Last updated on May 17th, 2023 at 1:39pm
We often get questions about how cloudtamer.io compares to or differs from capabilities provided by public cloud providers. So, over the next few posts, we'll look at how cloudtamer.io complements and extends native AWS functionality.
cloudtamer.io delivers on the three pillars of governance - account management, budget enforcement, and compliance automation - to meet the requirements outlined within the AWS Governance at Scale framework.
Let's kick off by covering some of the challenges with provisioning, and then we'll share how cloudtamer.io complements and extends AWS provisioning functionalities. Specifically, we'll look at AWS CloudFormation, Amazon Machine Images, AWS Service Catalog, AWS Landing Zones, and AWS Control Tower.
AWS Provisioning Challenges
Provisioning in AWS is a broad topic that covers many different areas and skill sets. When working in AWS, provisioning usually covers infrastructure, applications, and cloud access. For these three areas, provisioning can be time-consuming work if done manually. Manual provisioning can include:
- Setting up infrastructure, such as EC2 instances, VPCs, and load balancers; configuring security groups; and defining network topologies.
- Installing and configuring application-specific software, defining database schemas, and configuring application-level security settings.
- Defining access policies for IAM users and roles (user provisioning), S3 buckets, and other resources.
- Monitoring and enforcing compliance with internal policies, industry standards, and regulations by checking configuration settings and logs, as well as enforcing security policies.
Aside from the immense amount of manual effort, budgeting and cost management can be a significant challenge for AWS provisioning, particularly for larger organizations. Ensuring that teams and individuals stay within budget and avoid unnecessary costs requires effective monitoring and reporting tools, as well as a clear understanding of the cost implications of different provisioning decisions.
For financials, Kion provides no-code enforcements, flexible enforcement definitions, and financial attribution through funding sources. This gives administrators the same control over financials and spending as part of the AWS provisioning process that they already have over permissions and policies.
AWS provisioning can be a time-consuming process that involves setting up infrastructure, configuring applications, defining access policies, and ensuring compliance with internal policies, industry standards, and regulations. While AWS provides native tools like AWS CloudFormation and AWS Control Tower to alleviate the burden of manual configuration, those tools can be further expanded to make it easier to govern a large-scale AWS environment.
Kion significantly enhances AWS Control Tower by offering customizable guardrails, enabling organizations to tailor their policies to their needs. It also extends support to AWS GovCloud, ensuring comprehensive cloud management across various regions and compliance requirements. Kion's construct of cloud rules gives administrators a "define once, deploy to many" capability that simplifies baselining accounts and allows consistent configuration of cloud accounts across multiple AWS Organizations.
Security and compliance are vital steps in the AWS provisioning process. Kion integrates with AWS Security Hub, offering a Compliance Engine with an easy rule language, over 1,600 AWS-specific checks across 13 compliance regimes, and managed resources to ensure compliance with standards like NIST 800-53. Most importantly, if accounts drift from those standards or new requirements arise, Kion regularly scans for findings against its checks and can automatically remediate those findings to bring the affected accounts back into compliance with a few clicks.
By integrating these features, Kion provides a more flexible, efficient, and comprehensive solution for managing multi-cloud environments, ensuring seamless governance and streamlined account provisioning across diverse organizational requirements.
AWS CloudFormation
Working With
AWS CloudFormation simplifies provisioning of AWS resources through templates for quick and reliable setup of services or applications.
cloudtamer.io Cloud Rules bundle multiple AWS services, including AWS CloudFormation, into a single object for ease of use.
Building On
cloudtamer.io reduces manual labor and minimizes risk and errors by:
- Consistently applying AWS CloudFormation templates across AWS accounts based on where the accounts live within your organizational hierarchy.
- Simplifying the update of AWS CloudFormation stacks in AWS regions where StackSets are not available.
- Helping non-technical security and financial stakeholders to implement template libraries and manage their responsibilities within the cloud.
AMIs and AWS Service Catalog
Working With
Amazon Machine Images (AMIs) provide the operating system and software configurations required to launch a computing instance in the cloud.
AWS Service Catalog enables organizations to create and manage catalogs of IT services that are approved for use on AWS.
cloudtamer.io Cloud Rules bundle multiple AWS services, including AMIs and Service Catalog portfolios, into a single entity for ease of use.
Building On
cloudtamer.io reduces manual labor and minimizes risk and errors by:
- Including AMIs and Service Catalog portfolios in cloudtamer.io Cloud Rules to allow you to easily share, update, and deploy approved instance and product configurations with AWS accounts within specific parts of your organization.
AWS Landing Zones and AWS Control Tower
Working With
AWS Landing Zones provide a framework of core accounts that deliver shared services, logging, and security to new accounts automatically.
AWS Control Tower automates the setup of a baseline environment, or landing zone.
Landing Zones are a starting point to build around; cloudtamer.io takes this starting point and uses this to scale up and across an organization.
Building On
cloudtamer.io helps you scale growth and remain within budget by:
- Importing existing accounts for initial and ongoing governance and aligning these accounts to your organizational hierarchy via a visual, non-technical interface.
- Encouraging delegation through roles and responsibilities to minimize the size and labor of a centralized cloud team.
- Providing financial enforcement capabilities to ensure users remain within budget.
- Enhancing Single Sign On (SSO) into AWS accounts to provide greater context into spending and policies applied.
That's it! Next up, we'll look at how cloudtamer.io complements AWS native capabilities around account management and permissions.