

# Management and Governance Cloud Environment Guide
<a name="management-and-governance-cloud-environment-guide"></a>

Publication date: **November 22, 2021** ([Document history](document-history.md))

Customers of every size and industry type are moving to the cloud to increase their security, agility, cost efficiency, scalability, and ease of deployment. Many customers ask for our guidance to help them ensure that their AWS environments meet those requirements. The Amazon Web Services (AWS) Well-Architected Management and Governance Cloud Environment Guide (M&G Guide) provides clear guidance for you to follow. It includes answers to key questions, recommended guardrails, and identifies AWS services and solutions from AWS Partners to help you build development, test, and production workloads at scale, regardless of the stage of cloud adoption you are in. This document can be read in its entirety or by individual section, depending on the focus of the reader.

 The [AWS Cloud Adoption Framework (AWS CAF)](https://aws.amazon.com/professional-services/CAF/) helps you develop and run efficient and effective plans for your cloud adoption journey focused on people and processes. The M&G Guide builds on the CAF principles, offering prescriptive guidance with a focus on the technology. Cerner Corporation, a global health platform and technology company, completed an initiative in collaboration with AWS Professional Services to re-shape their cloud capabilities to support a growing, diverse, and global customer base: 

> “Cerner has been operating about 50–100 accounts in AWS for years, but our strategy was very decentralized with regard to governance. We have business drivers to enable HITRUST compliance, which we combined with many other frameworks to create our Cerner Controls Framework (for example, compliance requirements). These requirements drove us to rethink how we applied governance principles in our cloud operating model through centralized governance. We could have moved faster and delivered value to our business in a more deliberate way had the AWS Management & Governance Cloud Environment Guide been available at the time. Every section would have created value for us as it really plants a flag in the ground to help distill AWS Best Practices from all the various people and places into a clear starting point.”
>
> - Eric Wright, Senior Director Cloud Engineering, Cerner Corporation
> - Phil Brown, Director & Principal Engineer Cloud Engineering, Cerner Corporation

Based on our experience from thousands of successful migrations, the M&G Guide helps decision makers and cloud, networking, and security architects configure their AWS environments to prepare for scale and to evaluate whether their environment is configured properly. The M&G Guide includes the following:
+  Description of each of the management and governance functions. 
+  Information on how the functions interact and interoperate with each other to provide efficient management and governance. 
+  Detailed implementation priorities helping you to know what steps to take, and in what order. 
+  Recommended AWS services for each function. 
+  AWS Partner solutions available in [AWS Marketplace](https://aws.amazon.com/marketplace) that support multi-account environments and work with [AWS Control Tower](https://aws.amazon.com/controltower). 
+  Implementation guidance as architectural diagrams, guides, and product videos. 
+  Aligned offerings and delivery kits from [AWS Professional Services](https://aws.amazon.com/professional-services/). 
+  Turnkey complementary solutions and consulting services from [Built on Control Tower - AWS Partners](https://aws.amazon.com/controltower/partners/). 

![Diagram showing how the Well-Architected Framework pillars and the eight management and governance functions interoperate to provide a migration ready, scale ready, innovation ready, optimized, and efficient AWS environment.](http://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-guide/images/how-to-prepare-aws-environments.png)


# Journey to cloud-ready environments
<a name="journey-to-cloud-ready-environments"></a>

A cornerstone of a successful, cost-efficient, secure, and compliant cloud strategy is to emphasize proactive management and governance. Incorporating best practices from the M&G Guide helps you grow with AWS, whether you are in the setup, migrate, or operate phase of the cloud journey. The progression along that journey includes the adoption of management and governance capabilities as you mature. The three phases of a typical cloud journey are described in the following sections. 

Customer use case examples for this guide include those that are just getting started with AWS, those that are considering an expansion into a multi-account experience, or those that are planning an expansion, such as the launch of new applications or a data center migration.

## Setup
<a name="journey-gs"></a>

When getting started with AWS, you should configure identity management, logging, monitoring, observability, and network connectivity to on-premises, and integrate security capabilities with your existing solutions. Gain a head start on these capabilities by using AWS Control Tower to provision a landing zone embedded with controls. Extend this with basic network isolation, a base set of identities, and by extending incident management and security capabilities to the new environments. In this phase, you begin building cloud-ready environments tuned to your enterprise needs, which lets you scale your management and governance functions alongside your workloads.

## Build and migrate
<a name="journey-build-migrate"></a>

In this phase, you extend and enhance your management and governance functions. This includes extending network isolation boundaries, configuring further environment- and workload-based controls, tuning change and incident management, and updating your observability to accommodate application-specific insights. Whether you are using a migration factory to quickly and efficiently migrate applications or workloads, or you are beginning to build out larger sets of applications or workloads, you should also integrate your service management capabilities and enhance your security management tooling.

## Operate
<a name="journey-innovate"></a>

The evolving interoperability of the management and governance functions gives you greater operational efficiency as you continue migrating, building, or modernizing your workloads. This phase typically includes the addition of full sourcing and distribution functions for your infrastructure templates or software solutions. Proactively using financial insights that span your workloads, accounts, and environments also positions you to accelerate innovation activities.

![Diagram showing example paths for adopting the best practices described in the M&G Guide.](http://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-guide/images/mglens-eight-functions.png)


# Manage and govern functions to interoperate
<a name="manage-and-govern-functions-to-interoperate"></a>

The eight management and governance functions, supported by AWS services and AWS Partner solutions, should interoperate so that the output of one function informs the others, helping you manage and govern your environments at scale. Outputs from each function are used to inform or integrate with other functions.

As an example, a report in [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) shows a spike in month-to-month EC2 usage in a development environment. Further investigation reveals that a new team has been launching `m5.16xlarge` instances but using less than two percent of the CPU capacity. AWS Cost Explorer insights show that the development environment did not require the same instance size as test or production. As an input to controls, you can define a detective AWS Config rule in the development environment to alert on unapproved `m5.16xlarge` instances. In addition, you can permit builders to self-service provision only `nano` instance types in the development environment by using template constraints in Service Catalog, or you can assign an AWS Organizations service control policy (SCP) to restrict the instance types that can be launched in that environment.
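The two controls described above, a detective AWS Config rule and a preventive SCP, as an added example in plain Python (this is not code from the M&G Guide or from AWS). It implements the evaluation logic an AWS Config custom rule Lambda would return through `PutEvaluations` and generates the SCP document that denies `ec2:RunInstances` for any instance type outside an approved list. The approved list (nano types), the rule parameter name `approvedTypes`, and the sample configuration items are constructed assumptions for this example.

```python
"""Instance-type controls for a development account (added example).

1. evaluate_instance(): the decision logic of an AWS Config custom rule that
   flags EC2 instances whose type is not on an approved list.
2. build_instance_type_scp(): the Service Control Policy that prevents
   launching any other type in the first place.
"""
import json

# Constructed approved list for the development environment (assumption).
APPROVED_DEV_INSTANCE_TYPES = ("t3.nano", "t3a.nano", "t2.nano")


def evaluate_instance(configuration_item, approved_types=APPROVED_DEV_INSTANCE_TYPES):
    """Return one AWS Config evaluation dict for a configuration item.

    The keys mirror what a custom rule passes to config:PutEvaluations.
    Non-EC2 resources are reported as NOT_APPLICABLE rather than failed.
    """
    resource_type = configuration_item.get("resourceType")
    if resource_type != "AWS::EC2::Instance":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    else:
        instance_type = configuration_item.get("configuration", {}).get("instanceType")
        if instance_type in approved_types:
            compliance = "COMPLIANT"
            note = f"{instance_type} is approved for development"
        else:
            compliance = "NON_COMPLIANT"
            note = f"{instance_type} is not approved; allowed: {', '.join(approved_types)}"
    return {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": configuration_item.get("resourceId"),
        "ComplianceType": compliance,
        "Annotation": note[:256],  # PutEvaluations limits Annotation to 256 chars
        "OrderingTimestamp": configuration_item.get("configurationItemCaptureTime"),
    }


def evaluate_config_event(event):
    """Parse the event a Config custom rule Lambda receives and evaluate it.

    'invokingEvent' and 'ruleParameters' arrive as JSON strings. The rule
    parameter 'approvedTypes' (assumed name) is a comma-separated list and
    overrides the built-in default when present.
    """
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    configured = tuple(t.strip() for t in params.get("approvedTypes", "").split(",") if t.strip())
    return evaluate_instance(invoking["configurationItem"], configured or APPROVED_DEV_INSTANCE_TYPES)


def build_instance_type_scp(approved_types=APPROVED_DEV_INSTANCE_TYPES):
    """Return an SCP denying ec2:RunInstances for any non-approved type.

    The ec2:InstanceType condition key is evaluated against the instance
    resource, so the Deny targets arn:aws:ec2:*:*:instance/*. Attach the
    policy to the development OU.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnapprovedDevInstanceTypes",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringNotEquals": {"ec2:InstanceType": list(approved_types)}},
        }],
    }


def sample_item(instance_type, resource_id):
    """Constructed configuration item in the shape AWS Config delivers."""
    return {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": resource_id,
        "configurationItemCaptureTime": "2021-11-22T00:00:00.000Z",
        "configuration": {"instanceType": instance_type},
    }


if __name__ == "__main__":
    for item in (sample_item("m5.16xlarge", "i-0constructed16xl"),
                 sample_item("t3.nano", "i-0constructednano")):
        print(json.dumps(evaluate_instance(item), indent=2))
    print(json.dumps(build_instance_type_scp(), indent=2))
```

In a real deployment the dict returned by `evaluate_config_event` is passed as the `Evaluations` list to `put_evaluations` together with the event's `resultToken`; the detective rule then surfaces the oversized instance, while the SCP stops the next launch before it happens.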

With this interoperability example, you can tune the financial operations of your IT functions to automate cost controls, which permits you to continually evaluate mechanisms that reduce your AWS costs. Although similar manual mechanisms might be effective, they are not as efficient as you scale further workloads on AWS. Throughout this M&G Guide, you will see the additive benefits of an interoperable and automated foundation of the proposed eight capabilities in your AWS environments.

 

# Manage and govern with a multi-account point of view
<a name="manage-and-govern-with-a-multi-account-point-of-view"></a>

AWS enables you to experiment, innovate, and scale more quickly, while providing flexible and secure cloud environments. An AWS account provides natural security, access, and billing boundaries for your AWS resources. Using the AWS account as a boundary helps you achieve resource isolation as described in the [Security Pillar whitepaper](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html). The Security Pillar specifically recommends the following best practices: separate workloads using accounts, secure AWS accounts, manage accounts centrally, set controls centrally, and configure services and resources centrally.

 The multi-account strategy prescriptive guidance provided in the [Organizing Your AWS Environment Using Multiple Accounts whitepaper](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html) describes specific mechanisms to organize accounts. In addition, it describes how to apply a consistent set of controls so that you can efficiently manage your cloud assets. In AWS, accounts are a hard boundary. Account-level separation is recommended for isolating production workloads from development and test workloads. For instance, sandbox environments might need a different set of controls, network, change processes, and financial limits compared to other environments. Using this strategy helps you to centrally manage resources, permissions, and security standards across environments and accounts, improving your operational efficacy. 

The M&G Guide complements the Security Pillar and the multi-account strategy to further define a set of eight foundational capabilities required to prepare your environments and operate efficiently in the AWS Cloud. You can start automating the provisioning of your accounts following this strategy with [AWS Control Tower](https://aws.amazon.com/controltower). With this service, you provision a landing zone from your home Region and deploy further accounts following your multi-account strategy.

 The [Organizing Your AWS Environment Using Multiple Accounts whitepaper](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html) recommends that you build a multi-account strategy using account boundaries to separate workloads. However, it is important to evaluate and plan your account management with automation and operational capacity in mind. That is, your accounts should employ the least privilege access, and provide boundaries to limit the effect of workload failures. Do not create more accounts than are feasible to operationally manage or scale. Furthermore, as you scale, consider reviewing your service quotas and deployment latencies when performing actions on a large number of accounts. 