White Paper: AWS Automation & Orchestration, Financial Management, and Continuous Compliance
Last updated on January 31st, 2023 at 6:32pm
AWS provides many native services to help you achieve a well-governed and well-managed cloud. Here’s an overview of some of these services, how they support the key pillars of cloud enablement, and how you can build on these services with Kion to go even farther, faster.
Automation and Orchestration
To get the cloud’s promise of speed and agility, you need automation and orchestration. More specifically, you need these elements to deploy policy guardrails and make your cloud accounts ready for all your users. Your guardrail strategy should support these goals:
- Allow users freedom within the cloud estate to do their jobs.
- Protect your critical configurations.
- Restrict access to unauthorized services.
AWS Control Tower supports this cloud enablement pillar by automating the setup of a baseline environment or landing zone. You can use AWS Control Tower within your AWS Organization to establish governance over existing accounts, apply guardrails for your accounts, and vend new accounts with guardrails and a network.
Kion integrates with AWS Control Tower: if you’re using AWS Control Tower to manage central logging for your accounts, you can use Kion to manage the other aspects of the account that AWS Control Tower does not cover, such as user management, financial management, and continuous compliance. Kion can also take automation a step further.
Here’s a brief overview of how you can go farther by pairing AWS Control Tower with Kion:
- Pre-built, customizable guardrails. AWS Control Tower allows customers to set up approximately 62 pre-built guardrails. Most of these guardrails are used to protect the infrastructure set up for centralized logging and to provide a few best practice checks. Kion allows you to create your own guardrails and customize the 300 guardrails we deliver out of the box.
- Support for GovCloud. AWS Control Tower can be enabled on new and existing organizations, and works across most commercial regions. However, AWS Control Tower is not currently available in AWS GovCloud. Kion works across AWS commercial regions, AWS GovCloud, and even AWS secret regions. With Kion, you get a single place to see your entire AWS cloud estate.
- Define once, deploy to many. Define your account baselines once within Kion and easily deploy that same configuration to GovCloud and multiple AWS Organizations. Kion handles all the complexity required to cross organization and partition boundaries.
Financial Management
Financial management in the cloud encompasses everything from initial planning and budgeting, to enforcing those budgets, optimizing current spend, and forecasting future spend. To realize the cloud’s promise of cost efficiency, there must be accountability for cloud spend, because cloud resources scale easily (which can be good and bad). And monitoring spend isn’t just a financial need — a blown budget or a spend spike can be an indicator of unauthorized user activity.
AWS Budgets provides notifications and actions when spend reaches specified thresholds. You can leverage AWS Budgets to:
- Set budgets for your overall costs.
- Generate alerts based on spending.
- Use Lambda functions to take automated action.
Kion provides a unique set of financial management features that may better meet your needs:
- Kion delivers automation in response to a financial event; we call these enforcements, and they’re a no-code approach to budget management. Instead of writing code, you apply one of your existing Kion cloud rules when, for example, a financial threshold is met. Enforcements are flexible: notifications can be sent via email, or you can use webhooks to call out to other services like Slack.
- Enforcements can be defined on groups of accounts using the Kion organization structure. You can set enforcements at an organization level (such as a department) or at an account level, and then filter to global- or service-level spend to trigger notifications or a cloud rule (to freeze resource creation, as an example). Kion also supports monitoring Reserved Instances, so notifications can be set on usage consumed or remaining, or on the time before the RI expires.
- Finally, Kion provides financial attribution through funding sources so you can track where spend comes from and attribute the cost back within your organization. This capability is particularly useful if you have varied funding sources. For example, you might have your corporate budget, contracts, grants, and other funding sources in your organization. With Kion, you’ll know who spent what funds, from where, and during what date ranges.
Continuous Compliance
When it comes to security and compliance, a basic question to answer is “Does your AWS cloud estate work like you think it does?” You may have one or more policies in place, but you need to take measures to make sure these policies are working as intended. This means relying on validation, not assumptions.
AWS Security Hub is a security findings dashboard that runs checks, aggregates alerts, and supports automated remediation. You can enable any of the 224 pre-defined checks that AWS supplies across three standards: AWS Best Practices, PCI DSS, and CIS.
Kion integrates with AWS Security Hub in four ways: Kion can post findings into the service, query findings from the service, create an AWS Lambda that triggers off a finding in the service, and create an AWS Lambda that can be triggered by manual actions/remediations in the service.
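As an added illustration of the “Lambda triggered off a finding” integration (example code written for this page, not Kion’s or AWS’s own): a minimal handler for the EventBridge event that Security Hub emits when findings are imported, which triages each finding by its ASFF severity and compliance status so that only active, failed, high-severity findings are handed to automated remediation. The event shape and field names follow the AWS Security Finding Format; the generator ids, account id and ARNs in the sample event are constructed placeholders.

```python
from collections import defaultdict

# ASFF severity labels, lowest to highest; unknown labels rank lowest.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def severity_rank(label):
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else 0

def triage_finding(finding, min_severity="HIGH"):
    """Classify one ASFF finding as "remediate", "review" or "ignore"."""
    if finding.get("RecordState") == "ARCHIVED":
        return "ignore"  # Security Hub archives findings that no longer apply
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return "ignore"  # already handled or deliberately muted by an analyst
    if finding.get("Compliance", {}).get("Status") == "PASSED":
        return "ignore"  # control check passed; nothing to fix
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    if severity_rank(label) >= severity_rank(min_severity):
        return "remediate"  # severe enough to hand to automated remediation
    return "review"  # lower severity: queue for a human

def lambda_handler(event, context=None):
    """Group the resources named in a Security Hub event by triage outcome."""
    if event.get("source") != "aws.securityhub":
        return {}  # ignore events from other services routed to this function
    buckets = defaultdict(list)
    for finding in event.get("detail", {}).get("findings", []):
        action = triage_finding(finding)
        for resource in finding.get("Resources", []):
            buckets[action].append((finding.get("GeneratorId"), resource.get("Id")))
    return dict(buckets)

# Constructed sample event: generator ids, account id and ARNs are placeholders.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"GeneratorId": "example-cis/1.0/NET-1", "Severity": {"Label": "HIGH"},
         "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
         "RecordState": "ACTIVE", "Resources": [{"Id": "arn:aws:ec2:us-east-1:111111111111:security-group/sg-example"}]},
        {"GeneratorId": "example-pci/1.0/S3-1", "Severity": {"Label": "MEDIUM"},
         "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
         "RecordState": "ACTIVE", "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]},
        {"GeneratorId": "example-cis/1.0/IAM-1", "Severity": {"Label": "CRITICAL"},
         "Compliance": {"Status": "PASSED"}, "Workflow": {"Status": "RESOLVED"},
         "RecordState": "ACTIVE", "Resources": [{"Id": "AWS::::Account:111111111111"}]},
    ]},
}
```

Wiring this up means an EventBridge rule on source `aws.securityhub` targeting the function; the returned buckets are what a remediation step or ticketing integration would consume.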
Here are a few ways that you can use Kion to go farther and faster with compliance:
- Kion has its own Compliance Engine that can run with or without AWS Security Hub and provides a simple rule language as well as remediations that don’t require deploying Lambda functions. Kion has over 1,600 AWS-specific checks across 13 compliance regimes, including CIS, PCI, NIST, ISO 27001, SOC 2, FedRAMP, HIPAA, and more.
- Kion provides more than checks with its managed resources: you get configuration and IAM policies as well. So not only are you able to scan and assess your posture, we provide you with CloudFormation templates that go into each of your accounts and prepare the account, from a configuration standpoint, to be compliant with a regime such as NIST 800-53. We provide the IAM policies that are attached to users who federate through Kion, so their behavior and activities are confined to what’s approved within that particular compliance regime.
- Finally, seeing compliance check results is just one piece of the puzzle. Many of our checks include automatic remediation steps that leverage your configuration files. You don’t need to write code; instead, you can use simple YAML configuration files and comment in a line or two to remediate across findings and across accounts.