Governance and Policy Framework

Introduction

Working with cloud governance across various organizations has taught me that the difference between documentation and enforcement is everything.

In compliance and audit engagements, I've consistently seen a pattern where organizations document security requirements but fail to enforce them technically. Common findings include:

S3 buckets with public access despite policies prohibiting it
Unencrypted databases in production environments
Missing centralized logging across accounts
Root accounts without MFA enabled
Infrequent or missing access reviews
No approval processes for production changes
Overly permissive access controls

The root cause in these cases was treating governance as documentation rather than technical enforcement. Having a policy that says "buckets must be private" means nothing if developers can still create public buckets.

Through implementing governance frameworks, I've learned that effective governance uses preventive controls that make policy violations technically impossible, not just detective controls that find violations after they occur.

This article shares the governance patterns and policy-as-code approaches I've used to build enforceable compliance frameworks - covering Service Control Policies, Azure Policy, automated compliance scanning, and the shift from recommendations to guardrails.

What is Cloud Governance

Cloud governance is the framework of policies, procedures, and automated controls that ensure:

Security: Resources are configured securely
Compliance: Regulatory requirements are met
Cost: Spending stays within budget
Operations: Standards are consistently applied

The Governance Hierarchy

Key Principles

1. Preventive Over Detective

❌ Detective: Scan daily for unencrypted S3 buckets, alert if found
  Problem: Data already exposed for up to 24 hours

✅ Preventive: SCP denies creating unencrypted buckets
  Result: Impossible to create unencrypted bucket

2. Automated Over Manual

❌ Manual: Quarterly access reviews (spreadsheets, email)
  Problem: 3-month window for inappropriate access

✅ Automated: Daily automated access analysis, automatic revocation
  Result: Violations detected within hours

3. Immutable Over Mutable

❌ Mutable: CloudTrail logs in S3 bucket (can be deleted)
  Problem: Attacker can cover tracks

✅ Immutable: CloudTrail with S3 Object Lock (cannot be deleted)
  Result: Audit trail preserved even if account compromised

Service Control Policies (AWS SCPs)

SCPs are the ultimate authority in AWS. They define maximum permissions - even root users cannot bypass SCPs.

SCP Architecture

Inheritance Model:

Root OU: Deny deleting CloudTrail
└── Production OU: Require encryption
    └── PCI Workloads OU: Restrict to specific regions
        └── Account: Inherits ALL three policies

Essential SCPs

1. Prevent Leaving Organization

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}

Why it matters: Prevents rogue admin from removing account from central governance.

2. Require Encryption at Rest

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedS3",
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": ["aws:kms", "AES256"]
        }
      }
    },
    {
      "Sid": "DenyUnencryptedRDS",
      "Effect": "Deny",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBCluster"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "rds:StorageEncrypted": "false"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedEBS",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": {
          "ec2:Encrypted": "false"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedDynamoDB",
      "Effect": "Deny",
      "Action": "dynamodb:CreateTable",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "dynamodb:EncryptionType": "KMS"
        }
      }
    }
  ]
}

3. Restrict Approved Regions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "route53:*",
        "budgets:*",
        "ce:*",
        "cloudfront:*",
        "globalaccelerator:*",
        "health:*",
        "trustedadvisor:*",
        "support:*",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}

Why it matters: Data residency compliance (GDPR, CCPA), cost control, simplified operations.

4. Require MFA for Console Access

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllActionsWithoutMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

5. Prevent Disabling Security Services

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProtectGuardDuty",
      "Effect": "Deny",
      "Action": [
        "guardduty:DeleteDetector",
        "guardduty:DeleteMembers",
        "guardduty:DisassociateFromMasterAccount",
        "guardduty:StopMonitoringMembers",
        "guardduty:UpdateDetector"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProtectConfig",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}

6. Prevent Public Access

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicS3Buckets",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPublicAccessBlock",
        "s3:PutAccountPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:publicAccessBlock": "true"
        }
      }
    },
    {
      "Sid": "DenyPublicRDS",
      "Effect": "Deny",
      "Action": [
        "rds:ModifyDBInstance",
        "rds:ModifyDBCluster"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "rds:PubliclyAccessible": "true"
        }
      }
    }
  ]
}

Terraform - SCP Management

# SCP: Require Encryption
resource "aws_organizations_policy" "require_encryption" {
  name        = "require-encryption"
  description = "Require encryption at rest for all storage services"
  type        = "SERVICE_CONTROL_POLICY"
  
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "DenyUnencryptedStorage"
        Effect = "Deny"
        Action = [
          "s3:PutObject",
          "rds:CreateDBInstance",
          "rds:CreateDBCluster",
          "ec2:RunInstances",
          "dynamodb:CreateTable"
        ]
        Resource = "*"
        Condition = {
          # Complex conditions from examples above
        }
      }
    ]
  })
}

# Attach to Production OU
resource "aws_organizations_policy_attachment" "prod_encryption" {
  policy_id = aws_organizations_policy.require_encryption.id
  target_id = aws_organizations_organizational_unit.production.id
}

# SCP: Restrict Regions
resource "aws_organizations_policy" "restrict_regions" {
  name    = "restrict-regions"
  type    = "SERVICE_CONTROL_POLICY"
  
  content = file("${path.module}/policies/restrict-regions.json")
}

# Attach to Root (applies to all accounts)
resource "aws_organizations_policy_attachment" "root_regions" {
  policy_id = aws_organizations_policy.restrict_regions.id
  target_id = data.aws_organizations_organization.main.roots[0].id
}

Azure Policy and Management Groups

Azure Policy provides similar governance capabilities with richer evaluation logic.

Azure Policy Effects

Effect

Description

Use Case

Deny

Block resource creation/modification

Prevent unencrypted storage

Audit

Log non-compliant resources

Detect resources missing tags

AuditIfNotExists

Audit if related resource missing

Check if VM has backup enabled

DeployIfNotExists

Automatically deploy missing resource

Auto-enable diagnostic logging

Modify

Add/update/remove tags or properties

Enforce mandatory tags

Disabled

Temporarily disable policy

Testing, exceptions

Essential Azure Policies

1. Require Storage Account Encryption

{
  "properties": {
    "displayName": "Storage accounts should use customer-managed keys for encryption",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Enforce encryption with customer-managed keys for data at rest",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/encryption.keySource",
                "notEquals": "Microsoft.Keyvault"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/encryption.keyVaultProperties.keyName",
                "exists": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

2. Allowed Locations

{
  "properties": {
    "displayName": "Allowed locations for resources",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "The list of locations that resources can be created in",
          "strongType": "location"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

3. Auto-Enable Diagnostic Logging (DeployIfNotExists)

{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Storage Accounts",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "logAnalyticsWorkspaceId": {
        "type": "String",
        "metadata": {
          "displayName": "Log Analytics Workspace ID"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "workspaceId": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Storage/storageAccounts/providers/diagnosticSettings",
                    "apiVersion": "2021-05-01-preview",
                    "name": "[concat(parameters('resourceName'), '/Microsoft.Insights/default')]",
                    "properties": {
                      "workspaceId": "[parameters('workspaceId')]",
                      "logs": [
                        {
                          "category": "StorageRead",
                          "enabled": true
                        },
                        {
                          "category": "StorageWrite",
                          "enabled": true
                        },
                        {
                          "category": "StorageDelete",
                          "enabled": true
                        }
                      ],
                      "metrics": [
                        {
                          "category": "Transaction",
                          "enabled": true
                        }
                      ]
                    }
                  }
                ]
              },
              "parameters": {
                "resourceName": {
                  "value": "[field('name')]"
                },
                "workspaceId": {
                  "value": "[parameters('logAnalyticsWorkspaceId')]"
                }
              }
            }
          }
        }
      }
    }
  }
}

4. Require Tags

{
  "properties": {
    "displayName": "Require specified tags on resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagNames": {
        "type": "Array",
        "metadata": {
          "displayName": "Tag Names",
          "description": "List of required tag names"
        },
        "defaultValue": ["Environment", "CostCenter", "Owner"]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "[concat('tags[', parameters('tagNames')[0], ']')]",
            "exists": "false"
          },
          {
            "field": "[concat('tags[', parameters('tagNames')[1], ']')]",
            "exists": "false"
          },
          {
            "field": "[concat('tags[', parameters('tagNames')[2], ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Terraform - Azure Policy Management

# Policy Definition
resource "azurerm_policy_definition" "require_encryption" {
  name         = "require-storage-encryption"
  policy_type  = "Custom"
  mode         = "Indexed"
  display_name = "Require customer-managed encryption for storage accounts"
  
  metadata = jsonencode({
    category = "Storage"
    version  = "1.0.0"
  })
  
  policy_rule = file("${path.module}/policies/require-storage-encryption.json")
}

# Policy Assignment at Management Group
resource "azurerm_management_group_policy_assignment" "require_encryption" {
  name                 = "require-encryption"
  management_group_id  = azurerm_management_group.landing_zones.id
  policy_definition_id = azurerm_policy_definition.require_encryption.id
  
  description = "Enforces customer-managed encryption on all storage accounts"
  display_name = "Require Storage Encryption"
  
  parameters = jsonencode({
    effect = {
      value = "Deny"
    }
  })
}

# Policy Initiative (Bundle of Policies)
resource "azurerm_policy_set_definition" "security_baseline" {
  name         = "security-baseline"
  policy_type  = "Custom"
  display_name = "Security Baseline Policy Set"
  
  parameters = jsonencode({
    allowedLocations = {
      type = "Array"
      metadata = {
        displayName = "Allowed Locations"
      }
    }
  })
  
  policy_definition_reference {
    policy_definition_id = azurerm_policy_definition.require_encryption.id
    parameter_values = jsonencode({})
  }
  
  policy_definition_reference {
    policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"  # Allowed locations
    parameter_values = jsonencode({
      allowedLocations = {
        value = ["eastus", "westus", "westeurope"]
      }
    })
  }
  
  policy_definition_reference {
    policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d"  # Require tag
    parameter_values = jsonencode({
      tagName = {
        value = "Environment"
      }
    })
  }
}

# Assign Policy Initiative
resource "azurerm_management_group_policy_assignment" "security_baseline" {
  name                 = "security-baseline"
  management_group_id  = azurerm_management_group.root.id
  policy_definition_id = azurerm_policy_set_definition.security_baseline.id
  
  parameters = jsonencode({
    allowedLocations = {
      value = ["eastus", "westus", "westeurope"]
    }
  })
}

Cost Governance and FinOps

Cost governance prevents surprise cloud bills and ensures efficient spending.

Cost Control Strategies

1. Budgets and Alerts

# AWS Budget
resource "aws_budgets_budget" "monthly_cost" {
  name              = "monthly-cost-budget"
  budget_type       = "COST"
  limit_amount      = "10000"
  limit_unit        = "USD"
  time_period_start = "2024-01-01_00:00"
  time_unit         = "MONTHLY"
  
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = ["[email protected]"]
  }
  
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = ["[email protected]", "[email protected]"]
  }
  
  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 90
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = ["[email protected]"]
  }
}

# Budget per Environment
resource "aws_budgets_budget" "production" {
  name              = "production-budget"
  budget_type       = "COST"
  limit_amount      = "5000"
  limit_unit        = "USD"
  time_unit         = "MONTHLY"
  
  cost_filter {
    name = "TagKeyValue"
    values = [
      "Environment$production"
    ]
  }
}

# Azure Budget
resource "azurerm_consumption_budget_subscription" "monthly" {
  name            = "monthly-budget"
  subscription_id = data.azurerm_subscription.current.id
  
  amount     = 10000
  time_grain = "Monthly"
  
  time_period {
    start_date = "2024-01-01T00:00:00Z"
  }
  
  notification {
    enabled   = true
    threshold = 80
    operator  = "GreaterThan"
    
    contact_emails = [
      "[email protected]"
    ]
  }
  
  notification {
    enabled   = true
    threshold = 100
    operator  = "GreaterThan"
    
    contact_emails = [
      "[email protected]",
      "[email protected]"
    ]
  }
}

2. Cost Allocation Tags

# Enable Cost Allocation Tags (AWS)
resource "aws_ce_cost_category" "environment" {
  name         = "Environment"
  rule_version = "CostCategoryExpression.v1"
  
  rule {
    value = "Production"
    rule {
      dimension {
        key           = "TAG"
        match_options = ["EQUALS"]
        values        = ["Environment$production"]
      }
    }
  }
  
  rule {
    value = "Development"
    rule {
      dimension {
        key           = "TAG"
        match_options = ["EQUALS"]
        values        = ["Environment$dev", "Environment$development"]
      }
    }
  }
}

3. Reserved Instance Governance

# SCP: Prevent RI/Savings Plan purchases without approval
resource "aws_organizations_policy" "restrict_ri_purchases" {
  name = "restrict-ri-purchases"
  type = "SERVICE_CONTROL_POLICY"
  
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "DenyRIPurchases"
        Effect = "Deny"
        Action = [
          "ec2:PurchaseReservedInstancesOffering",
          "rds:PurchaseReservedDBInstancesOffering",
          "elasticache:PurchaseReservedCacheNodesOffering",
          "savingsplans:CreateSavingsPlan"
        ]
        Resource = "*"
        Condition = {
          StringNotEquals = {
            "aws:PrincipalArn" = [
              "arn:aws:iam::123456789012:role/FinOpsTeamRole"
            ]
          }
        }
      }
    ]
  })
}

4. Automated Cost Optimization

# Lambda function: Auto-stop dev instances after hours
import boto3
import os
from datetime import datetime, time

ec2 = boto3.client('ec2')

def lambda_handler(event, context):
    """Stop dev instances outside business hours"""
    
    # Business hours: 7 AM - 7 PM Monday-Friday
    now = datetime.now()
    business_hours = time(7, 0) <= now.time() <= time(19, 0)
    weekday = now.weekday() < 5  # Monday = 0, Friday = 4
    
    if business_hours and weekday:
        print("During business hours, skipping")
        return
    
    # Find running dev instances
    response = ec2.describe_instances(
        Filters=[
            {'Name': 'tag:Environment', 'Values': ['dev', 'development']},
            {'Name': 'instance-state-name', 'Values': ['running']}
        ]
    )
    
    instance_ids = []
    for reservation in response['Reservations']:
        for instance in reservation['Instances']:
            instance_ids.append(instance['InstanceId'])
    
    if instance_ids:
        print(f"Stopping {len(instance_ids)} dev instances")
        ec2.stop_instances(InstanceIds=instance_ids)
    else:
        print("No running dev instances found")
    
    return {
        'statusCode': 200,
        'body': f'Stopped {len(instance_ids)} instances'
    }

FinOps Best Practices

1. Tagging Strategy for Cost Allocation:

Required Tags:
- CostCenter: Engineering, Marketing, Sales
- Environment: Production, Staging, Dev
- Application: payment-api, user-service, etc.
- Owner: [email protected]

2. Chargeback Reports:

Monthly cost reports by CostCenter
Environment-based allocation
Application-level cost tracking

3. Reserved Instance Strategy:

Centralized RI purchasing (FinOps team only)
Analyze 3+ months usage before RI purchase
Start with 1-year commitments
Review quarterly, adjust as needed

Policy as Code Implementation

Manage all policies in version control for auditability and consistency.

Repository Structure

governance/
├── aws/
│   ├── scps/
│   │   ├── require-encryption.json
│   │   ├── restrict-regions.json
│   │   ├── prevent-public-access.json
│   │   └── protect-security-services.json
│   ├── config-rules/
│   │   ├── s3-bucket-encryption.yaml
│   │   ├── rds-encryption.yaml
│   │   └── vpc-flow-logs-enabled.yaml
│   └── terraform/
│       ├── scps.tf
│       ├── config.tf
│       └── guardduty.tf
├── azure/
│   ├── policies/
│   │   ├── require-encryption.json
│   │   ├── allowed-locations.json
│   │   └── require-tags.json
│   ├── initiatives/
│   │   └── security-baseline.json
│   └── terraform/
│       ├── policies.tf
│       └── assignments.tf
├── gcp/
│   ├── organization-policies/
│   │   ├── restrict-regions.yaml
│   │   └── require-labels.yaml
│   └── terraform/
│       └── org-policies.tf
└── tests/
    ├── test_scps.py
    ├── test_azure_policies.py
    └── test_gcp_policies.py

CI/CD Pipeline for Policy Deployment

# .github/workflows/deploy-policies.yml
name: Deploy Governance Policies

on:
  push:
    branches: [main]
    paths:
      - 'governance/**'
  pull_request:
    branches: [main]
    paths:
      - 'governance/**'

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Validate JSON syntax
        run: |
          for file in $(find governance -name '*.json'); do
            echo "Validating $file"
            jq empty "$file" || exit 1
          done
      
      - name: Terraform fmt check
        run: terraform fmt -check -recursive governance/
      
      - name: Terraform validate
        run: |
          cd governance/aws/terraform
          terraform init -backend=false
          terraform validate
  
  test:
    runs-on: ubuntu-latest
    needs: validate
    steps:
      - uses: actions/checkout@v3
      
      - name: Run policy tests
        run: |
          pip install pytest boto3 moto
          pytest governance/tests/
  
  plan:
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v3
      
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActions
          aws-region: us-east-1
      
      - name: Terraform Plan
        run: |
          cd governance/aws/terraform
          terraform init
          terraform plan -out=tfplan
      
      - name: Comment Plan on PR
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            const plan = fs.readFileSync('governance/aws/terraform/tfplan.txt', 'utf8');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## Terraform Plan\n\`\`\`\n${plan}\n\`\`\``
            });
  
  deploy:
    runs-on: ubuntu-latest
    needs: test
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v3
      
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActions
          aws-region: us-east-1
      
      - name: Terraform Apply
        run: |
          cd governance/aws/terraform
          terraform init
          terraform apply -auto-approve
      
      - name: Notify Slack
        uses: slackapi/slack-github-action@v1
        with:
          webhook-url: ${{ secrets.SLACK_WEBHOOK }}
          payload: |
            {
              "text": "Governance policies deployed to production",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "✅ Governance policies successfully deployed"
                  }
                }
              ]
            }

What I Learned About Governance

After that $2.8M SOC 2 near-failure and dozens of governance implementations since:

Lesson 1: Preventive Controls Over Detective

Don't just detect violations after they happen. Make violations impossible with SCPs/Azure Policy.

Action: Implement deny policies for critical security requirements (encryption, public access, etc.)

Lesson 2: Policy as Code is Non-Negotiable

Manual policy management doesn't scale and creates inconsistencies.

Action: All policies in Git, deployed via CI/CD, code reviewed before production.

Lesson 3: Start with Essential Policies

Don't try to implement 100 policies on day one. Start with critical security baselines.

Action:

Require encryption
Restrict regions
Prevent public access
Protect security services
Require MFA

Lesson 4: Test Policies Before Enforcement

Audit mode first, then enforce after validation.

Action: Deploy new policies in audit mode for 2 weeks, review violations, then switch to deny.

Lesson 5: Cost Governance Saves Millions

Uncontrolled cloud spending spirals quickly.

Action: Budgets, cost allocation tags, automated resource cleanup, RI governance.

Lesson 6: Automate Compliance Scanning

Manual compliance checks don't scale and miss violations.

Action: AWS Config, Azure Policy, automated remediation for common violations.

Lesson 7: Document Everything

Policies without documentation confuse teams and slow adoption.

Action: Every policy includes: purpose, affected resources, exceptions process, contact.

Lesson 8: Governance Enables Innovation

Good governance doesn't slow teams down - it enables safe experimentation with guardrails.

Action: Self-service with policy guardrails. Teams can provision resources quickly, securely.

Next Up: Monitoring, Logging, and Operational Excellence

In Article 6, we'll cover centralized logging, SIEM integration, monitoring strategies, and building observability into your landing zone.

Ready to observe everything? Let's go! 📊

PreviousNetwork Architecture and Connectivity NextMonitoring, Logging, and Operational Excellence

Last updated 1 month ago

hashtagTable of Contents

hashtagIntroduction

hashtagWhat is Cloud Governance

hashtagThe Governance Hierarchy

hashtagKey Principles

hashtagService Control Policies (AWS SCPs)

hashtagSCP Architecture

hashtagEssential SCPs

hashtagTerraform - SCP Management

hashtagAzure Policy and Management Groups

hashtagAzure Policy Effects

hashtagEssential Azure Policies

hashtagTerraform - Azure Policy Management

hashtagCost Governance and FinOps

hashtagCost Control Strategies

hashtagFinOps Best Practices

hashtagPolicy as Code Implementation

hashtagRepository Structure

hashtagCI/CD Pipeline for Policy Deployment

hashtagWhat I Learned About Governance

hashtagLesson 1: Preventive Controls Over Detective

hashtagLesson 2: Policy as Code is Non-Negotiable

hashtagLesson 3: Start with Essential Policies

hashtagLesson 4: Test Policies Before Enforcement

hashtagLesson 5: Cost Governance Saves Millions

hashtagLesson 6: Automate Compliance Scanning

hashtagLesson 7: Document Everything

hashtagLesson 8: Governance Enables Innovation

Table of Contents