Cloud Governance

Stories on Cloud Governance by Teri Radichel

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Multicloud Security | Data Breaches | Cloud Governance

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cloud Governance is one of the most critical things you can do to prevent data breaches in your cloud accounts. But you must do it in a manner that actually prevents attacks. Stop writing paper polices and automate your governance. Allow your governance team to develop and deploy the rules. New tools from cloud providers make this much easier than it has been in the past.

Use a proper Software Development Lifecycle (SDLC) that includes separate development, QA, and operations or production teams for governance code. Use separation of duties to design architectures that require multiple parties to take an action to help prevent egregious misconfiguration and limit the blast radius should an administrators credentials get compromised.

Stop Writing Paper Policies

ACM.112 A look at how effective your PDF and Word policy documents are in a cloud environment — and how to fix it

medium.com

A Cloud Security Center of Excellence

ACM.241 What I think is most effective and why

medium.com

Letting Governance Teams Govern

ACM.138 Preventing the riskiest actions and most egregious mistakes with cloud organizational policies

medium.com

Defining AWS Accounts and Organizational Units

ACM.180 Defining accounts and organizational units based on by trust boundaries and roles to protect critical assets

medium.com

Governance Foundations in the Cloud

Getting security controls in place from the ground up

medium.com

Cloud Governance

Stopping data breaches in the cloud more effectively

medium.com

Security Teams are Not Enforcers

Your cybersecurity efforts are an exercise in futility without executive support

medium.com

Cloud Governance on AWS

AWS Organizations

Stories about AWS Organizations by Teri Radichel

medium.com

Automated AWS Organization Creation

ACM.152 Automating the creation of an AWS Organization, Organizational Unit, Account, and Delegated Administrator

medium.com

AWS Service Control Policies

Governance: Setting security controls at the organizational level

medium.com

Creating an AWS Governance Account

ACM.139 Creating OUs and Accounts in an AWS Organization

medium.com

Delegated Administrator for AWS Organizations

ACM.139 Delegating governance via service control policies to an AWS Governance account

medium.com

Had some issues with AWS Organizations and Control Tower. Some of this has been resolved, but not all.

Wishlist for Cloud Governance

Make it easier to secure multiple accounts

medium.com

The chapters not published in my blog that are in my book — Cybersecurity for Executives in the Age of Cloud.

Cybersecurity for Executives in the Age of Cloud

Cybersecurity for Executives in the Age of Cloud - Kindle edition by Radichel, Teri. Download it once and read it on…

amzn.to

Most of my blog series on automating cybersecurity metrics has an element of Cloud Governance to it:

Automating Cybersecurity Metrics (ACM)

A series of blog posts on cybersecurity metrics and security automation

medium.com

GitHub — tradichel/SecurityMetricsAutomation

This code is associated with a series of blog posts.

github.com

Naming conventions for AWS resources in an organization.

AWS Resources Organization and Naming Conventions

ACM.40 Organizing AWS resources to find resources, reduce errors, plan for growth, and handle security incidents more…

medium.com

Tags are useful for tracking resources on AWS, but also come with some caveats. Hint: Automate tags and lock them down if you are counting on them.

Tags on AWS for Governance, Security, and Cost Allocation

ACM.237 Leveraging tags to support AWS operations and cost tracking — benefits and caveats

medium.com

Autoamted VPC Flow Logs Governance

VPC Flow Logs Governance

ACM.63 Enforce the existence of VPC Flow Logs on All VPCs

medium.com

I opted to remove or decommission AWS Control Tower in favor of more customized governance and SCPs I can better control.

Remove AWS Control Tower

ACM.219 Steps to Decommission AWS Control Tower

medium.com

At some point I started over without Control Tower, creating a new AWS account from scratch but can reuse a lot of the elements I had already created to improve governance in AWS. This post covers some of the elements and proceed from there to see how they are used in the new AWS Organization structure.

Baking Security In From the Ground Up on AWS

Starting from scratch in a new AWS account and building out a secure architecture

medium.com

Increase the number of accounts you can have in an organization:

Increase AWS Organizations Account Limit

ACM.221 Increasing the number of accounts we can create in an AWS Organization

medium.com

On closing and migrating accounts:

Closing An AWS Account Associated With AWS Control Tower

ACM.185 Removing AWS Control Tower management of an AWS Account

medium.com

AWS Organizations Close Account Constraint

ACM.220 Beware of the limitations of closing accounts through AWS Organizations

medium.com

SCP to Allow Closing and Removing AWS Accounts — Part 3

ACM.183b Trying out the new AWS billing actions in our SCP

medium.com

Close an AWS Account in an Organization

ACM.168 Challenges and risks related to removing AWS accounts, OUs, and organizations

medium.com

Governance for Executives, risk management, policies, and exceptions

Cybersecurity policies that reduce risk

Why your current cybersecurity policies are probably ineffective

medium.com

Security exceptions are the norm

Do you know who is causing the most exceptions — and why?

medium.com

Manage your data like you manage your money

Organizations don’t seem to have the same level of comprehensive measurement they do for financial systems when it…

medium.com

Measuring Security

How do you create metrics for something with so many variables?

medium.com

A Value-Based Approach to Cybersecurity Metrics

ACM.3 Are we security enough to avoid a data breach?

medium.com

Root OU Service Control Policies

ACM.170 Secure your organization — before — not after- you start creating new accounts

medium.com

AWS Service Control Policy Architecture

ACM.169 Designing maintainable, readable, and secure service control policies

medium.com

Programmatic Governance in AWS

Multicloud.7 Using CloudFormation, Accounts, OUs, and Service Control Policies for governance on AWS

medium.com

Creating an Organizational Unit (OU) and Service Control Policies (SCPs) with CloudFormation

ACM.171 Recreating our OUs and SCPs with CloudFormation

medium.com

Enabling Cost and Usage

ACM.204 Monitoring for security issues by watching account spending

medium.com

SCP to Allow Closing and Removing AWS Accounts — Part 1

ACM.182 Only allow closing and removing accounts moved to an organizational unit for suspended accounts

medium.com

Setting up a User and Role for Domain Name Administration

ACM.242 Adding a user who can modify NS records on domains for configuration of static websites

medium.com

Analyzing CloudTrail Requests Related to SCPs

ACM.140 Trying to figure out conditions and ARNs to create a delegated administrator for SCPs

medium.com

Generic Scripts For Deploying an Organization, Environments, and Applications

ACM.359 Biting the bullet and cleaning up my deployment scripts to work for any environment

medium.com

Organization-Environment Naming Convention on AWS

ACM.357 Modifying our naming convention for cross-account resource policies

medium.com

Adding Environments to An AWS Infrastructure Naming Convention

ACM.411 Adding permissions and aligning with naming convention changes to include the environment

medium.com

Why I Am Not Using AWS Organizational Unit for My Environment Name

ACM.363 Complications querying organizational data from AWS child accounts

medium.com

KMS Keys for AWS Organizations Environments

ACM.358 A common template for key deployment that includes organization and environment names — logs, deploy, and…

medium.com

Repository Accounts and Administrators

ACM.391 Thinking about software development environments, permissions, complexity, and naming conventions

medium.com

The Importance of Parameter Management in Cybersecurity and Application Security

ACM.430 Architecting a secure parameter management system

medium.com

Deployment systems — danger or defense?

How the systems that deploy software can dramatically increase or decrease cybersecurity risk

medium.com

It’s Friday.

ACM.340 Sometimes you just need to think on a complex technical problem for a bit

medium.com

Structuring Accounts For A Common Job Execution Framework

ACM.433 Revisiting the catch-22 of deployments from the root account

medium.com

Follow for updates.

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab