Shared posts
Juez estadounidense ordena frenar tácticas de agentes de inmigración hacia manifestantes de Minnesota [ENG]
Más de 100 muertos por lluvias torrenciales e inundaciones en el sur de África
El cheque con el que el Sha de Persia financió la transición española
"Lo dejaron tirado": el duro relato de Paca Sauquillo sobre la muerte de su hijo, que cambió la ley
¿Es posible un mundo sin guerra ni esclavitud?
💥 Aprende Filosofía como nunca antes👉🏽 https://amzn.to/3XTb9a2
🔴 DALE A LIKE🙏
⭐️ Descubre los vídeos de mi Curso de Filosofía 👉🏽 https://www.youtube.com/watch?v=33PYT1aIQxI&list=PLilfcYrZp3-IsNzmi5z-p4p6XMWckfYQC&index=1
🤓 Y si te mola la Filosofía y quieres APRENDER MÁS de un modo sencillo, ameno y accesible, consigue MI LIBRO: "¿Hay filosofía en tu nevera?". ¡TE ENCANTARÁ!
¡Hola, filoadictos! Soy Enric, tu profesor de filosofía en Youtube, y esto es Adictos a la Filosofía, el canal en el que amamos a Platón, Aristóteles y todos los grandes filósofos. YouTube video descriptions are probably the last thing video creators want to concentrate on when uploading their content to YouTube. However, by spending time on your YouTube description you can help YouTube understand what your content is about as well as give potential viewers more context about what they are watching today and well as everything about your channel.
🕘 ÍNDICE:
😱 Y si estás leyendo ESTO, es que perteneces al 0.5% de la gente que se lee las descripciones HASTA EL FINAL! 👏 Déjame un comentario con un emoji de león 🦁 para hacérmelo saber; si veo muchos, ¡me alegrarás el día! 😄
📚 FUENTES principales:
(¡Enlaces en el comentario fijado!)
❤️ PATREONS y MIEMBROS (¡mil gracias!)
Bruce, Elias Aram, Fabrizio Barone, David Castro, Magdalena Villena, Will Luzader, Fabiola L., Juan Diego Sánchez, José Luis Garrido, Juan Ignacio Cantarero, Matías Ochoa, MrNetaar, Andrés E. Castaño, Ana Alvarez, Rodrigo Banegas, Tojo labal, Alfredo Sánchez
Si disfrutas de mi contenido y quieres ayudarme a seguir haciéndolo 👇🏾
😍 Apóyame en PATREON 👉 https://www.patreon.com/filoadictos
😎 Conviértete en MIEMBRO del canal 👉
https://www.youtube.com/channel/UCBgi-68fpmF6yIEDOqd4kPw/join
🙃 Dame argo por PAYPAL 👉 https://paypal.me/filoadictos
CRÉDITOS
Edición ►
💬 Contacto: adictosalafilosofia@gmail.com
👇🏾 ¡Mira el comentario destacado! 👇🏾
Soto Ivars: ESTE es el PARTIDO al que VOY A VOTAR en las SIGUIENTES ELECCIONES
Si nadie te representa, sientes que el sistema es invulnerable, o simplemente
quieres ahorrarte algunos sueldos de diputados. Escaños en Blanco es una magnífica opción.
Su canal de ytb: https://www.youtube.com/@UCPVPYiWHPtFbqIvSIi_yRHA
Dormir poco no es normal
👉 Mira la entrevista completa en el video recomendado
#oriolroda #genteinteresante #salud #bienestar #podcast
Se acabó el amor entre los turistas y Barcelona.


Y es que este fenómeno de movimiento hacia localidades más pequeñas hace que los cambios que ha sufrido la gran ciudad -como la disminución de su identidad propia- también lleguen a estos lugares. “Se mudan a Mataró, Girona, Sitges, etc, esperando paella, flamenco y una ciudad más ‘española’. Sin embargo, se encuentran con cafés donde todo el mundo habla su mismo idioma, comen el mismo brunch que en Londres y pagan con Revolut. Se desilusionan”, afirma el arquitecto. @lavanguardia

Ver post completo: Se acabó el amor entre los turistas y Barcelona.
Un youtuber estadounidense ha pasado cinco años recreando la ciudad de Nueva York en Minecraft, a escala 1:1, junto a un equipo de constructores.

Calles, rascacielos y barrios replicados bloque a bloque. Todo el proyecto ha sido documentado en su canal de YouTube.

Enviado por Andoni.
Ver post completo: Un youtuber estadounidense ha pasado cinco años recreando la ciudad de Nueva York en Minecraft, a escala 1:1, junto a un equipo de constructores.
La IA es un perfecto generador de material para nuestras pesadillas.

Los que le tienen miedo a los parques acuáticos creo que deben de imaginarse que les pasará algo así. @ThePoor_Bunny
Y hablando de material para pesadillas…

Ver post completo: La IA es un perfecto generador de material para nuestras pesadillas.
Anna Gosudareva intentando el cuádruple salto mortal. Un movimiento tan peligroso que ni siquiera los mejores trapecistas del mundo lo intentan.

Se cae 2 veces. A la tercera hace historia.
Ver post completo: Anna Gosudareva intentando el cuádruple salto mortal. Un movimiento tan peligroso que ni siquiera los mejores trapecistas del mundo lo intentan.
Implementing data governance on AWS: Automation, tagging, and lifecycle strategy – Part 2
In Part 1, we explored the foundational strategy, including data classification frameworks and tagging approaches. In this post, we examine the technical implementation approach and key architectural patterns for building a governance framework.
We explore governance controls across four implementation areas, building from foundational monitoring to advanced automation. Each area builds on the previous one, so you can implement incrementally and validate as you go:
- Monitoring foundation: Begin by establishing your monitoring baseline. Set up AWS Config rules to track tag compliance across your resources, then configure Amazon CloudWatch dashboards to provide real-time visibility into your governance posture. By using this foundation, you can understand your current state before implementing enforcement controls.
- Preventive controls: Build proactive enforcement by deploying AWS Lambda functions that validate tags at resource creation time. Implement Amazon EventBridge rules to trigger real-time enforcement actions and configure service control policies (SCPs) to establish organization-wide guardrails that prevent non-compliant resource deployment.
- Automated remediation: Reduce manual intervention by setting up AWS Systems Manager Automation Documents that respond to compliance violations. Configure automated responses that correct common issues like missing tags or improper encryption and implement classification-based security controls that automatically apply appropriate protections based on data sensitivity.
- Advanced features: Extend your governance framework with sophisticated capabilities. Deploy data sovereignty controls to help ensure regulatory compliance across AWS Regions, implement intelligent lifecycle management to optimize costs while maintaining compliance, and establish comprehensive monitoring and reporting systems that provide stakeholders with clear visibility into your governance effectiveness.
Prerequisites
Before beginning implementation, ensure you have AWS Command Line Interface (AWS CLI) installed and configured with appropriate credentials for your target accounts. Set AWS Identity and Access Managment (IAM) permissions so that you can create roles, Lambda functions, and AWS Config rules. Finally, basic familiarity with AWS CloudFormation or Terraform will be helpful, because we’ll use CloudFormation throughout our examples.
Tag governance controls
Implementing tag governance requires multiple layers of controls working together across AWS services. These controls range from preventive measures that validate resources at creation to detective controls that monitor existing resources. This section describes each control type, starting with preventive controls that act as first line of defense.
Preventive controls
Preventive controls help ensure resources are properly tagged at creation time. By implementing Lambda functions triggered by AWS CloudTrail events, you can validate tags before resources are created, preventing non-compliant resources from being deployed:
# AWS Lambda function for preventive tag enforcement def enforce_resource_tags(event, context):
required_tags = ['DataClassification', 'DataOwner', 'Environment']
# Extract resource details from the event
resource_tags =
event['detail']['requestParameters'].get('Tags', {})
# Validate required tags are present
missing_tags = [tag for tag in required_tags if tag not in resource_tags]
if missing_tags:
# Send alert to security team
# Log non-compliance for compliance reporting
raise Exception(f"Missing required tags: {missing_tags}")
return {‘status’: ‘compliant’}
For complete, production-ready implementation, see Implementing Tag Policies with AWS Organizations and EventBridge event patterns for resource monitoring.
Organization-wide policy enforcement
AWS Organizations tag policies provide a foundation for consistent tagging across your organization. These policies define standard tag formats and values, helping to ensure consistency across accounts:
{
"tags": {
"DataClassification": {
"tag_key": {
"@@assign": "DataClassification"
},
"tag_value": {
"@@assign": ["L1", "L2", "L3"]
},
"enforced_for": {
"@@assign": [
"s3:bucket",
"ec2:instance",
"rds:db",
"dynamodb:table"
]
}
}
}
}
Detailed implementation guidance: Getting started with tag policies & Best practices for using tag policies
Tag-based access control
Tag-based access control gives you detailed permissions using attribute-based access control (ABAC). By using this approach, you can define permissions based on resource attributes rather than creating individual IAM policies for each use case:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/DataClassification": "L1",
"aws:ResourceTag/Environment": "Prod"
}
}
}
]
}
Multi-account governance strategy
While implementing tag governance within a single account is straightforward, most organizations operate in a multi-account environment. Implementing consistent governance across your organization requires additional controls:
# This SCP prevents creation of resources without required tags
OrganizationControls:
SCPPolicy:
Type: AWS::Organizations::Policy
Properties:
Content:
Version: "2012-10-17"
Statement:
- Sid: EnforceTaggingOnResources
Effect: Deny
Action:
- "ec2:RunInstances"
- "rds:CreateDBInstance"
- "s3:CreateBucket"
Resource: "*"
Condition:
'Null':
'aws:RequestTag/DataClassification': true
'aws:RequestTag/Environment': true
For more information, see implementation guidance for SCPs.
Integration with on-premises governance frameworks
Many organizations maintain existing governance frameworks for their on-premises infrastructure. Extending these frameworks to AWS requires careful integration and applicability analysis. The following example shows how to use AWS Service Catalog to create a portfolio of AWS resources that align with your on-premises governance standards.
# AWS Service Catalog portfolio for on-premises aligned resources
ServiceCatalogIntegration:
Portfolio:
Type: AWS::ServiceCatalog::Portfolio
Properties:
DisplayName: Enterprise-Aligned Resources
Description: Resources that comply with existing governance framework
ProviderName: Enterprise IT
# Product that maintains on-prem naming conventions and controls
CompliantProduct:
Type: AWS::ServiceCatalog::CloudFormationProduct
Properties:
Name: Compliant-Resource-Bundle
Owner: Enterprise Architecture
Tags:
- Key: OnPremMapping
Value: "EntArchFramework-v2"
Automating security controls based on classification
After data is classified, use these classifications to automate security controls and use AWS Config to track and validate that resources are properly tagged through defined rules that assess your AWS resource configurations, including a built-in required-tags rule. For non-compliant resources, you can use Systems Manager to automate the remediation process.
With proper tagging in place, you can implement automated security controls using EventBridge and Lambda. By using this combination, you can create a cost-effective and scalable infrastructure for enforcing security policies based on data classification. For example, when a resource is tagged as high impact, you can use EventBridge to trigger a Lambda function to enable required security measures.
def apply_security_controls(event, context):
resource_type = event['detail']['resourceType']
tags = event['detail']['tags']
if tags['DataClassification'] == 'L1':
# Apply Level 1 security controls
enable_encryption(resource_type)
apply_strict_access_controls(resource_type)
enable_detailed_logging(resource_type)
elif tags['DataClassification'] == 'L2':
# Apply Level 2 security controls
enable_standard_encryption(resource_type)
apply_basic_access_controls(resource_type)
This example automation applies security controls consistently, reducing human error and maintaining compliance. Code-based controls ensure policies match your data classification.
Implementation resources:
- Remediating Noncompliant Resources with AWS Config
- AWS Systems Manager – Creating your own runbooks
- AWS Encryption SDK Developer Guide
- Lambda error handling patterns
- EventBridge event patterns
Data sovereignty and residency
Data sovereignty and residency requirements help you comply with regulations like GDPR. Such controls can be implemented to restrict data storage and processing to specific AWS Regions:
# Config rule for region restrictions
AWSConfig:
ConfigRule:
Type: AWS::Config::ConfigRule
Properties:
ConfigRuleName: s3-bucket-region-check
Description: Checks if S3 buckets are in allowed regions
Source:
Owner: AWS
SourceIdentifier: S3_BUCKET_REGION
InputParameters:
allowedRegions:
- eu-west-1
- eu-central-1
Note: This example uses eu-west-1 and eu-central-1 because these Regions are commonly used for GDPR compliance, providing data residency within the European Union. Adjust these Regions based on your specific regulatory requirements and business needs. For more information, see Meeting data residency requirements on AWS and Controls that enhance data residence protection.
Disaster recovery integration with governance controls
While organizations often focus on system availability and data recovery, maintaining governance controls during disaster recovery (DR) scenarios is important for compliance and security. To implement effective governance in your DR strategy, start by using AWS Config rules to check that DR resources maintain the same governance standards as your primary environment:
AWSConfig:
ConfigRule:
Type: AWS::Config::ConfigRule
Properties:
ConfigRuleName: dr-governance-check
Description: Ensures DR resources maintain governance controls
Source:
Owner: AWS
SourceIdentifier: REQUIRED_TAGS
Scope:
ComplianceResourceTypes:
- "AWS::S3::Bucket"
- "AWS::RDS::DBInstance"
- "AWS::DynamoDB::Table"
InputParameters:
tag1Key: "DataClassification"
tag1Value: "L1,L2,L3"
tag2Key: "Environment"
tag2Value: "DR"
For your most critical data (classified as Level 1 in part 1 of this post), implement cross-Region replication while maintaining strict governance controls. This helps ensure that sensitive data remains protected even during failover scenarios:
Cross-Region:
ReplicationRule:
Type: AWS::S3::Bucket
Properties:
ReplicationConfiguration:
Role: !GetAtt ReplicationRole.Arn
Rules:
- Status: Enabled
TagFilters:
- Key: "DataClassification"
Value: "L1"
Destination:
Bucket: !Sub "arn:aws:s3:::${DRBucket}"
EncryptionConfiguration:
ReplicaKmsKeyID: !Ref DRKMSKey
Automated compliance monitoring
By combining AWS Config for resource compliance, CloudWatch for metrics and alerting, and Amazon Macie for sensitive data discovery, you can create a robust compliance monitoring framework that automatically detects and responds to compliance issues:
Figure 1: Compliance monitoring architecture
This architecture (shown in Figure 1) demonstrates how AWS services work together to provide compliance monitoring:
- AWS Config, CloudTrail, and Macie monitor AWS resources
- CloudWatch aggregates monitoring data
- Alerts and dashboards provide real-time visibility
The following CloudFormation template implements these controls:
Resources:
EncryptionRule:
Type: AWS::Config::ConfigRule
Properties:
ConfigRuleName: s3-bucket-encryption-enabled
Source:
Owner: AWS
SourceIdentifier:
S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
MacieJob:
Type: AWS::Macie::ClassificationJob
Properties:
JobType: ONE_TIME
S3JobDefinition:
BucketDefinitions:
- AccountId: !Ref AWS::AccountId
Buckets:
- !Ref DataBucket
ScoreFilter:
Minimum: 75
SecurityAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmName: UnauthorizedAccessAttempts
MetricName: UnauthorizedAPICount
Namespace: SecurityMetrics
Statistic: Sum
Period: 300
EvaluationPeriods: 1
Threshold: 3
AlarmActions:
- !Ref SecurityNotificationTopic
ComparisonOperator: GreaterThanThreshold
These controls provide real-time visibility into your security posture, automate responses to potential security events, and use Macie for sensitive data discovery and classification. For a complete monitoring setup, review List of AWS Config Managed Rules and Using Amazon CloudWatch dashboards.
Using AWS data lakes for governance
Modern data governance strategies often use data lakes to provide centralized control and visibility. AWS provides a comprehensive solution through the Modern Data Architecture Accelerator (MDAA), which you can use to help you rapidly deploy and manage data platform architectures with built-in security and governance controls. Figure 2 shows an MDAA reference architecture.
Figure 2: MDAA reference architecture
For detailed implementation guidance and source code, see Accelerate the Deployment of Secure and Compliant Modern Data Architectures for Advanced Analytics and AI.
Access patterns and data discovery
Understanding and managing access patterns is important for effective governance. Use CloudTrail and Amazon Athena to analyze access patterns:
SELECT
useridentity.arn,
eventname,
requestparameters.bucketname,
requestparameters.key,
COUNT(*) as access_count
FROM cloudtrail_logs
WHERE eventname IN ('GetObject', 'PutObject')
GROUP BY 1, 2, 3, 4
ORDER BY access_count DESC
LIMIT 100;
This query helps identify frequently accessed data and unusual patterns in access behavior. These insights help you to:
- Optimize storage tiers based on access frequency
- Refine DR strategies for frequently accessed data
- Identify of potential security risks through unusual access patterns
- Fine-tune data lifecycle policies based on usage patterns
For sensitive data discovery, consider integrating Macie to automatically identify and protect PII across your data estate.
Machine learning model governance with SageMaker
As organizations advance in their data governance journey, many are deploying machine learning models in production, necessitating governance frameworks that extend to machine learning (ML) operations. Amazon SageMaker offers advanced tools that you can use to maintain governance over ML assets without impeding innovation.
SageMaker governance tools work together to provide comprehensive ML oversight:
- Role Manager provides fine-grained access control for ML roles
- Model Cards centralize documentation and lineage information
- Model Dashboard offers organization-wide visibility into deployed models
- Model Monitor automates drift detection and quality control
The following example configures SageMaker governance controls:
# Basic/High-level ML governance setup with role and monitoring SageMakerRole:
Type: AWS::IAM::Role
Properties:
# Allow SageMaker to use this role
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: sagemaker.amazonaws.com
Action: sts:AssumeRole
# Attach necessary permissions
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
ModelMonitor:
Type: AWS::SageMaker::MonitoringSchedule
Properties:
# Set up hourly model monitoring
MonitoringScheduleName: hourly-model-monitor
ScheduleConfig:
ScheduleExpression: 'cron(0 * * * ? *)' # Run hourly
This example demonstrates two essential governance controls: role-based access management for secure service interactions and automated hourly monitoring for ongoing model oversight. While these technical implementations are important, remember that successful ML governance requires integration with your broader data governance framework, helping to ensure consistent controls and visibility across your entire data and analytics ecosystem. For more information, see Model governance to manage permissions and track model performance.
Cost optimization through automated lifecycle management
Effective data governance isn’t just about security—it’s also about managing cost efficiently. Implement intelligent data lifecycle management based on classification and usage patterns, as shown in Figure 3:
Figure 3: Tag-based lifecycle management in Amazon S3
Figure 3 illustrates how tags drive automated lifecycle management:
- New data enters Amazon Simple Storage Service (Amazon S3) with the tag
DataClassification: L2 - Based on classification, the data starts in
Standard/INTELLIGENT_TIERING - After 90 days, the data transitions to Amazon S3 Glacier storage for cost-effective archival
- The
RetentionPeriodtag (84 months) determines final expiration
Here’s the implementation of the preceding lifecycle rules:
LifecycleConfiguration:
Rules:
- ID: IntelligentArchive
Status: Enabled
Transitions:
- StorageClass: INTELLIGENT_TIERING
TransitionInDays: 0
- StorageClass: GLACIER
TransitionInDays: 90
Prefix: /data/
TagFilters:
- Key: DataClassification
Value: L2
- ID: RetentionPolicy
Status: Enabled
ExpirationInDays: 2555 # 7 years
TagFilters:
- Key: RetentionPeriod
Value: "84" # 7 years in months
S3 Lifecycle automatically optimizes storage costs while maintaining compliance with retention requirements. For example, data initially stored in Amazon S3 Intelligent-Tiering automatically moves to Glacier after 90 days, significantly reducing storage costs while helping to ensure data remains available when needed. For more information, seeManaging the lifecycle of objects and Managing storage costs with Amazon S3 Intelligent-Tiering.
Conclusion
Successfully implementing data governance on AWS requires both a structured approach and adherence to key best practices. As you progress through your implementation journey, keep these fundamental principles in mind:
- Start with a focused scope and gradually expand. Begin with a pilot project that addresses high-impact, low-complexity use cases. By using this approach, you can demonstrate quick wins while building experience and confidence in your governance framework.
- Make automation your foundation. Apply AWS services such as Amazon EventBridge for event-driven responses, implement automated remediation for common issues, and create self-service capabilities that balance efficiency with compliance. This automation-first approach helps ensure scalability and consistency in your governance framework.
- Maintain continuous visibility and improvement. Regular monitoring, compliance checks, and framework updates are essential for long-term success. Use feedback from your operations team to refine policies and adjust controls as your organization’s needs evolve.
Common challenges to be aware of:
- Initial resistance to change from teams used to manual processes
- Complexity in handling legacy systems and data
- Balancing security controls with operational efficiency
- Maintaining consistent governance across multiple AWS accounts and regions
For more information, implementation support, and guidance, see:
- AWS Security Blog
- AWS Architecture Center
- AWS Compliance Resources
- Amazon Macie User Guide
- AWS Organizations Best Practices
By following this approach and remaining mindful of potential challenges, you can build a robust, scalable data governance framework that grows with your organization while maintaining security, compliance, and efficient data operations.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Omar Ahmed
Omar Ahmed is an Auto and Manufacturing Solutions Architect who specializes in analytics. Omar’s journey in cloud computing began as an AWS data center operations technician, where he developed hands on infrastructure expertise. Outside of work, he enjoys motorsports, gaming, and swimming.
Omar Mahmoud
Omar is a Solutions Architect helping small-medium businesses with their cloud journey. He specializes in Amazon Connect and next-gen developer services like Kiro. Omar began at AWS as a data center operations technician, gaining hands-on cloud infrastructure experience. Outside work, Omar enjoys gaming, hiking, and soccer.
Changil Jeong
Changil Jeong is a Solutions Architect at Amazon Web Services (AWS) partnering with Independent software vendor customers on their cloud transformation journey, with strong interests in security. He joined AWS as an SDE apprentice before transitioning to SA. Previously served in the U.S. Army as a financial and budgeting analyst and worked at a large IT consulting firm as a SaaS security analyst.
Paige Broderick
Paige Broderick is a Solutions Architect at Amazon Web Services (AWS) who works with Enterprise customers to help them achieve their AWS objectives. She specializes in cloud operations, focusing on governance and using AWS to develop smart manufacturing solutions. Outside of work, Paige is an avid runner and is likely training for her next marathon.
Implementing data governance on AWS: Automation, tagging, and lifecycle strategy – Part 1
Generative AI and machine learning workloads create massive amounts of data. Organizations need data governance to manage this growth and stay compliant. While data governance isn’t a new concept, recent studies highlight a concerning gap: a Gartner study of 300 IT executives revealed that only 60% of organizations have implemented a data governance strategy, with 40% still in planning stages or uncertain where to begin. Furthermore, a 2024 MIT CDOIQ survey of 250 chief data officers (CDOs) found that only 45% identify data governance as a top priority.
Although most businesses recognize the importance of data governance strategies, regular evaluation is important to ensure these strategies evolve with changing business needs, industry requirements, and emerging technologies. In this post, we show you a practical, automation-first approach to implementing data governance on Amazon Web Services (AWS) through a strategic and architectural guide—whether you’re starting at the beginning or improving an existing framework.
In this two-part series, we explore how to build a data governance framework on AWS that’s both practical and scalable. Our approach aligns with what AWS has identified as the core benefits of data governance:
- Classify data consistently and automate controls to improve quality
- Give teams secure access to the data they need
- Monitor compliance automatically and catch issues early
In this post, we cover strategy, classification framework, and tagging governance—the foundation you need to get started. If you don’t already have a governance strategy, we provide a high-level overview of AWS tools and services to help you get started. If you have a data governance strategy, the information in this post can assist you in evaluating its effectiveness and understanding how data governance is evolving with new technologies.
In Part 2, we explore the technical architecture and implementation patterns with conceptual code examples, and throughout both parts, you’ll find links to production-ready AWS resources for detailed implementation.
Prerequisites
Before implementing data governance on AWS, you need the right AWS setup and buy-in from your teams.
Technical foundation
Start with a well-structured AWS Organizations setup for centralized management. Make sure AWS CloudTrail and AWS Config are enabled across accounts—you’ll need these for monitoring and auditing. Your AWS Identity and Access Management (IAM) framework should already define roles and permissions clearly.
Beyond these services, you’ll use several AWS tools for automation and enforcement. The AWS service quick reference table that follows lists everything used throughout this guide.
Organizational readiness
Successful implementation of data governance requires clear organizational alignment and preparation across multiple dimensions.
- Define roles and responsibilities. Data owners classify data and approve access requests. Your platform team handles AWS infrastructure and builds automation, while security teams set controls and monitor compliance. Application teams then implement these standards in their daily workflows.
- Document your compliance requirements. List the regulations you must follow—GDPR, PCI-DSS, SOX, HIPAA, or others. Create a data classification framework that aligns with your business risk. Document your tagging standards and naming conventions so everyone follows the same approach.
- Plan for change management. Get executive support from leaders who understand why governance matters. Start with pilot projects to demonstrate value before rolling out organization-wide. Provide role-based training and maintain up-to-date governance playbooks. Establish feedback mechanisms so teams can report issues and suggest improvements.
Key performance indicators (KPIs) to monitor
To measure the effectiveness of your data governance implementation, track the following essential metrics and their target objectives.
- Resource tagging compliance: Aim for 95%, measured through AWS Config rules with weekly monitoring, focusing on critical resources and sensitive data classifications.
- Mean time to respond to compliance issues: Target less than 24 hours for critical issues. Tracked using CloudWatch metrics with automated alerting for high-priority non-compliance events
- Reduction in manual governance tasks: Target reduction of 40% in the first year. Measured through automated workflow adoption and remediation success rates.
- Storage cost optimization based on data classification: Target 15–20% reduction through intelligent tiering and lifecycle policies, monitored monthly by classification level.
With these technical and organizational foundations in place, you’re ready to implement a sustainable data governance framework.
AWS services used in this guide – Quick reference
This implementation uses the following AWS services. Some are prerequisites, while others are introduced throughout the guide.
| Category |
Services |
Description |
| Foundation |
Multi-account management structure that enables centralized policy enforcement and governance across your entire AWS environment. |
|
|
|
Controls who can access what resources through roles, policies, and permissions—the foundation of your security model. |
|
| Monitoring and auditing |
Records every API call made in your AWS accounts, creating a complete audit trail of who did what, when, and from where. |
|
|
|
Continuously monitors resource configurations and evaluates them against rules you define (such as requiring that all S3 buckets much be encrypted). When it finds resources that don’t meet your rules, it flags them as non-compliant so you can fix them manually or automatically. |
|
|
|
Aggregates metrics, logs, and events from across AWS for real-time monitoring, dashboards, and automated alerting on governance non-compliance. |
|
| Automation and enforcement |
Acts as a central notification system that watches for specific events in your AWS environment (such as when an S3 bucket has been created) and automatically triggers actions in response (such as by running a Lambda function to check if it has the required tags). Think of it as an if this happens, then do that automation engine. |
|
|
|
Runs your governance code (tag validation, security controls, remediation) in response to events without managing servers. |
|
|
|
Automates operational tasks across your AWS resources. In governance, it’s primarily used to automatically fix non-compliant resources—for example, if AWS Config detects an unencrypted database, Systems Manager can run a pre-defined script to enable encryption without manual intervention. |
|
| Data protection |
Uses machine learning to automatically discover, classify, and protect sensitive data like personal identifiable information (PII) across your S3 buckets. |
|
|
|
Manages encryption keys for protecting data at rest, essential for high-impact data classifications. |
|
| Analytics & Insights |
Serverless query service that analyzes data in Amazon S3 using SQL—perfect for querying CloudTrail logs to understand access patterns. |
|
| Standardization |
Creates catalogs of pre-approved, governance-compliant resources that teams can deploy through self-service. |
|
| ML Governance |
Provides specialized tools for governing machine learning operations including model monitoring, documentation, and access control. |
Understanding the data governance challenge
Organizations face complex data management challenges, from maintaining consistent data classification to ensuring regulatory compliance across their environments. Your strategy should maintain security, ensure compliance, and enable business agility through automation. While this journey can be complex, breaking it down into manageable components makes it achievable.
The foundation: Data classification framework
Data classification is a foundational step in cybersecurity risk management and data governance strategies. Organizations should use data classification to determine appropriate safeguards for sensitive or critical data based on their protection requirements. Following the NIST (National Institute of Standards and Technology) framework, data can be categorized based on the potential impact to confidentiality, integrity, and availability of information systems:
- High impact: Severe or catastrophic adverse effect on organizational operations, assets, or individuals
- Moderate impact: Serious adverse effect on organizational operations, assets, or individuals
- Low impact: Limited adverse effect on organizational operations, assets, or individuals
Before implementing controls, establishing a clear data classification framework is essential. This framework serves as the backbone of your security controls, access policies, and automation strategies. The following is an example of how a company subject to the Payment Card Industry Data Security Standard (PCI-DSS) might classify data:
-
Level 1 – Most sensitive data:
- Examples: Financial transaction records, customer PCI data, intellectual property
- Security controls: Encryption at rest and in transit, strict access controls, comprehensive audit logging
-
Level 2 – Internal use data:
- Examples: Internal documentation, proprietary business information, development code
- Security controls: Standard encryption, role-based access control
-
Level 3 – Public data:
- Examples: Marketing materials, public documentation, press releases
- Security controls: Integrity checks, version, control
To help with data classification and tagging, AWS created AWS Resource Groups, a service that you can use to organize AWS resources into groups using criteria that you define as tags. If you’re using multiple AWS accounts across your organization, AWS Organizations supports tag policies, which you can use to standardize the tags attached to the AWS resources in an organization’s account. The workflow for using tagging is shown in Figure 1. For more information, see Guidance for Tagging on AWS.
Figure 1: Workflow for tagging on AWS for a multi-account environment
Your tag governance strategy
A well-designed tagging strategy is fundamental to automated governance. Tags not only help organize resources but also enable automated security controls, cost allocation, and compliance monitoring.
Figure 2: Tag governance workflow
As shown in Figure 2, tag policies use the following process:
- AWS validates tags when you create resources.
- Non-compliant resources trigger automatic remediation, while compliant resources deploy normally.
- Continuous monitoring catches variation from your policies.
The following tagging strategy enables automation:
{
"MandatoryTags": {
"DataClassification": ["L1", "L2", "L3"],
"DataOwner": "<Department/Team Name>",
"Compliance": ["PCI", "SOX", "GDPR", "None"],
"Environment": ["Prod", "Dev", "Test", "Stage"],
"CostCenter": "<Business Unit Code>"
},
"OptionalTags": {
"BackupFrequency": ["Daily", "Weekly", "Monthly"],
"RetentionPeriod": "<Time in Months>",
"ProjectCode": "<Project Identifier>",
"DataResidency": "<Region/Country>"
}
}
While AWS Organizations tag policies provide a foundation for consistent tagging, comprehensive tag governance requires additional enforcement mechanisms, which we explore in detail in Part 2.
Conclusion
This first part of the two-part series established the foundational elements of implementing data governance on AWS, covering data classification frameworks, effective tagging strategies, and organizational alignment requirements. These fundamentals serve as building blocks for scalable and automated governance approaches. Part 2 focuses on technical implementation and architectural patterns, including monitoring foundations, preventive controls, and automated remediation. The discussion extends to tag-based security controls, compliance monitoring automation, and governance integration with disaster recovery strategies. Additional topics include data sovereignty controls and machine learning model governance with Amazon SageMaker, supported by AWS implementation examples.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Omar Ahmed
Omar Ahmed is an Auto and Manufacturing Solutions Architect who specializes in analytics. Omar’s journey in cloud computing began as an AWS data center operations technician, where he developed hands on infrastructure expertise. Outside of work, he enjoys motorsports, gaming, and swimming.
Omar Mahmoud
Omar is a Solutions Architect helping small-medium businesses with their cloud journey. He specializes in Amazon Connect and next-gen developer services like Kiro. Omar began at AWS as a data center operations technician, gaining hands-on cloud infrastructure experience. Outside work, Omar enjoys gaming, hiking, and soccer.
Changil Jeong
Changil Jeong is a Solutions Architect at Amazon Web Services (AWS) partnering with Independent software vendor customers on their cloud transformation journey, with strong interests in security. He joined AWS as an SDE apprentice before transitioning to SA. Previously served in the U.S. Army as a financial and budgeting analyst and worked at a large IT consulting firm as a SaaS security analyst.
Paige Broderick
Paige Broderick is a Solutions Architect at Amazon Web Services (AWS) who works with Enterprise customers to help them achieve their AWS objectives. She specializes in cloud operations, focusing on governance and using AWS to develop smart manufacturing solutions. Outside of work, Paige is an avid runner and is likely training for her next marathon.
Lo que han conseguido los médicos con la huelga en Asturias: guardias de 12 horas, más sueldo para los MIR, menos penalización si trabajan en la privada...
Principado y el sindicato SIMPA alcanzan un acuerdo para poner fin a la huelga, que incluye además estudiar un coeficiente reductor para que los facultativos que hagan guardias puedan jubilarse antes
etiquetas: médicos, huelga, asturias, guardias, sueldo, mir
» noticia original (www.lne.es)
Israel ha matado a más de 100 niños desde el alto el fuego en Gaza, según Unicef
Israel ha matado a más de 100 niños en la Franja de Gaza desde el alto el fuego pactado con Hamás el 10 de octubre n Gaza, según Unicef. El balance de muertos, no obstante, puede ser muy superior, ya que Unicef solo ha contabilizado las muertes de las que tenía suficiente información. Casi todas las muertes de menores (60 niños y 40 niñas) han sido causados por ataques militares que incluyen ataques aéreos, de drones, disparos de tanques, disparos de armas de fuego o cuadricópteros.
etiquetas: israel, alto, fuego, gaza, unicef
» noticia original (www.rtve.es)
Matt Damon desata el debate sobre el ICE en el estreno de The Rip, advierte sobre las tácticas de los «camisas pardas» (Eng)
En el estreno de The Rip, Damon califica un reciente incidente relacionado con la aplicación de la ley federal como «increíblemente alarmante» y afirma que la gente está «al límite» por la falta de formación y la forma en que algunos agentes están gestionando los enfrentamientos en las calles. Afirma que sus amigos de las fuerzas del orden le han dicho que ellos no lo habrían gestionado de esa manera y compara las tácticas teatrales y enmascaradas con la sensación que provocaban las «camisas pardas», advirtiendo que este estilo performativo
etiquetas: ice, camisa parda, nazi, trump, extrema derecha
» noticia original (news.meaww.com)
Canadá da impulso a sus relaciones con China para emanciparse de Estados Unidos
El primer ministro canadiense, Mark Carney, ha elogiado este viernes la "asociación estratégica" entre su nación y China durante una visita a este Estado asiático. Ambas partes buscan profundizar sus lazos bilaterales tras casi diez años de turbulentas relaciones entre Pekín y Ottawa. Al inicio de la reunión bilateral con su homólogo Xi Jinping, Carney ha declarado que está "extremadamente satisfecho" de que Ottawa y Pekín estén avanzando con rapidez en sus acuerdos. "No solo profundizará nuestros lazos bilaterales en beneficio de nuestros.
etiquetas: canada, impulsa, relaciones, china, no depender, estados unidos
» noticia original (es.euronews.com)
El Gobierno de Ayuso ya no publica las actas de sus reuniones con Quirón y Ribera Salud ni las auditorias a sus hospitales
La Consejería de Sanidad tampoco publica los datos de pacientes derivados por libre elección a estos centros el último año aunque aseguran que se hará "cuando proceda" y que esas comisiones "no tienen competencias ejecutivas" No es lo único que ha dejado de publicar, al menos hasta el momento, la Consejería de Sanidad. Tampoco aparecen desde 2023 las actas de las últimas reuniones de la llamada "Comisión mixta" entre la Comunidad y las empresas que gestionan estos hospitales, Quirón y Ribera Salud.
etiquetas: transparencia, fondos, millones de euros, dinero público, distracción
» noticia original (cadenaser.com)
El 100% de las trabajadoras agrícolas extranjeras fueron agredidas sexualmente, dice experto (Israel)
El informe, compilado por el experto en inmigración Dr. Yahel Kurlander y el Dr. Shahar Shoham, detalló que de los 654 trabajadores tailandeses cuestionados, todos dijeron haber sido expuestos a agresión sexual. "El Estado de Israel ha abandonado a estas mujeres", dijo Kurlander. "Una mujer que quiere presentar una queja no tiene un curso de acción claro". "Si a una trabajadora extranjera se le exige renunciar a su trabajo debido a una queja que presentó, en realidad también está perdiendo su lugar de residencia", señaló Shiri Lev-Ran, la com
etiquetas: 100%, trabajadoras agrícolas, extranjeras, agredidas sexualmente, israel
» noticia original (www.jpost.com)
Las Panteras Negras regresan a las calles de Estados Unidos
Las Panteras Negras otra vez en las calles: su mensaje político contra ICE y Trump. Mira el video que circula en redes. Volvieron a mostrarse en las calles. Las Panteras Negras reaparecieron en el centro de Filadelfia durante una protesta que quedó registrada en video. Integrantes del histórico movimiento afroamericano en EEUU aparecieron con armas visibles y confrontaron a agentes del ICE. El grupo aseguró actuar bajo la ley y explicó que su presencia responde a la violencia estatal y a las políticas del gobierno de Donald Trump.
etiquetas: las panteras negras, ice, trump, eeuu
» noticia original (www.mdzol.com)
Mercosur permitirá el consumo de alimentos con pesticidas vetados en la UE
Se cierran décadas de negociación que, no obstante, no han servido para acabar con los puntos más polémicos del pacto, como los problemas para controlar la entrada en la UE de alimentos tratados con productos químicos que la UE prohíbe por sus riesgos para la salud humana. Los negociadores latinoamericanos han reconocido problemas con la "trazabilidad" del uso que sus agricultores y ganaderos hacen de fungicidas, insecticidas, antibióticos y hormonas vetados en Europa
etiquetas: mercosur, pesticidas, antibioticos, hormonas, vetados, ue
» noticia original (www.eleconomista.es)
BYD pone precio al hartazgo del PureTech en Italia con descuentos de hasta 10.000 €… ¿llegará a España?
La nueva 'Operazione PUREFICATION' de la filial italiana del gigante chino ofrece descuentos en casi toda su gama a cambio de coches de gasolina con correa de distribución primaria bañada en aceite, es decir, la promoción se dirige principalmente a los poseedores de un motor Puretech que tan mala fama han traído al grupo Stellantis
etiquetas: puretech, byd, peugeot, stellantis
» noticia original (www.motor.es)
Increíble video, una primicia mundial, muestra a una tribu amazónica no contactada emergiendo de la selva
El conservacionista estadounidense Paul Rosalie capturó imágenes poco comunes de una tribu remota del Amazonas emergiendo de la selva en la orilla de un río, rodeada de mariposas, en lo que él describe como un video "primero en el mundo".
etiquetas: amazonas, tribus
» noticia original (www.dailystar.co.uk)
Woody Guthrie, el ídolo de Bob Dylan, le dedicó ya en los años 50 está canción al racista y padre de Donald Trump, Fred Trump, quien fuera detenido en una manifestación del Ku Klux Klan
Letra: "Supongo que el Viejo Trump sabe cuánto odio racial despertó en ese crisol de corazones humanos cuando trazó esa línea racial aquí, en su proyecto familiar de Beach Haven. ¡Beach Haven no es mi hogar! ¡No, simplemente no puedo pagar este alquiler! Mi dinero se fue al desagüe, ¡Y mi alma está muy maltrecha! Beach Haven es la Torre de Trump, donde ningún negro viene a vagar. ¡No, no, Viejo Trump! ¡El Viejo Beach Haven no es mi hogar!"
etiquetas: woody guthrie, bob dylan, donald trump, fred trump, racismo
» noticia original (n0sce.com)
Jimmy Kimmel ofrece sus premios a Trump a cambio de retirar agentes del ICE de Mineápolis
Jimmy Kimmel ofreció sus premios al presidente de Estados Unidos, Donald Trump, si este retira a los agentes del Servicio de Inmigración y Control de Aduanas (ICE) de Mineápolis, después de que la líder opositora venezolana María Corina Machado le entregara la medalla del Premio Nobel de la Paz como gesto de “gratitud” por sus acciones en favor de la “libertad” de Venezuela. “Tengo una oferta que creo que te va a resultar difícil de rechazar, pero solo si aceptas sacar al ICE de Mineápolis y devolverlos a los cuarteles que les corresponden."
etiquetas: jimmy kimmel, trump, mineápolis
» noticia original (www.metro.pr)
Un niño de 11 años mata a tiros a su padre después de que le quitara la Nintendo Switch
Ocurrió en Pensilvania, Estados Unidos. El menor está acusado de homicidio criminal y no se le ha concedido libertad bajo fianza. ...
etiquetas: nintendo, padres, eeuu, asesinato
» noticia original (www.catalunyapress.es)
El #EfectoGamonal [Ger]
Burgos no es precisamente una ciudad pequeña con 180.000 habitantes, pero tampoco una que se difunda ampliamente en relación con las protestas en España. Pero de repente, Gamonal, un barrio de Burgos, pareció convertirse, durante una semana, en un partido capaz de encender toda España. Gamonal se convirtió de repente en el tema central entre los usuarios de Twitter españoles. ¿Qué había pasado?
etiquetas: gamonal, protestas, bulevar, efecto
» noticia original (bodenfrost.wordpress.com)
La primera pintura de Miguel Ángel, creada cuando tenía solo 12 o 13 años [Eng]
A finales de la década de 1480, cuando ese imponente artista renacentista todavía era lo que ahora llamaríamos un "preadolescente", pintó El tormento de San Antonio, una representación de la figura religiosa titular acosada por demonios en el desierto. Aunque se basa en un grabado ampliamente conocido, muestra evidencia de un rápido avance en la técnica, la inspiración e incluso la creatividad, especialmente cuando se coloca bajo el escáner infrarrojo. Como se explica en el vídeo de Inspiraggio cuando la pintura se vendió en Sotheby's en 2008,
etiquetas: miguel ángel, pintura, el tormento de san antonio
» noticia original (www.openculture.com)
En la Comunitat Valenciana ya hay 410.000 personas viviendo en chabolas, viviendas sin suministros o hacinadas
Alrededor de 1,2 millones de valencianos tienen dificultades en el ámbito de la vivienda, entre los que destacan el millón de hogares que no puede afrontar gastos imprevistos.
etiquetas: vivienda, crisis
» noticia original (www.levante-emv.com)
