The Hidden Blocker
When teams learn about governance by encountering errors instead of proactive communication.

Edition #9: The Hidden Blocker
"Access denied - organization policy. Contact your administrator for details."
It's always frustrating to be blocked from an action or deployment in your cloud environment. Guardrails that protect against risky actions are appropriate, but an unexplained block kills momentum and often leaves you confused: it's unclear exactly which policy is blocking you, why it's set, or how to proceed.
No announcement went out about new restrictions. No documentation readily available on what preventive controls are applied to your environment. The cloud or security team rolled out the governance control weeks earlier, but app teams only discover it when something breaks.
This is The Hidden Blocker - when teams learn about governance by encountering errors instead of proactive communication.
Hidden blockers are avoidable through better communication upfront. Teams that adopt the Rollout Practice from the 5 Practices of Cloud Governance keep their app teams informed and productive:
→ Communicate before enforcement - announce new organizational policies before they affect users
→ Provide policy visibility - give teams ways to see what controls apply to their environment and why
→ Create reference documentation - maintain clear guidance on what's restricted, what's allowed, and the reasoning
→ Offer training and support - help teams understand the governance model before they encounter preventive controls
→ Build context into processes - when policies block actions, ensure teams know where to find support, ask for exceptions, and access tools to help them progress
When governance is visible, explained, and documented, teams can work confidently within constraints instead of discovering them by accident.
- Keep on Herding, Bob
What's Happening in Cloud Governance 📡
How to Herd Clouds and Influence People - Now Available on Amazon: Many of you have already read the free web version I published in the governance library back in July. I'm excited to announce physical and Kindle versions are now available on Amazon, another way to share with your teams or keep on your desk as a reference. The book also features early feedback and endorsements from practitioners who've recognized their own experiences in Gary's story: a cloud architect navigating the human side of governance, building trust across silos, influencing without authority, and keeping momentum when priorities shift. Available in paperback and Kindle.
Your Essential Guide to Cloud Governance at AWS re:Invent 2025: Heading to re:Invent this year? Here are 15 Cloud Governance sessions across four themes: Generative AI & Intelligent Governance (using AI to automate compliance validation), Operational Efficiency & Cost Optimization (building governance that enables agility), Secure Operations & Automation (policy-as-code and proactive controls), and Multicloud & Sovereign Cloud Requirements (navigating data sovereignty). Sessions showcase the shift from reactive compliance to AI-driven governance that accelerates business outcomes. FYI -- I will be there as well this year -- let's connect.
AWS US-EAST-1 Outage: When Dependencies Become Single Points of Failure: On October 19-20, AWS experienced a cascading failure that began with a DNS race condition in DynamoDB's automation system. The primary DynamoDB disruption lasted about 3 hours (11:48 PM - 2:40 AM PDT), but cascading effects on EC2 instance launches, Lambda, and other services extended recovery to 14+ hours as internal systems struggled to restart under load. The governance lesson isn't "go multi-region immediately"; that architecture is expensive to build and operate. Instead, ask: what's 3-14 hours of downtime worth to your organization? For most workloads, the risk-adjusted cost of that rare disruption is far less than running duplicate infrastructure 24/7 across regions. Good governance means making this trade-off explicitly: understanding your actual risk tolerance, calculating the true cost of downtime for your specific workloads, and choosing resilience investments that match your business reality rather than chasing theoretical perfection.
Datadog's 2025 State of Cloud Security Report: Analysis of thousands of organizations reveals that secure-by-default mechanisms work. When AWS enabled S3 Public Access Block by default in 2023, adoption jumped to 83%. Azure followed suit and reached 58%. IMDSv2 tells a similar story: newer instances enforce it at 55%, while older instances languish at 14%. The real gap isn't technical capability but governance execution: only 40% of organizations use Service Control Policies despite 86% having AWS Organizations available. The governance lesson: shift left with preventive controls like organization policies and secure-by-default settings to eliminate entire classes of risk. Relying on detection and remediation workflows to fix problems after deployment does not scale.