What is AWS Governance?

In one sentence: ‘Leveraging the AWS API (the public cloud API) to build automated templates around the provisioning of resources.’

All public cloud governance consists of three broad categories plus one enabling layer:

  • Automation – Resource Provisioning Automation, Account Automation, Policy Automation
  • Budget Enforcement and Cost Compliance
  • Security Compliance
  • Base Enablement – Tagging, Centralized Logging. This isn’t a separate category, but is required for enabling the other 3.

Automation – includes Resource Provisioning, Account Automation, Policy Automation and Identity Federation

Resource Provisioning

  • AWS Service Catalog – automates network architecture baselining. Service Catalog portfolios replace manual processes and facilitate the use of pre-defined, standardized system deployment templates.
  • AWS Landing Zone
  • AWS Quick Starts

Account Automation

  • AWS account provisioning with services such as AWS Organizations and AWS CloudFormation
  • AWS Landing Zones

Policy Automation

  • AWS guidance for governance at scale automates the application of company policies, deploying accounts with standard specifications to ensure consistency across AWS accounts and resources. The policy engine is flexible enough to accommodate and enforce different kinds of security policies, whether expressed as AWS Identity and Access Management (IAM) policies, AWS CloudFormation templates, or custom scripts.

Identity Federation

  • AWS governance solutions employ AWS Single Sign-On (SSO) through federated identity integration with external identity providers such as SAML 2.0 IdPs or Active Directory, to centralize AWS account management and simplify user access to AWS accounts. When SSO is used in conjunction with AWS CloudTrail, user activity can be tracked across multiple AWS accounts, because each CloudTrail event records the federated session (role plus user name) that made the call.

Budget Enforcement

Enforcement of budget constraints is a key component of governance at scale. Each level of the organization defines spending limits within accounts and projects, monitors account spending in near real-time, and triggers warning notifications or enforcement actions. Automated actions include:

  • Restricting the use of AWS resources to those that cost less than a specified price.
  • Throttling new resource provisioning.
  • Shutting down, terminating, or de-provisioning AWS resources after archiving configurations and data for future use.

Security Compliance

  • AWS service or Amazon Virtual Private Cloud (Amazon VPC) baseline configurations can be provisioned using standardized AWS configurations or AWS CloudFormation templates.
  • These templates align with the company’s security and compliance requirements and have been evaluated and approved by the company’s risk decision makers.
  • Well implemented security automation is responsive to security incidents. This includes processes to respond to policy violations by revoking IAM user access, preventing new resource allocation, terminating resources, or isolating existing cloud resources for forensic analysis.
  • Automation can be accomplished by collecting and storing AWS logging data in centralized data lakes and performing analytics, or by basing responses on the output of other analytics tools.
  • At each level of the hierarchy the company can specify which AWS services, features, and resources are approved for use on a per department, per user, or per project basis. This ensures self-service requests can’t provision unapproved items.
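The approved-service list in the last bullet is normally enforced with a Service Control Policy (SCP) attached to an organizational unit. The following is an added example, not code from the original post: it builds such an allow-list SCP and evaluates single API actions against it the way AWS does (an explicit Deny always wins, otherwise some Allow must match). The service names, regions and the `build_scp`/`is_allowed` helpers are my own assumptions, and the evaluator understands only the `aws:RequestedRegion` condition key.

```python
"""Approved-service allow list expressed as an SCP, plus a minimal evaluator.

Added example, not from the original post. `build_scp` writes the policy an
organisation would attach to an OU so that self-service requests cannot reach
services or regions outside the approved list; `is_allowed` applies the two
documented SCP rules (an explicit Deny always wins, otherwise some Allow has
to match) to a single API action. The service and region lists are made up.
Only the `aws:RequestedRegion` condition key is understood by the evaluator.
"""
import fnmatch
import json

APPROVED_SERVICES = ["ec2", "s3", "rds", "cloudwatch", "logs", "cloudformation"]
APPROVED_REGIONS = ["us-east-1", "us-west-2"]
# Global services have no region of their own, so the region Deny must exempt them.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:Describe*", "support:*"]


def build_scp(services, regions):
    """Allow only the approved services; deny anything (except global services)
    that targets a region outside the approved list."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowApprovedServices",
                "Effect": "Allow",
                "Action": [f"{svc}:*" for svc in services] + GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": regions}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action wildcards are case-insensitive shell-style globs ("ec2:Describe*").
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_applies(stmt, action, region):
    """Does this statement cover the action and satisfy its Condition block?"""
    if "Action" in stmt and not _action_matches(_as_list(stmt["Action"]), action):
        return False
    if "NotAction" in stmt and _action_matches(_as_list(stmt["NotAction"]), action):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if key != "aws:RequestedRegion":
                raise ValueError(f"condition key not modelled here: {key}")
            values = _as_list(values)
            if operator == "StringEquals" and region not in values:
                return False
            if operator == "StringNotEquals" and region in values:
                return False
    return True


def is_allowed(scp, action, region):
    """True if the SCP lets `action` through in `region`. Explicit Deny wins;
    without any matching Allow the action is denied by default."""
    allowed = False
    for stmt in scp["Statement"]:
        if not _statement_applies(stmt, action, region):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


APPROVED_SCP = build_scp(APPROVED_SERVICES, APPROVED_REGIONS)

if __name__ == "__main__":
    print(json.dumps(APPROVED_SCP, indent=2))
    for action, region in [("ec2:RunInstances", "us-east-1"),
                           ("sagemaker:CreateNotebookInstance", "us-east-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateRole", "eu-west-1")]:
        verdict = "allowed" if is_allowed(APPROVED_SCP, action, region) else "denied"
        print(f"{action:35} {region:10} -> {verdict}")
```

An SCP is a permission boundary for the accounts beneath it, not a grant: a principal still needs an IAM policy that allows the action. It has no effect on the organization’s management account, and the default FullAWSAccess policy has to be replaced (or a Deny-based SCP added) before an allow list like this one actually bites.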

Base Enablement – Tagging and Logging

  • Centralized logging
  • Tagging Strategy and Enforcement
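Tag enforcement is what makes the cost and compliance categories above workable, and on AWS it is usually implemented as an AWS Config rule. The following is an added example, not from the original post: a Lambda handler for a Config custom rule that marks resources missing any required tag as NON_COMPLIANT. The tag names, the sample event and the helper names are my own assumptions; the event shape and the evaluation fields are the ones AWS Config documents for custom rules.

```python
"""Required-tag enforcement as an AWS Config custom rule handler.

Added example, not from the original post. The handler reads the event shape
AWS Config delivers to a Lambda-backed custom rule (the configuration item is a
JSON string in `invokingEvent`, rule parameters another JSON string in
`ruleParameters`), checks the required tags and returns the evaluation record
AWS Config expects. The sample event is constructed; the call that reports the
verdict back to Config is isolated in `report_evaluation` and left as a no-op
so the logic runs offline. Oversized-change notifications, where the
configuration item has to be fetched separately, are not handled.
"""
import json

DEFAULT_REQUIRED_TAGS = ["Owner", "CostCenter", "Environment"]


def evaluate_tags(configuration_item, required_tags):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    tags = configuration_item.get("tags") or {}
    # A tag that exists but is blank counts as missing.
    missing = [t for t in required_tags if not str(tags.get(t, "")).strip()]
    if missing:
        return "NON_COMPLIANT", "missing required tags: " + ", ".join(missing)
    return "COMPLIANT", "all required tags present"


def required_tags_from(event):
    """Rule parameter `requiredTags` is a comma-separated string; fall back to the default list."""
    params = json.loads(event.get("ruleParameters") or "{}")
    names = [t.strip() for t in params.get("requiredTags", "").split(",") if t.strip()]
    return names or DEFAULT_REQUIRED_TAGS


def build_evaluation(event):
    """Turn a custom-rule invocation into the evaluation dict put_evaluations takes."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_tags(item, required_tags_from(event))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def report_evaluation(evaluation, result_token):
    # In Lambda this would be:
    #   boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=result_token)
    # Left as a no-op here so the example runs without AWS credentials.
    return None


def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    report_evaluation(evaluation, event["resultToken"])
    return evaluation


# Constructed sample invocation: an EC2 instance tagged Owner and Environment but no CostCenter.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "tags": {"Owner": "platform-team", "Environment": "dev"},
        },
    }),
    "ruleParameters": json.dumps({"requiredTags": "Owner,CostCenter,Environment"}),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

The rule only reports; the enforcement actions listed under Budget Enforcement and Security Compliance (throttling, stopping, isolating) come from a remediation step wired to the NON_COMPLIANT result, for example a Config remediation action or an EventBridge rule on the compliance change. Keep the tag check itself dumb and deterministic so that an audit can reproduce every verdict from the recorded configuration item.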

Governance Track (1 day) – AWS Governance Training

Day One – AWS Governance Training

  • Multiple Account Management – Automated Account Provisioning
  • Cost Enforcement – Actual Spend vs. Projection, Automation and Metering
  • Automation of Compliance (Security, Data) — Security – Dynamic Policies — Data – PCI, PII, HIPAA
  • Service Catalog Templated Approach vs. Manual, Flexible provisioning approach
  • Tools for monitoring and enforcing compliance – Trusted Advisor, CloudCheckr, CloudHealth
  • List of best practices: tagging, AWS-native cost saving tips (EBS, Spot Instances, volume discounts, RIs…)

Development Track (3 days)

Day 1 – AWS Developer Training

Identity, Accounts, Access Management

  • Account Structure – Single Account vs Multiple Account Structure, Organizations
  • IAM – Users, Groups, Roles, Policies

Networking
— Regions and Zones
— VPCs – default and custom
— Shared vs Dedicated Tenancy Models
— Subnets – public, private
— Route tables
— Security Groups and NACLs
— CloudFront and Route53 (Discussion Only)

Management and Governance
— CloudWatch, CloudTrail, VPC Flowlogs
— AWS Config – (create rules) for monitoring configuration changes to your resources
— Trusted Advisor

Day 2 – AWS Developer Training – EC2, S3 and RDS

— Compute Services, Storage Services, RDS Services
— Elastic IPs
— On-Demand vs. Reserved instances  – RIs – Standard RIs vs. Convertible RIs
— Instance Types
— Instance Tagging
— EBS Volumes – Volume Types
S3
— Naming conventions
— Versioning, Server Access Logging, Object Level Logging
— Public Access versus Restricted Access (e.g. restricting to a single IP address)
— Bucket Access Policies (https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html)
— Bucket Lifecycle Policies, Cross-Region Replication – Discussion Only
— Tools for syncing between desktops and S3 (CloudBerry…) – Discussion Only
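As an added example (not from the original post or the linked AWS page), here is the bucket-policy pattern behind the single-IP restriction above, together with a check for the opposite mistake: an Allow to everyone with no condition, which is what makes a bucket world-readable. The bucket name, CIDR and role ARN are made up, and `restrict_to_ip_policy` and `public_statements` are my own helpers.

```python
"""S3 bucket policy: lock a bucket to one address range, and spot blanket-public grants.

Added example, not from the original post. `restrict_to_ip_policy` produces the
"deny unless from these addresses" pattern from the AWS bucket-policy examples
(Deny, Principal "*", NotIpAddress on aws:SourceIp); `public_statements` returns
the Allow statements that make a bucket world-accessible: principal "*" with no
Condition at all. Bucket name, addresses and the admin role ARN are made up.
"""
import ipaddress
import json


def restrict_to_ip_policy(bucket, cidrs, admin_role_arn):
    """Deny every S3 action on the bucket unless the request comes from `cidrs`,
    except for `admin_role_arn`, so a typo in the CIDR cannot lock everyone out."""
    for cidr in cidrs:
        ipaddress.ip_network(cidr)          # raises ValueError on a malformed range
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromApprovedAddresses",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            # Both conditions must hold for the Deny to apply: not from the
            # approved range AND not the designated admin role.
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": list(cidrs)},
                "ArnNotEquals": {"aws:PrincipalArn": admin_role_arn},
            },
        }],
    }


def _principals(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def public_statements(policy):
    """Sids (or positions) of Allow statements granting to everyone with no Condition.
    Conditioned grants to "*" are not flagged: they need a manual look, since a
    condition such as aws:SecureTransport does not actually narrow the audience."""
    found = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", f"Statement[{index}]"))
    return found


# Constructed: the classic world-readable policy that turns up in bucket leaks.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

OFFICE_ONLY_POLICY = restrict_to_ip_policy(
    "example-bucket", ["203.0.113.0/24"], "arn:aws:iam::123456789012:role/BucketAdmin")

if __name__ == "__main__":
    print("public statements:", public_statements(PUBLIC_READ_POLICY))   # ['PublicReadGetObject']
    print("public statements:", public_statements(OFFICE_ONLY_POLICY))   # []
    print(json.dumps(OFFICE_ONLY_POLICY, indent=2))
```

Two caveats a practitioner will hit. The Deny keys on aws:SourceIp, which S3 only sees for requests arriving over its public endpoint; traffic through a VPC endpoint carries no source IP from S3’s point of view and would be denied, so that path needs aws:SourceVpce or aws:VpcSourceIp instead. And a blanket Deny with a wrong CIDR locks out everybody, which is why the example carves out one admin role and why the AWS documentation warns about it. Bucket policies are also only one of several S3 access layers: account-level S3 Block Public Access stops a policy like PUBLIC_READ_POLICY from ever taking effect.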

RDS 

Day 3 – AWS Developer Training – VPN Setup, AD One way and 2 way trust setup, Security, Cost Optimization

— Customer Gateway
— Virtual Private Gateways (VGWs)
— Site to Site VPN = VGW + Customer Gateway – Demo; try deleting the Customer Gateway or the VGW individually and observe what the VPN connection depends on.

AD 2-Way Trust Setup – as part of Day 3, developer training AWS

— Configuring On Prem Piece
— Configuring AWS Piece
— Trial Sync of Directory Objects

Security , Cost Optimization – AWS Developer Training

— Amazon GuardDuty, Amazon Inspector, DMZ subnets
— AWS WAF
— Trusted Advisor
— CloudHealth


S3 access – Advanced

  • External, programmatic user access to S3 – IAM access key ID and secret access key (prefer short-lived credentials from an assumed role over long-lived user keys, and rotate any user keys you do hand out).
  • S3 access over ports 80 and 443 (HTTP and HTTPS).
  • S3 – CloudBerry Desktop Explorer and CloudBerry Drive (map an on-prem drive letter to S3).
  • S3 change storage class – aws s3 cp s3://BUCKET/KEY s3://BUCKET/KEY --storage-class STANDARD_IA
  • S3 rename? Buckets cannot be renamed: use the AWS CLI to create a new bucket and copy all your objects from the old bucket to the new bucket (aws s3 sync), then update references and delete the old one.

Security Groups versus NACLS – in detail

Security Groups are:

  1. AT INSTANCE LEVEL
  2. Stateful — return traffic for an allowed connection is permitted automatically, so you only set rules for one direction.
  3. VPC scoped — can be attached to instances in any AZ or subnet of the VPC
  4. Allow rules only — everything not explicitly allowed is implicitly denied
  5. Rules processed together as a group — order does not matter
  6. Rules processed at the ENI layer

NACLs are:

  1. AT SUBNET LEVEL
  2. Stateless — inbound and outbound rules must always be configured, including the ephemeral port range for return traffic.
  3. Subnet scoped — must be explicitly associated with one or more subnets
  4. Allow and deny rules both
  5. Rules processed in order of rule number — when a rule is matched, no rules further down the list are evaluated; the final “*” rule denies everything else
  6. Rules processed at the subnet boundary
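Added example, not from the original post: a small simulation of the two rule engines just listed, run over a constructed HTTPS request and its reply. It shows concretely why a NACL needs an outbound rule for the ephemeral port range while a security group does not, and why rule order matters only for NACLs. Addresses, ports, rule numbers and the `SecurityGroup`/`NetworkAcl` classes are my own assumptions.

```python
"""Security group (stateful, allow-only) vs network ACL (stateless, ordered).

Added example, not from the original post: a small simulation of the two rule
engines described above, run over a constructed HTTPS request and its reply.
Addresses, ports and rule numbers are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp", "udp", ...
    direction: str   # "in" (toward the instance) or "out" (away from it)


def _rule_matches(rule, pkt):
    """Shared matching: protocol ("-1" = any), destination port range, and the
    CIDR that applies to this direction (source for inbound, destination for outbound)."""
    if rule["proto"] not in ("-1", pkt.proto):
        return False
    lo, hi = rule["ports"]
    if not lo <= pkt.dport <= hi:
        return False
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule["cidr"])


class SecurityGroup:
    """Allow rules only, every rule considered, connection state remembered."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self._flows = set()   # 5-tuples of flows already admitted by a rule

    def allows(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self._flows:       # reply to an admitted flow: no rule needed
            return True
        if any(_rule_matches(r, pkt) for r in self.rules[pkt.direction]):
            self._flows.add(flow)
            return True
        return False                     # implicit deny


class NetworkAcl:
    """Numbered allow/deny rules, lowest number first, first match wins,
    no state: the reply packet has to pass the outbound rules by itself."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}

    def allows(self, pkt):
        for _num, rule in sorted(self.rules[pkt.direction].items()):
            if _rule_matches(rule, pkt):
                return rule["action"] == "allow"
        return False                     # the trailing "*" deny rule


def check_flow(acl_or_sg, request, response):
    """Evaluate the request first (so a stateful filter can record it), then the reply."""
    return acl_or_sg.allows(request), acl_or_sg.allows(response)


# Constructed scenario: a browser at CLIENT talks to a web server at SERVER.
CLIENT, SERVER = "203.0.113.5", "10.0.1.10"
REQUEST = Packet(CLIENT, 51234, SERVER, 443, "tcp", "in")
RESPONSE = Packet(SERVER, 443, CLIENT, 51234, "tcp", "out")
BLOCKED_REQUEST = Packet("198.51.100.7", 40000, SERVER, 443, "tcp", "in")

ANY = {"proto": "-1", "ports": (0, 65535)}

# Security group: inbound 443 only, deliberately no outbound rule at all.
WEB_SG = SecurityGroup(
    inbound=[{"proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}],
    outbound=[],
)

# NACL written as if it were stateful: replies to ephemeral ports never get out.
NAIVE_NACL = NetworkAcl(
    inbound={100: {"action": "allow", "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}},
    outbound={100: {"action": "allow", "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}},
)

# Corrected NACL: ephemeral-port range outbound, and a deny that sits ahead of
# the allow so the blocked range is rejected before rule 100 is ever reached.
FIXED_NACL = NetworkAcl(
    inbound={
        50: {"action": "deny", **ANY, "cidr": "198.51.100.0/24"},
        100: {"action": "allow", "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
    },
    outbound={100: {"action": "allow", "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0"}},
)

if __name__ == "__main__":
    print("security group", check_flow(WEB_SG, REQUEST, RESPONSE))       # (True, True)
    print("naive NACL    ", check_flow(NAIVE_NACL, REQUEST, RESPONSE))   # (True, False)
    print("fixed NACL    ", check_flow(FIXED_NACL, REQUEST, RESPONSE))   # (True, True)
    print("blocked client", FIXED_NACL.allows(BLOCKED_REQUEST))          # False
```

The security group with no outbound rule still passes the reply because the connection was tracked; the NACL without the 1024-65535 outbound rule drops it, which is the classic “instance is reachable but the page never loads” symptom. Putting the deny at rule 50 rather than 150 is the whole point of NACL ordering: the same deny placed after the allow would never be reached. Real NACLs number rules up to 32766 and end with the “*” deny modelled here.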

ADFS Based Server Claims – Federated Logins to AWS Resources

https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resources-by-using-active-directory-user-attributes/

EC2 Spinning Up, SGs, Access, Moving AZs, Monitoring, RIs

  1. Create a new EC2 instance – choose the correct VPC (not the default VPC), create a new SG (allow-all only for a throwaway test; restrict it to your own IP before anything real), and create a key pair. t2.micro is free-tier eligible and fine for quick tests.
  2. Moving between AZs? – Create an AMI, then launch from that AMI (AMIs menu) and choose the new AZ.
  3. While security groups are normally associated with instances at launch, you can also add or remove them from running instances through the AWS Console: go to ‘EC2 > Instances’, select the instance you want to modify, and choose ‘Actions > Networking > Change Security Groups’.
  4. Detailed vs Basic Monitoring
  • Basic – Data is available automatically in 5-minute periods at no charge.
  • Detailed – Data is available in 1-minute periods for an additional cost. To get this level of data, you must specifically enable it for the instance. For the instances where you’ve enabled detailed monitoring, you can also get aggregated data across groups of similar instances.

5. Reserved Instances – EC2 menu

  1. In the left navigation pane, choose “Reserved Instances”.
  2. Choose “Purchase Reserved Instances”

Elastic IPs (an EIP is a static public IPv4 address)

  • Default quota of 5 EIPs per region per account (can be raised through Service Quotas)
  • An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.

Historically an Elastic IP address did not incur charges as long as the following conditions were true (note that since February 2024 AWS bills every public IPv4 address by the hour, associated Elastic IPs included, so only the idle-address surcharge still depends on them):

  • The Elastic IP address is associated with an EC2 instance.
  • The instance associated with the Elastic IP address is running.
  • The instance has only one Elastic IP address attached to it.

The Enable auto-assign public IPv4 address check box, if selected, requests a public IPv4 address for all instances launched into the selected subnet.


Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Posted by Anuj Varma, Hands-On Technology Architect, Clean Air Activist.