Governance at scale: Enforce permissions and compliance by using policy as code

The article discusses how to implement and enforce permissions and compliance policies at scale using a "policy as code" approach. It covers key AWS services and practices for governing access control and resource configurations across multiple AWS accounts.

Specifically, the article covers:

• Policy as code - treating policies like code in structured text files to enable automation
• Access control for AWS resources using IAM policies, attribute-based access control (ABAC), and service control policies (SCPs)
• Access control for customer applications using Amazon Verified Permissions and the Cedar policy language
• Compliance controls: proactive (scanning infrastructure templates), preventative (restricting non-compliant actions), and detective (monitoring deployed resources)
• Implementing proactive controls using AWS CloudFormation Guard, CloudFormation hooks, and CI/CD pipelines
• Implementing preventative controls using SCPs in AWS Organizations
• Implementing detective controls using AWS Config rules, conformance packs, and remediation actions
• Conclusion on automating governance processes at scale while increasing quality and transparency