Amazon Onboarding with Learning Manager Chanci Turner


Effective IT governance within a dynamic DevOps environment is essential for aligning security, operations, and productivity, ensuring that organizations meet their business objectives. As companies transition to the cloud, they find themselves navigating various stages of governance implementation, each presenting unique challenges. This article, the first in a series, outlines a four-step strategy to automate governance using AWS services.

Governance in the DevOps Environment

In a DevOps and agile framework, developers are tasked with building and operating services, often depending on a central security team to formulate and enforce policies, seek security reviews, and implement best practices. These guidelines are not rigidly enforced, allowing developers the flexibility to leverage AWS services. However, due to time constraints or lack of awareness, best practices may be overlooked. Strict enforcement of these practices could hinder the development process, turning the security team into a bottleneck.

For organizations migrating to AWS, the automated governance mechanisms discussed here will maintain flexibility for developers while offering necessary controls for security teams.

Common challenges faced in a dynamic development environment include:

  • Quick solutions that may involve hardcoding credentials in the code
  • Cost management, such as controlling the type of instance deployed
  • Knowledge transfer issues
  • Reliance on manual processes

Steps to Governance

Here’s a four-step approach to automating governance:

  1. Control: Implement controls for high-risk actions during the initial setup.
  2. Monitor: Continuously monitor your environment to ensure proper resource configuration.
  3. Fix: Address any issues as soon as they are identified.
  4. Audit: Regularly generate audit reports to confirm compliance.

To illustrate this approach, consider a scenario where a central IT team allows its Big Data team to run a test environment using Amazon EMR clusters. The team initially runs jobs with 100 t2.medium instances, but when a member mistakenly spins up 100 r3.8xlarge instances in an effort to expedite the job, unexpected costs arise.

To prevent this from recurring, the central IT team implements several governance measures:

  • Control: Using CloudFormation, they restrict both the number and type of instances, while AWS Identity and Access Management (IAM) limits modifications to the EMR cluster to a designated group.
  • Monitor: The team employs tagging, AWS Config, and AWS Trusted Advisor to oversee instance limits, ensuring compliance with established parameters.
  • Fix: A custom Config rule is created to terminate any instances that do not conform to specified types.
  • Audit: The lifecycle of the EMR instance is reviewed using AWS Config.

Control

To minimize errors, standardizing configurations through AWS CloudFormation, restricting options via AWS Service Catalog, and managing permissions with IAM are vital strategies. For instance, CloudFormation allows the team to enforce a fixed instance type and a maximum of 100 instances, preventing the selection of r3.8xlarge instances.
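The control step described above, as an added example that is not part of the original article: a constructed CloudFormation-style template whose parameters pin the EMR core instance type to t2.medium and cap the count at 100, together with a validator that mirrors the parameter checks CloudFormation applies at stack creation and an audit function that flags templates whose instance groups are not pinned at all. The template is abbreviated (a real AWS::EMR::Cluster needs roles, a release label and a master group) and the parameter names are assumptions; the AllowedValues, MinValue and MaxValue constraints are standard CloudFormation template features.

```python
"""Control step: a template that pins the EMR instance type and caps the count,
plus pre-deployment checks a central IT team can run in CI. Template, parameter
names and values are constructed for illustration (added example, not from the page)."""

EMR_TEMPLATE = {
    "Parameters": {
        # Only the approved type can be chosen ...
        "CoreInstanceType": {"Type": "String", "Default": "t2.medium",
                             "AllowedValues": ["t2.medium"]},
        # ... and the fleet is capped at 100 nodes.
        "CoreInstanceCount": {"Type": "Number", "Default": 10,
                              "MinValue": 1, "MaxValue": 100},
    },
    "Resources": {
        "TestCluster": {
            "Type": "AWS::EMR::Cluster",
            "Properties": {"Instances": {"CoreInstanceGroup": {
                "InstanceType": {"Ref": "CoreInstanceType"},
                "InstanceCount": {"Ref": "CoreInstanceCount"},
            }}},
        }
    },
}


def validate_parameters(template, supplied):
    """Mirror the parameter checks CloudFormation applies at stack creation
    (unknown parameter, missing value, numeric type, MinValue/MaxValue,
    AllowedValues) and return a list of human-readable violations."""
    violations = []
    params = template.get("Parameters", {})
    for name in supplied:
        if name not in params:
            violations.append(f"{name}: not a template parameter")
    for name, spec in params.items():
        value = supplied.get(name, spec.get("Default"))
        if value is None:
            violations.append(f"{name}: no value supplied and no Default")
            continue
        if spec.get("Type") == "Number":
            try:
                num = float(value)
            except (TypeError, ValueError):
                violations.append(f"{name}: {value!r} is not a number")
                continue
            if "MinValue" in spec and num < spec["MinValue"]:
                violations.append(f"{name}: {value!r} below MinValue {spec['MinValue']}")
            if "MaxValue" in spec and num > spec["MaxValue"]:
                violations.append(f"{name}: {value!r} above MaxValue {spec['MaxValue']}")
        allowed = spec.get("AllowedValues")
        if allowed is not None and str(value) not in {str(v) for v in allowed}:
            violations.append(f"{name}: {value!r} not in AllowedValues {allowed}")
    return violations


def _candidate_values(prop, params):
    """Values a property can take: a literal, or the AllowedValues of the
    parameter it Refs (None when that parameter is unconstrained)."""
    if isinstance(prop, dict) and "Ref" in prop:
        return params.get(prop["Ref"], {}).get("AllowedValues")
    return [prop]


def _upper_bound(prop, params):
    """Largest value a count property can take, or None if unbounded."""
    if isinstance(prop, dict) and "Ref" in prop:
        return params.get(prop["Ref"], {}).get("MaxValue")
    return prop


def audit_template_guardrails(template, approved_types, max_count):
    """Flag every EMR instance group that is not pinned to an approved type
    and a bounded count, whether the values are literal or come via Ref."""
    findings = []
    params = template.get("Parameters", {})
    for res_name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EMR::Cluster":
            continue
        groups = res.get("Properties", {}).get("Instances", {})
        for group_name, group in groups.items():
            if not isinstance(group, dict) or "InstanceType" not in group:
                continue  # scalar settings such as Ec2SubnetId
            where = f"{res_name}.{group_name}"
            types = _candidate_values(group["InstanceType"], params)
            if types is None:
                findings.append(f"{where}: InstanceType has no AllowedValues")
            else:
                for t in types:
                    if t not in approved_types:
                        findings.append(f"{where}: InstanceType {t} not approved")
            bound = _upper_bound(group.get("InstanceCount", 1), params)
            if bound is None or bound > max_count:
                findings.append(f"{where}: InstanceCount not capped at {max_count}")
    return findings
```

validate_parameters reproduces what CloudFormation would reject when someone supplies r3.8xlarge or a count of 101 against this template; audit_template_guardrails is the complementary check for templates developers write themselves, so that a literal "r3.8xlarge" or an uncapped count parameter is caught before the stack exists.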

Monitor

Maximize the use of logs from AWS CloudTrail, Amazon CloudWatch, Amazon VPC, Amazon S3, and Elastic Load Balancing. AWS Config, Trusted Advisor, and CloudWatch events and alarms can be employed to monitor these logs. CloudTrail is instrumental in logging API calls within AWS, aiding in troubleshooting, securing the environment, and generating audit reports. For instance, it can help identify who launched the unauthorized r3.8xlarge instances.
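The CloudTrail question raised above (who launched the unauthorized r3.8xlarge instances?), as an added example that is not part of the original article: a small parser over a constructed CloudTrail log file. The record layout (a Records list with eventName, userIdentity, requestParameters, responseElements and errorCode) follows the CloudTrail event format; the account id, user names, IP addresses, instance ids and timestamps are invented. The log deliberately includes a launch that IAM denied, so the attempt is visible in the audit trail even though no instance resulted.

```python
"""Monitor step: attribute unapproved RunInstances calls from CloudTrail.
Records are constructed to follow the CloudTrail event format; all values are
invented (added example, not from the page)."""
import json
from collections import Counter

APPROVED_TYPES = {"t2.medium"}

# Constructed log: an approved launch, an unapproved launch that succeeded,
# an unapproved attempt that IAM denied, and an unrelated read-only call.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bigdata-dev-1",
                      "arn": "arn:aws:iam::111122223333:user/bigdata-dev-1"},
     "requestParameters": {"instanceType": "t2.medium",
                           "instancesSet": {"items": [{"minCount": 2, "maxCount": 2}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa"},
                                                     {"instanceId": "i-0aab"}]}}},
    {"eventTime": "2016-03-01T11:02:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bigdata-dev-2",
                      "arn": "arn:aws:iam::111122223333:user/bigdata-dev-2"},
     "requestParameters": {"instanceType": "r3.8xlarge",
                           "instancesSet": {"items": [{"minCount": 3, "maxCount": 3}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bba"},
                                                     {"instanceId": "i-0bbb"},
                                                     {"instanceId": "i-0bbc"}]}}},
    {"eventTime": "2016-03-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/BigDataRole/dev-3"},
     "requestParameters": {"instanceType": "r3.8xlarge",
                           "instancesSet": {"items": [{"minCount": 100, "maxCount": 100}]}},
     "errorCode": "Client.UnauthorizedOperation",  # the IAM control held
     "responseElements": None},
    {"eventTime": "2016-03-01T11:31:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "bigdata-dev-1",
                      "arn": "arn:aws:iam::111122223333:user/bigdata-dev-1"},
     "requestParameters": {}, "responseElements": None},
]})


def unapproved_launches(log_text, approved_types):
    """One record per RunInstances call for a non-approved instance type:
    who made it, when and from where, how many instances were requested,
    and which instance ids actually came back (none if the call failed)."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        req = rec.get("requestParameters") or {}
        itype = req.get("instanceType")
        if itype in approved_types:
            continue
        resp = rec.get("responseElements") or {}  # null when the call failed
        hits.append({
            "time": rec["eventTime"],
            "principal": rec["userIdentity"].get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "instance_type": itype,
            "requested": sum(i.get("maxCount", 0)
                             for i in req.get("instancesSet", {}).get("items", [])),
            "launched": [i["instanceId"]
                         for i in resp.get("instancesSet", {}).get("items", [])],
            "denied": rec.get("errorCode"),  # None when the call succeeded
        })
    return hits


def launched_by_principal(hits):
    """Audit summary: unapproved instances each principal actually got running."""
    counts = Counter()
    for h in hits:
        counts[h["principal"]] += len(h["launched"])
    return dict(counts)
```

Run over real CloudTrail files, the same two functions give the "who, when, from where, and how many" answer the article asks for, and the denied attempt shows why the Monitor step still matters after the Control step is in place: a principal that keeps hitting the deny is worth a conversation even though no cost was incurred.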

AWS Config enables tracking and compliance with established rules, providing an overview of your environment’s compliance status.
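The custom Config rule from the scenario's Fix step, together with the compliance tracking described in this paragraph, as an added example that is not part of the original article: the evaluation logic of a custom AWS Config rule packaged as a Lambda handler. It marks an EC2 instance NON_COMPLIANT when its type is not on the approved list and, only when the rule parameter terminateNonCompliant is "true", terminates it. The event layout (invokingEvent, ruleParameters, resultToken, configurationItem) and the put_evaluations call follow the AWS Config custom-rule contract; the parameter names approvedTypes and terminateNonCompliant, the configuration item, the instance id and the RecordingClient test double are constructed for this example.

```python
"""Monitor and Fix steps: a custom AWS Config rule for EC2 instance types.
Event shape follows the Config custom-rule contract; parameter names, the
sample configuration item and the test double are constructed (added example,
not from the page)."""
import json


def evaluate_instance(item, approved_types):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource no longer exists"
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    itype = item["configuration"].get("instanceType")
    if itype in approved_types:
        return "COMPLIANT", f"{itype} is an approved type"
    return "NON_COMPLIANT", f"{itype} is not one of {sorted(approved_types)}"


def build_evaluation(item, compliance, annotation):
    """Shape one entry for config.put_evaluations(Evaluations=[...])."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None, ec2_client=None):
    """AWS Config invokes this on each EC2 instance configuration change.
    Clients are injectable so the logic can be exercised without AWS access."""
    invoking = json.loads(event["invokingEvent"])
    if "configurationItem" not in invoking:
        return {"evaluation": None, "terminated": []}  # scheduled/oversized notification
    params = json.loads(event.get("ruleParameters") or "{}")
    approved = {t.strip() for t in params.get("approvedTypes", "t2.medium").split(",")}
    item = invoking["configurationItem"]
    compliance, note = evaluate_instance(item, approved)
    evaluation = build_evaluation(item, compliance, note)
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    terminated = []
    # Fix step: terminate on the spot, but only if the rule was deployed with
    # terminateNonCompliant=true; the default is report-only.
    if compliance == "NON_COMPLIANT" and params.get("terminateNonCompliant", "false").lower() == "true":
        if ec2_client is None:
            import boto3
            ec2_client = boto3.client("ec2")
        ec2_client.terminate_instances(InstanceIds=[item["resourceId"]])
        terminated.append(item["resourceId"])
    return {"evaluation": evaluation, "terminated": terminated}


class RecordingClient:
    """Test double standing in for boto3 clients: records every call made."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(("put_evaluations", kwargs))

    def terminate_instances(self, **kwargs):
        self.calls.append(("terminate_instances", kwargs))


def make_event(instance_type, instance_id="i-0123456789abcdef0", terminate="true"):
    """Constructed AWS Config invocation for a running EC2 instance."""
    item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": instance_id,
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2016-03-01T11:05:00.000Z",
        "configuration": {"instanceType": instance_type, "state": {"name": "running"}},
    }
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": item}),
        "ruleParameters": json.dumps({"approvedTypes": "t2.medium",
                                      "terminateNonCompliant": terminate}),
        "resultToken": "constructed-token",
    }


def demo(instance_type, terminate="true"):
    """Run one constructed event through the handler with recording clients."""
    cfg, ec2 = RecordingClient(), RecordingClient()
    result = lambda_handler(make_event(instance_type, terminate=terminate), None, cfg, ec2)
    return result, cfg.calls, ec2.calls
```

Deploying this as a change-triggered rule on AWS::EC2::Instance gives the compliance overview the paragraph mentions (every instance shows as COMPLIANT or NON_COMPLIANT in the Config console, with the annotation explaining why), and the terminateNonCompliant parameter keeps the destructive fix an explicit opt-in rather than the rule's default behaviour.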

