Governance and Policy Framework


Introduction

Working with cloud governance across various organizations has taught me that the difference between documentation and enforcement is everything.

In compliance and audit engagements, I've consistently seen a pattern where organizations document security requirements but fail to enforce them technically. Common findings include:

  • S3 buckets with public access despite policies prohibiting it

  • Unencrypted databases in production environments

  • Missing centralized logging across accounts

  • Root accounts without MFA enabled

  • Infrequent or missing access reviews

  • No approval processes for production changes

  • Overly permissive access controls

The root cause in these cases was treating governance as documentation rather than technical enforcement. Having a policy that says "buckets must be private" means nothing if developers can still create public buckets.

Through implementing governance frameworks, I've learned that effective governance uses preventive controls that make policy violations technically impossible, not just detective controls that find violations after they occur.

This article shares the governance patterns and policy-as-code approaches I've used to build enforceable compliance frameworks - covering Service Control Policies, Azure Policy, automated compliance scanning, and the shift from recommendations to guardrails.


What is Cloud Governance

Cloud governance is the framework of policies, procedures, and automated controls that ensure:

  • Security: Resources are configured securely

  • Compliance: Regulatory requirements are met

  • Cost: Spending stays within budget

  • Operations: Standards are consistently applied

The Governance Hierarchy


Key Principles

1. Preventive Over Detective

2. Automated Over Manual

3. Immutable Over Mutable


Service Control Policies (AWS SCPs)

SCPs are the outermost permission boundary in an AWS Organization. They define the maximum permissions available to member accounts (they grant nothing by themselves), and even the root user of a member account cannot bypass them.

SCP Architecture

Inheritance Model:

Essential SCPs

1. Prevent Leaving Organization

Why it matters: Prevents a rogue admin from removing an account from central governance.

2. Require Encryption at Rest

3. Restrict Approved Regions

Why it matters: Data residency compliance (GDPR, CCPA), cost control, simplified operations.

4. Require MFA for Console Access

5. Prevent Disabling Security Services

6. Prevent Public Access
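As an added illustration (not code from the article), here is a small Python evaluator for the inheritance model: an action is available to an account only if the SCPs at every level from root down to the account allow it and none deny it. The policy documents, the region list and the request contexts are constructed for this example; they follow the shape of the "prevent leaving organization" and "restrict approved regions" SCPs above.

```python
import fnmatch

# Constructed sample values for this example (not from the article).
APPROVED_REGIONS = ["us-east-1", "us-west-2"]

# AWS Organizations attaches FullAWSAccess to every level by default; a level
# with no Allow statement at all permits nothing.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Essential SCP 1: prevent leaving the organization.
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny",
    "Action": "organizations:LeaveOrganization", "Resource": "*"}]}

# Essential SCP 3: restrict approved regions. NotAction exempts global services
# whose calls are not region-scoped; the condition keys on aws:RequestedRegion.
RESTRICT_REGIONS = {"Statement": [{"Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "cloudfront:*", "route53:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}}]}

def _matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _condition_ok(condition, ctx):
    # Only the two operators these SCPs use. As in IAM, a negated operator
    # also matches when the key is absent from the request context.
    for op, pairs in (condition or {}).items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        for key, vals in pairs.items():
            vals = [vals] if isinstance(vals, str) else vals
            if (op == "StringEquals") != (ctx.get(key) in vals):
                return False
    return True

def _applies(stmt, action, ctx):
    if "Action" in stmt:
        hit = _matches(stmt["Action"], action)
    else:
        hit = not _matches(stmt["NotAction"], action)
    return hit and _condition_ok(stmt.get("Condition"), ctx)

def level_allows(policies, action, ctx):
    """One level (root, OU or account): an explicit Deny wins; otherwise some Allow must match."""
    matched = [s for p in policies for s in p["Statement"] if _applies(s, action, ctx)]
    return any(s["Effect"] == "Allow" for s in matched) and not any(s["Effect"] == "Deny" for s in matched)

def is_allowed(hierarchy, action, ctx):
    """The account may perform the action only if every level from root to account allows it."""
    return all(level_allows(level, action, ctx) for level in hierarchy)
```

Try removing FullAWSAccess from one level of the hierarchy list to see that nothing is permitted there, which is why detaching it is the usual mistake made when first tightening SCPs.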

Terraform - SCP Management


Azure Policy and Management Groups

Azure Policy provides similar governance capabilities with richer evaluation logic.

Azure Policy Effects

| Effect            | Description                            | Use Case                       |
|-------------------|----------------------------------------|--------------------------------|
| Deny              | Block resource creation/modification   | Prevent unencrypted storage    |
| Audit             | Log non-compliant resources            | Detect resources missing tags  |
| AuditIfNotExists  | Audit if a related resource is missing | Check if VM has backup enabled |
| DeployIfNotExists | Automatically deploy missing resource  | Auto-enable diagnostic logging |
| Modify            | Add/update/remove tags or properties   | Enforce mandatory tags         |
| Disabled          | Temporarily disable policy             | Testing, exceptions            |

Essential Azure Policies

1. Require Storage Account Encryption

2. Allowed Locations

3. Auto-Enable Diagnostic Logging (DeployIfNotExists)

4. Require Tags

Terraform - Azure Policy Management


Cost Governance and FinOps

Cost governance prevents surprise cloud bills and ensures efficient spending.

Cost Control Strategies

1. Budgets and Alerts

2. Cost Allocation Tags

3. Reserved Instance Governance

4. Automated Cost Optimization

FinOps Best Practices

1. Tagging Strategy for Cost Allocation:

2. Chargeback Reports:

  • Monthly cost reports by CostCenter

  • Environment-based allocation

  • Application-level cost tracking

3. Reserved Instance Strategy:

  • Centralized RI purchasing (FinOps team only)

  • Analyze 3+ months usage before RI purchase

  • Start with 1-year commitments

  • Review quarterly, adjust as needed


Policy as Code Implementation

Manage all policies in version control for auditability and consistency.

Repository Structure

CI/CD Pipeline for Policy Deployment


What I Learned About Governance

After that $2.8M SOC 2 near-failure and dozens of governance implementations since:

Lesson 1: Preventive Controls Over Detective

Don't just detect violations after they happen. Make violations impossible with SCPs/Azure Policy.

Action: Implement deny policies for critical security requirements (encryption, public access, etc.)

Lesson 2: Policy as Code is Non-Negotiable

Manual policy management doesn't scale and creates inconsistencies.

Action: All policies in Git, deployed via CI/CD, code reviewed before production.

Lesson 3: Start with Essential Policies

Don't try to implement 100 policies on day one. Start with critical security baselines.

Action:

  1. Require encryption

  2. Restrict regions

  3. Prevent public access

  4. Protect security services

  5. Require MFA

Lesson 4: Test Policies Before Enforcement

Audit mode first, then enforce after validation.

Action: Deploy new policies in audit mode for 2 weeks, review violations, then switch to deny.

Lesson 5: Cost Governance Saves Millions

Uncontrolled cloud spending spirals quickly.

Action: Budgets, cost allocation tags, automated resource cleanup, RI governance.

Lesson 6: Automate Compliance Scanning

Manual compliance checks don't scale and miss violations.

Action: AWS Config, Azure Policy, automated remediation for common violations.

Lesson 7: Document Everything

Policies without documentation confuse teams and slow adoption.

Action: Every policy includes: purpose, affected resources, exceptions process, contact.

Lesson 8: Governance Enables Innovation

Good governance doesn't slow teams down - it enables safe experimentation with guardrails.

Action: Self-service with policy guardrails. Teams can provision resources quickly, securely.


Next Up: Monitoring, Logging, and Operational Excellence

In Article 6, we'll cover centralized logging, SIEM integration, monitoring strategies, and building observability into your landing zone.

Ready to observe everything? Let's go! 📊
