2022-02-22 Chapter 20 - Governance
February 22, 2022
governance-001; {{c1::AWS Organisations}} is a free governance tool that allows you to create and manage multiple AWS accounts. With it, you can control your accounts from a single location rather than jumping from account to account.
governance-002; When using AWS Organisations, it's best practice to create a specific account dedicated to {{c1::logging}}. {{c1::CloudTrail}} supports logs aggregation.
governance-003; AWS Organisations allows you to combine and share {{c1::reserved instances}} across AWS accounts.
governance-004; When managing multiple applications, it's a good idea to isolate resources across different {{c1::AWS accounts}}.
governance-005; AWS Organisations supports consolidated {{c1::billing}}.
governance-006; AWS Organisations includes {{c1::service control policies}} which restrict what users can do within specific AWS accounts. These apply even to the {{c1::root user}} and {{c1::override}} other permission sets. They are structured like IAM policy documents. Note that these don't grant permissions - they only restrict. An "Allow" statement in a {{c1::service control policy}} effectively means {{c1::deny}} everything not listed here.
governance-007; {{c1::AWS Resource Access Manager (RAM)}} is a free service that allows you to share a broad range of resources (e.g. Transit Gateways, VPC subnets, License Manager, Route 53 Resolver, dedicated hosts) with other AWS accounts and within your organisation.
governance-008; AWS Resource Access Manager (RAM) differs from {{c1::VPC peering}} in that RAM makes it slightly easier to share resources within the same region, whereas {{c1::VPC peering}} makes it slightly easier to share resources across different regions.
governance-009; Cross-account {{c1::IAM role}} access can be useful for granting temporary access to sensitive resources such as production AWS accounts.
governance-010; {{c1::AWS Config}} is an inventory management and control tool. It allows you to review the history of your infrastructure, create rules to make sure that you're following best practices, and trigger alerts or automated remediations (automation documents or Lambda functions) in case of compliance misses.
governance-011; AWS Config offers both {{c1::preconfigured}} and {{c1::custom}} rules.
governance-012; AWS Config is not a {{c1::free}} service.
governance-013; {{c1::AWS Directory Service}} is a fully managed version of Active Directory. It allows you to offload the painful parts of keeping AD online to AWS while still giving you full control and flexibility.
governance-014; AWS Directory Service offers different types: 1) {{c1::Managed Microsoft AD}}, which includes the entire AD suite to build in AWS; 2) {{c1::AD Connector}}, which creates a tunnel between AWS and your on-premises AD; and 3) {{c1::Simple AD}}, which includes the basics of AD, powered by a Linux Samba Active Directory-compatible server.
governance-015; {{c1::AWS Cost Explorer}} is an easy-to-use tool that allows you to visualise your cloud costs. You can generate reports using services and tags for segregation and filtering.
governance-016; AWS Cost Explorer supports generating {{c1::forecasts}} based on statistical algorithms.
governance-017; {{c1::AWS Budgets}} allows organisations to plan and set expectations around cloud costs. You can easily track ongoing spend and create related alerts and actions.
governance-018; AWS Budgets supports 4 different types of budgets: 1) {{c1::cost}} budgets, 2) {{c1::usage}} budgets, 3) {{c1::reservation}} budgets, 4) {{c1::savings plan}} budgets.
governance-019; {{c1::AWS Trusted Advisor}} is a fully managed best-practice auditing tool that scans 5 different parts of AWS accounts to look for places to improve: 1) cost optimisation, 2) performance, 3) security, 4) fault tolerance, 5) service limits.
governance-020; AWS Trusted Advisor is free, but includes more checks for users who subscribe to an {{c1::AWS business or enterprise support plan}}.
governance-021; AWS Trusted Advisor doesn't {{c1::remediate issues}}, but can of course be linked with EventBridge + Lambda to handle actions.
governance-022; {{c1::AWS Cognito}} is an authentication service for external users of AWS resources, e.g. users of a mobile app running on AWS.