Migration Optimization Tips

Best Practices For Building Cloud Governance Policies

For many organizations, defining and implementing governance policies—and later automating those policies to take actions on your behalf—is the only way to scale and free up employee time for more strategic tasks. 

Once organizations have gained visibility into their cloud environment(s) and worked on optimizing their resources and time management, they can begin to build governance policies—starting with defining best practices, then implementing policies themselves (updating these policies as they are rolled out and tested by teams), and finally introducing automation when they feel comfortable. 

To help you get started, here are some things to consider about the different types of frameworks you can use when creating your governance policies.

Different ways to implement governance policies 

Governance policies can be implemented in a few different ways, each coming with advantages and disadvantages. The more proactive approach is known as In-Band, while the reactive approach is known as Out-of-Band. Here’s a brief breakdown of both: 


An in-band policy is evaluated before a user takes an action that would potentially violate best practices. The advantage of this approach is that it prevents users from taking actions that could be dangerous or expensive, while the disadvantage of this approach is that proactive barriers can potentially hamper user productivity and processes. When using an in-band approach, it’s important to frequently revisit policies that aren’t working for teams to ensure that productivity isn’t hindered for teams. 


An out-of-band policy is evaluated after a best practice violation is detected. The advantage of this approach is that it stays out of the users’ way and performs clean up after the fact. Conversely, the disadvantage is that this approach allows users to violate best practices, and if they aren’t fixed in a timely manner (you can see the risk involved here). 

In addition to in-band and out-of-band detection, there are two primary ways that companies can take action on governance policies: guidelines and guardrails. Here’s a breakdown of the two below: 


Policies that will communicate a risk boundary via an alert that informs the user of the best practice, but will not take action to prevent or correct action. 


Policies that will both communicate and take action to correct a violated best practice. 

Here’s an example to illustrate these different approaches: 


Tackling financial, operational, and security governance 

The first step of defining the best practice state will be different for every organization, but there are some common approaches that can serve as good starting places. 

Financial governance

Many organizations start with setting budgets and then tracking adherence to them. They’ll also define what’s in the realm of ‘normal’ or ‘acceptable’ for a cost increase (this can be different depending on the project, team, environment, etc.) so they can easily find spending anomalies. 

Operational governance

There are several operational governance standards that can help form the basis of an organization’s operational governance policy, the most common being the AWS Well-Architected Framework (WAF). While WAF is specific to AWS, it does contain concepts that are easily extendable to other clouds. You’ll also need to go further than what’s included in WAF and consider what your organization says is standard configuration and infrastructure.

Areas to consider include: tagging policy, standards for configuration, region, infrastructure types, OS, as well as high/low watermarks for underutilized infrastructure. 

Security and compliance governance

LIke operational governance, there are many industry-recognized standards and governing bodies that provide robust sets of security and compliance governance policies. Many organizations will start with something like the Center for Internet Security’s standards and then customize from there to meet the needs of their specific organization and industry. 

Once these governance policies have been created, it’s time to start testing. See what’s working for teams (especially your developers) and adjust these policies as needed. Once you’ve got a handle on policies that work for your organization, you can start introducing automation into the mix. 

To hear advice from industry-leading organizations who’ve successfully tackled cloud governance and automation, as well as learn example KPIs to track for success, read our whitepaper: Building a Successful Cloud Operations and Governance Practice