Cloud Governance Frameworks
Establish cloud governance that balances developer velocity with security, compliance, and cost control. Covers account structure, guardrails, policy-as-code, tagging standards, and the organizational model that makes governance work at scale.
Cloud governance is the set of rules, processes, and automated controls that ensure cloud resources are used securely, efficiently, and in compliance with organizational standards. Without governance, cloud environments become ungoverned sprawl — security holes, wasted spend, and compliance failures accumulating quietly.
Account/Project Structure
AWS Landing Zone
Organization Root
├── Security OU
│   ├── Log Archive Account
│   └── Security Audit Account
├── Infrastructure OU
│   ├── Shared Services Account
│   └── Networking Account
├── Workloads OU
│   ├── Production OU
│   │   ├── Team A Production
│   │   └── Team B Production
│   └── Non-Production OU
│       ├── Team A Staging
│       └── Team B Development
└── Sandbox OU
    └── Developer Sandbox Accounts
Guardrails
# AWS Service Control Policies (SCPs)
# Preventive guardrails: IAM policies in member accounts cannot override an SCP Deny.
# SCPs do not apply to the management account, so keep workloads out of it.
# The region deny uses NotAction so global services (IAM, STS, Organizations,
# CloudFront, Route 53, Support) keep working; extend the list for others you use.
# A condition cannot inspect a bucket policy's contents, so "deny public S3" means:
# refuse public canned ACLs and refuse any change to S3 Block Public Access, which
# the account baseline turns on.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRegionsOutsideApproved",
      "Effect": "Deny",
      "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*"],
      "Resource": "*",
      "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]}}
    },
    {
      "Sid": "DenyPublicS3Acls",
      "Effect": "Deny",
      "Action": ["s3:PutBucketAcl", "s3:PutObjectAcl"],
      "Resource": "*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write", "authenticated-read"]}}
    },
    {
      "Sid": "DenyDisablingBlockPublicAccess",
      "Effect": "Deny",
      "Action": ["s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"],
      "Resource": "*"
    },
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}
    }
  ]
}
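The following Python is an added example, not AWS tooling or code from the original page. It replays constructed requests against a copy of the SCP statements above and reports which explicit Deny applies, modelling only what these guardrails use: Effect Deny, Action/NotAction with IAM wildcards, and the String* condition operators, including the IAM rule that a negated operator matches when its key is absent from the request. Resource matching is ignored. The principal ARNs and request contexts are constructed; use it to reason about the policy logic before attaching an SCP to a production OU.

```python
"""Offline check of which explicit-Deny statements in the SCP above match a request.

Added teaching aid, not the IAM engine: models Deny statements with Action/NotAction
wildcards and String* conditions only; Resource matching is ignored.
"""
import fnmatch

# Constructed copy of the SCP statements from this section.
SCP = {
    "Statement": [
        {"Sid": "DenyRegionsOutsideApproved", "Effect": "Deny",
         "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]}}},
        {"Sid": "DenyPublicS3Acls", "Effect": "Deny",
         "Action": ["s3:PutBucketAcl", "s3:PutObjectAcl"], "Resource": "*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write", "authenticated-read"]}}},
        {"Sid": "DenyDisablingBlockPublicAccess", "Effect": "Deny",
         "Action": ["s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"], "Resource": "*"},
        {"Sid": "DenyRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
    ]
}

USER = "arn:aws:iam::123456789012:user/alice"  # constructed principal ARNs
ROOT = "arn:aws:iam::123456789012:root"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(pattern, value):
    # IAM action names and StringLike values: case-insensitive, '*' and '?' wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(_like(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement covers every action except the listed ones.
    return not any(_like(p, action) for p in _as_list(stmt["NotAction"]))


def _condition_matches(stmt, context):
    for operator, pairs in stmt.get("Condition", {}).items():
        negated = "Not" in operator
        for key, patterns in pairs.items():
            if key not in context:
                # Absent key: positive operators fail, negated operators match (IAM semantics).
                if not negated:
                    return False
                continue
            if operator.endswith("Like"):
                hit = any(_like(p, context[key]) for p in _as_list(patterns))
            else:
                hit = context[key] in _as_list(patterns)
            if hit == negated:
                return False
    return True


def denying_statements(policy, action, context):
    """Sids of Deny statements that apply to (action, request context), in policy order."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny"
            and _action_matches(s, action)
            and _condition_matches(s, context)]


def is_denied(policy, action, context):
    return bool(denying_statements(policy, action, context))


# Constructed requests that exercise each guardrail plus two edge cases.
REQUESTS = [
    ("EC2 in an approved region", "ec2:RunInstances", {"aws:RequestedRegion": "us-east-1", "aws:PrincipalArn": USER}),
    ("EC2 outside approved regions", "ec2:RunInstances", {"aws:RequestedRegion": "eu-central-1", "aws:PrincipalArn": USER}),
    ("IAM is global, exempt via NotAction", "iam:CreateRole", {"aws:RequestedRegion": "eu-central-1", "aws:PrincipalArn": USER}),
    ("public canned ACL", "s3:PutBucketAcl", {"aws:RequestedRegion": "us-east-1", "aws:PrincipalArn": USER, "s3:x-amz-acl": "public-read"}),
    ("ACL via grant headers, no canned ACL key", "s3:PutBucketAcl", {"aws:RequestedRegion": "us-east-1", "aws:PrincipalArn": USER}),
    ("disabling Block Public Access", "s3:PutBucketPublicAccessBlock", {"aws:RequestedRegion": "us-east-1", "aws:PrincipalArn": USER}),
    ("root user in an approved region", "ec2:DescribeInstances", {"aws:RequestedRegion": "us-east-1", "aws:PrincipalArn": ROOT}),
]

if __name__ == "__main__":
    for label, action, ctx in REQUESTS:
        print(f"{label:42} {action:32} -> {denying_statements(SCP, action, ctx) or 'not denied by SCP'}")
```

The fifth request is the one worth studying: a PutBucketAcl that grants AllUsers through x-amz-grant-* headers carries no s3:x-amz-acl key, so the canned-ACL condition never fires. That is why the Block Public Access statement, which has no condition at all, is the control that actually keeps buckets private.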
Tagging Standards
required_tags:
  - key: "Team"
    values: ["order-team", "payment-team", "platform-team"]
    purpose: "Cost allocation and ownership"
  - key: "Environment"
    values: ["production", "staging", "development", "sandbox"]
    purpose: "Environment classification"
  - key: "CostCenter"
    pattern: "CC-[0-9]{4}"
    purpose: "Finance cost allocation"
  - key: "DataClassification"
    values: ["public", "internal", "confidential", "restricted"]
    purpose: "Data protection requirements"
  - key: "Service"
    purpose: "Service-level cost tracking"
enforcement:
  - AWS Config rule: required-tags (detective; one rule checks up to six tag keys)
  - CI/CD: Terraform plan check for tags (preventive; blocks the merge or apply)
  - Alerting: Weekly compliance report
Policy-as-Code
# Open Policy Agent (OPA) policy for Terraform plans; input is `terraform show -json plan.out`
package terraform
import rego.v1

# Every managed resource in planned_values, descending into child modules,
# which root_module.resources alone would silently skip.
resources contains r if {
    walk(input.planned_values.root_module, [_, r])
    r.mode == "managed"
}

# Module-relative bucket addresses (e.g. "aws_s3_bucket.logs") referenced by an
# aws_s3_bucket_server_side_encryption_configuration resource. AWS provider v4+
# moved encryption out of aws_s3_bucket, so the bucket's own attributes say nothing.
encrypted_buckets contains ref if {
    walk(input.configuration.root_module, [_, cfg])
    cfg.type == "aws_s3_bucket_server_side_encryption_configuration"
    some ref in cfg.expressions.bucket.references
}

deny contains msg if {
    some r in resources
    r.type == "aws_s3_bucket"
    not encrypted_buckets[sprintf("%s.%s", [r.type, r.name])]
    msg := sprintf("S3 bucket '%s' must have an aws_s3_bucket_server_side_encryption_configuration", [r.address])
}

deny contains msg if {
    some r in resources
    r.type == "aws_instance"
    not r.values.tags.Team
    not r.values.tags_all.Team  # provider default_tags land in tags_all, not tags
    msg := sprintf("EC2 instance '%s' must have a Team tag", [r.address])
}

deny contains msg if {
    some r in resources
    r.type == "aws_db_instance"
    not r.values.storage_encrypted
    msg := sprintf("RDS instance '%s' must have storage encryption", [r.address])
}
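The CI plan check listed under the tagging standard's enforcement, and the plan-walking approach of the OPA policy above, can be expressed in one script. The following Python is an added example, not the page's OPA policy or any AWS or HashiCorp tool: it loads the JSON from `terraform show -json plan.out`, walks planned_values into child modules, skips resource types with no tags attribute, prefers tags_all so that provider default_tags count, and validates every tag against the standard's allow-lists and regex. The plan fragment embedded at the bottom is constructed; the assumption that every taggable AWS resource exposes a `tags` attribute in the plan holds for the AWS provider's tagging schema.

```python
"""CI-side check of the tagging standard above against a Terraform plan (added example)."""
import json
import re
import sys

# Constructed copy of the tagging standard: `values` is an allow-list, `pattern` a regex.
TAG_STANDARD = {
    "Team": {"values": ["order-team", "payment-team", "platform-team"]},
    "Environment": {"values": ["production", "staging", "development", "sandbox"]},
    "CostCenter": {"pattern": r"CC-[0-9]{4}"},
    "DataClassification": {"values": ["public", "internal", "confidential", "restricted"]},
    "Service": {},
}


def iter_resources(module):
    """Yield every managed resource, descending into child_modules (root_module.resources alone misses them)."""
    for resource in module.get("resources", []):
        if resource.get("mode") == "managed":
            yield resource
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_tags(plan, standard=TAG_STANDARD):
    """Return (address, problem) findings for the plan; an empty list means compliant."""
    findings = []
    for resource in iter_resources(plan["planned_values"]["root_module"]):
        values = resource.get("values") or {}
        if "tags" not in values:
            continue  # assumption: no tags attribute means the resource type is not taggable
        # tags_all = provider default_tags merged with resource tags; Terraform omits it from
        # planned_values when it is unknown until apply, so fall back to tags.
        tags = values.get("tags_all") or values.get("tags") or {}
        for key, rule in standard.items():
            if key not in tags:
                findings.append((resource["address"], f"missing required tag {key}"))
            elif "values" in rule and tags[key] not in rule["values"]:
                findings.append((resource["address"], f"{key}={tags[key]!r} not in {rule['values']}"))
            elif "pattern" in rule and not re.fullmatch(rule["pattern"], tags[key]):
                findings.append((resource["address"], f"{key}={tags[key]!r} does not match {rule['pattern']}"))
    return findings


# Constructed plan fragment: an instance whose Team tag arrives via provider default_tags,
# an untaggable bucket policy, and a database inside a child module with three violations.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_instance.api", "mode": "managed", "type": "aws_instance", "name": "api",
             "values": {"tags": {"Environment": "production", "CostCenter": "CC-1042",
                                 "DataClassification": "internal", "Service": "order-api"},
                        "tags_all": {"Team": "order-team", "Environment": "production", "CostCenter": "CC-1042",
                                     "DataClassification": "internal", "Service": "order-api"}}},
            {"address": "aws_s3_bucket_policy.logs", "mode": "managed", "type": "aws_s3_bucket_policy",
             "name": "logs", "values": {"bucket": "org-logs", "policy": "{}"}},
        ],
        "child_modules": [{
            "address": "module.db",
            "resources": [
                {"address": "module.db.aws_db_instance.orders", "mode": "managed", "type": "aws_db_instance",
                 "name": "orders",
                 "values": {"tags": {"Team": "order-team", "Environment": "prod", "CostCenter": "1042",
                                     "DataClassification": "confidential"}}},
            ],
        }],
    }},
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    problems = check_tags(plan)
    for address, problem in problems:
        print(f"{address}: {problem}")
    sys.exit(1 if problems else 0)  # non-zero exit fails the pipeline stage
```

Run it as a pipeline step after `terraform plan -out plan.out && terraform show -json plan.out > plan.json`, passing plan.json; on the constructed sample it reports only the child-module database (wrong Environment value, malformed CostCenter, missing Service) and leaves the instance alone because its Team tag is present in tags_all.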
Governance Operating Model
Central Cloud Team (2-4 people):
├── Sets policies and standards
├── Manages account structure
├── Operates shared infrastructure
└── Provides compliance reporting
Team Cloud Champions (1 per team):
├── Implements standards within team
├── Represents team in governance reviews
└── Escalates exceptions
Governance Board (monthly):
├── Reviews compliance metrics
├── Approves exception requests
├── Updates policies as the platform, regulations, and threat landscape change
└── Aligns governance with business goals
Anti-Patterns
| Anti-Pattern | Consequence | Fix |
|---|---|---|
| No guardrails | Security incidents, compliance failures | SCPs + OPA + automated enforcement |
| Governance without automation | Manual compliance checks do not scale | Policy-as-code, automated scanning |
| Too restrictive | Developers work around controls | Balance security with velocity |
| No tagging enforcement | Cost allocation impossible | Automated tagging enforcement in CI |
| Annual compliance review | 11 months of drift | Continuous compliance monitoring |
Cloud governance is not about saying “no.” It is about making the right thing the easy thing through guardrails, automation, and clear standards that enable teams to move fast without creating risk.