EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securitygovernanceSCPWell-Architected

Cloud Governance, FinOps & Establishing a Security Posture Baseline

Cloud governance defines the policies and guardrails that prevent misconfiguration at scale. This article covers AWS Organizations, Service Control Policies, the Well-Architected Framework security pillar, FinOps controls, and the baseline every cloud account must reach before workloads are deployed.

Ashish Revar3 July 202622 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Tech Talk EP 07 — The Hypervisor Is Your True Security Perimeter

Audio deep-dive covering NIST SP 800-145, the SPI stack, shared responsibility, deployment models, Type-1/2 hypervisors, and Spectre/Meltdown side-channel attacks. ~30 min.

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

AWS Well-Architected Framework: Security Pillar

AWS security pillar whitepaper covering seven design principles and implementation guidance.

AWS Well-Architected Framework: Security Pillar

AWS security pillar whitepaper covering seven design principles and implementation guidance.

CIS Controls Cloud Companion Guide

CIS guidance mapping the CIS Controls to cloud environments.

CIS Controls Cloud Companion Guide

CIS guidance mapping the CIS Controls to cloud environments.

CERT-In Directions 2022 — Full Text

CERT-In 2022 cybersecurity directions applicable to cloud service customers in India.

CERT-In Directions 2022 — Full Text

CERT-In 2022 cybersecurity directions applicable to cloud service customers in India.

AWS Service Control Policies Documentation

AWS documentation on writing and applying Service Control Policies in AWS Organizations.

AWS Service Control Policies Documentation

AWS documentation on writing and applying Service Control Policies in AWS Organizations.

More articlesTest your knowledge

Why Governance Must Precede Workloads

Organisations that migrate workloads to the cloud and implement governance afterwards are already operating in a remediation posture. A misconfigured S3 bucket in production cannot be made private retroactively without risk. Governance — the set of policies, guardrails, and standards that constrain what can be deployed — must be established before the first production workload is created.

The 2019 Capital One breach exposed 106 million customer records because a misconfigured Web Application Firewall allowed a Server-Side Request Forgery (SSRF) attack to reach the Instance Metadata Service. A properly configured Service Control Policy (SCP) that blocked IMDS v1 access would have significantly limited the blast radius.

AWS Organizations and Service Control Policies

AWS Organizations is the management layer for multiple AWS accounts. An organisation has a root, Organizational Units (OUs), and member accounts. Service Control Policies (SCPs) are permission boundaries applied at the OU or account level — they restrict what IAM permissions are available, regardless of what individual IAM policies grant.

Example SCP: Deny all actions from regions outside ap-south-1 and ap-southeast-1

{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:RequestedRegion": ["ap-south-1", "ap-southeast-1"]
    }
  }
}

This SCP prevents any IAM user or role in the affected accounts from launching resources in non-approved regions — even if their IAM policy grants full admin access. SCPs are a critical control for DPDP Act 2023 compliance: Indian personal data must not be processed in regions outside India without explicit consent.

AWS Well-Architected Framework: Security Pillar

AWS WAF (not to be confused with the Web Application Firewall) defines six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimisation, and Sustainability. The Security Pillar organises cloud security across seven design principles:

Design PrincipleImplementation
Implement a strong identity foundationCentralise identity; use IAM Identity Center; eliminate root user usage
Enable traceabilityCloudTrail in all regions; Config continuous recording
Apply security at all layersVPC, Security Group, OS, application, data — all have controls
Automate security best practicesAWS Config rules, GuardDuty, Security Hub
Protect data in transit and at restTLS everywhere; KMS encryption for all storage
Keep people away from dataUse roles and automation; avoid direct data access by humans
Prepare for security eventsRunbooks, IR playbooks, game days

Security Posture Baseline

Before any workload is deployed into an AWS account, the following baseline should be in place:

ControlVerification
MFA on root accountIAM → Security recommendations
No root account access keysIAM → Security credentials
CloudTrail enabled, all regionsCloudTrail → Trails
S3 Block Public Access at account levelS3 → Block Public Access settings
GuardDuty enabled in all regionsGuardDuty → Detector status
Config enabled with all resource typesConfig → Settings
Security Hub enabledSecurity Hub → Summary
VPC default security group: deny allEC2 → Security Groups
No EC2 instances with instance profile having admin policyIAM Access Analyzer
Budget alert at 80% and 110% of expected spendBilling → Budgets

This baseline maps to CIS AWS Foundations Benchmark Level 1 — the internationally recognised minimum security standard for AWS accounts.

FinOps and Cloud Security

Financial Operations (FinOps) is often treated as a separate concern from security, but they are closely related:

  • Billing anomalies are security signals: A sudden spike in EC2 instance launches or S3 data transfer often indicates an account compromise. Enable AWS Cost Anomaly Detection with SNS alerts.
  • Untagged resources evade security policy: Governance requires that every resource carries cost centre, environment, and owner tags. Untagged resources cannot be mapped to security responsibilities.
  • Economic Denial of Sustainability (EDoS): An attacker with compromised credentials can incur massive cloud bills to cause financial harm. Budget alerts and automatic spending limits (via SCPs or AWS Service Quotas) mitigate this.

Cloud Centre of Excellence (CCoE)

Larger organisations should establish a Cloud Centre of Excellence — a cross-functional team responsible for:

CCoE FunctionResponsibility
Landing ZoneStandard account structure, network, logging baselines
Security EngineeringSCP design, guardrail automation, security tool rollout
IdentityIdP federation, access review cadence
Cost ManagementTagging standards, budget governance, reserved capacity planning
Developer EnablementSelf-service pipelines, approved service catalogue

The CCoE does not own every cloud deployment. It owns the standards and guardrails within which development teams operate autonomously.

Indian Regulatory Context

For Indian regulated entities, the governance framework must satisfy:

RegulationKey Cloud Governance Requirement
DPDP Act 2023Data localisation for personal data; Data Fiduciary accountable for processor controls
CERT-In 2022 Directions6-hour breach reporting; 180-day log retention; ICT infrastructure audit
RBI IT Framework (2021)Board-approved cloud risk policy; audit trails; third-party risk management
SEBI CSCRF 2024Classified market infrastructure; cloud providers must meet baseline security norms
MeitY Cloud Policy 2023Government data classification; empanelled provider list for sensitive workloads