Welcome to the AWS Governance lesson. How do you ensure that, out of the hundreds of developers at your company, absolutely no one creates an unencrypted EBS volume or a security group that is open to the internet?
Governance is about building "guardrails" instead of "gates." You want developers to build fast, but you must prevent them from accidentally violating corporate security policies.
In this tutorial, you will learn about two core governance services:
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
You define rules (e.g., "All EC2 instances must carry a 'Department' tag," or "All EBS volumes must be encrypted"). Config evaluates a resource whenever it records a configuration change (and, for some rules, on a periodic schedule); a resource that violates a rule is marked NON_COMPLIANT in the Config console and API. Config can also be wired to a remediation action, typically an AWS Systems Manager Automation document, that fixes the resource automatically. Note that Config is a detective control: it reports the violation after the resource exists and does not block the API call that created it.
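As an added example (not code from this lesson or from AWS), the following Python shows how a custom AWS Config rule is written: Config invokes a Lambda function with the configuration item of the changed resource, and the function reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE back through PutEvaluations. The evaluation logic is kept in a pure function so it can be exercised offline against constructed configuration items. The rule parameter `requiredTag`, the resource IDs and the sample event are assumptions made for illustration; it covers both checks named above (tagged instances, encrypted volumes) in one rule.

```python
import json
from typing import Any

# Resource types this hypothetical rule is scoped to.
INSTANCE = "AWS::EC2::Instance"
VOLUME = "AWS::EC2::Volume"


def evaluate(configuration_item: dict[str, Any],
             rule_parameters: dict[str, str]) -> tuple[str, str]:
    """Return (compliance_type, annotation) for one Config configuration item.

    The compliance strings are the values AWS Config accepts in PutEvaluations.
    """
    resource_type = configuration_item.get("resourceType")
    status = configuration_item.get("configurationItemStatus", "")

    # A deleted resource can no longer be non-compliant; report NOT_APPLICABLE
    # so the stale evaluation is retired instead of lingering as a finding.
    if status in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted"

    if resource_type == VOLUME:
        config = configuration_item.get("configuration", {})
        if config.get("encrypted") is not True:
            return "NON_COMPLIANT", "EBS volume is not encrypted"
        return "COMPLIANT", "EBS volume is encrypted"

    if resource_type == INSTANCE:
        # 'requiredTag' is a hypothetical rule parameter; default to 'Department'.
        required = rule_parameters.get("requiredTag", "Department")
        tags = configuration_item.get("tags") or {}
        if not tags.get(required, "").strip():
            return "NON_COMPLIANT", f"Missing required tag '{required}'"
        return "COMPLIANT", f"Tag '{required}' present"

    return "NOT_APPLICABLE", f"Rule does not evaluate {resource_type}"


def build_evaluation(event: dict[str, Any]) -> dict[str, Any]:
    """Parse the Config invocation event into one PutEvaluations entry."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate(item, rule_parameters)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: dict[str, Any], context: Any) -> dict[str, Any]:
    """Lambda entry point: report the evaluation back to AWS Config."""
    import boto3  # imported here so the pure logic above runs without the SDK

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample event (not a real AWS payload): an unencrypted volume.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": VOLUME,
            "resourceId": "vol-0example",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"encrypted": False, "size": 8},
            "tags": {},
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Two practical caveats: the sample only handles the standard `ConfigurationItemChangeNotification`; when a configuration item is too large, Config sends an `OversizedConfigurationItemChangeNotification` without the item inline and the function has to fetch it with `get_resource_config_history`. And the Lambda's execution role needs `config:PutEvaluations`, or the result never reaches Config and the resource silently stays unevaluated.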
AWS Control Tower offers the easiest way to set up and govern a secure, multi-account AWS environment based on AWS best practices. It orchestrates several other services (AWS Organizations, CloudTrail, and AWS Config among them) to establish a "landing zone," and it applies guardrails (now called controls) across every account in the organization from day one. Preventive guardrails are implemented as Service Control Policies and block the disallowed action outright; detective guardrails are implemented as AWS Config rules and flag a violation after it occurs.
Which service allows you to define rules to continuously evaluate and audit your AWS resource configurations for compliance?