Also See GCP Gov Cloud - Assured Workloads

To implement proper governance on any cloud provider you need three elements (tagging, RBAC and policies), plus optionally locking. Governance covers both cost management (tagging) and resource management (policies).

Taking Azure as our cloud, Azure provides

  1. Policies - Azure Policies ensure that resource operations can be denied or audited. Azure policies govern various aspects related to the deployment of resources. The policies will also govern updates made after the initial deployment.
  2. RBAC - ensures the right team members have permissions to access their resources.
  3. Tagging
  4. (Optional) Locks - Azure Locks ensure that resources cannot be modified or deleted accidentally.

Azure Policies - Sample Policies

Deployments to certain location

Azure resources and deployments can only be executed in certain chosen locations. It would not be possible to deploy resources in regions outside the policy. For example, if the allowed regions are West Europe and East US, it should not be possible to deploy resources in any other region.

Tags of resources and Resource Groups

Every resource in Azure, including the resource groups, will mandatorily have tags assigned to it. The tags will include details about the department, environment, creation date, and project name at minimum.

Diagnostic logs and Application Insights for all resources

Every resource deployed on Azure should have diagnostic logs and application logs enabled wherever possible.
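The "deployments to certain location" sample above, written out as an Azure Policy definition. This is an added example, not a definition from the original page; the region names come from the text, the `effect` parameter lets the same definition be assigned in audit mode first and switched to deny later, and the `notEquals: global` condition is an assumption needed so that region-less resources (DNS zones, Traffic Manager profiles and similar) are not denied.

```json
{
  "properties": {
    "displayName": "Allowed locations (West Europe, East US)",
    "description": "Deny or audit any resource deployed outside the approved regions.",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": [ "westeurope", "eastus" ]
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedLocations')]" },
          { "field": "location", "notEquals": "global" }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Mode `Indexed` evaluates only resource types that carry a location and tags, so resource groups are not covered by this definition; a second definition with mode `All` and a `type` condition on `Microsoft.Resources/subscriptions/resourceGroups` is needed to restrict their location as well.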

An example RBAC assignment (by an Azure admin) might look like:

| Role | Assigned to | Description |
|---|---|---|
| Owner | Administrator | Manages all resource groups and the subscription. |
| Security manager | Security administrators | This role allows users to look at Azure Security Center and the status of the resources. |
| Contributor | Infrastructure management | Managing virtual machines and other resources. |
| Reader | Developers | Can view resources, but cannot modify them. Developers are expected to work in their development/testing environments. |