Governance and SCP

Service Control Policies (SCPs) are a powerful tool used in cloud environments such as Amazon Web Services (AWS) to manage and enforce permissions across accounts. Within Moneta, SCPs help administrators define fine-grained access controls, ensuring that users and services operate within specific security guidelines.

Governance in the context of cloud platforms refers to the strategic oversight and management of cloud resources to ensure compliance, security, and efficiency across an organization's cloud infrastructure. It involves setting rules and policies that govern how cloud resources are used, who can access them, and what actions are permitted.

In the Moneta Platform, Service Control Policies (SCPs) play a key role in governance by acting as guardrails for cloud accounts. SCPs allow administrators to define policies at the organizational level in environments like AWS Organizations. These policies are used to enforce limits on what actions users or services can take across all accounts within the organization. For example, you can create SCPs that restrict certain cloud services, block regions, or enforce security best practices.

Moneta's role in governance is to provide visibility and insights into how SCPs are applied across your cloud accounts. The platform helps track these policies, ensuring they are properly enforced and that your cloud environment is compliant with organizational standards. By analyzing and reporting on SCPs, Moneta enables organizations to maintain strong cloud governance with greater transparency and control.

AWS Service Control Policies for Cost Management and Optimization 

Service Control Policies (SCPs) are a feature of AWS Organizations that provide centralized control over the maximum available permissions for all accounts in your organization. SCPs offer a powerful way to ensure compliance, security, and cost management across your entire AWS environment.

AWS SCP documentation: Service control policies (SCPs) - AWS Organizations (amazon.com) 

Format and Purpose of Service Control Policies 

SCPs are JSON policy documents that specify the maximum permissions for Organizations entities (organizational units and accounts). They do not grant any permissions themselves; a principal still needs an IAM or resource-based policy that allows the action. Instead, an SCP acts as a filter that bounds what actions the policies inside the member accounts can allow or that explicitly denies actions outright.
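Because an SCP is just a JSON document with a fixed shape, the cheapest check is a structural one before anything reaches AWS Organizations. The linter below is an added example (not Moneta's or AWS's code): it checks that the document parses, fits the 5120-character limit AWS Organizations places on an SCP, uses policy language version 2012-10-17, has a non-empty Statement list, and that each statement has a valid Effect, exactly one of Action/NotAction and Resource/NotResource, no Principal element (SCPs apply to every principal in the target), and no unconditional Deny on every action. The sample documents are constructed here; the second one reproduces a common copy/paste error where the policy's outer braces are lost.

```python
import json

MAX_SCP_CHARS = 5120  # AWS Organizations limit on the size of one SCP document


def lint_scp(document: str) -> list:
    """Return the problems found in an SCP JSON document (an empty list means it passed)."""
    problems = []
    if len(document) > MAX_SCP_CHARS:
        problems.append(f"document is {len(document)} characters; the limit is {MAX_SCP_CHARS}")
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if policy.get("Version") != "2012-10-17":
        problems.append('"Version" must be "2012-10-17"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ['"Statement" must be a non-empty list']
    for i, st in enumerate(statements):
        where = st.get("Sid") or f"statement {i}"
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f'{where}: "Effect" must be "Allow" or "Deny"')
        if ("Action" in st) == ("NotAction" in st):
            problems.append(f'{where}: exactly one of "Action" or "NotAction" is required')
        if ("Resource" in st) == ("NotResource" in st):
            problems.append(f'{where}: exactly one of "Resource" or "NotResource" is required')
        if "Principal" in st or "NotPrincipal" in st:
            problems.append(f'{where}: SCPs have no "Principal" element; they apply to every principal in the target')
        if st.get("Effect") == "Deny" and st.get("Action") in ("*", ["*"]) and "Condition" not in st:
            problems.append(f'{where}: an unconditional Deny on every action locks the whole target out')
    return problems


# Constructed samples: the page's "Restrict High-Cost Services" policy as valid JSON,
# the same text with its outer braces lost (as happens in copy/paste), and a malformed one.
GOOD = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyHighCostServices", "Effect": "Deny",
     "Action": ["sagemaker:*", "dlm:*", "rds:*"], "Resource": "*"}
  ]
}"""
BRACELESS = GOOD[1:-1]
MALFORMED = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "Oops", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Principal": {"AWS": "*"}}]})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BRACELESS", BRACELESS), ("MALFORMED", MALFORMED)):
        print(name, "->", lint_scp(doc) or "ok")
```

Run it as a pre-commit step on the directory that holds your SCP documents; anything it reports is cheaper to fix locally than after a failed `create-policy` call or, worse, after a policy that parses but denies everything has been attached.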

Benefits of Using SCPs for Cost Management 

SCPs enable administrators to enforce compliance with budgetary constraints and organizational policies, leading to more predictable and manageable expenses. 

  • Centralized Control: Implement cost-saving measures across all accounts from a single point. 
  • Prevent Overspending: Restrict access to expensive services or limit resource creation. 
  • Enforce Best Practices: Ensure that cost-optimization features are always enabled. 
  • Compliance: Meet budgetary requirements by restricting certain actions. 
  • Scalability: Easily apply policies to new accounts as your organization grows. 

SCP Strategies for Cost Management 

Implementing Service Control Policies (SCPs) for cost management involves several strategic approaches.  

  1. Restrict High-Cost Services 
  2. Enforce Resource Tagging 
  3. Limit Resource Sizes 
  4. Mandate Cost-Optimization Features 
  5. Control Regional Usage 

Restrict High-Cost Services 

Prevent the use of services that are typically expensive or not needed in your organization. By limiting access to expensive resources and services, organizations can significantly reduce unnecessary expenditures.  

Enforce Resource Tagging 

Ensure all resources are properly tagged for accurate cost allocation. Enforcing resource tagging is a powerful strategy for cost management and operational efficiency. Organizations can gain better visibility into their resource usage and associated costs.  

Limit Resource Sizes 

Restrict the creation of oversized and costly resources. Limiting resource sizes is an effective strategy for managing costs and ensuring efficient resource utilization. This approach involves defining policies that restrict the allocation of oversized resources, ensuring that only appropriately sized resources are used based on actual needs. 

Mandate Cost-Optimization Features 

Require the use of cost-saving features such as Savings Plans or Reserved Instances. Implementing this strategy not only helps maintain financial discipline but also improves overall operational efficiency.

Control Regional Usage 

Limit AWS usage to specific regions to manage data transfer costs and simplify operations. By restricting the deployment of resources to specific regions, organizations can take advantage of lower-cost regions and avoid higher-cost ones. This strategy involves setting policies that limit where resources can be provisioned, ensuring that they are only deployed in regions that align with budgetary constraints and operational requirements. 

Implementation Checklist 

  1. Start Restrictive: Begin with more restrictive policies and loosen as needed. 
  2. Test Thoroughly: Use AWS Policy Simulator to test SCPs before applying them. 
  3. Monitor and Adjust: Regularly review the impact of SCPs on costs and operations. 
  4. Combine with Other Tools

Examples of Cost-Focused SCPs 

The following JSON policy examples illustrate each strategy.

Restrict High-Cost Services 

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyHighCostServices",
                "Effect": "Deny",
                "Action": [
                    "sagemaker:*",
                    "dlm:*",
                    "rds:*"
                ],
                "Resource": "*"
            }
        ]
    }

This policy prevents the use of potentially high-cost services like SageMaker, Data Lifecycle Manager, and RDS across all accounts. 

Enforce Mandatory Tagging 

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyResourcesWithNoProjectTag",
                "Effect": "Deny",
                "Action": [
                    "ec2:RunInstances",
                    "ec2:CreateVolume"
                ],
                "Resource": "*",
                "Condition": {
                    "Null": {
                        "aws:RequestTag/Project": "true"
                    }
                }
            }
        ]
    }

This policy ensures that EC2 instances and EBS volumes are created with a "Project" tag, facilitating better cost tracking and allocation. 

Limit EC2 Instance Sizes 

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LimitEC2InstanceSize",
                "Effect": "Deny",
                "Action": "ec2:RunInstances",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "ForAnyValue:StringNotLike": {
                        "ec2:InstanceType": [
                            "t3.*",
                            "m5.*"
                        ]
                    }
                }
            }
        ]
    }

This policy restricts EC2 instance creation to only t3 and m5 families, preventing the use of more expensive instance types. 

Mandate Use of Savings Plans 

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnforceSavingsPlans",
                "Effect": "Deny",
                "Action": [
                    "ec2:RunInstances",
                    "rds:CreateDBInstance"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "aws:RequestTag/UseSavingsPlan": "false"
                    }
                }
            }
        ]
    }

This policy requires a tag indicating the use of Savings Plans when launching EC2 instances or RDS databases, encouraging cost-optimized resource usage. 
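The checklist above says to test SCPs before applying them. The evaluator below is an added example (not Moneta's or AWS's code, and not a replacement for the AWS policy simulator): it models the small part of the IAM condition language that the four policies on this page use (String(Not)Like, Bool, Null, the ForAnyValue/ForAllValues qualifiers, and the rule that a negated operator matches when its key is absent from the request) and runs all four statements against constructed requests. It assumes an organization-wide Allow (such as the default FullAWSAccess SCP) is in place, so the only question is whether a Deny statement matches. Two results are worth studying: a launch that carries no UseSavingsPlan tag at all is not denied, because Bool on an absent key does not match, and a copy of the instance-size statement widened to `ec2:*` denies even `ec2:DescribeInstances`, which is why the page's version is scoped to `ec2:RunInstances` and the instance resource.

```python
import fnmatch

# The four Deny statements from this page, combined into one SCP document.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyHighCostServices", "Effect": "Deny",
         "Action": ["sagemaker:*", "dlm:*", "rds:*"], "Resource": "*"},
        {"Sid": "DenyResourcesWithNoProjectTag", "Effect": "Deny",
         "Action": ["ec2:RunInstances", "ec2:CreateVolume"], "Resource": "*",
         "Condition": {"Null": {"aws:RequestTag/Project": "true"}}},
        {"Sid": "LimitEC2InstanceSize", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"ForAnyValue:StringNotLike": {"ec2:InstanceType": ["t3.*", "m5.*"]}}},
        {"Sid": "EnforceSavingsPlans", "Effect": "Deny",
         "Action": ["ec2:RunInstances", "rds:CreateDBInstance"], "Resource": "*",
         "Condition": {"Bool": {"aws:RequestTag/UseSavingsPlan": "false"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _like(patterns, value, fold=False):
    """IAM wildcard match ('*' and '?'); action names compare case-insensitively."""
    if fold:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_matches(condition, ctx):
    """True when every condition block holds for the request context dict."""
    for operator, pairs in condition.items():
        qualifier, _, base = operator.rpartition(":")  # e.g. ForAnyValue:StringNotLike
        negated = "Not" in base
        for key, expected in pairs.items():
            present = key in ctx
            values = [str(v) for v in _as_list(ctx.get(key, []))]
            if base == "Null":
                # "true" asserts the key is absent from the request, "false" that it is present.
                if (str(expected).lower() == "true") != (not present):
                    return False
            elif not present:
                # Absent key: negated operators match, every other operator fails.
                if not negated:
                    return False
            elif base == "Bool":
                if not any(v.lower() == str(expected).lower() for v in values):
                    return False
            elif base in ("StringLike", "StringNotLike", "ArnLike", "ArnNotLike"):
                hits = [_like(expected, v) != negated for v in values]
                if not (all(hits) if qualifier == "ForAllValues" else any(hits)):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True

def evaluate(scp, action, resource, ctx):
    """('Deny', sid) for the first matching Deny statement, else ('Allow', None)."""
    for st in scp["Statement"]:
        if (st.get("Effect") == "Deny"
                and _like(st["Action"], action, fold=True)
                and _like(st.get("Resource", "*"), resource)
                and _condition_matches(st.get("Condition", {}), ctx)):
            return "Deny", st.get("Sid")
    return "Allow", None

def run_checks():
    """Constructed requests exercising each statement, keyed by scenario."""
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/*"
    ok = {"aws:RequestTag/Project": "payments", "ec2:InstanceType": "m5.large"}
    return {
        "sagemaker": evaluate(SCP, "sagemaker:CreateNotebookInstance", "*", {}),
        "untagged_instance": evaluate(SCP, "ec2:RunInstances", inst, {"ec2:InstanceType": "t3.micro"}),
        "oversized": evaluate(SCP, "ec2:RunInstances", inst, {**ok, "ec2:InstanceType": "p3.16xlarge"}),
        "compliant": evaluate(SCP, "ec2:RunInstances", inst, {**ok, "aws:RequestTag/UseSavingsPlan": "true"}),
        "savings_plan_false": evaluate(SCP, "ec2:RunInstances", inst, {**ok, "aws:RequestTag/UseSavingsPlan": "false"}),
        # No UseSavingsPlan tag at all: Bool on an absent key does not match, so this is not denied.
        "savings_plan_untagged": evaluate(SCP, "ec2:RunInstances", inst, ok),
    }

def widened_scope_gotcha():
    """Constructed variant of LimitEC2InstanceSize with Action 'ec2:*': the negated
    operator matches every call lacking ec2:InstanceType, so even DescribeInstances is denied."""
    too_broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "TooBroad", "Effect": "Deny", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringNotLike": {"ec2:InstanceType": ["t3.*", "m5.*"]}}}]}
    return evaluate(too_broad, "ec2:DescribeInstances", "*", {})

if __name__ == "__main__":
    for name, decision in run_checks().items():
        print(f"{name:22s} -> {decision}")
    print("widened scope gotcha   ->", widened_scope_gotcha())
```

The request context is supplied by hand here; in a real authorization the keys come from the call itself (for `ec2:RunInstances`, the `aws:RequestTag/*` keys are populated from the TagSpecifications in the request and `ec2:InstanceType` from the instance being launched). Keep the scenario table next to the policy and extend it whenever a statement changes, so the policy's intended and unintended reach is visible before it is attached to an OU.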

SCPs Are a Powerful Tool

Service Control Policies are a powerful tool for implementing organization-wide cost management and optimization strategies in AWS. By carefully crafting and applying SCPs, organizations can prevent overspending, enforce cost-conscious practices, and maintain better control over their AWS environments. Regular review and refinement of these policies, in conjunction with other AWS cost management tools, will help ensure ongoing cost optimization across your entire AWS organization. 

References

Service control policies (SCPs) 

What is AWS Organizations? 

Enforce Preventive Guardrails Using Service Control Policies | Amazon Web Services