Governance

Users and IAM Governance

  • No root user credentials in day-to-day use (lock the root creds away).
  • Create IAM users and assign them specific roles.
  • Create roles with granular access.
  • Use cross-account access roles.

Accounts Governance – Organizations and Landing Zones (Control Tower) for Multiple Accounts – Centralized Logging Account – with Cross-Account Access Roles

  • Master: This is where you will find the AWS organisation. Also found here are Single Sign-On (SSO) and a service catalog for the ‘Account Vending Machine’ (AVM), which automates the process of creating new AWS accounts.
  • Security: Contains roles that allow you to switch to other accounts or receive notifications of security incidents.
  • Shared services: Contains Active Directory and other services that are used by all accounts.
  • Logging: This is the central landing place for logs, such as CloudTrail audit logs.

Resource Level Governance – Custom Policy PLUS CloudFormation

The simple way: create an IAM policy that allows the action ‘CreateTags’ on a service, for example ‘ec2:CreateTags’ (along with the ability to create the resource itself), and attach a condition that requires a tag with a certain name to be present with any value.
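As an added illustration (not a policy from the original post), the following IAM policy allows EC2 instance launches only when the request carries a tag named Owner with any value, and allows ec2:CreateTags only as part of that launch so users cannot retag resources afterwards; the tag key Owner is an assumed name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyWhenOwnerTagIsSupplied",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Owner": "false" }
      }
    },
    {
      "Sid": "SupportingResourcesNeededByRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "TaggingAllowedOnlyDuringLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:*/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    }
  ]
}
```

The Null condition with value false means "the Owner tag key must exist in the request"; a launch without it is denied by the absence of a matching Allow, which is the enforcement the paragraph describes.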

Entire Infrastructure Automation – Cloudformation

  1. Reproducible – automate infrastructure creation.
  2. Automatic dependencies – what to create first, second and next is resolved automatically, based on the references (Refs) in the stack definition.
  3. Parameters (input parameters), e.g. VPC name, region.
  4. Mappings – for multi-region templates, customizing per region, especially since the AMI ID for the same image differs from region to region.
  5. Pseudo parameters – available by default, e.g. account ID and region.
  6. Resources – reference each other with Refs; software on an EC2 instance can be installed and configured through UserData built with Fn::Join and Fn::Base64.

Terraform

Create a Custom VM with two managed disks (EBS) on a cloud

Group of Resources Governance – Service Catalog (e.g. Create a custom training lab with custom software)

Service Catalog – Resource Level Automation

  • Create a portfolio and a product (using a template constraint and a launch constraint)

Tagging Enforcement using Service Catalog

  • Use AWS Service Catalog with DynamoDB, Lambda and CloudWatch Events


Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.