Lessons from AWS re:Invent: proactive governance and compliance for AWS workloads
The promise of cloud is self-service, improved automation and scale. However, when bringing cloud into enterprise environments with existing processes, tools and systems it can be all too easy to break this self-service model. Cloud operations therefore need to integrate with this existing tooling and existing processes must be adapted to facilitate agile and smooth cloud operations.
MaSonya Scott, Senior Product Manager at AWS, led a great session at AWS re:Invent discussing how to overcome some of the problems and challenges of cloud operations, and illustrated this with two real-life customer case studies - NextEra Energy and CapitalOne.
Ensuring compliance and governance is enabled at provisioning
Cloud governance is about aligning Cloud Operations and ITSM teams to enable enterprise IT policies and processes with automation whilst still using your familiar operational tooling. This applies across the full lifecycle of a service, from ideation through to retirement.
To facilitate this, there are a range of integrations available between popular ITSM tools like ServiceNow and Atlassian Jira Service Management Cloud and AWS services for each component of lifecycle management and governance.
This is managed through the AWS Service Management Connector, for which Cloudsoft is an AWS launch partner for both the ServiceNow and the recently launched Atlassian Jira Connectors. This means we assisted AWS with the development, customisation and implementation of the AWS Connectors.
Common ITSM tooling integration scenarios
MaSonya outlined a range of ITSM scenarios which are supported by AWS services, and using AWS Service Management Connector helps to integrate your existing tooling with these AWS services for more efficient cloud operations.
Self-service and automation at NextEra Energy
Ximena Carrillo, who leads the CloudOps team at NextEra Energy, spoke about how they adopted AWS Service Management Connector to deliver:
- 84% reduction in time to provision and deprovision resources
- 91% reduction in manual tasks
- simplified IT asset inventory and audit requirements
Prior to their project, it could take up to 5 days for the cloud support team to provision and support requests for new AWS instances. This manual process created friction which slowed down developers and was expensive to internal customers. Ximena and her team wanted to align with a ‘shift-left’ development culture to reduce human interaction, empower their internal customers, and reduce costs.
The Cloud Operations team’s project had two big pillars:
- Enable self-service provisioning via their ITSM tool, ServiceNow.
- Enable real-time integration between their CMDB and AWS.
They settled on AWS Service Management Connector, AWS Config, AWS Service Catalog and AWS Systems Manager to deliver this, and created runbooks approved by the CyberSecurity and ITSM Platform teams to ensure governance and compliance were baked into the resources teams were now able to self-serve.
Implementing an ‘easy to use, easy to find automated provisioning process’ at CapitalOne
CapitalOne famously exited their last on-premises data centre in 2020, following a five-year journey to the cloud. However, they faced a similar challenge to NextEra Energy in adapting their manual provisioning processes for their cloud operations.
They were heavily invested in ServiceNow, and so needed to find a way to integrate this with their AWS environments for an easy to use automated provisioning process.
In this example, AWS Service Management Connector interfaces between AWS Service Catalog and the ServiceNow Service Catalog, which means end-users can use their familiar tooling and experience little disruption to their day-to-day processes.
Automating compliance in complex enterprise environments
The following diagram shows how various AWS services integrate for compliance throughout the software lifecycle. These can be broken into ‘preventative controls’ and ‘detective controls’.
Preventative controls include using Infrastructure-as-Code tools such as AWS CloudFormation and AWS Service Catalog to provide “pre-vetted, curated templates with governance baked into them”.
Detective controls, like Amazon CloudWatch, are essential for identifying when resources aren’t compliant and effecting automatic remediation to make them compliant. A common example is making public S3 buckets private.
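To make the two kinds of control concrete, here is an added example (not code from the session, AWS or Cloudsoft) that implements both in plain Python with constructed sample data so it runs offline. The preventative half lints a CloudFormation template dict and flags any `AWS::S3::Bucket` that does not block all four forms of public access, which is the kind of check a pre-vetted template catalogue would enforce before provisioning. The detective half evaluates the public-access block and ACL grants reported for a live bucket and produces a remediation plan; the bucket records and the template are constructed, and the function names (`template_violations`, `evaluate_bucket`, `remediation_plan`) are this example's own. Applying the plan for real would be one `put_public_access_block` call per bucket, which is deliberately not executed here.

```python
"""Added example: preventative and detective controls for S3 public access.
Pure Python over constructed data; no AWS calls are made."""

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

# Constructed sample CloudFormation template (input to the preventative check).
# Resource keys mirror real AWS::S3::Bucket properties.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)},
        },
        "BadBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},  # no block at all
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},      # not an S3 bucket
    }
}


def template_violations(template):
    """Preventative control: logical IDs of S3 buckets in a CloudFormation
    template that do not set every PublicAccessBlockConfiguration flag to true."""
    bad = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        pab = res.get("Properties", {}).get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(k) is True for k in PAB_KEYS):
            bad.append(logical_id)
    return sorted(bad)


# Constructed sample of what the S3 API reports for live buckets. The shapes are
# simplified versions of get_public_access_block and get_bucket_acl responses.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}

SAMPLE_BUCKETS = {
    "private-logs": {"PublicAccessBlock": dict.fromkeys(PAB_KEYS, True), "Grants": [OWNER_GRANT]},
    "public-assets": {
        "PublicAccessBlock": None,  # never configured
        "Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    },
    "half-blocked": {
        "PublicAccessBlock": {**dict.fromkeys(PAB_KEYS, True), "RestrictPublicBuckets": False},
        "Grants": [OWNER_GRANT],
    },
}


def evaluate_bucket(bucket):
    """Detective control: findings for one bucket. An empty list means compliant."""
    findings = []
    pab = bucket.get("PublicAccessBlock") or {}
    missing = [k for k in PAB_KEYS if pab.get(k) is not True]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    for grant in bucket.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def remediation_plan(buckets):
    """Map each non-compliant bucket name to the PublicAccessBlockConfiguration
    that would make it private. Applying it is one boto3 call per bucket:
    s3.put_public_access_block(Bucket=name, PublicAccessBlockConfiguration=cfg)
    (not executed here so the example stays offline)."""
    return {name: dict.fromkeys(PAB_KEYS, True)
            for name, bucket in buckets.items() if evaluate_bucket(bucket)}


if __name__ == "__main__":
    print("template violations:", template_violations(SAMPLE_TEMPLATE))
    for name, bucket in SAMPLE_BUCKETS.items():
        print(name, evaluate_bucket(bucket) or ["compliant"])
    print("remediation plan:", remediation_plan(SAMPLE_BUCKETS))
```

The two halves share the same compliance rule (`PAB_KEYS` all true), which is the point of pairing them: the preventative check stops a non-compliant template from ever being provisioned, while the detective check catches buckets created outside the catalogue or changed after deployment and produces the exact configuration to restore.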
As you can see, integrating your ITSM tools like ServiceNow with your AWS environments can be a complex task. As the AWS Launch Partner for AWS Service Management Connector for ServiceNow, and Atlassian Jira Service Management Cloud, we know both ends of the integration inside out and can help you to develop, build and manage customised integration scenarios.