Governance, Risk Management, and Compliance (GRC) helps organizations set the foundation for meeting security and compliance requirements and define the overall policies your cloud environment should adhere to. The capabilities within this area help you define what should happen in your environment, your risk appetite, and informs alignment of internal policies.

-
Log Storage capability
Log storage helps you securely collect and store environment logs centrally within a tamper resistant storage. This capability helps you evaluate, monitor, alert, and audit access and actions performed on your AWS resources and events.
Scenarios
- CF1 – S1: Build a secure and resilient log storage
- CF1 – S2: Store logs centrally
- CF1 – S3: Ensure the integrity of logs within your log storage
- CF1 – S4: Manage your logs in your log storage
- CF1 – S5: Add new logs into the log storage
- CF1 – S6: Grant access to the logs
-
Governance capability
Governance of your environment is important to address questions on why and how cloud services are consumed. Your cloud environment needs to align with your organization’s strategy on cloud service provider usage.
Scenarios
- CF26 – S1: Establish the relationship with your cloud services provider
- CF26 – S2: Define how cloud services are consume
- CF26 – S3: Build cloud capability across your organization
- CF26 – S4: Establish standards for your cloud environment
- CF26 – S5: Respond to growth or change
- CF26 – S6: Industry-specific governance
-
Tagging capability
Tagging is the act of assigning metadata to the different resources in your AWS environment and can be used to create new resource constructs for visibility or control. Tagging is fundamental to providing enterprise-level visibility and control.
Scenarios
- CF23 - S1: Implement a tagging strategy for your environment
- CF23 - S2: Enforce tagging across your environment and resources
- CF23 - S3: Monitor the resources based on your tags across your environment
-
Change Management capability
Change Management enables you to deploy planned alterations to all configurable items that are in your environment within the defined scope, such as production and test. An approved change is an action which alters resource configuration implemented with a minimized and accepted risk to an existing IT infrastructure.
Scenarios
- CF30 - S1: Establish a change management process
- CF30 - S2: Define change management request fulfillment process
- CF30 - S3: Recover from failed change operations
- CF30 - S4: Establish mechanisms to assess, review, and monitor change