Click to learn more about author Jay Chapel.
The deliverability of cloud governance models has improved as public cloud usage continues to grow and mature. These models allow large enterprises to tier and scale their AWS Accounts, Azure Subscriptions, and Google Projects across hundreds and thousands of cloud users and services. When we first started talking to customers five-plus years ago – mostly AWS users at the time – they often had a single AWS account for their entire organization and required third-party tools to manage usage and costs by project, line of business, or application owner. But now, the “Big 3” cloud providers offer an array of ways for even the largest Fortune 500 enterprises to set up, run, and manage their use of the dizzying volume of cloud services.
Why Cloud Governance Models Are Important
The main way cloud providers allow cloud administrators to manage and grant access to their services is by leveraging Identity and Access Management (IAM) and providing options for roles and policies that govern both access and usage. IAM lets you grant granular access to specific AWS, Azure, and/or Google Cloud resources and helps prevent access to other resources. IAM lets you adopt the security principle of least privilege, where you grant only necessary permissions to access specific resources like VMs, databases, storage, containers, etc. With IAM, you manage access control by defining who (identity) has what access (role) for which resource.
At our company, we apply this with teams and roles. Admins can create teams (equivalent to projects, applications, or lines of business) and can invite a team lead to manage that PMC team, and they can in turn grant users access and set permissions for them, which can then be automated based on policies, usually by leveraging tags, but you can use other metadata as well.
What if you want more flexibility with the cloud providers to both manage user access and to more tightly align your cloud services and usage to your organizational structure, projects, and applications? Each of the major providers has designed ways for large enterprises to implement a hierarchical usage of cloud users and services that can probably look very similar to that enterprise’s organization chart (if you can understand their jargon).
How AWS, Azure, and Google Apply Cloud Governance Models
We dug into AWS, Azure, and Google and this is what we found:
Amazon Web Services (AWS)
- Tier 1: AWS Organization
- Tier 2: Organization Unit
- Tier 3: AWS Accounts
- Tier 4: Tags
- Tier 1: Azure Enterprise Portal
- Tier 2: Departments
- Tier 3: Accounts
- Tier 4: Subscriptions
- Tier 5: Resource Groups
- Tier 6: Tags
- Tier 1: Organization
- Tier 2: Folders
- Tier 3: Projects
- Tier 4: Resources
- Tier 6: Tags
Tips for Implementing Cloud Governance Models
- Research and attend web sessions on these cloud governance models to ensure you understand the nuance
- Implement your cloud provider’s latest hierarchies and governance models prior to mainstream cloud adoption in your organization
- Make sure you run the hierarchies you plan to implement by CloudOps, ITOps, DevOps, and FinOps to ensure proper organizational mapping and reporting
The cloud providers have done a pretty good job of documenting their roles, policies, and hierarchies and creating a graphical representation of their current hierarchical structures cloud governance models. Of course, none of them uses the same terminology. I mean, why would you – too easy, right? (And why does Google rank a “Folder” above a “Project”? )
With these options available to you, your cloud operations team can make sure to use this to your advantage when planning new resources, accounts, and use cases within your organization. Let us know your thoughts and if you use any of these models to improve your cloud usage.