your cloud environment. This includes the ability to request, plan, track, deploy, and roll back changes to your environment.

    Scenarios

    • CF30 - S1: Change management process
    • CF30 - S2: Change management fulfillment
    • CF30 - S3: Change rollback
    • CF30 - S4: Change monitoring and assessment
  • The Records Management capability enables you to store, retain, and secure your data according to your internal policies and regulatory requirements. Some examples may include financial records, transactional data, audit logs, business records, and personally identifiable information (PII).

    Scenarios

    • CF27 - S1: Records classification
    • CF27 - S2: Records lifecycle
    • CF27 - S3: Records access
    • CF27 - S4: Records auditing and monitoring
  • The Service Onboarding capability provides the ability to review and approve AWS services for use based on consideration of internal, compliance, and regulatory requirements. This capability includes risk assessment, documentation, implementation patterns, and the change communication aspects of service consumption.

    Scenarios

    • CF24 - S1: Service request and evaluation
    • CF24 - S2: Service deployment
    • CF24 - S3: Service operational management
    • CF24 - S4: Service retirement
  • The Forensics capability involves the analysis of log data and of forensically captured images (captured so that their integrity as evidence is preserved) of potentially compromised resources, to determine whether a compromise occurred and how. The outcomes of root cause analysis from forensic investigations are typically used to produce, and motivate the application of, preventative measures.

    Scenarios

    • CF4 - S1: Evidence identification & collection
    • CF4 - S2: Data analysis
    • CF4 - S3: Evidence preservation
    • CF4 - S4: Evidence reporting
  • The Data De-identification capability enables you to discover and protect sensitive data as it is stored and processed (for example, national ID numbers, trade data, healthcare information).

    Scenarios

    • CF28 - S1: Sensitive data identification
    • CF28 - S2: Data obfuscation
    • CF28 - S3: Data suppression
  • The Audit & Assessment capability provides the ability to gather and organize documentary evidence to enable internal or independent assessment of your cloud environment. This capability allows you to validate assertions that all changes were performed in accordance with policy.

    Scenarios

    • CF25 - S1: Establish audit scope
    • CF25 - S2: Compliance and regulatory controls
    • CF25 - S3: Audit readiness and execution
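The Log Storage scenario CF1 - S3 (log protection and integrity) requires that tampering with stored logs be detectable. The following is an added example, not code from this page or an AWS implementation, of one common technique for that: stored records are hash-chained with SHA-256, and a keyed digest of the chain head is kept in a separate location so that an attacker who can rewrite the log store cannot also reissue the digest. The record layout, the sample events and the key are constructed for illustration and are not an AWS log format.

```python
"""Tamper-evident log storage: a SHA-256 hash chain over stored records plus a
keyed digest of the chain head. Added example; the record layout, the sample
events and the key are assumptions, not an AWS log format."""
import hashlib
import hmac
import json

# Constructed sample events standing in for centrally collected API logs.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T10:00:00Z", "user": "alice", "action": "s3:PutObject", "result": "ok"},
    {"time": "2024-01-15T10:00:05Z", "user": "bob", "action": "iam:CreateUser", "result": "denied"},
    {"time": "2024-01-15T10:00:09Z", "user": "bob", "action": "iam:AttachUserPolicy", "result": "ok"},
]

GENESIS = "0" * 64  # prev_hash of the first record


def canonical(event):
    # Deterministic serialization so an unchanged event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def record_hash(prev_hash, event):
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()


def chain(events):
    """Wrap each event in a record carrying the hash of its predecessor."""
    records, prev = [], GENESIS
    for event in events:
        h = record_hash(prev, event)
        records.append({"event": event, "prev_hash": prev, "hash": h})
        prev = h
    return records


def digest(records, key):
    """Keyed digest of the chain head. Store it apart from the logs (for example in a
    separate account) so that whoever can rewrite the log store cannot also reissue it."""
    head = records[-1]["hash"] if records else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(records, key, expected_digest):
    """Return (True, None) when intact. Return (False, i) when record i breaks the chain
    (modified, or a predecessor removed) and (False, None) when the chain is internally
    consistent but its head does not match the stored digest (truncated or rewritten)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    if not hmac.compare_digest(digest(records, key), expected_digest):
        return False, None
    return True, None


if __name__ == "__main__":
    key = b"example-digest-key"  # assumption: in practice a KMS-backed secret
    records = chain(SAMPLE_EVENTS)
    stored_digest = digest(records, key)
    print("intact:", verify(records, key, stored_digest))
    # An attacker flips the denied IAM call to 'ok': detected at index 1.
    tampered = chain(SAMPLE_EVENTS)
    tampered[1]["event"] = dict(SAMPLE_EVENTS[1], result="ok")
    print("modified record:", verify(tampered, key, stored_digest))
    # Dropping the last record leaves a consistent chain, but the head no longer matches.
    print("truncated:", verify(records[:-1], key, stored_digest))
```

The chain alone only detects edits or deletions in the middle of the store; truncation from the end, or a full rewrite with recomputed hashes, is caught only because the digest over the head is kept out of the attacker's reach. That separation is the part of this design that corresponds to the log access management scenario (CF1 - S6).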

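The Tagging scenarios (CF23 - S2, tag compliance, and CF23 - S3, tag usage) depend on tags being present and well-formed before anything such as Attribute Based Access Control is built on them. The following is an added example, not code from this page or an AWS service, that checks a constructed resource inventory against an assumed tag policy and then shows a simplified ABAC decision that matches a principal's Environment tag against a resource's. The tag policy, the ARNs, the principals and the `abac_allow` rule are all assumptions; the rule is a local model of tag matching, not an evaluation of IAM policy semantics.

```python
"""Tag compliance check for a resource inventory, and a simplified attribute based
access control (ABAC) decision that depends on those tags. Added example; the tag
policy, the inventory and the principals are constructed, and the ABAC function is a
local model of a tag-matching rule, not an evaluation of IAM policy semantics."""
import re

# Assumed tag policy: required keys and the values each may take.
TAG_POLICY = {
    "Owner": re.compile(r"^[a-z]+@example\.com$"),
    "Environment": re.compile(r"^(prod|staging|dev)$"),
    "DataClassification": re.compile(r"^(public|internal|confidential)$"),
}

# Constructed inventory standing in for a resource-tagging export.
INVENTORY = [
    {"arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-0a1b2c", "tags": {
        "Owner": "alice@example.com", "Environment": "prod", "DataClassification": "confidential"}},
    {"arn": "arn:aws:s3:::team-reports", "tags": {
        "Owner": "bob@example.com", "Environment": "Production"}},
    {"arn": "arn:aws:ec2:us-east-1:111111111111:volume/vol-0123", "tags": {}},
    {"arn": "arn:aws:rds:us-east-1:111111111111:db:orders", "tags": {
        "owner": "carol@example.com", "Environment": "dev", "DataClassification": "internal"}},
]


def check_tags(resource, policy=TAG_POLICY):
    """Return the list of violations for one resource; empty means compliant."""
    violations = []
    tags = resource["tags"]
    for key, pattern in policy.items():
        if key not in tags:
            # Tag keys are case-sensitive, so report near misses such as 'owner' for 'Owner'.
            near = [k for k in tags if k.lower() == key.lower()]
            hint = f" (found {near[0]!r} instead)" if near else ""
            violations.append(f"missing {key}{hint}")
        elif not pattern.match(tags[key]):
            violations.append(f"invalid {key}={tags[key]!r}")
    return violations


def noncompliant(inventory, policy=TAG_POLICY):
    """Map ARN -> violations for every resource that fails the policy."""
    report = {}
    for resource in inventory:
        violations = check_tags(resource, policy)
        if violations:
            report[resource["arn"]] = violations
    return report


def abac_allow(principal_tags, resource, action, actions=("ec2:StartInstances", "ec2:StopInstances")):
    """Simplified ABAC rule: allow a listed action only when the principal's Environment tag
    equals the resource's. A resource with no (or a misspelled) Environment tag is denied,
    which is why tag compliance must be enforced before ABAC can be relied on."""
    if action not in actions:
        return False
    resource_env = resource["tags"].get("Environment")
    return resource_env is not None and principal_tags.get("Environment") == resource_env


if __name__ == "__main__":
    for arn, violations in noncompliant(INVENTORY).items():
        print(arn, "->", "; ".join(violations))
    operator = {"Environment": "prod"}
    print(abac_allow(operator, INVENTORY[0], "ec2:StartInstances"))  # tags match: allowed
    print(abac_allow(operator, INVENTORY[2], "ec2:StartInstances"))  # untagged volume: denied
```

The value check matters as much as the presence check: the bucket tagged `Environment=Production` would never match a principal tagged `prod`, so a rule like `abac_allow` silently denies legitimate access, while a resource tagged with an unexpected value might be reachable by a principal nobody intended. Running a check of this kind on creation (and failing the request) is what turns the tag definition in CF23 - S1 into the compliance in CF23 - S2.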
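The Data De-identification scenarios (CF28 - S1 through S3) describe three steps: identify sensitive values, obfuscate the ones that must remain usable, and suppress the rest. The following is an added example, not code from this page or an AWS service, that applies those three steps to constructed records. The detectors (an SSN-style `###-##-####` national ID and e-mail addresses), the field names, the per-field policy and the key are assumptions. Obfuscation is shown in two forms: masking, which keeps the last four characters, and keyed pseudonymization, which replaces a value with a deterministic token so records can still be joined on it.

```python
"""Sensitive data identification, obfuscation and suppression for records before they
are stored or shared. Added example; the detectors (an SSN-style ###-##-#### national
ID and e-mail addresses), field names, sample records and key are assumptions."""
import hashlib
import hmac
import re

DETECTORS = {
    "national_id": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Per-field handling. Fields absent from the policy but flagged by a detector are
# suppressed, so a new sensitive column cannot leak just because nobody classified it.
POLICY = {"ssn": "mask", "email": "pseudonymize", "notes": "redact"}

# Constructed sample records (not real people).
RECORDS = [
    {"id": 1, "ssn": "123-45-6789", "email": "alice@example.com",
     "notes": "Caller verified with ID 123-45-6789", "alt_contact": "carol@example.com", "amount": 42.5},
    {"id": 2, "ssn": "987-65-4321", "email": "bob@example.org",
     "notes": "routine inquiry", "alt_contact": "dave@example.net", "amount": 10.0},
]


def identify(record):
    """Map each string field to the detector names that match its value."""
    found = {}
    for field, value in record.items():
        if isinstance(value, str):
            hits = [name for name, rx in DETECTORS.items() if rx.search(value)]
            if hits:
                found[field] = hits
    return found


def mask(value):
    """Obfuscate by keeping only the last four characters (enough for support lookups)."""
    keep = value[-4:] if len(value) > 4 else ""
    return "*" * (len(value) - len(keep)) + keep


def pseudonymize(value, key):
    """Keyed, deterministic token: the same input always yields the same token, so records
    can still be joined on it, but the value cannot be recovered without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact(text):
    """Replace detector matches inside free text with a type marker."""
    for name, rx in DETECTORS.items():
        text = rx.sub(f"[{name.upper()}]", text)
    return text


def deidentify(record, key, policy=POLICY):
    """Apply the policy to one record; returns a new record and never mutates the input."""
    flagged = identify(record)
    out = {}
    for field, value in record.items():
        action = policy.get(field, "suppress" if field in flagged else "keep")
        if action == "keep":
            out[field] = value
        elif action == "mask":
            out[field] = mask(value)
        elif action == "pseudonymize":
            out[field] = pseudonymize(value, key)
        elif action == "redact":
            out[field] = redact(value)
        elif action == "suppress":
            continue
        else:
            raise ValueError(f"unknown action {action!r} for field {field!r}")
    return out


if __name__ == "__main__":
    key = b"example-pseudonymization-key"  # assumption: a managed secret in practice
    for rec in RECORDS:
        print(identify(rec))
        print(deidentify(rec, key))
```

Two points a practitioner would check: the free-text `notes` field carries the same national ID as the structured `ssn` field, so a policy that only handles named columns would still leak it, which is why the detectors are also run over text; and the pseudonymization key is what separates a reversible token from an irreversible one, so it must be protected and, for records that fall under a retention or deletion requirement, destroyed along with them.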