ADR 006: Automated Policy Enforcement

Status: Proposed | Date: 2025-07-29

Context

Cloud infrastructure requires automated policy enforcement to prevent misconfigurations, ensure compliance, and provide secure network access patterns. Manual checking cannot scale effectively across multiple accounts and services.

Decision

Implement comprehensive automated policy enforcement using AWS native services for governance, network security, and access control.

Governance Foundation

  • AWS Control Tower: Account factory, guardrails, and compliance monitoring across organisation
  • Service Control Policies: Preventive controls blocking non-compliant resource creation
  • AWS Config Rules: Detective controls for compliance monitoring and drift detection

Network Security & Access

  • Transit Gateway: Central hub for inter-VPC and cross-account connectivity, with resource exposure across attachments governed by security groups rather than by routing alone
  • Security Group References: Use security group IDs instead of hardcoded IP addresses for dynamic, maintainable access policies
  • Shield Advanced: DDoS protection for public-facing resources (Shield Advanced does not perform intrusion detection; traffic visibility comes from VPC Flow Logs)
  • VPC Flow Logs: Ingress and egress flow metadata (source and destination address, port, protocol, packet and byte counts, accept/reject action) per ENI, subnet or VPC, analysed per the WA SOC Cyber Network Management Guideline; flow logs carry no payload, so they support egress analysis and anomaly detection but not content inspection

Note: This approach creates a dependency on AWS for traffic and network protection. Open-source equivalents include Security Onion for network security monitoring and OPNsense or pfSense for firewalling and intrusion detection.

Core Policy Areas

  • Encryption: Mandatory encryption for all data stores and communications
  • Access Control: IAM least-privilege access and security group-based resource access
  • Resource Tagging: Governance and cost allocation requirements
  • Data Sovereignty: Geographic restrictions for jurisdiction compliance
  • Network Segmentation: Security group-based micro-segmentation over IP-based rules

Consequences

Benefits:

  • Proactive prevention of security misconfigurations through Control Tower guardrails
  • Flow-level visibility of egress (and ingress) traffic via VPC Flow Logs
  • Dynamic, maintainable access policies using security group references
  • Centralised network access management via Transit Gateway
  • Automated compliance with jurisdiction requirements
  • DDoS protection for critical public resources

Risks:

  • Dependency on AWS native services for policy enforcement
  • Complexity in multi-account Transit Gateway routing
  • Cost and storage volume from comprehensive logging (VPC Flow Logs are collected outside the data path and do not add latency, but ingestion, retention and querying at scale are not free)

Mitigation:

  • Implement policy validation in CI/CD pipelines following ADR 010: Infrastructure as Code
  • Use security group references over hardcoded IPs for maintainable policies
  • Monitor VPC Flow Logs for egress traffic analysis and anomaly detection
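
As an added example (not code from the ADR or its repository), the following Python script shows how the Data Sovereignty, Encryption and Resource Tagging policy areas above can be expressed as Service Control Policy Deny statements and unit-tested offline in a CI/CD pipeline, as the mitigation section proposes, before the SCP is attached in AWS Organizations. The policy document, the approved-region list, the `CostCentre` tag key and the sample requests are assumptions for illustration. The evaluator implements only a subset of IAM condition semantics and is a pre-flight check for obvious mistakes (such as forgetting to exempt global services from a region deny), not a replacement for testing the SCP on a sandbox OU.

```python
"""Offline check of SCP Deny statements (added example, not the ADR's code).

Deliberate subset of IAM semantics: Deny statements only; Action/NotAction and
Resource/NotResource wildcards; StringEquals, StringNotEquals, Bool and Null
operators; no policy variables, no ...IfExists operators.
"""
from fnmatch import fnmatchcase

# Hypothetical SCP. The region allow-list assumes an Australian jurisdiction
# and the CostCentre tag key is an assumed organisational convention.
EXAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            # Global services carry no region of their own; without this
            # exemption the statement blocks IAM, STS and Organizations calls.
            "NotAction": ["iam:*", "sts:*", "organizations:*",
                          "cloudfront:*", "route53:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:RequestedRegion": ["ap-southeast-2", "ap-southeast-4"]}},
        },
        {
            "Sid": "DenyUnencryptedEbsVolumes",
            "Effect": "Deny",
            "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        },
        {
            "Sid": "DenyUntaggedInstances",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            # Null: "true" means "the tag key is absent from the request".
            "Condition": {"Null": {"aws:RequestTag/CostCentre": "true"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value, fold_case):
    """IAM-style wildcard match; actions are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _element_matches(stmt, positive, negative, value, fold_case):
    if positive in stmt:
        return _matches_any(stmt[positive], value, fold_case)
    return not _matches_any(stmt[negative], value, fold_case)


def _condition_matches(condition, context):
    """All operator/key pairs must hold (AND); values under one key are OR."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "Null":
                if (actual is None) != (expected[0].lower() == "true"):
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent (IAM behaviour).
                if actual is not None and str(actual) in expected:
                    return False
            elif operator == "StringEquals":
                if actual is None or str(actual) not in expected:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() not in [e.lower() for e in expected]:
                    return False
            else:
                raise NotImplementedError(f"operator not modelled: {operator}")
    return True


def denied_by(policy, action, resource, context):
    """Sids of Deny statements matching the request; empty means not blocked.

    Not blocked is not allowed: an SCP only bounds what IAM policies may grant.
    """
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _element_matches(stmt, "Action", "NotAction", action, True):
            continue
        if not _element_matches(stmt, "Resource", "NotResource", resource, False):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            sids.append(stmt.get("Sid", "<unnamed>"))
    return sids


# Constructed requests standing in for what a pipeline would derive from a plan.
SAMPLE_REQUESTS = {
    "unencrypted-volume-in-region": (
        "ec2:CreateVolume", "arn:aws:ec2:ap-southeast-2:123456789012:volume/*",
        {"aws:RequestedRegion": "ap-southeast-2", "ec2:Encrypted": "false"}),
    "bucket-outside-jurisdiction": (
        "s3:CreateBucket", "arn:aws:s3:::example-data",
        {"aws:RequestedRegion": "us-east-1"}),
    "iam-role-global-service": (
        "iam:CreateRole", "arn:aws:iam::123456789012:role/app",
        {"aws:RequestedRegion": "us-east-1"}),
    "tagged-instance": (
        "ec2:RunInstances", "arn:aws:ec2:ap-southeast-2:123456789012:instance/*",
        {"aws:RequestedRegion": "ap-southeast-2", "aws:RequestTag/CostCentre": "SEC-01"}),
    "untagged-instance": (
        "ec2:RunInstances", "arn:aws:ec2:ap-southeast-2:123456789012:instance/*",
        {"aws:RequestedRegion": "ap-southeast-2"}),
}


def check_all(policy=EXAMPLE_SCP, requests=SAMPLE_REQUESTS):
    """Map each request name to the Deny Sids that hit it."""
    return {name: denied_by(policy, *req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, sids in check_all().items():
        print(f"{name:32} {'BLOCKED by ' + ', '.join(sids) if sids else 'not blocked'}")
```

Run directly, the script prints which Deny statement blocks each sample request; in a pipeline the same `denied_by` calls become assertions that fail the build when an expected deny stops firing or an unexpected one appears (the IAM role case is the one that catches a missing global-service exemption). Because SCPs never grant access, a request reported as not blocked still needs an IAM policy that allows it.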