AWS Partner Network (APN) Blog
Strengthening Cloud Governance and Optimizing FinOps with LTI Infinity Ensure
By Austin Sequeira, Head of Cloud Innovation – LTI
By Lewis Tang, Sr. Solutions Architect – AWS
As customers continue to accelerate business transformation by moving to the cloud, the need for a more self-reliant and integrated cloud governance framework with enhanced security and compliance, cost management, and reporting and analytics, is on the rise. As a result, it is essential that enterprises look at strengthening management, compliance, and governance in the cloud.
AWS Well-Architected helps customers build secure, high-performing, resilient, and efficient infrastructure for a variety of applications and workloads. Built around six pillars—operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability—AWS Well-Architected provides a consistent approach for customers and partners to evaluate architectures and implement scalable designs.
Guided by the AWS Well-Architected Framework, customers look to align cloud strategies to business objectives, enabling enterprises to propel a cloud-native culture and advocate for a Cloud Center of Excellence (CCoE) advisory council—made up of people, processes, and technologies that drive successful business transformations.
CCoE accelerates cloud migrations, encourages innovation, minimizes security risks, and helps create and implement custom policies to optimize FinOps. It enables enterprises to administer the right governance tools and best practices that improve efficiency, resiliency, and compliance on the cloud.
Larsen and Toubro Infotech (LTI) is an AWS Premier Tier Services Partner and long-standing member of the AWS Well-Architected Partner Program. The consultants at LTI spend thousands of hours every year helping customers build AWS-focused CCoE and adopt AWS Well-Architected best practices.
Infinity is LTI’s unified multi-cloud platform with a technology-led suite of modern engineering tools and processes enabling cloud lifecycle excellence from decisions to operations. The platform is equipped with a comprehensive suite of efficiency kits delivering value and speed across cloud migration implementations. LTI Infinity Ensure is a cloud governance platform designed to optimize governance, compliance, and remediation on Amazon Web Services (AWS) and other cloud portfolios.
In this post, we explore how Infinity Ensure can help enterprises optimize cloud governance with continuous monitoring and tracking, and share recommendations to keep up with cloud innovations.
Infinity Ensure is an autonomous multi-cloud platform that empowers outcome-based transformations, providing continuous cloud health monitoring and threat governance. With over 1,500 checks, Infinity Ensure helps customers achieve optimized cloud environments.
The platform offers a set of configurable governance policies, cost insights and recommendations, near real-time compliance checks, and audit and reporting to fortify the performance and scalability of your cloud architecture. It ascertains whether your cloud portfolio aligns with cloud best practices and derives strategic recommendations based on evaluated outcomes.
Infinity Ensure uses the AWS Support API to pull metadata from AWS accounts. This data is evaluated against a set of pre-defined checks within the platform’s well-architected audit (WAA) module. The WAA reviews, highlights, and reports misconfigurations or discrepancies, and provides automated one-click remediation for quick resolution.
Infinity Ensure uses the AWS Cost Explorer API to create a data repository. This data is then used by the tool’s statistical analytics model to provide visibility into AWS spend trends and resource utilization on a single dashboard. The solution also generates detailed reports and metrics with cost insights and recommendations for optimized FinOps.
In this section, we will detail the key features that LTI Infinity Ensure offers, such as the automated governance and FinOps optimization through integration with AWS.
Automated AWS Well-Architected Review Audits
Infinity Ensure offers continuous cloud health monitoring and governance with over 650 AWS checks through its AWS Well-Architected Review framework, enabling users to understand the system, assess the financial implications of design decisions, and implement best practices and recommendations across the five pillars of the AWS Well-Architected Framework.
These pillars are operational excellence, security, reliability, performance efficiency, and cost optimization. The platform also supports adherence to organizational tagging policies by enabling AWS tag compliance checks for all AWS resources.
Advanced Cost Analytics
Advanced cost analytics gives complete visibility into AWS spend and provides savings recommendations for better FinOps. This data helps FinOps SMEs in rightsizing resources, creating reserved instances, switching to spot instances, or releasing unused resources. Infinity Ensure offers valuable cost insight reports and cost predictability through automated cost recommendations, and enables chargeback reporting for better financial accountability using the configured AWS tags.
Unified Reports and Dashboards
The platform includes customized value-stream dashboards and detailed configurable reports on AWS resources from a single pane of glass. It also provides a consolidated inventory view across AWS accounts for better portfolio understanding and informed decision making.
Regulatory Compliance Checks
Over 400 AWS checks facilitate continuous analysis of the cloud portfolio to validate compliance of configurations with key industry-specific benchmarks and regulations, including NIST, GDPR, HIPAA, CIS, and PCI-DSS. The platform provides a compliance score and an improvement list segregated by control to help adhere to the required compliance standards.
Infinity Ensure enables Infrastructure as Code (IaC) audits that can proactively monitor IaC repositories and report misconfigurations even before the script is executed. IaC checks ensure accelerated and resilient infrastructure deployment and updating. It also enables fortified performance and scalability of workloads deployed in the AWS environment.
Infinity Ensure helps create standard and custom policies as per organizational mandates and compliance specifications.
The platform allows integration with existing ITSM tools, like ServiceNow and Freshservice, for integrated workflow management. Infinity Ensure provides manual, one-click, and automated remediation for faster issue reporting, resolution, and continuous governance.
Stabilized Security Posture
Infinity Ensure helps in discovering AWS misconfiguration vulnerabilities not addressed by typical compliance packages, such as multi-resource misconfigurations and advanced AWS Identity and Access Management (IAM) threats.
The platform provides persona-based access for granular controls across AWS accounts, while ensuring continuous security monitoring and threat detection, protecting your cloud 99% of the time. For example, users can enable AWS native guardrails like AWS Config and AWS CloudTrail on the Infinity Ensure platform to provide enhanced security mechanisms and add-on features.
How Infinity Ensure Works
Infinity Ensure is built on a microservices architecture with redundant infrastructure for high availability and high scalability. The platform’s microservices communicate with each other using REST APIs or the messaging bus.
Figure 1 – Service architecture.
Infinity Ensure’s network architecture consists of multiple private and public subnets in an Amazon Virtual Private Cloud (Amazon VPC). All components are in private subnets; only the application load balancers are in public subnets.
The platform’s front-end UI is deployed on Amazon Simple Storage Service (Amazon S3) with the Amazon CloudFront content delivery network for low-latency performance. The Amazon CloudFront distribution has all edge locations enabled for best performance, with Amazon CloudFront origin access identity (OAI), AWS WAF, and HTTPS/TLS enabled for enhanced security. The front-end application uses JSON Web Tokens (JWT) for authentication and authorization with the back-end APIs.
Infinity Ensure’s core API is built using Flask and deployed in AWS Elastic Beanstalk with a load-balanced, redundant infrastructure. The platform ensures that the Elastic Beanstalk runtime environment is kept up to date so that all security patches are applied. Detailed monitoring and logging are enabled to track and audit any unusual activity, and the API connects to the data stores securely over internal endpoints using TLS/HTTPS.
Infinity Ensure’s orchestration service and worker service running in Amazon Elastic Container Service (Amazon ECS) perform long running tasks, like audits and cost-saving recommendations. AWS Lambda functions are used for handling infrequent events, like scheduling and running tasks using Amazon CloudWatch rules.
Amazon Relational Database Service (Amazon RDS) for PostgreSQL is used to store the application metadata and user data. It is deployed in the private subnet without internet access and with only specific ports open to the application security groups. Backups, detailed monitoring, and alerting are enabled, and data at rest and in transit are both encrypted. All passwords and keys stored in the database are also encrypted using salted algorithms.
Amazon OpenSearch Service is used to store the cost and inventory data for better indexing and to search by resource name or tag. Data is accessed over HTTPS, and data at rest is encrypted using AES-256. The OpenSearch Service domain is configured with a VPC endpoint for added security.
Amazon ElastiCache for Redis is a redundant cluster with encryption enabled both for data at rest and in transit. Application servers use Redis cache to store session information and also to cache API responses for faster performance.
AWS WAF is enabled with all the standard rules applied to protect endpoints from different types of attacks, such as brute-force or DDoS attacks. CloudWatch logs provide extensive monitoring and alerting to ensure that applications are performing efficiently.
How to Get Started
To start monitoring your cloud environments with LTI’s Infinity Ensure platform, follow two simple steps:
Step 1: Sign Up
Create an account with Infinity Ensure. A verification link will be sent to your email address to confirm creation of the account. Complete the sign-up and email verification process to authorize login.
Step 2: Onboard AWS Account
Infinity automates the onboarding of AWS accounts once the following details are provided:
- AWS account name: A reference name provided for ease of access and recognition of the account.
- AWS account ID: A 12-digit number that uniquely identifies an AWS account.
- Role ARN: An Amazon Resource Name (ARN), the naming convention used to uniquely identify AWS resources, here identifying the IAM role in the account.
To onboard multiple AWS accounts, repeat the steps.
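As an added example (not code from LTI or from this post), the script below validates the two onboarding inputs against each other, since a role ARN pasted from a different account than the one being onboarded is an easy mistake to miss, and builds the least-privilege policy documents a practitioner would want for such a role. The trust policy's platform account ID and external ID are placeholders, and the permission list assumes the role only needs read access to the Trusted Advisor (AWS Support) and Cost Explorer APIs named above.

```python
import json
import re

# Constructed sample onboarding inputs; not a real account or role.
ACCOUNT_ID = "123456789012"
ROLE_ARN = "arn:aws:iam::123456789012:role/InfinityEnsureAuditRole"

# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path+name>
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_role_arn(arn):
    """Return (partition, account_id, role_name) or raise ValueError."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.group(1), m.group(2), m.group(3)


def validate_onboarding(account_id, role_arn):
    """Check that the account ID is well-formed and that the role lives in that account."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    _, arn_account, role_name = parse_role_arn(role_arn)
    if arn_account != account_id:
        raise ValueError(f"role ARN belongs to account {arn_account}, not {account_id}")
    return role_name


def audit_role_policy():
    """Read-only permissions for the two APIs the platform pulls data from (assumed set)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "TrustedAdvisorRead", "Effect": "Allow", "Resource": "*",
         "Action": ["support:DescribeTrustedAdvisorChecks",
                    "support:DescribeTrustedAdvisorCheckResult",
                    "support:RefreshTrustedAdvisorCheck"]},
        {"Sid": "CostExplorerRead", "Effect": "Allow", "Resource": "*",
         "Action": ["ce:GetCostAndUsage", "ce:GetCostForecast"]}]}


def trust_policy(platform_account_id, external_id):
    """Trust policy letting only the platform account assume the role, gated by an external ID
    (hypothetical values; the real principal and external ID come from the platform)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{platform_account_id}:root"},
         "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


if __name__ == "__main__":
    print("onboarding role:", validate_onboarding(ACCOUNT_ID, ROLE_ARN))
    print(json.dumps(audit_role_policy(), indent=2))
    print(json.dumps(trust_policy("111111111111", "EXAMPLE-EXTERNAL-ID"), indent=2))
```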
In this post, we shared that comprehensive governance strategies coupled with continuous cost management techniques are essential in establishing an independent audit stance, in addition to strengthening security, reliability, and performance on the cloud.
We also discussed how vital it is for enterprises to establish a platform-based governance solution that orchestrates the right people, process, tools, and best practices to optimize governance, compliance, and FinOps across cloud portfolios.
LTI Infinity Ensure helps organizations secure, govern, and provide value-stream visibility and control over investments across the entire cloud landscape. It also helps stay compliant with industry regulatory standards and provides cost optimization recommendations to improve FinOps. To get started with LTI Infinity Ensure, follow the sign-up process outlined in this post.
LTI – AWS Partner Spotlight
LTI is an AWS Premier Tier Services Partner and global technology consulting and digital solutions company helping more than 400 clients succeed in a converging world.