Reduce Cost at Scale with Automated Governance & Guardrails

By Morten Jensen



Background

As organisations continue to grow, and AWS consumption increases with them, governance and guardrails need to scale as cost-effectively as the workloads themselves, so that security requirements are met across the whole estate.

A key requirement for moving quickly to expand and improve services and products in AWS is to let developers work unhindered while establishing a set of guardrails that ensure workloads operate safely.

Solutions

Virtuability has worked closely with organisations to considerably improve governance and guardrails throughout the AWS estate, which includes automation to ensure that accounts, workloads and teams are automatically covered.

The portfolio of solutions is a mix of out-of-the-box AWS capabilities combined with a range of tools that minimise overall operational overheads. The tools and capabilities include:

  • An AWS Organizations account structure rooted in team structure and the development lifecycle, combined with Control Tower for general governance and guardrails of the AWS estate and its users
  • Automated deployment of bespoke and Control Tower Preventive, Proactive and Detective controls across the organisation in a unified configuration, applied transparently at the Organization, OU and account level
  • Automated AWS SSO (IAM Identity Center) deployment of permission sets, customer-managed policies and account assignments as teams change, new accounts are provisioned or existing accounts are moved within the Organization structure
  • An EC2 & container Image Builder factory with automated build, hardening, test and publishing of a unified set of hardened OS flavours (25+) that are shared with and used across the organisation. Adding new hardened OS flavours, or retiring old ones, is a simple and very time-efficient process
  • An automated, unified pipeline roles factory that distributes deployment pipeline roles across the organisation, including a set of guardrails that ensure policies and permissions are correct
  • A unified set of Cloud Development Kit (CDK) & CloudFormation bootstrap stacks, roles and policies that separate landing zone concerns from application workloads through a combination of IAM paths, Permissions Boundaries and Service Control Policies
  • A split of landing zone, deployment and app/services workload roles and resources using IAM policy and role paths together with permissions boundaries, which allows developers to hold broader permissions within well-established boundaries
  • Regular, automated reporting of aggregate Security Hub findings, which has enabled the organisation to identify and correct problematic workloads on a risk/impact basis
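As an added illustration of the landing-zone/workload split described in the last three bullets (not Virtuability's own policies), the two policy documents below show how IAM paths, a permissions boundary and a Service Control Policy fit together: the SCP reserves everything under a `/landing-zone/` path for landing-zone roles and forces every role under `/app/` to carry the landing-zone boundary, and the boundary caps what such a role can ever do. The paths, the boundary name `AppBoundary` and the allowed services are assumptions for this example.

```yaml
# Added example (assumed paths /landing-zone/ and /app/, assumed boundary
# name AppBoundary); two policy documents shown together as YAML.
# 1. Service Control Policy, attached to the OU holding workload accounts.
ServiceControlPolicy:
  Version: "2012-10-17"
  Statement:
    # Only landing-zone roles may touch landing-zone roles and policies.
    - Sid: ProtectLandingZoneIam
      Effect: Deny
      Action: ["iam:Create*", "iam:Delete*", "iam:Put*", "iam:Update*",
               "iam:Attach*", "iam:Detach*"]
      Resource:
        - "arn:aws:iam::*:role/landing-zone/*"
        - "arn:aws:iam::*:policy/landing-zone/*"
      Condition:
        ArnNotLike:
          aws:PrincipalArn: "arn:aws:iam::*:role/landing-zone/*"
    # Workload roles may only be created or re-bounded with the landing-zone
    # boundary; a request with no boundary at all also matches ArnNotLike.
    - Sid: AppRolesMustCarryBoundary
      Effect: Deny
      Action: ["iam:CreateRole", "iam:PutRolePermissionsBoundary"]
      Resource: "arn:aws:iam::*:role/app/*"
      Condition:
        ArnNotLike:
          iam:PermissionsBoundary: "arn:aws:iam::*:policy/landing-zone/AppBoundary"
    # And the boundary can never be removed once attached.
    - Sid: BoundaryIsSticky
      Effect: Deny
      Action: "iam:DeleteRolePermissionsBoundary"
      Resource: "arn:aws:iam::*:role/app/*"

# 2. The permissions boundary every /app/ role must carry. A role's effective
#    permissions are the intersection of its own policies and this document,
#    so developers can grant themselves anything inside these limits.
AppBoundary:
  Version: "2012-10-17"
  Statement:
    - Sid: WorkloadServices
      Effect: Allow
      Action: ["s3:*", "dynamodb:*", "lambda:*", "sqs:*", "logs:*", "cloudwatch:*"]
      Resource: "*"
    # IAM self-service stays under /app/; /landing-zone/ is unreachable.
    - Sid: IamOnlyUnderAppPath
      Effect: Allow
      Action: ["iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:PassRole",
               "iam:AttachRolePolicy", "iam:DetachRolePolicy",
               "iam:PutRolePolicy", "iam:DeleteRolePolicy"]
      Resource: "arn:aws:iam::*:role/app/*"
```

SCPs never grant permissions and do not apply to the organisation's management account, so the boundary still has to be attached to each role and the landing-zone automation itself should run from a role matching the `aws:PrincipalArn` exception.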

Business Outcomes

Through the new tools and capabilities, organisations have improved governance and security posture considerably while scaling AWS consumption at the same time.

This has led to a hands-off approach to provisioning new accounts, guardrails, SSO permission sets and so on.

Many previously manual and laborious challenges have been eliminated over time, which has allowed the IT Operations & Security teams to instead focus on other business objectives and the future.

For more information, please feel free to contact us at team@virtuability.com.