AWS Public Sector Blog

AWS Governance at Scale for U.S. Federal Government Customers

U.S. federal customers move workloads of all sizes to the AWS Cloud. These projects range from single deliverables to complete data center migrations, frequently implemented across multiple AWS accounts for cost-containment and security purposes.

Regardless of size though, our customers face common governance challenges:

  • How to perform account provisioning, and establish and maintain security amid high demand for cloud-based resources from users and business units;
  • How to control budgets and manage funding sources across many accounts, workloads, and users in a large organization; and,
  • How to manage security, risk, and compliance at scale, while minimizing the impact to development and deployment time.

While it is imperative for large organizations to scale their cloud adoption, smaller organizations can benefit from the same approach. Designing a well-architected, governable infrastructure will help lower costs, enable growth, and reduce security risk.

AWS developed governance at scale to meet this requirement. The solution helps facilitate a multi-account strategy and manage long-term growth of a customer’s AWS presence, thereby realizing the full benefits of an AWS Cloud architecture. This is done through three major areas of focus: account management, budget/cost enforcement, and security and compliance automation.

How it works

Governance at scale can be developed into a technical solution that:

  • Provides mechanisms to manage provisioning of AWS accounts, including creation, modification, and decommissioning;
  • Retains users’ ability to access native AWS interfaces and services, including the AWS Management Console, AWS Command Line Interface, and AWS Service API, so that they have the flexibility and tools to build their workloads effectively;
  • Employs a mapping of AWS accounts to organizational constructs, such as departments, agencies, and divisions;
  • Provides mechanisms for managing AWS costs, budgets, and funding sources, including tracking at the AWS account and resource level;
  • Includes the capability to deploy infrastructure patterns in a repeatable, controlled manner;
  • Incorporates mechanisms to consistently deploy and enforce common security compliance policies – both organizational and workload-specific policies.

To create a governance at scale solution, customers face a build-versus-buy decision. They can build their own solutions from a foundation of AWS services (e.g., AWS Organizations and AWS CloudFormation), or they can use commercial offerings to address governance requirements, then augment their solutions with additional third-party financial and compliance reporting tools.

Building your own Governance at Scale

AWS Organizations and AWS CloudFormation form the core of a governance at scale solution. AWS Organizations is a service intended to provide policy-based management for multiple AWS accounts. It enables the customer to centrally manage organizational structure across multiple accounts; create centralized Identity and Access Management (IAM) policies that centrally control AWS service use across multiple AWS accounts; and consolidate the billing for multiple accounts into a single payment method.

To use AWS Organizations, a customer can start by enabling the corresponding feature in the master account, defining an “organization,” then linking any additional accounts. They can also use AWS Organizations to create new AWS accounts that are linked to the master for billing purposes. Any existing AWS accounts added to the organization must consent to becoming part of the organization. The organization hierarchy can reflect complex governmental agencies or business entities.

Next, AWS Organizations can be used to define and enforce service control policies (SCPs), which are applied to accounts within the organization. An SCP determines which services can and cannot be used within a particular account. Additional IAM policies can be created within member accounts, but the SCP cannot be overridden from within the account. Finally, organizational costs can be centrally managed through the consolidated billing feature on the master account.
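The following added example (not part of the original post and not AWS code) models why an SCP cannot be overridden from inside a member account: an action is permitted only when every SCP level allows it, no SCP denies it, and the account's own IAM policy also allows it. The policy names and contents are constructed for illustration, and the model is simplified in that it ignores the Resource and Condition elements.

```python
from fnmatch import fnmatchcase

def decision(policy, action):
    """Return 'Deny', 'Allow' or None (no statement matches) for one policy document."""
    result = None
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # Action names are case-insensitive and may contain * wildcards.
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            result = "Allow"
    return result

def is_permitted(action, scp_levels, iam_policies):
    """scp_levels holds one list of SCPs per level: root, then each OU, then the account."""
    for level in scp_levels:
        found = [decision(p, action) for p in level]
        # Every level must allow the action, and no SCP may deny it.
        if "Deny" in found or "Allow" not in found:
            return False
    # Only what the SCPs leave available can then be granted by IAM in the account.
    found = [decision(p, action) for p in iam_policies]
    return "Deny" not in found and "Allow" in found

# Constructed sample policies (simplified: Resource and Condition are not modelled).
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
PROTECT_AUDIT = {"Statement": [{"Effect": "Deny", "Action": [
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
    "organizations:LeaveOrganization"]}]}
STORAGE_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*"]}]}

# Root allows everything; the OU adds a deny list; the account level allows everything.
SCP_LEVELS = [[ALLOW_ALL], [ALLOW_ALL, PROTECT_AUDIT], [ALLOW_ALL]]
ACCOUNT_ADMIN = [ALLOW_ALL]  # administrator-style IAM policy inside the member account

if __name__ == "__main__":
    for act in ("ec2:RunInstances", "cloudtrail:StopLogging"):
        print(act, is_permitted(act, SCP_LEVELS, ACCOUNT_ADMIN))
```

Replacing the OU level with an allow list such as `STORAGE_ONLY` shows the other SCP style: anything outside the list is unavailable to the account regardless of its IAM policies.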

Another major component of a governance at scale solution is the ability to consistently provision infrastructure. AWS CloudFormation templates, augmented with automation via AWS Lambda functions, provide tooling to define and deploy infrastructure as code. Using the combination of the AWS Organizations API, AWS CloudFormation templates, and Lambda functions, a customer can automate the entire process of defining a new AWS account, provisioning infrastructure, and configuring IAM. AWS CloudFormation templates play a central role in provisioning infrastructure-as-code.

Figure 1 – Create accounts or invite existing accounts to become part of the organization.


Figure 2 – Create organizational units (OUs) to reflect organization structure and associate AWS accounts with OUs.


Figure 3 – Create service control policies (SCP) and enforce them at the OU or account level.


Figure 4 – Attach service control policies (SCP) to either an OU or an AWS account.

Finally, customers often choose to incorporate third-party cost and compliance reporting tools, such as CloudCheckr, CloudHealth, Datadog, and, into their solutions.

Commercial Governance at Scale offerings

For federal customers, procurement rules may require the purchase of cloud services through established resellers to maintain compliance with the Antideficiency Act. AWS accounts established through resellers are normally established under a common, reseller-owned, master account. This arrangement generally precludes the use of AWS Organizations as previously described.

For these customers, commercial alternatives are available, including offerings from Stratus Solutions, Turbot, and Dome9 Security.

Whether rooted in AWS services or third-party tools, governance at scale offers a defined framework for helping customers address their needs related to account management, budget/cost enforcement, and security and compliance automation.


A post by Derek Doerr, Solutions Architect, Amazon Web Services

AWS Public Sector Blog Team

The Amazon Web Services (AWS) Public Sector Blog team writes for the government, education, and nonprofit sector around the globe. Learn more about AWS for the public sector by visiting our website, or following us on Twitter (@AWS_gov, @AWS_edu, and @AWS_Nonprofits).