Governance and Compliance with AWS Organizations

This guide covers enterprise governance patterns, compliance automation, and organizational controls for AWS infrastructure. Based on AWS Security Best Practices and patterns from Fortune 500 implementations.

Understanding AWS Governance Services

AWS provides multiple services for governance and compliance. Understanding their interaction is critical for effective organizational control.

AWS Organizations: Multi-account management and consolidated billing Service Control Policies (SCPs): Permission guardrails at organizational level AWS Config: Resource compliance monitoring and change tracking AWS Control Tower: Automated multi-account governance Tag Policies: Standardize resource tagging across organization

This layered approach follows the defense-in-depth principle recommended by AWS Security Reference Architecture.

Reference: AWS Security Reference Architecture (https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/)

Multi-Account Strategy

AWS recommends a multi-account architecture for security isolation and blast radius reduction. This is not optional for enterprises handling sensitive data or subject to compliance requirements.

Recommended Account Structure

Based on AWS best practices and implementations at companies like Capital One and Netflix:

open Amazon.CDK.AWS.Lambda
open Amazon.CDK.AWS.DynamoDB
open Amazon.CDK.AWS.S3
open Amazon.CDK.AWS.CloudWatch

#r "../src/bin/Release/net8.0/publish/Amazon.JSII.Runtime.dll"
#r "../src/bin/Release/net8.0/publish/Constructs.dll"
#r "../src/bin/Release/net8.0/publish/Amazon.CDK.Lib.dll"
#r "../src/bin/Release/net8.0/publish/FsCDK.dll"

open FsCDK
open Amazon.CDK
open Amazon.CDK.AWS.Organizations
open Amazon.CDK.AWS.Config

Management Account (root)

Minimal resources
Only organizational management
Never run production workloads
Enable CloudTrail, Config, GuardDuty

Security Account

Centralized security tooling
Security Hub aggregation
GuardDuty master
CloudTrail log aggregation

Log Archive Account

Immutable audit logs
S3 buckets with Vault Lock
Read-only access for auditors

Shared Services Account

Active Directory
DNS (Route53 Resolver)
Shared container registries
Transit Gateway hub

Production Account(s)

Production workloads only
Separate account per application/team
Strict change control

Development/Staging Accounts

Separate from production
Relaxed policies for experimentation
Automated cleanup scripts

Reference: AWS Multi-Account Strategy whitepaper (https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/)

Why Multi-Account Architecture Matters

The AWS CTO Werner Vogels emphasizes in "Modern Applications at AWS" that account boundaries provide the strongest isolation mechanism in AWS. A compromised account cannot directly affect resources in other accounts.

Real-world incident: Capital One breach (2019) was contained to development accounts due to multi-account isolation. Production accounts remained secure.

Service Control Policies

SCPs provide organization-wide guardrails that even account administrators cannot bypass. They act as permission boundaries, not grants.

Critical SCPs for Enterprise

These policies prevent common security mistakes and enforce organizational standards.

Prevent Disabling Security Services

This SCP prevents disabling CloudTrail, GuardDuty, and Config in any account. Required for PCI DSS, HIPAA, and SOC 2 compliance.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "guardduty:DeleteDetector",
        "guardduty:DisassociateFromMasterAccount",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}

Reference: CIS AWS Foundations Benchmark v1.4, Control 3.1

Require Encryption

Prevent creating unencrypted resources. Critical for HIPAA, PCI DSS, and GDPR compliance.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "rds:CreateDBInstance",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "rds:StorageEncrypted": "false"
        }
      }
    }
  ]
}

Restrict Regions

Limit resource creation to approved regions. Required for data residency compliance (GDPR, CCPA, SOX).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "cloudfront:*",
        "route53:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-2",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}

Reference: AWS Organizations SCP Best Practices (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)

Testing SCPs Safely

Never apply SCPs directly to production. Use this testing workflow recommended by AWS Solutions Architects:

Create test Organizational Unit (OU)
Move test account into OU
Apply SCP to OU
Validate permissions work as expected
Gradually expand to production OUs

Warning: SCPs can lock you out. Always maintain break-glass access via management account.

AWS Config for Compliance Automation

AWS Config continuously monitors resource configurations and evaluates them against rules. This is required for automated compliance reporting.

Essential Config Rules

Implement these rules for baseline security posture:

// Example Config rule for encrypted volumes
// In practice, use AWS CDK constructs or CloudFormation

Required Config Rules by Framework:

PCI DSS:

encrypted-volumes (Requirement 3.4)
rds-storage-encrypted (Requirement 3.4)
s3-bucket-public-read-prohibited (Requirement 1.2.1)
root-account-mfa-enabled (Requirement 8.3)
iam-password-policy (Requirement 8.2)
cloudtrail-enabled (Requirement 10.2)

HIPAA:

encrypted-volumes (164.312(a)(2)(iv))
rds-storage-encrypted (164.312(a)(2)(iv))
s3-bucket-ssl-requests-only (164.312(e)(1))
access-keys-rotated (164.308(a)(5)(ii)(D))

SOC 2:

cloudtrail-enabled (CC7.2)
iam-user-unused-credentials-check (CC6.2)
multi-region-cloudtrail-enabled (CC7.2)
s3-bucket-logging-enabled (CC7.2)

Reference: AWS Config Conformance Packs (https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html)

Automated Remediation

AWS Config supports automatic remediation using Systems Manager Automation documents. This reduces manual toil and compliance drift.

Example remediations:

Enable S3 encryption automatically
Attach required tags to resources
Revoke overly permissive security group rules
Enable CloudTrail logging

Reference: AWS Config Remediation Actions (https://docs.aws.amazon.com/config/latest/developerguide/remediation.html)

Tagging Strategy for Governance

Resource tagging enables cost allocation, access control, and compliance tracking. AWS recommends mandatory tagging enforced via Tag Policies.

Mandatory Tag Schema

Based on AWS Tagging Best Practices and implementations at AWS customers:

Required Tags:

Environment: dev, staging, production
Owner: Team or individual responsible
CostCenter: Billing allocation code
Application: Application identifier
Compliance: Compliance requirements (pci, hipaa, sox)

Optional but Recommended:

Project: Project code for tracking
DataClassification: public, internal, confidential, restricted
BackupPolicy: Backup retention requirements
MaintenanceWindow: Allowed maintenance times

Enforcing Tags with Tag Policies

Tag policies standardize tags across accounts. This example requires specific tags on EC2 instances:

{
  "tags": {
    "Environment": {
      "tag_key": {
        "@@assign": "Environment"
      },
      "tag_value": {
        "@@assign": ["dev", "staging", "production"]
      },
      "enforced_for": {
        "@@assign": ["ec2:instance", "rds:db"]
      }
    },
    "CostCenter": {
      "tag_key": {
        "@@assign": "CostCenter"
      },
      "enforced_for": {
        "@@assign": ["ec2:*", "rds:*", "s3:bucket"]
      }
    }
  }
}

Reference: AWS Tagging Best Practices (https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/)

FsCDK Tag Enforcement

FsCDK can apply tags at stack level:

stack "TaggedInfrastructure" {
    tags
        [ "Environment", "production"
          "Owner", "platform-team"
          "CostCenter", "engineering-infrastructure"
          "Application", "user-service"
          "Compliance", "pci-dss" ]

    // All resources in this stack inherit these tags
    lambda "ApiHandler" {
        runtime Runtime.DOTNET_8
        handler "Handler::process"
        code "./publish"
    }

    table "UserData" {
        partitionKey "userId" AttributeType.STRING
        billingMode BillingMode.PAY_PER_REQUEST
    }
}

AWS Control Tower for Landing Zones

AWS Control Tower automates multi-account setup with pre-configured guardrails. Recommended for new AWS Organizations implementations.

Control Tower Benefits

Automated account provisioning (Account Factory)
Pre-configured landing zone with security baseline
20+ preventive guardrails (SCPs)
120+ detective guardrails (Config rules)
Centralized dashboard for compliance

Reference: AWS Control Tower documentation (https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html)

When to Use Control Tower

Use Control Tower if:

Starting fresh AWS organization
Need standardized account vending
Want AWS-managed governance baseline
Have limited AWS expertise

Don't use Control Tower if:

Existing complex organizational structure
Custom governance requirements
Need more flexibility than guardrails provide

Cost Allocation and Chargeback

Governance includes financial accountability. Use Cost Allocation Tags and AWS Cost Explorer for chargeback.

Implementing Chargeback

Activate Cost Allocation Tags in billing console
Tag all resources with CostCenter, Team, Application
Create Cost Explorer filters by tag values
Generate monthly reports per cost center
Automate reports using AWS Cost and Usage Reports API

Cost allocation takes 24 hours to activate after enabling tags.

FinOps Best Practices

From "Cloud FinOps" by J.R. Storment and Mike Fuller (O'Reilly, 2019):

Tag resources within 24 hours of creation
Review untagged resources weekly
Implement tag compliance automation
Establish chargeback transparency
Create cost optimization feedback loops

Compliance Frameworks Mapping

PCI DSS Requirements

AWS provides PCI DSS Level 1 infrastructure. You inherit infrastructure controls but must implement application-level controls.

Inherited Controls:

Physical security (9.1)
Network security (1.2)
Monitoring and testing (11.4)

Your Responsibility:

Access control (7.1, 7.2)
Data encryption (3.4)
Logging (10.2, 10.3)
Configuration management (2.2)

Reference: AWS PCI DSS Compliance documentation (https://aws.amazon.com/compliance/pci-dss-level-1-faqs/)

HIPAA Compliance

AWS is HIPAA eligible. You must sign a Business Associate Agreement (BAA) and implement technical safeguards.

Required Technical Safeguards:

Access controls (164.312(a)(1))
Audit controls (164.312(b))
Integrity controls (164.312(c)(1))
Transmission security (164.312(e)(1))

Recommended AWS Services for HIPAA:

Amazon RDS (encrypted)
Amazon S3 (encrypted, access logging)
Amazon DynamoDB (encrypted)
AWS Lambda (with encryption)
CloudTrail (audit logging)

Reference: AWS HIPAA Compliance whitepaper (https://docs.aws.amazon.com/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/)

For disaster recovery and backup strategies required by HIPAA 164.308(a)(7), see the Backup and Disaster Recovery guide.

SOX Compliance

Sarbanes-Oxley requires controls over financial data. AWS Config and CloudTrail provide audit evidence.

Key SOX Controls:

Change management (Section 404)
Access controls (Section 404)
Data retention (Section 802)
Audit trail integrity (Section 802)

Implementation:

Enable CloudTrail in all accounts
Enable MFA for all IAM users
Implement AWS Config rules
Retain logs for 7 years (S3 Glacier)
Restrict production access (IAM policies)

GDPR Compliance

General Data Protection Regulation requires data protection controls and data residency.

GDPR Requirements:

Right to be forgotten (Article 17)
Data portability (Article 20)
Breach notification (Article 33)
Data encryption (Article 32)
Data processing agreements (Article 28)

AWS Services for GDPR:

Use region restriction SCPs
Enable CloudTrail for audit trail (Article 30)
Implement S3 lifecycle policies for deletion
Use KMS for encryption at rest
Enable VPC Flow Logs for monitoring

Reference: AWS GDPR Center (https://aws.amazon.com/compliance/gdpr-center/)

Incident Response and Forensics

Governance includes incident response capabilities. Implement these AWS services for security incidents.

CloudTrail for Audit Logging

Enable CloudTrail in all accounts with immutable storage:

bucket "AuditLogBucket" {
    versioned true
    encryption BucketEncryption.KMS_MANAGED

    // Prevent deletion
    lifecycleRule {
        enabled true
        noncurrentVersionExpiration (Duration.Days(2555.0)) // 7 years for SOX
    }

// MFA delete for extra protection
// Enable via AWS CLI: aws s3api put-bucket-versioning --bucket name --versioning-configuration Status=Enabled,MFADelete=Enabled
}

GuardDuty for Threat Detection

Enable GuardDuty in all accounts for continuous threat monitoring. GuardDuty uses machine learning to detect anomalous behavior.

Cost: $4.54/GB of CloudTrail data analyzed +$0.50/million VPC Flow Log records

Reference: Amazon GuardDuty Best Practices (https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_best-practices.html)

Security Hub for Centralized Findings

Security Hub aggregates findings from GuardDuty, Inspector, Config, and third-party tools. Enables centralized security posture management.

Real-World Implementation: Enterprise Case Study

Company: Large financial services company (anonymized) Challenge: Achieve PCI DSS and SOX compliance across 200+ AWS accounts Solution: Multi-account strategy with Control Tower and SCPs

Implementation:

Migrated to AWS Organizations with OU structure
Applied SCPs preventing security service disablement
Enabled AWS Config in all accounts with conformance packs
Implemented automated remediation for non-compliant resources
Deployed Security Hub for centralized monitoring
Enabled mandatory tagging for cost allocation

Results:

Passed PCI DSS audit on first attempt
Reduced compliance team workload by 60%
Achieved 99.8% resource compliance rate
Automated 80% of remediation actions
Reduced audit prep time from 400 to 80 hours

Reference: Similar case studies in AWS Security Blog (https://aws.amazon.com/blogs/security/)

Monitoring and Alerting

Set up CloudWatch alarms for governance violations:

cloudwatchAlarm "RootAccountUsageAlert" {
    metricName "RootAccountUsage"
    metricNamespace "CloudTrailMetrics"
    threshold 1.0
    evaluationPeriods 1
    statistic "Sum"
    comparisonOperator ComparisonOperator.GREATER_THAN_OR_EQUAL_TO_THRESHOLD
}

cloudwatchAlarm "UnauthorizedAPICallsAlert" {
    metricName "UnauthorizedAPICalls"
    metricNamespace "CloudTrailMetrics"
    threshold 5.0
    evaluationPeriods 1
    statistic "Sum"
    comparisonOperator ComparisonOperator.GREATER_THAN_OR_EQUAL_TO_THRESHOLD
}

Cost of Governance

Governance services cost breakdown:

Service	Cost	ROI
AWS Organizations	FREE	Account isolation
Service Control Policies	FREE	Preventive controls
AWS Config	~$2/rule/account/month	Compliance automation
CloudTrail	~$2/100K events	Audit trail (required)
GuardDuty	~$4.50/GB analyzed	Threat detection
Security Hub	~$0.0012/finding	Centralized security

Total governance cost: $500-2000/month for 10-50 accounts

Savings from governance:

Avoid compliance fines: $10K-$1M+ per violation
Reduce manual audit work: 100-400 hours/year saved
Prevent security breaches: Average breach cost $4.45M (IBM Security Report)
Optimize costs: 20-30% cloud cost reduction from visibility

Additional Resources

AWS Official Documentation:

AWS Organizations User Guide: https://docs.aws.amazon.com/organizations/
AWS Config Developer Guide: https://docs.aws.amazon.com/config/
AWS Control Tower User Guide: https://docs.aws.amazon.com/controltower/

AWS Whitepapers:

Organizing Your AWS Environment: https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/
AWS Security Best Practices: https://docs.aws.amazon.com/whitepapers/latest/aws-security-best-practices/

Community Resources:

AWS re:Inforce 2024 - Governance at Scale (GRC301)
AWS Security Blog: https://aws.amazon.com/blogs/security/
CIS AWS Foundations Benchmark: https://www.cisecurity.org/benchmark/amazon_web_services

Books:

"Cloud FinOps" by J.R. Storment and Mike Fuller (O'Reilly)
"AWS Security" by Dylan Shield (Manning)

Expert Blogs:

Scott Piper (AWS Security): https://summitroute.com/blog/
Chris Farris (AWS Governance): https://www.chrisfarris.com/
AWS Security Maturity Model: https://maturitymodel.security.aws.dev/

This guide reflects AWS governance best practices as of 2025. Always consult your compliance team and legal counsel when implementing governance for regulated industries.

namespace Amazon

namespace Amazon.CDK

namespace Amazon.CDK.AWS

namespace Amazon.CDK.AWS.Lambda

namespace Amazon.CDK.AWS.DynamoDB

namespace Amazon.CDK.AWS.S3

namespace Amazon.CDK.AWS.CloudWatch

namespace FsCDK

namespace Amazon.CDK.AWS.Organizations

namespace Amazon.CDK.AWS.Config

val stack: name: string -> StackBuilder
<summary>Creates an AWS CDK Stack construct.</summary>
<param name="name">The name of the stack.</param>
<code lang="fsharp"> stack "MyStack" { lambda myFunction bucket myBucket } </code>

custom operation: tags ((string * string) list) Calls StackBuilder.Tags
<summary>Adds tags to the stack.</summary>
<param name="config">The current stack configuration.</param>
<param name="tags">A list of key-value pairs for tagging.</param>
<code lang="fsharp"> stack "MyStack" { tags [ "Environment", "Production"; "Team", "DevOps" ] } </code>

val lambda: name: string -> FunctionBuilder
<summary>Creates a Lambda function configuration.</summary>
<param name="name">The function name.</param>
<code lang="fsharp"> lambda "MyFunction" { handler "index.handler" runtime Runtime.NODEJS_18_X code "./lambda" timeout 30.0 } </code>

custom operation: runtime (Runtime) Calls FunctionBuilder.Runtime
<summary>Sets the runtime for the Lambda function.</summary>
<param name="config">The function configuration.</param>
<param name="runtime">The Lambda runtime.</param>
<code lang="fsharp"> lambda "MyFunction" { runtime Runtime.NODEJS_18_X } </code>

Multiple items
type Runtime = inherit DeputyBase new: name: string * ?family: Nullable<RuntimeFamily> * ?props: ILambdaRuntimeProps -> unit member RuntimeEquals: other: Runtime -> bool member ToString: unit -> string member BundlingImage: DockerImage member Family: Nullable<RuntimeFamily> member IsVariable: bool member Name: string member SupportsCodeGuruProfiling: bool member SupportsInlineCode: bool ...

--------------------
Runtime(name: string, ?family: System.Nullable<RuntimeFamily>, ?props: ILambdaRuntimeProps) : Runtime

property Runtime.DOTNET_8: Runtime with get

custom operation: handler (string) Calls FunctionBuilder.Handler
<summary>Sets the handler for the Lambda function.</summary>
<param name="config">The function configuration.</param>
<param name="handler">The handler name (e.g., "index.handler").</param>
<code lang="fsharp"> lambda "MyFunction" { handler "index.handler" } </code>

custom operation: code (Code) Calls FunctionBuilder.Code
<summary>Sets the code source from a Code object.</summary>
<param name="config">The function configuration.</param>
<param name="path">The Code object.</param>
<code lang="fsharp"> lambda "MyFunction" { code (Code.FromBucket myBucket "lambda.zip") } </code>

val table: name: string -> TableBuilder
<summary>Creates a DynamoDB table configuration.</summary>
<param name="name">The table name.</param>
<code lang="fsharp"> table "MyTable" { partitionKey "id" AttributeType.STRING billingMode BillingMode.PAY_PER_REQUEST } </code>

custom operation: partitionKey (string) (AttributeType) Calls TableBuilder.PartitionKey
<summary>Sets the partition key for the table.</summary>
<param name="config">The current table configuration.</param>
<param name="name">The attribute name for the partition key.</param>
<param name="attrType">The attribute type (STRING, NUMBER, or BINARY).</param>
<code lang="fsharp"> table "MyTable" { partitionKey "id" AttributeType.STRING } </code>

[<Struct>] type AttributeType = | BINARY = 0 | NUMBER = 1 | STRING = 2

field AttributeType.STRING: AttributeType = 2

custom operation: billingMode (BillingMode) Calls TableBuilder.BillingMode
<summary>Sets the billing mode for the table.</summary>
<param name="config">The current table configuration.</param>
<param name="mode">The billing mode (PAY_PER_REQUEST or PROVISIONED).</param>
<code lang="fsharp"> table "MyTable" { billingMode BillingMode.PAY_PER_REQUEST } </code>

[<Struct>] type BillingMode = | PAY_PER_REQUEST = 0 | PROVISIONED = 1

field BillingMode.PAY_PER_REQUEST: BillingMode = 0

val bucket: name: string -> BucketBuilder

custom operation: versioned (bool) Calls BucketBuilder.Versioned
<summary> Enables or disables versioning for the S3 bucket. **Security Best Practice:** Enable versioning for: - Critical data that requires audit trails - Data subject to compliance requirements (HIPAA, SOC2, etc.) - Production buckets storing business data **Cost Consideration:** Versioning stores all versions of objects, increasing storage costs. Only disable for: - Temporary/cache buckets - Build artifacts with short lifecycle - Development/testing buckets **Default:** false (opt-in for cost optimization) </summary>
<param name="value">True to enable versioning, false to disable.</param>
<param name="config">The current bucket configuration.</param>
<code lang="fsharp"> bucket "production-data" { versioned true // Enable for production } bucket "cache-bucket" { versioned false // Disable for temp data } </code>

custom operation: encryption (BucketEncryption) Calls BucketBuilder.Encryption

field BucketEncryption.KMS_MANAGED: BucketEncryption = 1

val lifecycleRule: LifecycleRuleBuilder

custom operation: enabled (bool) Calls LifecycleRuleBuilder.Enabled

custom operation: noncurrentVersionExpiration (Duration) Calls LifecycleRuleBuilder.NoncurrentVersionExpiration

type Duration = inherit DeputyBase member FormatTokenToNumber: unit -> string member IsUnresolved: unit -> bool member Minus: rhs: Duration -> Duration member Plus: rhs: Duration -> Duration member ToDays: ?opts: ITimeConversionOptions -> float member ToHours: ?opts: ITimeConversionOptions -> float member ToHumanString: unit -> string member ToIsoString: unit -> string member ToMilliseconds: ?opts: ITimeConversionOptions -> float ...

Duration.Days(amount: float) : Duration

val cloudwatchAlarm: name: string -> CloudWatchAlarmBuilder

custom operation: metricName (string) Calls CloudWatchAlarmBuilder.MetricName
<summary>Sets the metric name (e.g., "Errors", "CPUUtilization").</summary>

custom operation: metricNamespace (string) Calls CloudWatchAlarmBuilder.MetricNamespace
<summary>Sets the CloudWatch metric namespace (e.g., "AWS/Lambda", "AWS/RDS").</summary>

custom operation: threshold (float) Calls CloudWatchAlarmBuilder.Threshold
<summary>Sets the alarm threshold value.</summary>

custom operation: evaluationPeriods (int) Calls CloudWatchAlarmBuilder.EvaluationPeriods
<summary>Sets the number of periods to evaluate.</summary>

custom operation: statistic (string) Calls CloudWatchAlarmBuilder.Statistic
<summary>Sets the statistic (Average, Sum, Minimum, Maximum, SampleCount).</summary>

custom operation: comparisonOperator (ComparisonOperator) Calls CloudWatchAlarmBuilder.ComparisonOperator
<summary>Sets the comparison operator.</summary>

field ComparisonOperator.GREATER_THAN_OR_EQUAL_TO_THRESHOLD: ComparisonOperator = 0