In this post, we’ll talk about governance and compliance in AWS and the services and tools Amazon provides to simplify setting up and maintaining governance and compliance of your AWS accounts and environments.
Every day more and more businesses are adopting the AWS cloud as part of their operations. And why wouldn’t they? From deploying infrastructure with code by just a few clicks of a button to automagically scaling your infrastructure to meet traffic demands, AWS provides a mind-boggling number of use cases and applications to make running a business easier.
As this transition to the cloud continues and the world of technology evolves, it has become increasingly important to secure your data and cloud infrastructure.
We’ve all seen the news stories, videos, and social media posts where a company has been hacked and thousands of people’s credentials or personal information have been leaked.
Industry leaders, organizations, and legislators have established a number of standards and compliance frameworks that provide guidelines on how to secure your cloud and reduce the risk of these kinds of incidents.
So here’s the big question: what services and tools does Amazon provide to simplify setting up and maintaining governance and compliance of your AWS accounts and environments?
I aim to answer this question (and more) in my new introduction to Governance and Compliance on AWS course! But in the meantime, I want to share with you three things I’ve learned about Governance and Compliance on AWS that you may find beneficial.
Here are three lessons learned and three must-use tools to help with compliance and governance on AWS.
1. Get comfortable with how to review and investigate changes in your AWS Accounts
It’s no secret that if you’re working in AWS environments, at some point you’re going to need to investigate who or what made changes in a given AWS account (and whether it was the new hire or a malicious hacker. Fingers crossed it’s the former . . .).
This is a very important skill to have, and the first go-to service that would probably come to mind is CloudTrail.
What is AWS CloudTrail?
AWS CloudTrail is a service that constantly tracks and logs user activity. From the commands you run from your shell to the clicks in the AWS console, CloudTrail logs it all! Below is a diagram that elaborates on how this useful service works:
Bonus Tidbit: On top of CloudTrail, you can also use AWS Config to monitor and view configuration changes on resources that wouldn’t be captured from the details of an API call. Here’s a diagram to help visualize how Config functions:
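Investigating "who changed what" usually starts with reading CloudTrail log files. The following script is an added example (not code from the original post) that triages a CloudTrail log file for mutating API calls and groups them by principal; the records are constructed to look like CloudTrail events, and the account ID and IP addresses are documentation placeholders.

```python
"""Triage a CloudTrail log file: who changed what, and from where.

Added example, not part of the original post. The records below are
constructed; no field values come from a real account.
"""
import json
from collections import defaultdict

# Constructed sample: a CloudTrail log file is a JSON object with a "Records" list.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-10-04T13:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "new-hire"}},
    {"eventTime": "2021-10-04T13:05:47Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "new-hire"}},
    {"eventTime": "2021-10-04T13:09:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "readOnly": False,
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/session"}},
]})

READ_PREFIXES = ("Describe", "Get", "List", "Lookup")

def is_change(record):
    """True for API calls that modify state. Prefer CloudTrail's readOnly
    flag; fall back to the event-name prefix for records that lack it."""
    if "readOnly" in record:
        return not record["readOnly"]
    return not record["eventName"].startswith(READ_PREFIXES)

def who(record):
    """Best available label for the caller: IAM user name, role ARN, or type."""
    ident = record["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident.get("type")

def summarize_changes(log_text):
    """Map each principal to the (time, service, action, source IP) tuples
    of the mutating calls it made."""
    changes = defaultdict(list)
    for rec in json.loads(log_text)["Records"]:
        if is_change(rec):
            changes[who(rec)].append((rec["eventTime"], rec["eventSource"],
                                      rec["eventName"], rec["sourceIPAddress"]))
    return dict(changes)

if __name__ == "__main__":
    for principal, calls in summarize_changes(SAMPLE_LOG).items():
        print(principal)
        for call in calls:
            print("   ", *call)
```

Read-only calls such as DescribeInstances drop out of the summary, while the security-group change and the call that stopped CloudTrail logging remain attributed to their callers and source addresses.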
2. Don’t work hard, work smart with AWS Organizations
If you only work on a single AWS account, managing that account is probably pretty straightforward, but the reality is most businesses (especially large enterprises) have numerous AWS accounts.
Securing and implementing policies on 50+ accounts is a daunting task not for the faint of heart. And don’t get me started on the billing mayhem. Well, the good news is that there is a service that makes all of this easier for you to deal with. I’m talking about AWS Organizations.
What is AWS Organizations?
With AWS Organizations you can logically group AWS accounts into organizational units (or OUs for short).
So, let’s say out of those 50 accounts 10 are development accounts. You can create a development OU and place those 10 accounts under the one development OU.
The policies and restrictions you put in place will more than likely differ between a development account and a production account.
For a development account, it’s highly unlikely that you would need to run a juggernaut of an instance like the U-9tb1 instance type. In fact, most companies try to be cost-efficient on development accounts and use instance types like the t3.micro.
With a Service Control Policy (SCP) like the one below attached to the development OU, you can restrict every development account to t3.micro instances in a single change:
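As an added example (not the policy from the original post), here is an SCP that denies ec2:RunInstances for any instance type other than t3.micro, together with a small evaluator that shows which requests it would block. The evaluator models only the StringEquals/StringNotEquals logic this policy uses and is an illustration, not a full IAM policy engine.

```python
"""SCP limiting a development OU to t3.micro, plus a minimal evaluator.

Added example, not from the original post. Only the subset of IAM condition
logic used by this policy is modelled (StringEquals / StringNotEquals).
"""

# Deny any RunInstances call whose instance type is not t3.micro.
# SCPs only filter permissions; member accounts still need an IAM policy that
# allows ec2:RunInstances, and SCPs never apply to the management account.
DEV_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllButT3Micro",
        "Effect": "Deny",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringNotEquals": {"ec2:InstanceType": "t3.micro"}},
    }],
}

def _condition_matches(condition, context):
    """Evaluate the statement's Condition block against request context keys.
    A missing key is treated as 'not equal', the fail-closed reading."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "StringNotEquals" and actual in wanted:
                return False
    return True

def scp_denies(policy, action, context):
    """True if any Deny statement in the SCP matches the action and context."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or action not in acts:
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False

if __name__ == "__main__":
    # u-9tb1.metal is the high-memory type the post refers to as "U-9tb1".
    for itype in ("t3.micro", "u-9tb1.metal"):
        blocked = scp_denies(DEV_OU_SCP, "ec2:RunInstances", {"ec2:InstanceType": itype})
        print(f"{itype}: {'denied' if blocked else 'allowed'}")
```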
Don’t think for a second that I forgot about that billing mayhem either.
Let me ask you this: when you go out to a restaurant with your family with the intention of paying for everyone’s meal, you don’t ask the waiter or waitress to split the bill and pay for each person with the same card, right? So why would a business do the same for their cloud?
AWS Organizations offers the perfect solution to this with consolidated billing, which makes it easy to track your spend, saves you a little money by combining usage across your accounts, and, best of all, puts everything on one bill.
3. Lock down on security with AWS Security Hub
What is AWS Security Hub?
AWS Security Hub is one of the must-have services when you are talking about setting up and managing security or compliance in your environments.
There are several standards offered within the Security Hub service that you can enable. Once you have enabled the standards you need, Security Hub does the heavy lifting of running security checks and pulling information from other services like Inspector, GuardDuty, Macie, and many more, then takes the results and presents the findings to you in a single comprehensive view. From there, you have a list of actions you can take to better lock down and secure your environment.
There are many other services for governance and compliance. Want to learn more about governance and compliance on AWS? Come join me in my new introduction to Governance and Compliance on AWS course and let’s get to learning!