IT AI Skill
Cloud Infrastructure Management
Manage cloud infrastructure across AWS, Azure, and GCP including resource provisioning, tagging governance, account structure, landing zones, and infrastructure automation. Use when setting up cloud accounts, implementing guardrails, managing multi-account...
Workflow
1. Cloud Account Structure
AWS MULTI-ACCOUNT STRATEGY
═══════════════════════════════════════
Organization Hierarchy:
═══════════════════════════════════════
Root Organization
├── Management Account (billing, org management)
│
├── Sandbox OU (no guardrails, for testing)
│   ├── sandbox-team-a
│   └── sandbox-team-b
│
├── Dev OU (moderate guardrails)
│   ├── dev-team-alpha
│   ├── dev-team-beta
│   └── dev-shared-services
│
├── Staging OU (strict guardrails)
│   ├── staging-app-1
│   └── staging-app-2
│
├── Production OU (strictest guardrails)
│   ├── prod-app-1
│   ├── prod-app-2
│   └── prod-shared-services
│
└── Security OU (restricted)
    ├── security-monitoring
    ├── security-response
    └── audit-logging
SERVICE CONTROL POLICIES (SCPs):
═══════════════════════════════════════
SCP Name               OU Applied      Effect   Description
───────────────────────────────────────────────────────────────────────
DenyNonTLS             All             Deny     Require TLS for S3
DenyRegion             Prod, Staging   Deny     Allow only us-east-1, eu-west-1
DenyRootUser           Prod            Deny     Deny root user API access
RestrictInstanceTypes  Dev             Deny     Block large instance types
DenyDeleteDR           Prod            Deny     Prevent DR region deletion
RequireTags            All             Deny     Deny resource creation without tags
MaxInstances           Dev             Deny     Limit EC2 instances per account
DenyPublicS3           All             Deny     Prevent public S3 buckets
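As an added example (not part of this skill's own material), the RequireTags, DenyRegion and DenyNonTLS guardrails from the table built as SCP statements, with a small evaluator that shows which statement would deny a constructed API call. The condition keys are real IAM context keys; the evaluator is a simplified model of explicit-deny matching, and the region list, tag list and action list are assumptions.

```python
from fnmatch import fnmatch

# Constructed example: the RequireTags, DenyRegion and DenyNonTLS SCPs from the table
# above, plus a simplified model of SCP explicit-deny evaluation (not the AWS engine).
ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]
REQUIRED_TAGS = ["Environment", "Team", "Application", "CostCenter", "Owner"]
TAGGED_CREATE_ACTIONS = ["ec2:RunInstances", "ec2:CreateVolume", "rds:CreateDBInstance"]

def build_scps():
    """Policy document as a dict; json.dumps(...) gives the JSON to attach to the OU."""
    statements = [
        # Keys inside one condition block are ANDed, so a single Null block listing all
        # five tags would only fire when ALL were missing: emit one statement per tag.
        *[{"Sid": f"RequireTag{t}", "Effect": "Deny", "Action": TAGGED_CREATE_ACTIONS,
           "Resource": "*", "Condition": {"Null": {f"aws:RequestTag/{t}": "true"}}}
          for t in REQUIRED_TAGS],
        # NotAction exempts global services so IAM/STS/Organizations calls keep working.
        {"Sid": "DenyRegion", "Effect": "Deny", "Resource": "*",
         "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*", "route53:*"],
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}},
        {"Sid": "DenyNonTLS", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
    return {"Version": "2012-10-17", "Statement": statements}

def _as_list(v): return v if isinstance(v, list) else [v]

def _action_applies(stmt, action):
    if "Action" in stmt:
        return any(fnmatch(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch(action, p) for p in _as_list(stmt["NotAction"]))

def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringNotEquals" and have in _as_list(want):
                return False
            if op == "Bool" and str(have).lower() != want:
                return False
            if op == "Null" and (have is None) != (want == "true"):
                return False
    return True

def denied_by(policy, action, ctx):
    """Sids of Deny statements matching the call; empty means the SCP does not block it
    (SCPs never grant access, so an IAM allow is still needed for the call to succeed)."""
    return [s["Sid"] for s in policy["Statement"] if s["Effect"] == "Deny"
            and _action_applies(s, action) and _condition_holds(s["Condition"], ctx)]
```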
2. Landing Zone Architecture
CLOUD LANDING ZONE
═══════════════════════════════════════
Foundation Services (Deployed to All Accounts):
═══════════════════════════════════════
→ IAM:
  · Central identity (SSO via Entra ID / Okta)
  · Permission sets by role
  · MFA enforcement (all users)
  · Break-glass account
→ Networking:
  · Transit Gateway (shared networking hub)
  · VPC per account (standardized CIDR)
  · VPC endpoints (private API access)
  · DNS (Route 53 Private Hosted Zones)
  · NAT Gateway per AZ (egress)
→ Security:
  · GuardDuty (threat detection)
  · Security Hub (compliance)
  · Config (resource compliance)
  · CloudTrail (management events)
  · KMS keys (customer-managed)
→ Monitoring:
  · CloudWatch (metrics, logs)
  · CloudWatch Logs → Centralized Log Account
  · X-Ray (distributed tracing)
→ Cost:
  · Cost Explorer (cost analysis)
  · Budgets (per-account budgets)
  · Tags (mandatory tagging policy)
LANDING ZONE DEPLOYMENT:
═══════════════════════════════════════
Tool: AWS Control Tower / Azure Landing Zones / Terraform
→ Automated account factory
→ Guardrail deployment (preventive + detective)
→ Central logging pipeline
→ Central monitoring
→ Network connectivity (transit hub)
Time to deploy new account: <30 minutes
3. Cloud Tagging Governance
TAGGING STRATEGY
═══════════════════════════════════════
Required Tags (Enforced via SCP):
═══════════════════════════════════════
Tag          Required   Values                   Purpose
────────────────────────────────────────────────────────────────────────
Environment  YES        production/staging/dev   Cost separation
Team         YES        eng/finance/hr/sales     Chargeback
Application  YES        <app-name>               Service mapping
CostCenter   YES        CC-XXXX                  Financial report
Owner        YES        <email>                  Accountability
Project      NO         <project-name>           Budget tracking
Compliance   NO         pci/hipaa/standard       Regulatory
Backup       NO         enabled/disabled         Backup policy
TAG COMPLIANCE:
═══════════════════════════════════════
Current compliance: 92%
Target: 100%
Enforcement:
→ SCP: Deny resource creation without required tags
→ Config Rule: Tag non-compliant resources (auto-remediate)
→ Cost report: Flag untagged resources weekly
→ Notification: Alert team owner of untagged resources
COST BY TAG:
═══════════════════════════════════════
Environment:
→ Production: 65% ($29,835)
→ Staging: 15% ($6,885)
→ Development: 18% ($8,262)
→ Untagged: 2% ($918) ← ACTION NEEDED
Team:
→ Engineering: 52% ($23,868)
→ Analytics: 20% ($9,180)
→ Finance: 8% ($3,672)
→ HR: 3% ($1,377)
→ Sales: 5% ($2,295)
→ Other: 10% ($4,590)
→ Untagged: 2% ($918)
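As an added example (not part of this skill's own material), the tag compliance check and cost-by-tag rollup described above, written the way a custom Config rule evaluation and a weekly cost report would work. The value patterns follow the required-tag table; the resource inventory, costs and ids are constructed.

```python
import re
from collections import defaultdict

# Constructed example: evaluate resources against the required-tag table above the way a
# custom Config rule would (COMPLIANT / NON_COMPLIANT plus an annotation), then roll up
# spend per tag value so untagged cost is visible. The inventory and costs are made up.
REQUIRED_TAGS = {
    "Environment": re.compile(r"^(production|staging|dev)$"),
    "Team":        re.compile(r"^(eng|finance|hr|sales)$"),
    "Application": re.compile(r"^[a-z0-9-]+$"),
    "CostCenter":  re.compile(r"^CC-\d{4}$"),
    "Owner":       re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

def evaluate(tags):
    """Return (compliance_type, annotation) for one resource's tag set."""
    problems = []
    for key, pattern in REQUIRED_TAGS.items():
        value = tags.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif not pattern.match(value):
            problems.append(f"invalid {key}={value!r}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "all required tags present and well-formed"

INVENTORY = [  # constructed: (resource id, monthly cost in USD, tags)
    ("i-0a1", 1200.0, {"Environment": "production", "Team": "eng", "Application": "checkout",
                       "CostCenter": "CC-1001", "Owner": "alice@example.com"}),
    ("db-01", 800.0, {"Environment": "production", "Team": "eng", "Application": "checkout",
                      "CostCenter": "CC-1001", "Owner": "alice@example.com"}),
    ("i-0b2", 300.0, {"Environment": "staging", "Team": "finance", "Application": "ledger",
                      "CostCenter": "CC-2002", "Owner": "bob@example.com"}),
    ("i-0c3", 450.0, {"Environment": "dev", "Team": "eng", "Application": "checkout",
                      "CostCenter": "cc-1001", "Owner": "alice@example.com"}),  # bad CostCenter
    ("vol-9", 250.0, {"Team": "eng"}),  # missing four required tags -> lands in "Untagged"
]

def compliance_report(inventory):
    """Per-resource results plus the compliance percentage reported on the dashboard."""
    results = {rid: evaluate(tags) for rid, _, tags in inventory}
    compliant = sum(1 for status, _ in results.values() if status == "COMPLIANT")
    return results, round(100.0 * compliant / len(inventory), 1)

def cost_by_tag(inventory, key):
    """Spend per value of `key` as (usd, percent); resources lacking it count as Untagged."""
    totals = defaultdict(float)
    for _, cost, tags in inventory:
        totals[tags.get(key) or "Untagged"] += cost
    grand = sum(totals.values())
    return {value: (usd, round(100.0 * usd / grand, 1)) for value, usd in totals.items()}
```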
4. Infrastructure Automation
INFRASTRUCTURE AS CODE (IaC)
═══════════════════════════════════════
Tools:
═══════════════════════════════════════
→ Terraform (primary): Multi-cloud, state management
→ CloudFormation (AWS-native): AWS-specific resources
→ Pulumi (alternative): Programming language-based
→ Ansible: Configuration management
Terraform Structure:
═══════════════════════════════════════
infrastructure/
  modules/
    vpc/         (VPC, subnets, route tables)
    eks/         (EKS cluster, node groups)
    rds/         (RDS instance, parameter group)
    s3/          (S3 bucket, policy, lifecycle)
    iam/         (Roles, policies, users)
    cloudwatch/  (Alarms, dashboards, log groups)
  environments/
    dev/
      main.tf           (module calls)
      variables.tf
      terraform.tfvars
    staging/
    production/
  state/
    dev.tfstate
    staging.tfstate
    production.tfstate
CI/CD for IaC:
═══════════════════════════════════════
1. Developer creates branch + Terraform changes
2. PR triggers:
   → terraform fmt (formatting check)
   → terraform validate (syntax check)
   → terraform plan (diff review)
   → Security scan (tfsec, checkov)
   → Cost estimate (infracost)
3. Review: Team reviews plan output
4. Merge: terraform apply (automated)
5. State: Remote state (S3 + DynamoDB lock)
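As an added example (not part of this skill's own material), a plan gate for the "terraform plan (diff review)" step of the pipeline above: it reads the JSON that `terraform show -json tfplan` produces and fails the PR when the plan would destroy or replace a stateful resource in a protected environment. The resource-type and environment lists are assumptions, and the plan excerpt is hand-written, not real Terraform output.

```python
import json

# Constructed example: gate a Terraform plan before apply. Input is the JSON from
# `terraform show -json tfplan`; each resource_changes[].change.actions entry is a list
# such as ["update"], ["delete"] or ["delete", "create"] (a replace).
STATEFUL_TYPES = {"aws_db_instance", "aws_s3_bucket", "aws_dynamodb_table", "aws_kms_key"}
PROTECTED_ENVS = {"production", "staging"}  # assumption: where destroys need a human

def destructive_changes(plan):
    """Return (address, type, actions) for every change that deletes or replaces."""
    out = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if "delete" in actions:
            out.append((rc["address"], rc["type"], actions))
    return out

def gate(plan, environment):
    """Return (ok, messages). Destroy/replace of a stateful resource fails a protected
    environment; other destructive changes are listed so reviewers still see them."""
    messages, ok = [], True
    for address, rtype, actions in destructive_changes(plan):
        kind = "replace" if "create" in actions else "destroy"
        msg = f"{kind}: {address}"
        if environment in PROTECTED_ENVS and rtype in STATEFUL_TYPES:
            ok = False
            msg += "  <- blocked (stateful resource in protected environment)"
        messages.append(msg)
    return ok, messages

# Constructed plan excerpt: an RDS replace, a security-group update, a node-group destroy.
PLAN_JSON = """{"format_version": "1.2", "resource_changes": [
 {"address": "module.rds.aws_db_instance.main", "type": "aws_db_instance",
  "change": {"actions": ["delete", "create"]}},
 {"address": "module.vpc.aws_security_group.app", "type": "aws_security_group",
  "change": {"actions": ["update"]}},
 {"address": "module.eks.aws_eks_node_group.spot", "type": "aws_eks_node_group",
  "change": {"actions": ["delete"]}}]}"""

def run(environment, plan_json=PLAN_JSON):
    """Parse the plan JSON and apply the gate for the given environment."""
    return gate(json.loads(plan_json), environment)
```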
5. Cloud Governance & Compliance
CLOUD GOVERNANCE FRAMEWORK
═══════════════════════════════════════
Detective Guardrails (Monitoring):
═══════════════════════════════════════
Guardrail              Tool           Alert On
───────────────────────────────────────────────────────────────────────
Public S3 bucket       Config Rule    Immediately
Unencrypted EBS        Config Rule    Immediately
Root user usage        CloudTrail     Immediately
Unauthorized region    Config Rule    Daily
Large instance launch  CloudWatch     Alert
Unusual API calls      GuardDuty      Immediately
Cost anomaly           Cost Anomaly   Daily
Compliance Standards:
═══════════════════════════════════════
Standard       Scope             Status         Last Audit
────────────────────────────────────────────────────────────────────
SOC 2 Type II  Production        ✓ Compliant    Q4 2024
PCI-DSS        Payment systems   ✓ Compliant    Q3 2024
HIPAA          Healthcare data   In Progress    Q1 2025
ISO 27001      Organization      ✓ Certified    Q2 2024
GDPR           EU data           ✓ Compliant    Ongoing
CLOUD POSTURE SCORE:
═══════════════════════════════════════
Security Hub Score: 92/100
Critical findings: 0
High findings: 2 (remediating)
Medium findings: 5
Low findings: 12
Edge Cases
- Multi-cloud: Consistent governance across AWS, Azure, GCP
- Sovereign clouds: China, Germany regions with specific compliance
- Air-gapped: AWS GovCloud, Azure Government
- Hybrid: On-prem + cloud with Direct Connect/ExpressRoute
- Break glass: Emergency access procedures
Integration Points
- Cloud providers: AWS, Azure, GCP
- IaC: Terraform, CloudFormation, Pulumi
- Governance: Control Tower, Azure Policy, Org Policy
- Monitoring: CloudWatch, Azure Monitor, Cloud Monitoring
- Security: GuardDuty, Microsoft Defender for Cloud, Security Command Center
- Cost: Cost Explorer, Cost Management, Billing
Output
Cloud Infrastructure Status
CLOUD INFRASTRUCTURE — Q4 2024
═══════════════════════════════════════
Accounts: 18 (3 OU, 15 workload)
Monthly spend: $45,900
Tag compliance: 92% (target: 100%)
Security posture: 92/100
Guardrails: 24 active (8 preventive, 16 detective)
Compliance: SOC 2 ✓, PCI-DSS ✓, ISO 27001 ✓
Actions:
→ Tag 92 untagged resources
→ Remediate 2 high findings
→ Begin HIPAA assessment (Q1 2025)