AWS Governance
Users and IAM Governance
- Do not use the root user's credentials for day-to-day work: lock them away and protect the root user with MFA.
- Create IAM users (or federated identities) and assign them specific roles rather than attaching permissions directly to each user.
- Create roles with granular, least-privilege access.
- Use cross-account access roles instead of copying credentials between accounts.
Accounts Governance: Organizations and Landing Zones (Control Tower) for multiple accounts, with a centralized logging account reached through cross-account access roles
- Master: This is where you will find the AWS organisation. Also found here are Single Sign-On (SSO) and a Service Catalog product for the 'Account Vending Machine' (AVM), which automates the creation of new AWS accounts.
- Security: Contains the roles that let security staff switch into the other accounts, and receives notifications of security incidents.
- Shared services: Contains Active Directory and other services that are used by all accounts.
- Logging: This is the central landing place for logs, such as CloudTrail audit logs.
Resource Level Governance: custom IAM policy plus CloudFormation
Simple way: create an IAM policy that allows the create action for a service (for example ec2:RunInstances) together with 'ec2:CreateTags', and attach a condition that requires a tag with a given key to be present in the request (aws:RequestTag/<key> is not Null), whatever its value. A create request that omits the tag is then denied.
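As an added example (not code from the original page), here is the tag-on-create policy the paragraph describes, with the Null condition expressing "a tag named CostCenter with any value", together with a small, deliberately simplified local evaluator so the allow/deny outcomes can be checked without an AWS account. The account ID, region and tag values are constructed. One caveat the policy shows: the Allow for ec2:RunInstances that carries the tag condition must be scoped to the instance and volume ARNs, because the image, subnet, security group and key-pair resources that RunInstances also touches never carry request tags; a second statement allows those without the condition.

```python
"""Tag-on-create enforcement: an IAM policy that allows ec2:RunInstances only
when the request carries a CostCenter tag, plus a deliberately simplified
local evaluator so the allow/deny outcomes can be checked offline.
Added example, not from the page; the evaluator is a teaching model of IAM
condition logic (no explicit Deny, no SCPs, no resource policies)."""
import json
from fnmatch import fnmatchcase

TAG_ON_CREATE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunInstancesOnlyWithCostCenterTag",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {"Null": {"aws:RequestTag/CostCenter": "false"}}
    },
    {
      "Sid": "RunInstancesSupportingResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                   "arn:aws:ec2:*:*:network-interface/*",
                   "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*"]
    },
    {
      "Sid": "TagOnlyAtCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:*/*",
      "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}
    }
  ]
}
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(op, key, wanted, ctx):
    """One condition entry. ctx maps condition keys to a string or, for
    multi-valued keys such as aws:TagKeys, a list of strings."""
    wanted = _as_list(wanted)
    if op == "Null":
        # "true": key must be absent from the request; "false": must be present
        return (key not in ctx) == (wanted[0] == "true")
    if key not in ctx:               # a missing key fails every other operator
        return False
    have = _as_list(ctx[key])
    if op == "StringEquals":
        return all(h in wanted for h in have)
    if op == "StringLike":
        return all(any(fnmatchcase(h, w) for w in wanted) for h in have)
    raise ValueError(f"operator {op} not modelled")

def statement_matches(stmt, action, resource, ctx):
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_ok(op, key, wanted, ctx)
               for op, entries in stmt.get("Condition", {}).items()
               for key, wanted in entries.items())

def is_allowed(policy, action, resource, ctx):
    """Simplified decision: allowed iff some Allow statement matches."""
    return any(s["Effect"] == "Allow" and statement_matches(s, action, resource, ctx)
               for s in policy["Statement"])

def request_context(tags=None, create_action=None):
    """Condition context IAM derives from an EC2 request (constructed here)."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in (tags or {}).items()}
    if tags:
        ctx["aws:TagKeys"] = list(tags)
    if create_action:
        ctx["ec2:CreateAction"] = create_action
    return ctx

INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/*"

if __name__ == "__main__":
    for tags in ({"CostCenter": "4711"}, {"Name": "web"}):
        print(tags, is_allowed(TAG_ON_CREATE_POLICY, "ec2:RunInstances",
                               INSTANCE, request_context(tags)))
```

To restrict the tag to specific values as well, replace the Null condition with a StringEquals on aws:RequestTag/CostCenter listing the allowed values; the evaluator handles that operator too. Policy changes should still be checked against the real service with the IAM policy simulator before rollout.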
Entire Infrastructure Automation: CloudFormation
- Reproducible: automates infrastructure creation from a template.
- Automatic dependencies: what to create first, second and next is resolved automatically from the references (Refs) in the stack definition.
- Parameters (input parameters), e.g. VPC name, region.
- Mappings: for multi-region templates, customizing values per region, especially since the AMI ID for the same image is different in each region.
- Pseudo parameters: available by default, e.g. AWS::AccountId and AWS::Region.
- Resources: Refs between resources; installing and configuring software on an EC2 instance through UserData built with Fn::Join and Fn::Base64.
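The following is an added worked example, not a template from the original page: a constructed three-resource stack (VPC, subnet, instance) in JSON form that uses a Parameter, a per-region Mapping for the AMI, the AWS::Region and AWS::AccountId pseudo parameters, Refs between resources and a UserData script assembled with Fn::Join and Fn::Base64. The Python around it shows the two things the bullets describe but a template alone does not make visible: how the creation order falls out of the Refs (a topological sort), and what the intrinsic functions evaluate to for a given region and account. The AMI IDs and the subnet physical ID are placeholders, and only Ref, Fn::FindInMap, Fn::Join and Fn::Base64 are modelled.

```python
"""CloudFormation intrinsic functions and Ref-based dependency ordering.
Added example, not from the page: the stack is constructed, the AMI IDs are
placeholders, and only Ref, Fn::FindInMap, Fn::Join and Fn::Base64 are
implemented (real CloudFormation supports many more)."""
import base64
import json

TEMPLATE = json.loads(r"""
{
  "Parameters": {"VpcName": {"Type": "String", "Default": "training-lab"}},
  "Mappings": {"RegionMap": {"us-east-1": {"AMI": "ami-00000000000000001"},
                             "eu-west-1": {"AMI": "ami-00000000000000002"}}},
  "Resources": {
    "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {
      "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
      "SubnetId": {"Ref": "LabSubnet"},
      "UserData": {"Fn::Base64": {"Fn::Join": ["", [
        "#!/bin/bash\n", "yum install -y httpd\n",
        "echo account ", {"Ref": "AWS::AccountId"}, " region ", {"Ref": "AWS::Region"},
        " > /var/www/html/index.html\n", "systemctl enable --now httpd\n"]]}}}},
    "LabSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
      "VpcId": {"Ref": "LabVpc"}, "CidrBlock": "10.0.1.0/24"}},
    "LabVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16",
      "Tags": [{"Key": "Name", "Value": {"Ref": "VpcName"}}]}}
  }
}
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def find_refs(node, acc=None):
    """Collect every logical name referenced through Ref or Fn::GetAtt."""
    acc = set() if acc is None else acc
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            acc.add(node["Ref"])
        elif len(node) == 1 and "Fn::GetAtt" in node:
            acc.add(node["Fn::GetAtt"][0])
        else:
            for v in node.values():
                find_refs(v, acc)
    elif isinstance(node, list):
        for v in node:
            find_refs(v, acc)
    return acc

def creation_order(template):
    """Kahn's topological sort over resource-to-resource Refs (plus explicit
    DependsOn): the order in which the resources must be created."""
    resources = template["Resources"]
    deps = {name: (find_refs(res.get("Properties", {})) & set(resources))
                  | set(_as_list(res.get("DependsOn", [])))
            for name, res in resources.items()}
    order, ready = [], sorted(n for n, d in deps.items() if not d)
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m, d in deps.items():
            if n in d:
                d.discard(n)
                if not d:            # last dependency satisfied
                    ready.append(m)
    if len(order) != len(resources):
        raise ValueError("circular dependency among "
                         + ", ".join(sorted(set(resources) - set(order))))
    return order

def resolve(node, template, region, account, params=None, physical_ids=None):
    """Evaluate intrinsic functions: pseudo parameters from the stack context,
    Parameters from the supplied values or their Default, Refs to resources
    from physical_ids (what CloudFormation knows once a resource exists)."""
    params, physical_ids = params or {}, physical_ids or {}
    def sub(v):
        return resolve(v, template, region, account, params, physical_ids)
    if isinstance(node, list):
        return [sub(v) for v in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1 and "Ref" in node:
        name = node["Ref"]
        pseudo = {"AWS::Region": region, "AWS::AccountId": account}
        if name in pseudo:
            return pseudo[name]
        if name in template.get("Parameters", {}):
            return params.get(name, template["Parameters"][name].get("Default"))
        if name in physical_ids:
            return physical_ids[name]
        raise KeyError(f"unresolved Ref {name}")
    if "Fn::FindInMap" in node:
        map_name, top, second = sub(node["Fn::FindInMap"])
        return template["Mappings"][map_name][top][second]
    if "Fn::Join" in node:
        delim, parts = node["Fn::Join"]
        return delim.join(str(p) for p in sub(parts))
    if "Fn::Base64" in node:
        return base64.b64encode(str(sub(node["Fn::Base64"])).encode()).decode()
    return {k: sub(v) for k, v in node.items()}

def decode_user_data(b64):
    """Inverse of Fn::Base64, for inspecting what the instance will run."""
    return base64.b64decode(b64).decode()

if __name__ == "__main__":
    print(creation_order(TEMPLATE))
    props = resolve(TEMPLATE["Resources"]["WebServer"]["Properties"], TEMPLATE,
                    "eu-west-1", "123456789012", physical_ids={"LabSubnet": "subnet-0abc"})
    print(props["ImageId"], decode_user_data(props["UserData"]), sep="\n")
```

Note that the resources are listed out of order in the template on purpose: creation_order still yields the VPC, then the subnet, then the instance, because the Refs define the graph. Decoding UserData before deployment is also a worthwhile review step, since that script runs as root on first boot and is a common place for hard-coded secrets to slip in.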
Terraform
- Example use: create a custom VM with two managed disks (EBS volumes on AWS) from a single declarative definition.
Group of Resources Governance: Service Catalog (e.g. create a custom training lab with custom software)
Service Catalog: resource-level automation
- Create a portfolio and add a product (a CloudFormation template) to it; a template constraint limits which parameter values a user may choose, and a launch constraint sets the IAM role the stack is launched with, so end users do not need the underlying permissions themselves.
Tagging Enforcement using Service Catalog
- Use AWS Service Catalog together with DynamoDB, Lambda and CloudWatch Events: the CloudWatch Events rule fires when a resource is created and the Lambda function checks the resource's tags against the required set.
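As an added example (not code from the page or from any AWS sample), here is the detective half of that pattern: a Lambda-style handler for the "AWS API Call via CloudTrail" event that CloudWatch Events delivers for RunInstances. It reads the created instance IDs and their tags from the CloudTrail responseElements, compares them to a required-tag table and returns one finding per non-compliant instance. The DynamoDB table is replaced by an in-memory dict, the event is constructed (account ID, role name and instance IDs are placeholders), and the remediation call is left to the reader so the block runs offline.

```python
"""Detective tag enforcement: a Lambda-style handler that inspects the
CloudTrail RunInstances event delivered by CloudWatch Events and reports
instances missing required tags. Added example, not from the page; the
required-tag table is an in-memory dict standing in for the DynamoDB
table, and the event below is constructed."""
import json

# Stand-in for the DynamoDB item keyed by resource type (constructed).
# None means "any value"; a set restricts the allowed values.
REQUIRED_TAGS = {
    "AWS::EC2::Instance": {"CostCenter": None,
                           "Environment": {"dev", "test", "prod"}},
}

SAMPLE_EVENT = json.loads(r"""
{
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.ec2",
  "region": "eu-west-1",
  "detail": {
    "eventName": "RunInstances",
    "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Developer/alice"},
    "responseElements": {
      "instancesSet": {"items": [
        {"instanceId": "i-0aaaaaaaaaaaaaaa1",
         "tagSet": {"items": [{"key": "CostCenter", "value": "4711"},
                              {"key": "Environment", "value": "dev"}]}},
        {"instanceId": "i-0bbbbbbbbbbbbbbb2",
         "tagSet": {"items": [{"key": "Name", "value": "scratch"},
                              {"key": "Environment", "value": "sandbox"}]}}
      ]}
    }
  }
}
""")

def instance_tags(event):
    """Yield (instance_id, {tag_key: tag_value}) for each instance the
    RunInstances call created, read from the CloudTrail response element."""
    resp = event["detail"].get("responseElements") or {}
    for item in resp.get("instancesSet", {}).get("items", []):
        tags = {t["key"]: t["value"] for t in item.get("tagSet", {}).get("items", [])}
        yield item["instanceId"], tags

def missing_or_invalid(tags, rules):
    """Return {key: reason} for every required tag that is absent or whose
    value is outside the allowed set."""
    problems = {}
    for key, allowed in rules.items():
        if key not in tags:
            problems[key] = "missing"
        elif allowed is not None and tags[key] not in allowed:
            problems[key] = f"value {tags[key]!r} not in {sorted(allowed)}"
    return problems

def handler(event, context=None):
    """Lambda entry point: one finding per non-compliant instance. A failed
    API call (errorCode set) created nothing, so it yields no findings.
    The real function would go on to tag or stop the instance and publish
    the finding; that side effect is left out here."""
    detail = event["detail"]
    if detail.get("eventName") != "RunInstances" or detail.get("errorCode"):
        return {"findings": []}
    rules = REQUIRED_TAGS["AWS::EC2::Instance"]
    findings = []
    for instance_id, tags in instance_tags(event):
        problems = missing_or_invalid(tags, rules)
        if problems:
            findings.append({"instanceId": instance_id,
                             "principal": detail["userIdentity"]["arn"],
                             "problems": problems})
    return {"findings": findings}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Two practical points: CloudTrail delivers these events minutes after the call, so this check complements rather than replaces the preventive IAM condition, and the principal ARN is kept in the finding so the notification can name who launched the untagged resource.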