Delivus Cloud Infrastructure — Cloud governance

kokospapa, published in 딜리버스 · 5 min read · Oct 7, 2021

This article illustrates how to set up an AWS cloud environment: accounts, IAM users and permissions.

This article is the first part of a series. To jump to the other parts, use the links below:

Part 1 — Cloud governance (this article)
Part 2 — Setting up Superwerker (TBD)
Part 3 — Account Creation (TBD)

Team Delivus

Delivus stands for Delivery + Universe, with the aspiration of “Let’s build an innovative logistics infrastructure that provides delivery to every corner of the universe”. The team’s service goal is to provide “the fastest small cargo delivery service in the world”: real-time delivery tracking in major cities across the country, in the fastest time, at the same price as conventional parcel delivery. Ultimately we are trying to build a platform that provides Delivery as a Service.

Cloud Governance

Before diving straight into setting up the cloud environment, let’s talk about governance first. Governance is the foundation of every cloud environment. Cloud governance is a framework that guides how end users make use of cloud services by defining and creating policies to control costs, minimize security risks, improve efficiency and accelerate deployment. Setting up good governance is not easy unless you have years of experience, and adapting governance in the middle of operations takes a lot of effort.

Every company has its own style of cloud policies; our infra team will focus on 1) account management, 2) budget and cost management and 3) security and compliance automation. In short, we aim to build governance around security and control.

Requirements for Delivus Cloud Environment

Our requirements are shown below.

  • Delivus Cloud Governance
    1. account management
    2. budget and cost management
    3. security and compliance automation
  • No proprietary services
  • Minimize time setting up AWS Cloud Infrastructure

1. Account Management

Instead of deploying all developers and workloads into a single AWS account, we want to separate the deployment environments into different organizational units (OUs), one per purpose, as follows, so that the AWS accounts cannot affect each other.

This is how we divided our AWS accounts into categories.

AWS Control Tower, AWS Organizations and AWS Single Sign-On (SSO) will be used for governance, leveraging AWS services for account management: policy automation, centralized management and account grouping.
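As an added example (not part of the original article, and not how Superwerker or Control Tower lays things out), the account grouping described above can be expressed as an AWS CloudFormation template using the AWS::Organizations resource types. The OU names, the RootId parameter and the action list in the service control policy (SCP) are assumptions for illustration. The SCP is a guardrail: it stops member accounts from switching off the audit and detection services this article relies on, or from leaving the organization.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Illustrative OU layout and guardrail SCP (added example, not the
  article's own configuration). Deploy from the management account after
  AWS Organizations has been created with "all features" enabled.

Parameters:
  RootId:
    Type: String
    Description: Root id of the organization (placeholder, looks like r-xxxx)

Resources:
  # One OU per deployment environment so accounts do not affect each other.
  # Ref on an OU resource returns its id, so child OUs can nest under it.
  WorkloadsOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Workloads
      ParentId: !Ref RootId

  ProdOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Prod
      ParentId: !Ref WorkloadsOU

  DevOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Dev
      ParentId: !Ref WorkloadsOU

  # Accounts that hold shared security tooling (log archive, audit)
  SecurityOU:
    Type: AWS::Organizations::OrganizationalUnit
    Properties:
      Name: Security
      ParentId: !Ref RootId

  # Guardrail attached to the whole Workloads subtree. SCPs only restrict;
  # they grant nothing, so normal IAM policies still decide what is allowed.
  ProtectAuditServicesSCP:
    Type: AWS::Organizations::Policy
    Properties:
      Name: ProtectAuditServices
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref WorkloadsOU
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyDisablingAuditServices
            Effect: Deny
            Action:
              - cloudtrail:StopLogging
              - cloudtrail:DeleteTrail
              - config:StopConfigurationRecorder
              - config:DeleteDeliveryChannel
              - guardduty:DeleteDetector
              - securityhub:DisableSecurityHub
              - organizations:LeaveOrganization
            Resource: "*"
```

Two caveats worth remembering: SCPs never apply to the management account itself, so the management account should hold no workloads; and an SCP attached to an OU is inherited by every account and child OU beneath it, so a deny placed on Workloads also covers Prod and Dev.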

2. Budget and Cost Management

You need cost management for your accounts, workloads, and users. If you don’t consider your service budget and costs, you may end up incurring unnecessary costs, and even worse, you may not have a good infrastructure architecture.

The most important thing in budget and cost management is monitoring of expenses and budget. Monitoring cost and budget requires many functions, but typically you should be able to set up workload status, resource consumption insights and event-based triggers. All of these monitoring settings can be accomplished with the AWS CloudWatch service.

The next important function is budgeting, cost control and tracking. The flexible budgeting and forecasting capabilities built into AWS Budgets improve planning and cost control, and with custom budget settings, alerts and automated actions you can track when actual or forecasted costs and usage exceed budget thresholds.
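The two preceding paragraphs (CloudWatch event-based triggers and AWS Budgets thresholds with alerts) can be covered by one CloudFormation template; the following is an added example, not configuration from the article. The budget amount, the e-mail address and the resource names are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Monthly cost budget with actual and forecast alerts, plus a CloudWatch
  billing alarm (added example, not the article's own configuration).

Parameters:
  MonthlyLimitUsd:
    Type: Number
    Default: 1000                       # placeholder amount
  AlertEmail:
    Type: String
    Default: cloud-ops@example.com      # placeholder address

Resources:
  # Topic the billing alarm publishes to. AWS Budgets e-mails its
  # subscribers directly and does not need the topic.
  BillingAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  MonthlyCostBudget:
    Type: AWS::Budgets::Budget
    Properties:
      Budget:
        BudgetName: monthly-cost
        BudgetType: COST
        TimeUnit: MONTHLY
        BudgetLimit:
          Amount: !Ref MonthlyLimitUsd
          Unit: USD
      NotificationsWithSubscribers:
        # Warn once 80% of the limit has actually been spent ...
        - Notification:
            NotificationType: ACTUAL
            ComparisonOperator: GREATER_THAN
            Threshold: 80
            ThresholdType: PERCENTAGE
          Subscribers:
            - SubscriptionType: EMAIL
              Address: !Ref AlertEmail
        # ... and earlier, as soon as the forecast for the month exceeds it
        - Notification:
            NotificationType: FORECASTED
            ComparisonOperator: GREATER_THAN
            Threshold: 100
            ThresholdType: PERCENTAGE
          Subscribers:
            - SubscriptionType: EMAIL
              Address: !Ref AlertEmail

  # Event-based trigger on the EstimatedCharges metric. Billing metrics are
  # published only in us-east-1, and only after "Receive Billing Alerts" is
  # enabled in the account's billing preferences.
  EstimatedChargesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Estimated month-to-date charges exceeded the limit
      Namespace: AWS/Billing
      MetricName: EstimatedCharges
      Dimensions:
        - Name: Currency
          Value: USD
      Statistic: Maximum
      Period: 21600                     # metric arrives roughly every 6 hours
      EvaluationPeriods: 1
      Threshold: !Ref MonthlyLimitUsd
      ComparisonOperator: GreaterThanThreshold
      AlarmActions:
        - !Ref BillingAlertTopic
```

Because billing metrics live in us-east-1, deploy this stack there even if the workloads run elsewhere; the budget itself is global. The FORECASTED notification is the one that gives you time to react, since an ACTUAL alert at 100% arrives after the money is already spent.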

We will also leverage Savings Plans, Reserved Instances (RI) and other methods to reduce unnecessary cost.

https://aws.amazon.com/savingsplans/

3. Security and Compliance Automation

Currently, we are in the process of setting the regulatory compliance standards that the cloud must comply with, and we are thinking a lot about how to maintain those standards consistently. So we looked into AWS services that can help us automate security and compliance. We decided to use AWS Config, which helps us measure, audit and evaluate resource configurations, and AWS CloudTrail, which supports logging, monitoring and retention of account activity related to actions in AWS. We also decided to leverage AWS Security Hub, which provides a central dashboard where you can manage security alerts and take action on findings, and Amazon GuardDuty, which continuously monitors for malicious activity and unauthorized behavior.
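To make concrete what those four services look like when enabled together, here is an added CloudFormation example for a single account; it is not the article's configuration and not what Superwerker deploys. The bucket name is a placeholder for an existing S3 bucket whose bucket policy already allows CloudTrail and AWS Config to write to it; the rule names and the two managed Config rules are illustrative choices.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Baseline audit and detection services for one account (added example,
  not the article's or Superwerker's configuration).

Parameters:
  AuditBucketName:
    Type: String
    Description: Existing S3 bucket for trail and Config delivery (placeholder)

Resources:
  # Account activity log: all regions, global services (IAM, STS),
  # with digest files so tampering with delivered logs can be detected.
  AuditTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: audit-trail
      S3BucketName: !Ref AuditBucketName
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true

  # Role AWS Config assumes to read resource configuration
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole

  # Record every supported resource type, including global ones
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      RoleARN: !GetAtt ConfigRole.Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true

  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      S3BucketName: !Ref AuditBucketName

  # Managed rules evaluate the recorded configuration continuously;
  # rules can only be created once a recorder exists.
  CloudTrailEnabledRule:
    Type: AWS::Config::ConfigRule
    DependsOn: ConfigRecorder
    Properties:
      ConfigRuleName: cloudtrail-enabled
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED

  RootMfaRule:
    Type: AWS::Config::ConfigRule
    DependsOn: ConfigRecorder
    Properties:
      ConfigRuleName: root-account-mfa-enabled
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED

  # Threat detection over CloudTrail, VPC flow logs and DNS logs
  ThreatDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES

  # Central dashboard that aggregates Config and GuardDuty findings
  SecurityHub:
    Type: AWS::SecurityHub::Hub
    Properties:
      Tags:
        Owner: infra
```

GuardDuty and Security Hub are regional, so this template has to be deployed in every region you use (a StackSet is the usual way), while a single multi-region trail covers the whole account. Doing this by hand for each account is exactly the repetitive work the next section describes.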

AWS CloudTrail

Setting each of these services up individually and integrating them with other AWS services takes a lot of time. Fortunately, “Superwerker” does exactly what we want, and better, without manual configuration. (Disclaimer: I have not developed Superwerker, nor am I a salesperson.)

Superwerker — Quick Start

Superwerker also helps us with account management. AWS Single Sign-On (SSO) provides access to multiple accounts with a single sign-in. Traditionally it was not easy to work with multiple accounts (switching roles or using a different URL for each account), but with AWS SSO you can access multiple accounts intuitively.

Regulations, policy patterns and guardrails take time to set up initially, but once in place they can scale up 20 or 2,000 times faster while maintaining security and consistency. Superwerker provides standard pre-built templates that allow end users to provision resources and quickly build applications while meeting the security and compliance requirements of their organizations. Using these pre-built templates, you worry less about this boring work and focus on developing the applications that will differentiate your business.

In Part 2, we explain how to set up Superwerker.
