As enterprises continue to rapidly adopt AWS cloud, the complexity and scale of operations on the AWS have increased exponentially. Enterprises now operate hundreds and even thousands of AWS accounts to meet their enterprise IT needs. With this in mind, AWS Management & Governance has emerged as a major focus area that enterprises need to address in a holistic manner to ensure efficient, automated, performant, available, secure, and compliant cloud operations.
Governance360 integrated with Dash ComplyOps
Relevance Lab has recently launched its Governance360 professional services offering in the AWS Marketplace. This offering builds upon Relevance Lab’s theme of helping customers adopt AWS the right way.
Governance360 brings together the framework, tooling, and process for implementing a best-practices-based AWS Management & Governance at scale for multi-account AWS environments. It helps clients seamlessly manage their “Day after Cloud” operations on an ongoing basis. The tooling that would be leveraged for implementing Governance360 can include AWS’s native tools, services, RL’s tools, and third-party industry tools.
Typically a Governance360 type of professional service is engaged either during or after the phase of customers’ transition to AWS cloud (Infra & application migration or development on AWS Cloud).
Dash ComplyOps Platform Dash ComplyOps platform enables and automates the lifecycle of a client’s journey for compliance of their AWS environments towards industry-specific compliance requirements such as HIPAA, HITRUST, SOC2, GDPR. Dash ComplyOps platform provides organizations with the ability to manage a robust cloud security program through the implementation of guardrails and controls, continuous compliance monitoring, and advanced reporting and remediation of security and compliance issues.
Relevance Lab and Dash Solutions have partnered together to bring an end-to-end solution and professional service offering that helps customers realize an automated AWS Management & Governance posture for their environments meeting regulatory compliance needs.
As a part of this partnership, the Dash ComplyOps platform is integrated within the overall Governance360 framework. The detailed mapping of features, tooling, and benefits (including Dash ComplyOps as a tool) across Governance360’s major topic areas is articulated in the table below.
Automate repetitive and time-consuming tasks
Automated setup of environments for common use cases such as regulatory, workloads, etc
Codify best practices learned over time
Automated & Standardized Account Provisioning
Cost & Budget Management
Architecture for Industry Standard Compliance, Monitoring, and Remediation
Automated & Continuous Compliance Monitoring, Detection, and Remediation
Dashboards for monitoring AWS Environment from infrastructure to application
Ease of Deployment of Security Controls @ Scale using CI/CD Pipeline
Infra and Application Security Threat Monitoring, Prevention, Detection & Remediation
Service & Asset Management
Software and Asset Management practice with real-time CMDB for Applications & Infrastructure
Incident management and auto-remediation
Workload Migration & Management
Best practices-based workload migration and implementations on AWS cloud
Compliance with industry regulatory standards
Engagement Flow / Phase
Discovery & Assessment
Understand current state, data, management & governance goals
Recommendations include services, tools, and dashboards & expected outcomes, benefits
Use of native AWS services, RL’s monitoring & BOTs, Dash ComplyOps platform, and other 3rd party tools
Implement, test, UAT & production cutover of recommended services, tools, and dashboards
Post-implementation support – monitor and resolve any issues faced
* Duration depends on the complexity and scope of the requirements.
Relevance Lab is a consulting partner of AWS and helps organizations achieve automation-led Cloud Management using Governance360, based on the best practices of AWS. For enterprises with regulatory compliance needs, integration with the Dash ComplyOps platform provides an advanced setup for operation in a multi-account environment.
While enterprises can try to build some of these solutions, it is both time-consuming and error-prone and demands a specialist partner. Relevance Lab has helped multiple enterprises with this need and has a reusable automated solution and pre-built library to meet the security and compliance needs of any organization.
Governance360 is an integrated and automated solution using the Control Tower Customization methodology. The solution is focussed on the entire lifecycle of a customer cloud adoption covering the following stages:
Workload planning for Cloud Migration and associated best practices with automation.
Multi-account management with secure and compliant AWS Accounts, Cost tracking against budgets, guardrails to ensure the workloads are deployed as per AWS Well Architected best practices. This component is called “Control Services” and provides preventive and corrective guardrails.
The workloads consisting of network, IDAM, compute, data, storage, applications need to be secure and monitored for static and dynamic threats and vulnerabilities covered under Security Management. This ensures proactive detection and correction of security threats.
Proactive monitoring enables observability across system, application, logs management with integrated alert aggregation, correlation and diagnostics to detection performance and availability issues.
Service Management and Asset Management integrates the Cloud management workflows with ITSM tools based on enterprise standards and enables self-service portals and active CMDB tracking.
Foundation of Automation-First approach with workflows, templates and BOTs provides a scalable enterprise grade framework of achieving better, faster, cheaper adoption of Cloud and ongoing cloud managed services leveraging RLCatalyst BOTs Server.
All the above components are complex systems that need integration and data sharing with active policies, status monitoring and workflows for suitable interventions to achieve a holistic Governance360 model. The solution ensures that proper policies and governance models are set up upfront and consistently updated, as life cycle changes are needed. It combines AWS Control Tower and other highly-available, trusted AWS services and Relevance Lab Automated solutions to help customers quickly set up a secure, multi-account AWS environment using AWS best practices. Through customization, this solution can integrate with AWS Control Tower lifecycle events to ensure the resource deployment stays in sync with the landing zone. In a single pane, get visibility on the organizational tree structure of your AWS accounts along with compliance status and non-compliance findings.
The diagram below explains the core building blocks of the Governance360 Solution.
Why do Enterprises need Governance360?
For most Enterprises, the major challenge is around governance and compliance and lack of visibility into their Cloud Infrastructure. They spend enormous time trying to achieve compliance in a silo manner. Enterprises also spend enormous amounts of time and effort on security and compliance. This can be addressed by automating compliance monitoring, increasing visibility across the cloud with the right set of tools and solutions. Our solution addresses the need of Enterprises on the automation of these security & compliance. By a combination of automated preventive, detective, and responsive controls, we help enterprises by enforcing nearly continuous compliance and auto-remediation and there-by increase the overall security and reduce the compliance cost.
Some of the use cases on why Enterprises would adopt Governance360:
Centralized Cloud Operations Management
Configuration, Compliance and Audit Management
Automated proactive monitoring and Observability of your Applications
Self-Service Provision and Deprovision of Cloud resources
Cloud Financial Management
As shown in the above diagram, Governance360 uses a set of tools and policies across multiple layers.
This solution starts with a deployment of AWS Control Tower, post which an AWS CloudFormation template you deploy in the account where AWS Control Tower landing zone is deployed. The template launches an AWS CodePipeline, AWS CodeBuild projects, AWS Step Functions, AWS Lambda functions, an Amazon EventBridge event rule, an AWS Simple Queue Service (Amazon SQS) queue, and an Amazon Simple Storage Service (Amazon S3) bucket which contains a sample configuration package. The solution can also create an AWS CodeCommit repository to contain the sample configuration package, instead of the Amazon S3 bucket.
Once the solution is deployed, the custom resources are packaged and uploaded to the CodePipeline source using Amazon S3, and triggers the service control policies (SCPs) state machine and the AWS CloudFormation StackSets state machine to deploy the SCPs at the organizational units (OUs) level or stack instances at the OU and/or account level. Also, integration with Security Hub ensures all of your accounts and resources are being continuously monitored for Continuous Compliance.
Our standard and the custom library includes a set of pre-built templates (Cloud Formation and Terraform) and policies (YAML/JSON). This could be a combination of CFTs for deployment or provision and policies to enforce, monitor the governance and compliances. This can help automated deployment with one-click for your Network, Infrastructure, and Application Layer and enforce pre-defined compliance on your account.
Governance360 Maturity Model
Governance360 maturity model consists of 4 levels as shown below:
Level-1 (Basic Governance)
Covers AWS Control Tower
Takes about 4-6 weeks
What is AWS Control Tower?
Multi-Account AWS Environments.
Based on AWS Best Practices.
How does it work?
Identity and Access Management.
Account Provisioning Workflows.
Apply Guardrails – Security and Compliance Policies.
Prevents non-compliance during new deployments.
Detects and Remediate non-compliances found on Accounts and Resources.
Monitors Compliance with Visual Summaries.
Provides Dashboard for Accounts, Guardrails and Compliance status all in one place.
What benefits does it provide?
Automated & Standardized Account Provisioning.
Get better control of AWS environments.
Govern your workloads more easily and Drive Innovation.
Cost and Budget Management.
What is still missing in maturity at this Level?
A manual setup model where making changes to all different OUs and Accounts is not automated to deploying new policies and customization is not easy.
Setup of VPC/Subnet/IAM roles needs more advanced templates and automation.
Only mandatory guard-rails are activated and still need more work for getting all AWS Foundation and CIS Top 20 Benchmark compliance.
Cost Optimization missing.
Integration with ITSM Tools missing.
Level-2 (Advanced Governance)
Automation led Governance@Scale
Covers AWS Service Management Connector and ITSM Integrations
Additional 6-8 weeks
What is Governance@Scale?
Use Customization of Control Tower using CI/CD Pipeline Best Practices.
Rich library of Automation Templates for Infra Automation.
Get extended compliance to AWS Foundation and CIS Top-20.
Activate AWS Service Catalog, AWS Service Management Connector.
How does it work?
Deployment of Customization of Control Tower and Custom Guardrails.
Enablement of Security Hub, Config
Service Catalog and Service Management capabilities using your ITSM platform (ServiceNow, Jira SD, Freshservice).
What benefits does it provide?
Ease of deployment of security controls @ Scale using CI/CD pipeline.
Dashboard of Security Hub.
Dashboard for Asset Management.
Dashboard of AWS Config Aggregator.
What is still missing in maturity at this Level?
No integration with Security monitoring of resources and accounts – Static or Dynamic.
Proactive Monitoring of Health of Assets is missing.
Level-3 (Proactive and Preventive Governance)
Covers AWS Security Hub and AWS Monitoring tools integration
Provides Proactive and integrated monitoring of real time security and health parameters for appropriate early warning systems and actions. This can help early detection of adverse events, diagnosis and action
Additional 8-10 weeks
What is Proactive and Preventive Governance?
Use the ITSM/Custom Cloud Portal to look at the compliance status across your multi-account cloud Infrastructure.
Get a single pane of glass view for your multi-account cloud assets.
Enable SSM to run periodic vulnerability assessments on your resources.
How does it work?
Integration of AWS Security Hub with AWS Control Tower.
Use of GuardDuty and Inspector.
What benefits does it provide?
Dashboard of Security Hub.
Dashboard of Proactive Health Monitoring.
Dashboard of Vulnerability and Missing Patches.
What is still missing in maturity at this Level?
Granular policies for Account and Resource level control are missing.
Continuous Compliance and Remediation is missing.
Vulnerability and Patch Management fix is missing.
Industry Specific extensions for specialized compliances – HITRUST, HIPAA, GRC, GDPR etc.
Level-4 (Intelligent Compliance with Remeditions)
Covers Cloud Custodian and Intelligent Automation with BOTs and Policies
Helps achieve Continuous Compliance
Helps achieve Industry-Specific Security Standards (Depends on the type of compliance.)
Typically, 4-6 weeks per compliance standards
What is Intelligent and Continuous Compliance with Industry Specific Coverage?
Continuous monitoring, detection and auto-remediations achieved as scale.
Ability to learn from previous incidents and increase coverage & compliance.
Enterprise grade Automation covering full-lifecycle of cloud resources, system changes and people interactions.
Baseline the requirements for the Industry specific compliance needs like HITRUST, HIPAA, GDPR, SOC2 etc.
Deploy Quick Starts for these specific standards.
How does it work?
Integration with RLCatalyst BOTs Server and Command Centre.
Application and Business Service level Monitoring and Diagnosis.
Integration with Cloud Custodian.
Launch Compliance Standard Specific Quick Starts.
Enable AWS Systems Manager (or Manage Engine) and patch management.
How to get started
Relevance Lab is a consulting partner of AWS and helps organizations achieve automation led Cloud Management using Governance360, based on the best practices of AWS. While Enterprises can try and build some of these solutions, it is a time-consuming activity and error-prone and needs a specialist partner. Relevance Lab has helped 10+ Enterprises on this need and has a reusable automated solution and pre-built library to meet the security and compliance needs.
Compliance on the Cloud is an important aspect in today’s world of remote working. As enterprises accelerate the adoption of cloud to drive frictionless business, there can be surprises on security, governance and cost without a proper framework. Relevance Lab (RL) helps enterprises speed up workload migration to the cloud with the assurance of Security, Governance and Cost Management using an integrated solution built on AWS standard products and open source framework. The key building blocks of this solution are.
Why do enterprises need Compliance as a Code?
For most enterprises, the major challenge is around governance and compliance and lack of visibility into their Cloud Infrastructure. They spend enormous time on trying to achieve compliance in a silo manner. Enterprises also spend enormous amounts of time on security and compliance with thousands of man hours. This can be addressed by automating compliance monitoring, increasing visibility across cloud with the right set of tools and frameworks. Relevance Labs Compliance as a Code framework, addresses the need of enterprises on the automation of these security & compliance. By a combination of preventive, detective and responsive controls, we help enterprises, by enforcing nearly continuous compliance and auto-remediation and there-by increase the overall security and reduce the compliance cost.
Key tools and framework of Cloud Governance 360°
AWS Control Tower: AWS Control Tower (CT) helps Organizations set up, manage, monitor, and govern a secured multi-account using AWS best practices. Setting up a Control Tower on a new account is relatively simpler when compared to setting it up on an existing account. Once Control Tower is set up, the landing zone should have the following.
2 Organizational Units
3 accounts, a master account and isolated accounts for log archive and security audit
20 preventive guardrails to enforce policies
2 detective guardrails to detect config violations
Apart from this, you can customize the guard rails and implement them using AWS Config Rules. For more details on Control Tower implementation, refer to our earlier blog here.
Cloud Custodian: Cloud Custodian is a tool that unifies the dozens of tools and scripts most organizations use for managing their public cloud accounts into one open-source tool. It uses a stateless rules engine for policy definition and enforcement, with metrics, structured outputs and detailed reporting for Cloud Infrastructure. It integrates tightly with serverless runtimes to provide real time remediation/response with low operational overhead.
Organizations can use Custodian to manage their cloud environments by ensuring compliance to security policies, tag policies, garbage collection of unused resources, and cost management from a single tool. Custodian adheres to a Compliance as Code principle, to help you validate, dry run, and review changes to your policies. The policies are expressed in YAML and include the following.
The type of resource to run the policy against
Filters to narrow down the set of resources
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed Cloud Infrastructure, that’s both secure and cost optimized. It consolidates many of the ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
Security Hub: AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts. It’s a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions like Cloud Custodian. You can also take action on these security findings by investigating them in Amazon Detective or by using Amazon CloudWatch Event rules to send the findings to an ITSM, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools or to custom remediation playbooks.
Below is the snapshot of features across AWS Control Tower, Cloud Custodian and Security Hub, as shown in the table, these solutions complement each other across the common compliance needs.
AWS Control Tower
Easy to implement or configure AWS Control Tower within few clicks
Light weight and flexible framework (Open source) which helps to deploy the cloud policies
Gives a comprehensive view of security alerts and security posture across AWS accounts
It helps to achieve “Governance at Scale” – Account
Management, Security, Compliance Automation, Budget
and Cost Management
Helps to achieve Real-time Compliance and Cost
It’s a single place that aggregates, organizes, and prioritizes
your security alerts, or findings, from multiple AWS services
Predefined Guardrails based on best practices – Establish / Enable Guardrails
We need to define the rules and Cloud Custodian will enforce them
Continuously monitors the account using automated
security checks based on AWS best practices
Guardrails are enabled at Organization level
If an account has any specific requirement to either include
or exclude certain policies, those exemptions can be
With a few clicks in the AWS Security Hub console, we can connect multiple AWS accounts and consolidate findings across those accounts
Automate Compliant Account Provisioning
Can be included in Account creation workflow to deploy the
set of policies to every AWS account as part of the
Automate continuous, account and resource-level
configuration and security checks using industry standards
and best practices
Separate Account for Centralized logging of all activities
Offers comprehensive logs whenever the policy is executed
and can be stored to S3 bucket
Create and customize your own insights, tailored to your
specific security and compliance needs
Separate Account for Audit. Designed to provide security
and compliance teams read and write access to all accounts
Can be integrated with AWS Config, AWS Security Hub, AWS
System Manager and AWS X-Ray Support
Diverse ecosystem of partner integrations
Single pane view dashboard to get visibility on all OU’S, accounts and guardrails
Needs Integration with Security Hub to view all the policies
which have been implemented in regions / across accounts
Monitor your security posture and quickly identify security
issues and trends across AWS accounts in Security Hub’s
Relevance Lab Compliance as a Code Framework
Relevance Lab’s Compliance as a Code framework is an integrated model between AWS Control Tower (CT), Cloud Custodian and AWS Security Hub. As shown below, CT helps organizations with pre-defined multi-account governance based on the best practices of AWS. The account provision is standardized across your hundreds and thousands of accounts within the organization. By enabling Config rules, you can bring in the additional compliance checks to manage your security, cost and account management. To implement events and action based policies, Cloud Custodian is implemented as a complementary solution to the AWS CT which helps to monitor, notify and take remediation actions based on the events. As these policies run in AWS Lambda, Cloud Custodian enforces Compliance-As-Code and auto-remediation, enabling organizations to simultaneously accelerate towards security and compliance. The real-time visibility into who made what changes from where, enables us to detect human errors and non-compliance. Also take suitable remediations based on this. This helps in operational efficiency and brings in cost optimization.
For eg: Custodian can identify all the non tagged EC2 instances or EBS volumes that are not mounted to an EC2 instance and notify the account admin that the same would be terminated in next 48 to 72 hours in case of no action. Having a Custom insight dashboard on Security Hub helps admin monitor the non-compliances and integrate it with an ITSM to create tickets and assign it to resolver groups. RL has implemented the Compliance as a Code for its own SaaS production platform called RLCatalyst Research Gateway, a custom cloud portal for researchers.
Common Use Cases
How to get started
Relevance Lab is a consulting partner of AWS and helps organizations achieve Compliance as a Code, using the best practices of AWS. While enterprises can try and build some of these solutions, it is a time consuming activity and error prone and needs a specialist partner. RL has helped 10+ enterprises on this need and has a reusable framework to meet the security and compliance needs. To start with Customers can enroll for a 10-10 program which gives an insight of their current cloud compliance. Based on an assessment, Relevance Lab will share the gap analysis report and help design the appropriate “to-be” model. Our Cloud governance professional services group also provides implementation and support services with agility and cost effectiveness.
With the growing need for cloud adoption from various enterprises, there is a need to move end-user computing workload and traditional data center capacity to the cloud. Relevance Lab is working with AWS partner groups to simplify the cloud adoption process and bring in best practices for the entire lifecycle of Plan-Build-Run on the cloud. Following is the suggested blueprint for cloud adoption and moving new workload on to the cloud.
CloudEndure to enable automated Cloud Migration
AWS Control Tower is used to set up and govern a new, secure multi-account AWS environment
AWS Security, Identity and Compliance
AWS Service Management Connector for ServiceNow with Service Catalog management
AWS Systems Manager for Operational Insights
RLCatalyst Intelligent Automation
As part of our own organization’s experience to adopt AWS for both our workspace and server needs, we have followed the following process to cater to needs, of multiple organization roles.
Since we already had an AWS Master account but did not use AWS Control tower initially, the steps followed were as follows.
Setup & launch AWS Control Tower in our Master Account and build multiple Custom OUs (Organizational Units) & corresponding accounts using account factory
Use CloudEndure to migrate existing workloads to the new organizations under Control Tower
For two different organizational units, there is a need to publish separate service catalogs and access to the catalogs controlled by User Roles defined in AD integrated with ServiceNow. Based on the setup only approved users can order items relevant to their needs
Used AWS Service Management Connector to publish the catalogs and integrate with AWS resources
Implementation of RLCatalyst BOTs Automation for 1-Click provisioning
Different guardrails for workload being provisioned for AWS Workspaces and AWS Server Assets based on organization needs
Management of AWS server assets by AWS Systems Manager
Mature ITSM processes based on ServiceNow
Proactive monitoring of workspaces and servers for any incidents using RLCatalyst Command Centre
Based on our internal experience in adopting full-lifecycle of Plan-Build-Run use cases, it is evident that multiple solutions from AWS integrated with ServiceNow and automated with RLCatalyst product provides a reusable blueprint for intelligent and automated cloud adoption. Answering the following quick questions can get your Cloud adoption jumpstarted.
List down your desktop assets and server assets to be migrated to the cloud with an underlying OS, third party software and applications
Designing your AWS Landing zone with security considerations between public- facing and private facing assets
Designing your networking elements between your organization’s business unit segmentation of assets and different environments needed for development, testing and production
List down your cloud cost segmentation and governance needs based on which a multi-organization setup can be designed upfront, and granular asset tags may be implemented
Capacity planning and use of Reserved Instances for Cost optimization
User Management and Identity management needs with possible integration to existing Microsoft AD infrastructure (On-Cloud or On-Prem) and Single Sign-On
Capture the needs from the IT department to provide the organization with Self-Service Portals to be able to Order Assets and Services in a frictionless manner with automated fulfilment using BOTs
The use of Systems Manager, Runbook design & automation and Command Center are used to proactively monitor any critical assets and applications to manage incidents efficiently
Ability to provision and deprovision assets on-demand with automated templates
Automation of User Onboarding and Off-boarding
ITSM Service management with Change, Configuration management database, Asset Tracking and SecOps
Disaster Recovery strategy and internal assessments for readiness
Cloud Security, Vulnerability testing, Ongoing patch management lifecycle and GRC
DevOps adoption for higher velocity of achieving Continuous Integration and Continuous Deliveries
Most organizations moving to cloud is a competency discovery process which lacks best practices and a maturity model. A better approach is to use a solid framework of technology, people and processes to make your cloud adoption frictionless. Relevance Lab with its pre-built solution in partnership with AWS and ServiceNow can help enterprises adopt cloud faster.
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.