Why
Written governance rules are easily ignored. Technology guardrails prevent waste at the provisioning layer before non-compliant spend occurs — restricting unapproved instance types, enforcing approved regions, and blocking untagged deployments. They translate governance decisions into automated enforcement.
What
Implement cloud-native policies that enforce governance rules automatically: instance type restrictions, region restrictions, mandatory tagging (links to S1-02), and spending limits.
How
Translate Governance Rules into Policy Definitions
From the governance framework (S8-01), identify rules that can be automated:
| Rule | Policy Type | Provider Tool |
|---|---|---|
| Only approved instance families | Deny unapproved instance types | AWS SCP / Azure Policy / GCP Org Policy |
| Restrict to approved regions | Deny resource creation outside list | AWS SCP / Azure Policy / GCP Org Policy |
| Mandatory tags on all resources | Deny if tags missing | (covered in S1-02) |
| No public S3 buckets / storage | Deny public access configuration | AWS SCP / Azure Policy / GCP Org Policy |
| Budget alerts on all accounts | Require budget at provisioning | (covered in S2-02) |
Deploy in Audit Mode First
Roll out all policies in audit/report mode for 2 weeks before enforcing. This identifies legitimate workloads that would be blocked and allows exception handling.
AWS — SCPs with Deny Effect
Use SCPs with the Deny effect and start with a narrow action list. Run AWS Tag Policies in report-only mode first.
Azure — Azure Policy with Audit Effect
Assign Azure Policy definitions with the Audit effect, monitor the compliance blade, and promote them to Deny once compliance has stabilised.
GCP — Organisation Policy Constraints
Use Organisation Policy constraints, in dry-run mode where the constraint supports it. GCP's constraint library is narrower than AWS's or Azure's, so supplement it with CI/CD gates.
Define Exception Process
Not every guardrail applies universally. Define a lightweight exception process: request form → FinOps review → time-limited exception with expiry date. Track exceptions in a register and review quarterly.
Promote to Enforcement
After 2 weeks in audit mode with exceptions handled, promote policies from Audit → Deny. Monitor for blocked deployments in the first week and respond quickly to legitimate breakage.
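As an added example (not part of this playbook), the first two rows of the policy table expressed as a single AWS SCP, with the exception process wired in: requests made through an approved exception role are exempt from both denies. The approved instance families, the two regions and the role name FinOpsExceptionRole are assumptions, and the NotAction list of global services is a starting point that must be extended to match what your accounts actually use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedInstanceFamilies",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": ["t3.*", "t3a.*", "m6i.*", "c6i.*", "r6i.*"]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/FinOpsExceptionRole"
        }
      }
    },
    {
      "Sid": "DenyResourcesOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*", "support:*",
        "budgets:*", "ce:*", "cur:*", "pricing:*",
        "cloudfront:*", "route53:*", "health:*", "trustedadvisor:*",
        "ec2:DescribeRegions", "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/FinOpsExceptionRole"
        }
      }
    }
  ]
}
```

Both condition operators in a statement must match for the Deny to apply, so an exception-role principal passes through while everyone else is held to the approved lists. SCPs have no audit or dry-run mode, so check the conditions against recent CloudTrail RunInstances events (instance type and awsRegion fields) before attaching the policy to a production OU.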
Deliverable Checklist
- Governance rules translated into policy definitions
- Policies deployed in audit mode (all providers)
- 2-week observation period completed
- Exception process defined and published
- Policies promoted to enforcement (Deny)
- Monitoring for blocked deployments active