Skip to main content
Compliance

9 Cloud Governance Practices That Pay For Themselves

Tagging, cost allocation, policy as code, and the governance patterns that stop cloud environments from becoming ungovernable sprawl.

John Lane 2021-11-23 5 min read
9 Cloud Governance Practices That Pay For Themselves

Cloud environments decay fast. What starts as a clean subscription with five resources becomes 3,000 resources across 14 accounts with no consistent tagging, nobody sure who owns what, and a bill nobody can explain. Governance is what prevents that. It's not glamorous work, but the teams that take it seriously spend dramatically less time later on cleanup, cost overruns, and compliance findings.

Here are nine governance practices that pay for themselves, in rough order of leverage.

1. Landing Zone Architecture Before Workloads

A landing zone is the baseline structure your cloud environment runs inside — account or subscription layout, network topology, identity integration, logging, policies. Build it before you deploy workloads. Retrofitting governance onto an existing cloud environment is 3 to 5 times more work than building it in.

What a good landing zone has:

  • Multi-account / multi-subscription structure (prod, non-prod, sandbox, security, logging, shared services)
  • Centralized identity via SSO from a single directory
  • Centralized logging with forwarding rules from every account
  • Network topology that scales (hub-spoke, transit gateway)
  • Baseline policy deployed at the management group / organization level
  • Default tags enforced at account creation

Microsoft has Azure Landing Zones, AWS has Control Tower, Google has the Cloud Foundation Toolkit. Start from one of these, don't build from scratch.

2. Tagging Strategy (Enforced, Not Suggested)

Untagged resources are the root of every cloud bill problem. You cannot allocate costs, optimize waste, or clean up unused resources without knowing what each resource is for.

Minimum viable tag set:

  • Environment (prod, staging, dev)
  • CostCenter (for chargeback / showback)
  • Owner (email or team name)
  • Project (business project or product)
  • Lifecycle (permanent, temporary with end-date, auto-shutdown schedule)

How to enforce:

  • Azure Policy, AWS Config, or GCP Organization Policy deny creation of resources without required tags. Not alert. Deny.
  • CI/CD pipelines inject tags automatically where possible.
  • Monthly report of untagged resources, emailed to the team lead responsible.

3. Cost Allocation and Showback

If you can't tell a team what their cloud spend is, you cannot expect them to manage it. Showback (telling them) is the minimum. Chargeback (billing them internally) is stronger but politically harder.

What to report monthly:

  • Spend by cost center / team
  • Trend over the last 6 months
  • Top 10 most expensive resources
  • Projected spend for the rest of the month
  • Unused resources costing money (unattached disks, idle VMs, orphaned load balancers)

Tools: Azure Cost Management, AWS Cost Explorer + Cost and Usage Reports, GCP Billing Reports, or a third party like CloudHealth, Flexera, or Vantage. CloudZero and KubeCost are good for Kubernetes-heavy environments.

4. Policy as Code

Written policies that live in Word documents get ignored. Enforced policies that live in code don't.

What to enforce via policy:

  • No unencrypted storage
  • No public-facing databases
  • No resources in unapproved regions
  • No unapproved resource types (if you don't need GPUs, block GPU SKUs)
  • Required tags
  • Required audit logging
  • Minimum TLS versions
  • Required backup protection for tier-1 workloads

Azure Policy, AWS Config + SCPs, GCP Organization Policy. For multi-cloud or Kubernetes, tools like Open Policy Agent (OPA) or Kyverno provide portable policy.

5. Separation of Environments

Production workloads must not share an account or subscription with non-production workloads. The blast radius of a mistake in dev should not touch production.

The minimum structure:

  • Separate prod and non-prod accounts
  • Separate production IAM from non-production IAM
  • Production deployments require additional approvals
  • Test data in non-prod is masked or synthetic, never real customer data

6. Just-in-Time Privileged Access

Standing admin access is a liability. If your cloud admins are always admin, a compromised admin laptop is a full-environment breach. JIT access means the admin is granted elevated rights for a time window with a justification.

Tools:

  • Azure Privileged Identity Management (PIM)
  • AWS IAM Identity Center with session policies and short-lived access
  • Google Cloud Identity with Privileged Access Manager
  • Third-party: StrongDM, Teleport, Okta ASA

Every elevation is logged with the justification. Quarterly reviews audit the justifications.

7. Lifecycle Management and Orphan Cleanup

The cheapest resource is the one you deleted. The most expensive resource is the one everybody forgot about running for three years.

What to automate:

  • Unattached disks deleted after 14 days
  • Unattached public IPs deleted after 7 days
  • Stopped VMs flagged after 30 days for a decision
  • Snapshots older than retention policy deleted
  • Orphaned load balancers and NAT gateways deleted

Watch out for: Deleting something that was "stopped for a reason." Notify owners before deletion, wait for an ack.

8. Centralized Logging With Real Retention

Every account forwards logs to a centralized security/audit account. That account has stricter IAM (nobody in the production team can delete logs), immutable storage, and long retention.

Retention guidance:

  • 90 days for active SIEM / alerting
  • 1 year for general audit investigation
  • 6 years minimum for HIPAA, varies by regulation
  • 7 years for SOX-related logs

9. Regular Governance Reviews

Governance decays if nobody is checking. Monthly or quarterly reviews should examine:

  • Compliance with policies (how many violations this period)
  • Cost trends (where is spend growing, is it justified)
  • Access reviews (who has access to what, is it still needed)
  • Unused resources (what can be cleaned up)
  • New services enabled (does anyone need to approve?)

Light review meetings, clear action items, measurable over time.

What We'd Actually Do

For a new cloud environment starting today:

  1. Day 1: Pick Azure Landing Zones, AWS Control Tower, or equivalent. Deploy the baseline.
  2. Day 2: Enforced tag policy. Five tags, deny on missing.
  3. Week 1: Centralized logging to a dedicated account.
  4. Week 2: Cost reporting with email digest to team leads.
  5. Month 1: Policy as code for the top 10 compliance controls.
  6. Month 2: JIT privileged access.
  7. Quarterly: Governance review meeting.

For an environment that already exists and is a mess:

  1. Phase 1: Tag everything. This is the prerequisite for everything else.
  2. Phase 2: Move production into a dedicated account if it isn't already.
  3. Phase 3: Implement policies in audit mode first, deny mode once violations are cleaned up.
  4. Phase 4: Cleanup of orphaned resources.

Three Takeaways

  1. Landing zones before workloads. Retrofitting governance is painful and expensive.
  2. Tagging enforced at deployment time is the highest-leverage governance control. Everything downstream depends on it.
  3. Cost showback changes behavior faster than any policy. When teams see their spend, they care about their spend.

Talk with us about your infrastructure

Schedule a consultation with a solutions architect.

Schedule a Consultation
Talk to an expert →