---
name: cloud-infrastructure-management
description: Manage cloud infrastructure across AWS, Azure, and GCP including resource provisioning, tagging governance, account structure, landing zones, and infrastructure automation. Use when setting up cloud accounts, implementing guardrails, managing multi-account strategies, or automating infrastructure deployment. Triggers on phrases like "cloud infrastructure", "AWS account", "Azure subscription", "GCP project", "landing zone", "cloud governance", "account structure", "organization policy", "service control policy", "SCP", "guardrails", "cloud setup", "multi-account", "management account", "cloud automation", "cloud onboarding".
---

# Cloud Infrastructure Management

Manage cloud infrastructure across AWS, Azure, and GCP including resource provisioning, tagging governance, account structure, landing zones, and infrastructure automation.

## Workflow

### 1. Cloud Account Structure

```
AWS MULTI-ACCOUNT STRATEGY
═══════════════════════════════════════

Organization Hierarchy:
═══════════════════════════════════════

Root Organization
├── Management Account (billing, org management)
│
├── Sandbox OU (no guardrails, for testing)
│   ├── sandbox-team-a
│   └── sandbox-team-b
│
├── Dev OU (moderate guardrails)
│   ├── dev-team-alpha
│   ├── dev-team-beta
│   └── dev-shared-services
│
├── Staging OU (strict guardrails)
│   ├── staging-app-1
│   └── staging-app-2
│
├── Production OU (strictest guardrails)
│   ├── prod-app-1
│   ├── prod-app-2
│   └── prod-shared-services
│
└── Security OU (restricted)
    ├── security-monitoring
    ├── security-response
    └── audit-logging

SERVICE CONTROL POLICIES (SCPs):
═══════════════════════════════════════

SCP Name               OU Applied     Effect    Description
───────────────────────────────────────────────────────────────────────
DenyNonTLS             All            Deny      Require TLS for S3
DenyRegion             Prod, Staging  Deny      Allow only us-east-1, eu-west-1
DenyRootUser           Prod           Deny      Deny root user API access
RestrictInstanceTypes  Dev            Deny      Block large instance types
DenyDeleteDR           Prod           Deny      Prevent DR region deletion
RequireTags            All            Deny      Deny resource creation without tags
MaxInstances           Dev            Deny      Limit EC2 instances per account
DenyPublicS3           All            Deny      Prevent public S3 buckets
```
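The SCP table above names the policies but not their JSON. The following is an added example (not part of this skill or of any AWS-published policy set) that builds the documented Deny statements for the rows that map onto IAM condition keys and evaluates a request context against the SCPs attached to an OU. Assumptions: the OU-to-SCP mapping is taken from the "OU Applied" column with Sandbox receiving nothing (as the hierarchy says), the "large instance" patterns are illustrative, and the evaluator is a simplified model of IAM condition logic (no resource ARN matching, no `...IfExists` operators). DenyDeleteDR and MaxInstances are not modelled: an SCP cannot count resources, so a per-account instance limit belongs in Service Quotas rather than a policy condition.

```python
import fnmatch
import json

ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]                         # DenyRegion row
REQUIRED_TAGS = ["Environment", "Team", "Application", "CostCenter", "Owner"]
# Global services are not region-scoped; a region-deny SCP that does not
# exclude them blocks IAM/Organizations/STS calls in every member account.
GLOBAL_SERVICES = ["iam:*", "organizations:*", "sts:*", "support:*",
                   "route53:*", "cloudfront:*"]
LARGE_TYPES = ["*.8xlarge", "*.12xlarge", "*.16xlarge", "*.24xlarge", "*.metal"]  # assumed


def build_scps():
    """SCP name -> list of Deny statements (SCPs only restrict, never grant)."""
    return {
        "DenyNonTLS": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*",
                        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
        "DenyRegion": [{"Effect": "Deny", "NotAction": GLOBAL_SERVICES, "Resource": "*",
                        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}}],
        "DenyRootUser": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                          "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}],
        "RestrictInstanceTypes": [{"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
                                   "Condition": {"StringLike": {"ec2:InstanceType": LARGE_TYPES}}}],
        # One statement per tag: keys inside one Null block are ANDed, so a single
        # statement would only deny a launch that is missing *every* required tag.
        "RequireTags": [{"Effect": "Deny", "Resource": "*",
                         "Action": ["ec2:RunInstances", "ec2:CreateVolume", "rds:CreateDBInstance"],
                         "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}}}
                        for tag in REQUIRED_TAGS],
        # Keeps account-level Block Public Access from being switched off.
        "DenyPublicS3": [{"Effect": "Deny", "Action": "s3:PutAccountPublicAccessBlock", "Resource": "*"}],
    }


OU_SCPS = {  # "OU Applied" column; the hierarchy above gives Sandbox no guardrails
    "Sandbox": [],
    "Dev": ["DenyNonTLS", "RequireTags", "DenyPublicS3", "RestrictInstanceTypes"],
    "Staging": ["DenyNonTLS", "RequireTags", "DenyPublicS3", "DenyRegion"],
    "Production": ["DenyNonTLS", "RequireTags", "DenyPublicS3", "DenyRegion", "DenyRootUser"],
}


def policy_document(name):
    """JSON for `aws organizations create-policy --type SERVICE_CONTROL_POLICY`."""
    return json.dumps({"Version": "2012-10-17", "Statement": build_scps()[name]}, indent=2)


def _context_value(ctx, key):
    """Map an IAM condition key onto the simplified request context."""
    if key == "aws:SecureTransport":
        return "true" if ctx.get("secure_transport", True) else "false"
    if key.startswith("aws:RequestTag/"):
        return ctx.get("tags", {}).get(key.split("/", 1)[1])
    return {"aws:RequestedRegion": ctx.get("region"), "aws:PrincipalArn": ctx.get("principal_arn"),
            "ec2:InstanceType": ctx.get("instance_type")}.get(key)


def _condition_matches(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            want = expected if isinstance(expected, list) else [expected]
            have = _context_value(ctx, key)
            if op == "Null":                      # "true" matches only an absent key
                ok = (have is None) == (want[0] == "true")
            elif have is None:                    # a missing key fails every other operator
                ok = False
            elif op in ("Bool", "StringEquals"):
                ok = have in want
            elif op == "StringNotEquals":
                ok = have not in want
            elif op == "StringLike":
                ok = any(fnmatch.fnmatchcase(have, pat) for pat in want)
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True


def _action_matches(stmt, action):
    key = "Action" if "Action" in stmt else "NotAction"
    pats = stmt[key] if isinstance(stmt[key], list) else [stmt[key]]
    hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in pats)
    return hit if key == "Action" else not hit


def denied_by(ctx, ou):
    """Names of the OU's SCPs whose Deny statements match the request context."""
    scps, hits = build_scps(), []
    for name in OU_SCPS[ou]:
        if any(_action_matches(s, ctx["action"]) and _condition_matches(s.get("Condition", {}), ctx)
               for s in scps[name]):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed request: a deploy role launching EC2 in an unapproved region without an Owner tag
    req = {"action": "ec2:RunInstances", "region": "ap-southeast-1", "instance_type": "m5.large",
           "principal_arn": "arn:aws:iam::111122223333:role/deploy", "secure_transport": True,
           "tags": {"Environment": "production", "Team": "eng", "Application": "app-1", "CostCenter": "CC-0042"}}
    print(denied_by(req, "Production"))          # ['RequireTags', 'DenyRegion']
    print(policy_document("DenyRegion"))
```

Two details matter in practice: the `NotAction` exclusion list on DenyRegion is what keeps IAM and Organizations usable from the management path, and `RequireTags` is emitted as one statement per tag because condition keys inside a single `Null` block are ANDed. Running the file prints the SCPs a production-OU launch would trip, and `policy_document()` gives the JSON to attach with `aws organizations create-policy`.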

### 2. Landing Zone Architecture

```
CLOUD LANDING ZONE
═══════════════════════════════════════

Foundation Services (Deployed to All Accounts):
═══════════════════════════════════════

  → IAM:
     · Central identity (SSO via Entra ID / Okta)
     · Permission sets by role
     · MFA enforcement (all users)
     · Break-glass account

  → Networking:
     · Transit Gateway (shared networking hub)
     · VPC per account (standardized CIDR)
     · VPC endpoints (private API access)
     · DNS (Route 53 Private Hosted Zones)
     · NAT Gateway per AZ (egress)

  → Security:
     · GuardDuty (threat detection)
     · Security Hub (compliance)
     · Config (resource compliance)
     · CloudTrail (management events)
     · KMS keys (customer-managed)

  → Monitoring:
     · CloudWatch (metrics, logs)
     · CloudWatch Logs → Centralized Log Account
     · X-Ray (distributed tracing)

  → Cost:
     · Cost Explorer (cost analysis)
     · Budgets (per-account budgets)
     · Tags (mandatory tagging policy)

LANDING ZONE DEPLOYMENT:
═══════════════════════════════════════

  Tool: AWS Control Tower / Azure Landing Zones / Terraform
  → Automated account factory
  → Guardrail deployment (preventive + detective)
  → Central logging pipeline
  → Central monitoring
  → Network connectivity (transit hub)

  Time to deploy new account: <30 minutes
```

### 3. Cloud Tagging Governance

```
TAGGING STRATEGY
═══════════════════════════════════════

Required Tags (Enforced via SCP):
═══════════════════════════════════════

Tag                 Required    Values                     Purpose
────────────────────────────────────────────────────────────────────────
Environment         YES         production/staging/dev     Cost separation
Team                YES         eng/finance/hr/sales       Chargeback
Application         YES         <app-name>                 Service mapping
CostCenter          YES         CC-XXXX                    Financial report
Owner               YES         <email>                    Accountability
Project             NO          <project-name>             Budget tracking
Compliance          NO          pci/hipaa/standard         Regulatory
Backup              NO          enabled/disabled           Backup policy

TAG COMPLIANCE:
═══════════════════════════════════════

  Current compliance: 92%
  Target: 100%

  Enforcement:
    → SCP: Deny resource creation without required tags
    → Config Rule: Tag non-compliant resources (auto-remediate)
    → Cost report: Flag untagged resources weekly
    → Notification: Alert team owner of untagged resources

COST BY TAG:
═══════════════════════════════════════

Environment:
  → Production: 65% ($29,835)
  → Staging: 15% ($6,885)
  → Development: 18% ($8,262)
  → Untagged: 2% ($918) ← ACTION NEEDED

Team:
  → Engineering: 52% ($23,868)
  → Analytics: 20% ($9,180)
  → Finance: 8% ($3,672)
  → HR: 3% ($1,377)
  → Sales: 5% ($2,295)
  → Other: 10% ($4,590)
  → Untagged: 2% ($918)
```
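The compliance figure and the cost-by-tag breakdown above come from checking every resource's tags against the required-tag table. As an added example (not code from this skill), the block below validates a tag map against the table's required tags and value formats, computes the compliance percentage, and aggregates spend per tag value with untagged spend reported separately. The resource inventory is constructed, and the `Application` value format is an assumption since the table only says `<app-name>`.

```python
import re
from collections import defaultdict

# Required tags and the value formats prescribed by the table above.
# The Application name format is an assumption; the table only says <app-name>.
TAG_RULES = {
    "Environment": re.compile(r"^(production|staging|dev)$"),
    "Team":        re.compile(r"^(eng|finance|hr|sales)$"),
    "Application": re.compile(r"^[a-z0-9][a-z0-9-]*$"),
    "CostCenter":  re.compile(r"^CC-\d{4}$"),
    "Owner":       re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}
OPTIONAL_TAGS = {"Project", "Compliance", "Backup"}


def tag_violations(tags):
    """(tag, problem) pairs for one resource's tag map; empty means compliant."""
    problems = []
    for name, pattern in TAG_RULES.items():
        value = tags.get(name)
        if value is None:
            problems.append((name, "missing"))
        elif not pattern.match(value):
            problems.append((name, f"invalid value {value!r}"))
    for name in tags:
        # AWS-managed tags (aws:cloudformation:stack-name etc.) are not policy violations
        if name not in TAG_RULES and name not in OPTIONAL_TAGS and not name.startswith("aws:"):
            problems.append((name, "unknown tag"))
    return problems


def compliance_report(resources):
    """resources: list of {"arn", "monthly_cost", "tags"}; returns the % figure tracked above."""
    noncompliant = {r["arn"]: v for r in resources if (v := tag_violations(r["tags"]))}
    compliant = len(resources) - len(noncompliant)
    pct = round(100.0 * compliant / len(resources), 1) if resources else 100.0
    return {"compliance_pct": pct, "noncompliant": noncompliant}


def cost_by_tag(resources, tag):
    """Spend per tag value, with untagged spend reported separately as in COST BY TAG."""
    totals = defaultdict(float)
    for r in resources:
        totals[r["tags"].get(tag, "Untagged")] += r["monthly_cost"]
    grand = sum(totals.values()) or 1.0
    return {value: {"cost": round(cost, 2), "pct": round(100.0 * cost / grand, 1)}
            for value, cost in sorted(totals.items(), key=lambda kv: -kv[1])}


# Constructed inventory for the demo (no real accounts or resources)
SAMPLE = [
    {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0a1b2c3d", "monthly_cost": 300.0,
     "tags": {"Environment": "production", "Team": "eng", "Application": "checkout",
              "CostCenter": "CC-0042", "Owner": "alice@example.com"}},
    {"arn": "arn:aws:rds:us-east-1:111122223333:db:checkout-stg", "monthly_cost": 450.0,
     "tags": {"Environment": "staging", "Team": "eng", "Application": "checkout",
              "CostCenter": "CC-0042", "Owner": "alice@example.com", "Backup": "enabled"}},
    {"arn": "arn:aws:s3:::reports-111122223333", "monthly_cost": 50.0,
     "tags": {"Environment": "prod", "Team": "eng", "Application": "reports",   # 'prod' is not a permitted value
              "CostCenter": "CC-7", "Owner": "bob@example.com"}},              # malformed cost center
    {"arn": "arn:aws:ec2:us-east-1:111122223333:volume/vol-0f00", "monthly_cost": 200.0,
     "tags": {"Team": "finance"}},                                             # mostly untagged
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE)
    print(f"Tag compliance: {report['compliance_pct']}%")
    for arn, problems in report["noncompliant"].items():
        print(f"  {arn}: {problems}")
    for tag in ("Environment", "Team"):
        print(tag, cost_by_tag(SAMPLE, tag))
```

Value-format checks catch the cases an SCP `Null` condition cannot: the SCP only proves a tag key was supplied, so `Environment=prod` or `CostCenter=CC-7` passes preventive enforcement and has to be picked up here (or by a Config rule) for the weekly report.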

### 4. Infrastructure Automation

```
INFRASTRUCTURE AS CODE (IaC)
═══════════════════════════════════════

Tools:
═══════════════════════════════════════

  → Terraform (primary): Multi-cloud, state management
  → CloudFormation (AWS-native): AWS-specific resources
  → Pulumi (alternative): Programming language-based
  → Ansible: Configuration management

Terraform Structure:
═══════════════════════════════════════

infrastructure/
  modules/
    vpc/           (VPC, subnets, route tables)
    eks/           (EKS cluster, node groups)
    rds/           (RDS instance, parameter group)
    s3/            (S3 bucket, policy, lifecycle)
    iam/           (Roles, policies, users)
    cloudwatch/    (Alarms, dashboards, log groups)
  environments/
    dev/
      main.tf      (module calls)
      variables.tf
      terraform.tfvars
    staging/
    production/
  state/
    dev.tfstate
    staging.tfstate
    production.tfstate

CI/CD for IaC:
═══════════════════════════════════════

  1. Developer creates branch + Terraform changes
  2. PR triggers:
     → terraform fmt (formatting check)
     → terraform validate (syntax check)
     → terraform plan (diff review)
     → Security scan (tfsec, checkov)
     → Cost estimate (infracost)
  3. Review: Team reviews plan output
  4. Merge: terraform apply (automated)
  5. State: Remote state (S3 + DynamoDB lock)
```
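Step 2 of the pipeline runs a security scan over the plan before review. The block below is an added example (not this skill's code, and not tfsec or checkov) of a minimal policy gate over the JSON that `terraform show -json tfplan` emits: it flags public bucket ACLs, unencrypted volumes, publicly accessible databases and admin ports open to the world in the planned `after` state, surfaces attributes that are unknown until apply, and refuses provider regions outside the allow-list used by the DenyRegion SCP. The plan document is constructed and trimmed to the fields the checks read; the check list and severities are assumptions.

```python
import json
import sys

ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}   # same allow-list as the DenyRegion SCP


def _public_acl(after):
    return after.get("acl") in ("public-read", "public-read-write", "authenticated-read")


def _unencrypted(after):
    return after.get("encrypted") is False


def _admin_port_open_to_world(after):
    for rule in after.get("ingress") or []:
        if "0.0.0.0/0" in (rule.get("cidr_blocks") or []) and rule.get("from_port") in (22, 3389):
            return True
    return False


# (resource type, predicate over the planned "after" state, severity, message)
POLICIES = [
    ("aws_s3_bucket_acl", _public_acl, "HIGH", "public bucket ACL"),
    ("aws_s3_bucket", _public_acl, "HIGH", "public bucket ACL (legacy inline acl)"),
    ("aws_ebs_volume", _unencrypted, "HIGH", "EBS volume not encrypted"),
    ("aws_db_instance", lambda a: a.get("publicly_accessible") is True, "HIGH", "RDS publicly accessible"),
    ("aws_db_instance", lambda a: a.get("storage_encrypted") is False, "MEDIUM", "RDS storage not encrypted"),
    ("aws_security_group", _admin_port_open_to_world, "HIGH", "SSH/RDP open to 0.0.0.0/0"),
]


def evaluate_plan(plan):
    """Findings for every created/updated/replaced resource in a `terraform show -json` plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] in (["delete"], ["no-op"]):
            continue                                   # nothing new is being deployed
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}   # values only known at apply time
        for rtype, check, severity, message in POLICIES:
            if rc["type"] == rtype and check(after):
                findings.append({"address": rc["address"], "severity": severity, "message": message})
        # Security attributes computed at apply time cannot be checked; surface them for review.
        for attr in ("acl", "encrypted", "publicly_accessible", "storage_encrypted"):
            if unknown.get(attr) is True:
                findings.append({"address": rc["address"], "severity": "REVIEW",
                                 "message": f"{attr} unknown until apply"})
    return findings


def provider_regions(plan):
    """Regions set as literals in provider blocks (configuration.provider_config in plan JSON)."""
    regions = set()
    for cfg in plan.get("configuration", {}).get("provider_config", {}).values():
        expr = cfg.get("expressions", {}).get("region", {})
        if "constant_value" in expr:
            regions.add(expr["constant_value"])
    return regions


def gate(plan, fail_on=("HIGH",)):
    """True when the PR may be applied: approved regions only and no blocking finding."""
    if not provider_regions(plan) <= ALLOWED_REGIONS:
        return False
    return not any(f["severity"] in fail_on for f in evaluate_plan(plan))


# Constructed plan JSON in the `terraform show -json tfplan` shape (trimmed to the fields used)
SAMPLE_PLAN = {
    "format_version": "1.2",
    "configuration": {"provider_config": {"aws": {"name": "aws",
                      "expressions": {"region": {"constant_value": "us-east-1"}}}}},
    "resource_changes": [
        {"address": "module.s3.aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
         "change": {"actions": ["create"], "after": {"bucket": "app-logs", "acl": "public-read"}}},
        {"address": "module.rds.aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["update"], "after": {"publicly_accessible": False, "storage_encrypted": False}}},
        {"address": "module.vpc.aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}},
        {"address": "module.eks.aws_ebs_volume.scratch", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "after": {"size": 100},
                    "after_unknown": {"id": True, "encrypted": True}}},
        {"address": "aws_ebs_volume.old", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"], "before": {"encrypted": False}, "after": None}},
    ],
}

if __name__ == "__main__":
    # In CI: terraform show -json tfplan | python plan_gate.py   (non-zero exit blocks the merge)
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    for f in evaluate_plan(plan):
        print(f"[{f['severity']}] {f['address']}: {f['message']}")
    sys.exit(0 if gate(plan) else 1)
```

Deletions are skipped on purpose: a resource leaving the plan cannot introduce a misconfiguration, and scanning its `before` state would block cleanup of exactly the resources this gate wants gone. The `REVIEW` class exists because an `after_unknown` value (for instance `encrypted` derived from a KMS key created in the same apply) looks compliant to a naive check only because the attribute is absent.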

### 5. Cloud Governance & Compliance

```
CLOUD GOVERNANCE FRAMEWORK
═══════════════════════════════════════

Detective Guardrails (Monitoring):
═══════════════════════════════════════

Guardrail               Tool             Alert On
───────────────────────────────────────────────────────────────────────
Public S3 bucket        Config Rule      Immediately
Unencrypted EBS         Config Rule      Immediately
Root user usage         CloudTrail       Immediately
Unauthorized region     Config Rule      Daily
Large instance launch   CloudWatch       Alert
Unusual API calls       GuardDuty        Immediately
Cost anomaly            Cost Anomaly     Daily

Compliance Standards:
═══════════════════════════════════════

Standard                Scope            Status         Last Audit
────────────────────────────────────────────────────────────────────
SOC 2 Type II           Production       ✓ Compliant    Q4 2024
PCI-DSS                 Payment systems  ✓ Compliant    Q3 2024
HIPAA                   Healthcare data  In Progress    Q1 2025
ISO 27001               Organization     ✓ Certified    Q2 2024
GDPR                    EU data          ✓ Compliant    Ongoing

CLOUD POSTURE SCORE:
═══════════════════════════════════════

  Security Hub Score: 92/100
  Critical findings: 0
  High findings: 2 (remediating)
  Medium findings: 5
  Low findings: 12
```
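Two rows of the detective guardrail table are driven by CloudTrail records: root user usage (alert immediately) and activity in an unauthorized region (daily digest). The block below is an added example (not this skill's code) that applies both checks to CloudTrail records and tags each finding with the alert class from the table. The root check follows the CIS benchmark shape (a `Root` principal, excluding events where an AWS service acted on the account's behalf via `invokedBy`); the log records are constructed with fictional account IDs and addresses.

```python
import json
from collections import Counter

ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}


def load_records(text):
    """Accept a CloudTrail log file ({"Records": [...]}), a JSON list, or one record per line."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:                       # JSON lines (one record per line)
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict):
        return doc["Records"] if "Records" in doc else [doc]
    return doc


def is_root_activity(rec):
    """CIS-style root check: Root principal, not an AWS service acting on the account's behalf."""
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


def is_unauthorized_region(rec):
    return rec.get("awsRegion") not in ALLOWED_REGIONS


def detect(records):
    """Findings tagged with the alert class from the guardrail table (immediate vs daily)."""
    findings = []
    for rec in records:
        base = {"eventName": rec.get("eventName"), "account": rec.get("recipientAccountId"),
                "sourceIP": rec.get("sourceIPAddress"), "time": rec.get("eventTime")}
        if is_root_activity(rec):
            findings.append({"guardrail": "Root user usage", "alert": "immediate", **base})
        if is_unauthorized_region(rec):
            findings.append({"guardrail": "Unauthorized region", "alert": "daily",
                             "region": rec.get("awsRegion"), **base})
    return findings


def summarize(findings):
    """Counts per (guardrail, alert class), the shape a daily digest would report."""
    return Counter((f["guardrail"], f["alert"]) for f in findings)


# Constructed CloudTrail records (fictional account IDs and addresses)
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-11-02T03:14:07Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "Root", "principalId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"}},
    {"eventVersion": "1.08", "eventTime": "2024-11-02T03:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "Root", "principalId": "111122223333", "invokedBy": "AWS Internal",
                      "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"}},
    {"eventVersion": "1.08", "eventTime": "2024-11-02T09:41:55Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.25",
     "recipientAccountId": "444455556666",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:deploy",
                      "arn": "arn:aws:sts::444455556666:assumed-role/deploy/deploy",
                      "accountId": "444455556666"}},
    {"eventVersion": "1.08", "eventTime": "2024-11-02T10:00:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "awsRegion": "eu-west-1", "sourceIPAddress": "10.0.4.12",
     "recipientAccountId": "444455556666",
     "userIdentity": {"type": "IAMUser", "userName": "ci-bot", "accountId": "444455556666"}},
]})

if __name__ == "__main__":
    found = detect(load_records(SAMPLE_LOG))
    for f in found:
        print(f"[{f['alert']}] {f['guardrail']}: {f['eventName']} from {f['sourceIP']} "
              f"in account {f['account']}")
    print(summarize(found))
```

The second sample record shows why the `invokedBy` exclusion matters: AWS itself generates root-principal events when it acts on an account's behalf, and alerting on those immediately would page the on-call for routine service activity. The out-of-region check is a detective complement to the DenyRegion SCP and is what catches activity in OUs where that SCP is not attached.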

## Edge Cases

- **Multi-cloud**: Consistent governance across AWS, Azure, GCP
- **Sovereign clouds**: China, Germany regions with specific compliance
- **Air-gapped**: AWS GovCloud, Azure Government
- **Hybrid**: On-prem + cloud with Direct Connect/ExpressRoute
- **Break glass**: Emergency access procedures

## Integration Points

- **Cloud providers**: AWS, Azure, GCP
- **IaC**: Terraform, CloudFormation, Pulumi
- **Governance**: Control Tower, Azure Policy, Organization Policy
- **Monitoring**: CloudWatch, Azure Monitor, Cloud Monitoring
- **Security**: GuardDuty, Microsoft Defender for Cloud, Security Command Center
- **Cost**: Cost Explorer, Microsoft Cost Management, Cloud Billing

## Output

### Cloud Infrastructure Status

```
CLOUD INFRASTRUCTURE — Q4 2024
═══════════════════════════════════════

Accounts: 18 (3 OU, 15 workload)
Monthly spend: $45,900
Tag compliance: 92% (target: 100%)
Security posture: 92/100
Guardrails: 24 active (8 preventive, 16 detective)
Compliance: SOC 2 ✓, PCI-DSS ✓, ISO 27001 ✓

Actions:
  → Tag 92 untagged resources
  → Remediate 2 high findings
  → Begin HIPAA assessment (Q1 2025)
```
