
The People You Need on Your Cloud Governance Team

Your cloud bill just jumped by 40% last month. Three different teams deployed the same database service in different regions because nobody knew the others had already done it. An auditor found unencrypted S3 buckets containing PII. The security team discovered shadow IT accounts that nobody's managing.
Sound familiar?
Cloud governance isn't just about buying the right tools or writing detailed policy documents. Those help, but they won't save you if you don't have the right people with the right skills in the right places. Most organizations approach cloud governance backward - they focus on frameworks and tooling before they figure out who should actually be doing the work.
We're going to walk through the six core roles you need on a cloud governance team, what each person actually does day-to-day, and how they work together. Whether you're building a team from scratch or trying to figure out why your current governance efforts aren't delivering the results you need, this guide will show you which skills matter and where to focus your hiring.

The Cloud Architect: Your Technical Foundation

The cloud architect sets the technical direction for your entire cloud environment. They decide how you structure your AWS accounts, which services teams can use, and what your infrastructure should look like.
They design landing zone patterns and multi-account strategies. If you're running AWS, the architect defines how AWS Control Tower structures your organization, which accounts go where, and how they connect. They create reference architectures that show developers the approved way to build common patterns.
Cloud architects set infrastructure-as-code standards across the organization. They're the ones who decide whether you use Terraform, CloudFormation, or Pulumi, and define the modules teams should follow. When a team wants to build something new, the architect reviews the design to ensure it fits your overall strategy.
The tricky part is balancing innovation with stability. A good architect knows when to say "yes" to experimental services and when to push back because the risk isn't worth it.
When deciding who to put in this role, consider whether they have AWS Solutions Architect Professional, Azure Solutions Architect Expert (https://learn.microsoft.com/en-us/credentials/certifications/azure-solutions-architect/), or Google Professional Cloud Architect certifications. More importantly, find someone with experience in infrastructure-as-code and multi-cloud environments. You need someone who can work with the engineering teams implementing their designs, not someone who designs perfect solutions in isolation.

The Cloud Security Engineer: Your Risk Manager

Cloud security engineers implement the controls that keep your environment secure. They review CloudTrail logs, GuardDuty findings, and Security Hub alerts. They configure IAM policies following least privilege principles and set up encryption standards for data protection.
When a development team needs cross-account access for a deployment pipeline, the security engineer configures the AWS AssumeRole policies correctly. They write the trust relationship, define permission boundaries, and ensure temporary credentials expire appropriately. They're writing policy-as-code that gets reviewed and version-controlled.
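The cross-account setup described above, as an added example that is not CloudQuery's code: a small Python script that builds a trust policy for a deployment-pipeline role and then reviews a role definition for the properties the text calls out (a named principal rather than a wildcard or whole account, an ExternalId condition, a permissions boundary, and a bounded session lifetime). Account IDs, role names, the ExternalId and the one-hour limit are constructed placeholders; the role dictionary shape loosely follows what IAM's GetRole returns, which is an assumption.

```python
"""Added example: build and review a cross-account AssumeRole trust policy.
Account IDs, names and limits below are constructed placeholders."""
import json

PIPELINE_ACCOUNT = "111111111111"   # constructed: account that runs the CI/CD pipeline
WORKLOAD_ACCOUNT = "222222222222"   # constructed: account the pipeline deploys into
MAX_SESSION_SECONDS = 3600          # policy choice for this example, not an AWS default


def build_trust_policy(pipeline_role_name: str, external_id: str) -> dict:
    """Trust policy allowing only one named role in the pipeline account to
    assume the deployment role, and only when it presents the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{PIPELINE_ACCOUNT}:role/{pipeline_role_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def review_role(role: dict) -> list:
    """Return a list of findings for a role definition shaped like
    {"RoleName", "MaxSessionDuration", "PermissionsBoundary", "AssumeRolePolicyDocument"}.
    An empty list means the role passes every check."""
    findings = []
    if role.get("MaxSessionDuration", 0) > MAX_SESSION_SECONDS:
        findings.append("session duration exceeds the one-hour limit")
    if not role.get("PermissionsBoundary"):
        findings.append("no permissions boundary attached")
    doc = role.get("AssumeRolePolicyDocument", {})
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
        # "*" trusts everyone; an account root ARN trusts every principal in that account
        if any(p == "*" or str(p).endswith(":root") for p in principals):
            findings.append("trust policy allows a wildcard or whole-account principal")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            findings.append("trust policy has no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    role = {
        "RoleName": "deploy-orders-service",
        "MaxSessionDuration": MAX_SESSION_SECONDS,
        "PermissionsBoundary": f"arn:aws:iam::{WORKLOAD_ACCOUNT}:policy/DeployBoundary",
        "AssumeRolePolicyDocument": build_trust_policy("ci-runner", "constructed-external-id"),
    }
    print(json.dumps(role["AssumeRolePolicyDocument"], indent=2))
    print("findings:", review_role(role) or "none")
```

In practice the `review_role` input would come from an IAM API call or a CloudQuery `aws_iam_roles` row rather than a literal; the check itself is the same either way and is the kind of thing that belongs in a version-controlled policy-as-code repository.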
Before new applications go to production, security engineers review the architecture for common issues: overly permissive security groups, databases without encryption, public S3 buckets, or missing logging configurations. According to the Cloud Security Alliance, misconfiguration remains one of the top threats to cloud security.
They also respond to security incidents - investigating when someone accidentally makes a bucket public or when unusual API calls appear in logs.
Look for people with CISSP, CCSP (Certified Cloud Security Professional), or cloud provider security certifications. They need hands-on experience with cloud-native security tools. The best security engineers can write Terraform to deploy security controls just as easily as they can respond to an incident.

The FinOps Analyst: Your Cost Controller

Organizations without dedicated FinOps functions see significantly higher cloud waste. The FinOps analyst tracks cloud spending, identifies inefficiencies, and makes sure you're not paying for resources you don't need.
They monitor spending across accounts and business units, checking for anomalies daily. Did spend jump in a particular region? Did someone spin up expensive GPU instances and forget to shut them down? They track RDS instances running 24/7 when they only need to run during business hours, unattached EBS volumes still accruing charges, and idle Elastic IPs.
FinOps analysts model costs for new projects and create chargeback or showback reports that allocate cloud spending back to teams. This turns cloud costs from a mysterious IT expense into something each team understands and can control.
The FinOps analyst uses tools like CloudQuery to analyze cost and resource data across multiple accounts and cloud providers. They write SQL queries to find patterns: which teams have the most unused resources, which services drive the highest costs, or how spending correlates with business metrics.
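The kind of SQL the previous two paragraphs describe, as an added example (not CloudQuery's own queries or sample data): three queries for unattached EBS volumes, idle Elastic IPs, and waste totals per account, run here against an in-memory SQLite database seeded with constructed rows. The table names follow CloudQuery's AWS plugin (`aws_ec2_ebs_volumes`, `aws_ec2_eips`); the column subset used is an assumption and the real tables carry many more columns.

```python
"""Added example: FinOps idle-resource queries over CloudQuery-shaped tables.
Sample rows are constructed; account IDs and IPs are placeholders."""
import sqlite3

# Constructed sample data. Column subset is an assumption modelled on the
# CloudQuery aws_ec2_ebs_volumes and aws_ec2_eips tables.
VOLUMES = [
    # account_id, region, volume_id, state, size (GiB)
    ("111111111111", "us-east-1", "vol-0a", "in-use", 100),
    ("111111111111", "us-east-1", "vol-0b", "available", 500),
    ("222222222222", "eu-west-1", "vol-0c", "available", 200),
]
EIPS = [
    # account_id, region, public_ip, association_id (NULL when not attached)
    ("111111111111", "us-east-1", "203.0.113.10", "eipassoc-1"),
    ("222222222222", "eu-west-1", "203.0.113.11", None),
]

# Volumes in state 'available' are not attached to any instance but still bill.
UNATTACHED_VOLUMES_SQL = """
SELECT account_id, region, volume_id, size
FROM aws_ec2_ebs_volumes
WHERE state = 'available'
ORDER BY size DESC
"""

# Elastic IPs with no association are idle and incur an hourly charge.
IDLE_EIPS_SQL = """
SELECT account_id, region, public_ip
FROM aws_ec2_eips
WHERE association_id IS NULL
"""

# Roll both findings up per account for a showback report.
WASTE_BY_ACCOUNT_SQL = """
SELECT account_id,
       SUM(gb)        AS unattached_gb,
       SUM(idle_eips) AS idle_eips
FROM (
    SELECT account_id, size AS gb, 0 AS idle_eips
    FROM aws_ec2_ebs_volumes WHERE state = 'available'
    UNION ALL
    SELECT account_id, 0 AS gb, 1 AS idle_eips
    FROM aws_ec2_eips WHERE association_id IS NULL
)
GROUP BY account_id
ORDER BY unattached_gb DESC
"""


def load_sample_db() -> sqlite3.Connection:
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aws_ec2_ebs_volumes("
                 "account_id TEXT, region TEXT, volume_id TEXT, state TEXT, size INTEGER)")
    conn.execute("CREATE TABLE aws_ec2_eips("
                 "account_id TEXT, region TEXT, public_ip TEXT, association_id TEXT)")
    conn.executemany("INSERT INTO aws_ec2_ebs_volumes VALUES (?, ?, ?, ?, ?)", VOLUMES)
    conn.executemany("INSERT INTO aws_ec2_eips VALUES (?, ?, ?, ?)", EIPS)
    return conn


def unattached_volumes(conn: sqlite3.Connection) -> list:
    return conn.execute(UNATTACHED_VOLUMES_SQL).fetchall()


def idle_eips(conn: sqlite3.Connection) -> list:
    return conn.execute(IDLE_EIPS_SQL).fetchall()


def waste_by_account(conn: sqlite3.Connection) -> list:
    return conn.execute(WASTE_BY_ACCOUNT_SQL).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    for row in waste_by_account(db):
        print("account %s: %d GiB unattached, %d idle EIPs" % row)
```

Against a real CloudQuery destination (PostgreSQL, for instance) the same three query strings can be pasted into the analyst's SQL client unchanged; only the loader is SQLite-specific.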
When choosing your FinOps analyst, look for people with financial analysis backgrounds who've learned cloud platforms. They need SQL skills, experience with cloud provider cost management tools, and the ability to communicate financial concepts to technical teams. The FinOps Foundation offers certifications for FinOps Practitioners.

The Compliance Specialist: Your Regulatory Navigator

The compliance specialist translates regulatory requirements into cloud-specific policies and proves compliance to auditors.
They interpret regulations like GDPR, PCI DSS, HIPAA, and SOC 2, then map those requirements to cloud controls. GDPR requires data encryption? They work with security to define encryption standards. PCI DSS restricts where you can process payment data? They define which AWS regions are approved and set up guardrails to prevent violations.
Compliance specialists maintain evidence for audits. They ensure CloudTrail logs all API calls, that logs are stored immutably, and that access controls are documented. They coordinate with external auditors, providing the evidence auditors need.
Data residency matters in compliance. If you operate in Europe, GDPR might require that EU citizen data stays in EU regions. The compliance specialist tracks where data lives and documents data flows.
When hiring, look for experience with compliance frameworks relevant to your industry. They don't need to be cloud experts initially - you can train cloud knowledge. What's harder to teach is understanding regulatory intent and risk management.

The Cloud Platform Engineer: Your Builder

Platform engineers build the infrastructure and automation that makes governance practical. While architects design patterns, platform engineers implement them.
They maintain infrastructure-as-code repositories with reusable modules. When the architect designs a standard VPC layout, the platform engineer builds the Terraform module that creates it. When security defines IAM standards, the platform engineer writes the code that enforces them consistently across accounts.
Platform engineers create self-service capabilities. Instead of requiring teams to submit tickets for basic infrastructure, they build internal platforms where teams can provision pre-approved resources themselves.
They build automation for governance checks. Using tools like Terraform Sentinel or OPA, they write policies that prevent teams from deploying non-compliant configurations. If someone tries to create an unencrypted RDS instance, the automation blocks it before it deploys.
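An added example of the governance check this paragraph and the security engineer's pre-production review (unencrypted databases, public buckets, over-permissive security groups) both describe. It is written in Python rather than Sentinel or Rego and is not CloudQuery's, HashiCorp's, or OPA's code: it evaluates a constructed list of planned resources shaped loosely like Terraform plan `resource_changes` entries (a simplifying assumption) and returns the violations that would block the deployment. Attribute names (`storage_encrypted`, `acl`, `ingress`, `cidr_blocks`) follow the Terraform AWS provider.

```python
"""Added example: policy-as-code gate over planned resources.
Resource list is constructed; shape is a simplified Terraform plan entry."""

# Constructed sample plan: "after" holds the attributes the resource will have.
PLANNED_RESOURCES = [
    {"type": "aws_db_instance", "name": "orders",
     "after": {"storage_encrypted": False}},
    {"type": "aws_s3_bucket", "name": "exports",
     "after": {"acl": "public-read"}},
    {"type": "aws_security_group", "name": "web",
     "after": {"ingress": [
         {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
     ]}},
    {"type": "aws_db_instance", "name": "audit",
     "after": {"storage_encrypted": True}},
]

# Ports that may be exposed to the whole internet; everything else must not be.
PUBLIC_PORTS_ALLOWED = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def check_rds_encrypted(res: dict) -> list:
    """Block RDS instances whose storage is not encrypted at rest."""
    if res["type"] == "aws_db_instance" and not res["after"].get("storage_encrypted"):
        return [f"{res['type']}.{res['name']}: storage_encrypted must be true"]
    return []


def check_bucket_not_public(res: dict) -> list:
    """Block buckets created with a public canned ACL."""
    if res["type"] == "aws_s3_bucket" and res["after"].get("acl", "private").startswith("public"):
        return [f"{res['type']}.{res['name']}: public ACL '{res['after']['acl']}' not allowed"]
    return []


def check_sg_ingress(res: dict) -> list:
    """Block security group rules that open non-web ports to the internet."""
    findings = []
    if res["type"] != "aws_security_group":
        return findings
    for rule in res["after"].get("ingress", []):
        open_to_world = ANYWHERE.intersection(rule.get("cidr_blocks", []))
        ports = range(rule["from_port"], rule["to_port"] + 1)
        if open_to_world and any(p not in PUBLIC_PORTS_ALLOWED for p in ports):
            findings.append(f"{res['type']}.{res['name']}: ingress "
                            f"{rule['from_port']}-{rule['to_port']} open to {sorted(open_to_world)}")
    return findings


RULES = [check_rds_encrypted, check_bucket_not_public, check_sg_ingress]


def evaluate(resources: list) -> list:
    """Run every rule over every planned resource and collect violations."""
    return [finding for res in resources for rule in RULES for finding in rule(res)]


def deployment_allowed(resources: list) -> bool:
    """The gate a CI job would call: any violation blocks the apply step."""
    return not evaluate(resources)


if __name__ == "__main__":
    for violation in evaluate(PLANNED_RESOURCES):
        print("BLOCK:", violation)
    print("deployment allowed:", deployment_allowed(PLANNED_RESOURCES))
```

The same rule set can serve both roles in the text: the security engineer runs `evaluate` over a plan during design review, and the platform engineer wires `deployment_allowed` into the pipeline so the apply step never runs on a plan with findings.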
The key insight about platform engineering is that they make the right thing the easy thing. Platform engineers build golden paths where following standards is actually the path of least resistance.
When hiring, look for DevOps backgrounds with strong automation skills. They need deep knowledge of infrastructure-as-code tools, experience with CI/CD systems, and the ability to design internal platforms.

The Governance Program Manager: Your Orchestrator

Technical experts need someone who can coordinate their work and translate it for business stakeholders. That's the governance program manager.
They run governance reviews where the team evaluates new projects, makes decisions about exceptions, and prioritizes initiatives. They track policy compliance, handle exceptions systematically, and maintain a registry of who's approved to do what and why.
Program managers coordinate training and onboarding. When new engineers join, they ensure everyone understands cloud governance policies. They run training sessions on secure coding practices, cost optimization, and compliance requirements.
The program manager reports governance metrics to leadership. Executives need to know: are we compliant? Are costs under control? What are the top risks? The program manager synthesizes technical work into business language.
When hiring, look for program management skills combined with enough technical fluency to understand what engineers are saying. They need excellent stakeholder management skills and the ability to drive consensus across groups with different priorities.
The common mistake is making this role too administrative. The program manager drives strategy, identifies gaps, and ensures governance initiatives actually get implemented.

How These Roles Work Together

When a development team wants to build a new customer-facing application, they submit a project proposal to the governance team.
The cloud architect reviews the technical design for approved services and reference patterns. The security engineer conducts a security review, checking authentication, encryption, and logging. The FinOps analyst models projected costs and recommends optimizations. The compliance specialist verifies regulatory requirements. The platform engineer provisions infrastructure using approved modules. The governance program manager coordinates the entire review process and reports progress to leadership.
Teams typically have weekly syncs for ongoing issues, monthly governance reviews for larger decisions, and quarterly strategy sessions. Cross-training matters - security engineers should understand cost concepts, FinOps analysts should recognize security implications, and everyone should understand the basics of each domain.
CloudQuery supports this collaboration by providing a unified data layer. All governance roles query the same dataset - cloud resource configurations, IAM policies, cost data, and compliance posture. Everyone works from the same source of truth.

Comparison: Governance Team Roles

Role | Primary Focus | Key Skills | Typical Tools | Reports To
Cloud Architect | Technical Design | Architecture patterns, IaC, multi-cloud | AWS/Azure/GCP consoles, Terraform | CTO/VP Engineering
Cloud Security Engineer | Risk Management | Security controls, IAM, threat modeling | SIEM, CSPM tools, GuardDuty | CISO/Security Director
FinOps Analyst | Cost Management | Financial analysis, SQL, cost modeling | CloudQuery, cloud cost explorers | CFO/Finance Director
Compliance Specialist | Regulatory Requirements | Compliance frameworks, audit management | GRC platforms, documentation tools | Legal/Compliance Officer
Cloud Platform Engineer | Infrastructure Build | Automation, IaC, CI/CD | Terraform, GitHub Actions, Kubernetes | Engineering Manager
Governance Program Manager | Coordination | Program management, communication | Jira, Confluence, dashboards | CIO/CTO

What About Smaller Teams?

Not every organization can hire six specialists right away. You can combine roles initially and split them as you scale.
Role combinations that work:
Architect + Platform Engineer: In smaller organizations, one person can both design patterns and implement them. This actually works well because the architect understands implementation constraints firsthand. As you scale past 100 cloud accounts or when you're managing multiple clouds, split these roles.
Security + Compliance: One person can handle both security implementation and compliance tracking initially. When you're pursuing specific certifications like SOC 2 or dealing with complex regulations like HIPAA, you'll need dedicated compliance expertise.
FinOps part-time: Start with someone from your finance team spending 25% of their time on cloud costs. As cloud spending grows past $500k annually, you'll need dedicated FinOps resources. Below that threshold, part-time attention with good tooling works.
The minimum viable governance team is three people covering:
  1. Architecture and platform engineering
  2. Security and compliance
  3. Cost management and program coordination
This gives you the core capabilities: someone designing and building infrastructure, someone managing risk, and someone controlling costs and coordinating the team.
When should you think about splitting roles? Watch for these signals:
  • Cloud spending exceeds $500k-1M annually - split FinOps
  • Managing more than 50 cloud accounts - split architect and platform engineer
  • Pursuing compliance certifications - split security and compliance
  • Governance becomes a bottleneck - add dedicated program management
You also don't have to hire everyone. Some organizations bring in consultants to bootstrap governance while building internal capability. Others hire one senior person who can span multiple roles and then build the team around them.

Key Takeaways

Clear Role Definitions: Each role addresses a specific governance challenge. Architects handle technical design, security engineers manage risk, FinOps analysts control costs, compliance specialists navigate regulations, platform engineers build infrastructure, and program managers coordinate everything. When these responsibilities are unclear or overlap too much, important work falls through the cracks.
Collaboration Over Silos: These roles must work together daily. The architect who designs without security input creates vulnerabilities. The FinOps analyst who optimizes costs without talking to engineers breaks applications. The compliance specialist who works in isolation creates policies nobody follows. Effective governance teams have regular touchpoints, shared goals, and mutual respect across disciplines.
Scale Appropriately: Start with combined roles and split them as complexity grows. A team managing 10 cloud accounts has different needs than one managing 500 accounts across multiple clouds. Don't over-hire early, but don't wait until governance problems become crises before adding capacity.
Invest in Skills: Cloud governance requires specialized knowledge that most organizations don't have internally. You'll need to both hire people with cloud expertise and train your existing team. Budget for certifications, training, and time for people to develop deep knowledge in their domains.

The Next Steps

Start by assessing your current situation. Who on your team already handles architecture decisions? Who manages security? Who watches cloud costs? You probably have people doing pieces of these roles already.
Identify your biggest gaps. Most organizations have architects and security engineers already. The gaps tend to be in dedicated FinOps resources, formal compliance expertise, or program management coordination. Prioritize based on your risks: if you're in a regulated industry, compliance expertise comes first. If your cloud bill is growing out of control, prioritize FinOps.
Consider starting with a senior generalist who can span multiple roles, then building specialists around them. One experienced cloud architect who also understands security can bootstrap your governance program while you identify where you need dedicated expertise.
Cloud governance isn't something you implement once; it's an ongoing practice that requires dedicated people with the right mix of skills.

Frequently Asked Questions

What is the minimum team size for cloud governance?

For organizations with moderate cloud usage (under 100 accounts and under $1M annual spend), a minimum team of 3-4 people can cover all core functions by combining roles. One person handles architecture and platform engineering, another covers security and compliance, and a third manages cost optimization and program coordination. As cloud adoption scales past 100 accounts, these roles should split into specialized positions to prevent burnout and maintain effectiveness.

What's the difference between a Cloud Architect and a Platform Engineer?

Cloud architects focus on designing patterns, standards, and reference architectures - the "what" and "why" of your cloud infrastructure. They make architectural decisions like multi-account strategies, service selections, and security models. Platform engineers focus on implementation - the "how." They build and maintain the actual infrastructure-as-code modules, CI/CD pipelines, and internal platforms that enforce architectural decisions. The architect designs the blueprint for how Kubernetes clusters should be configured; the platform engineer writes the Terraform code that creates compliant clusters.

Do I need a separate FinOps role if I have a Cloud Architect?

Yes, especially if your organization has significant cloud spending. While cloud architects understand cloud services and can make cost-aware decisions, FinOps is a dedicated financial analysis function that requires cost modeling and business stakeholder management skills that most architects don't have. Cloud architects focus on technical optimization - choosing the right instance types for workload requirements. FinOps analysts focus on financial optimization - understanding whether you need those instances running 24/7 or if you can shut them down nights and weekends. Organizations spending less than $500k annually on cloud can often have someone handle FinOps part-time.

How do cloud governance roles map to a Cloud Center of Excellence structure?

In a Cloud Center of Excellence (CCoE), these six roles typically align with different practice areas. Cloud architects and platform engineers usually sit under an Engineering or Architecture practice lead. Cloud security engineers and compliance specialists report to a Security and Compliance practice lead. FinOps analysts work under a Cost Management or FinOps practice lead. The governance program manager often coordinates across all practice areas, reporting to the CCoE director or cloud business office. For more details on CCoE organizational structures, see our Cloud Centers of Excellence series.

Should cloud governance roles be centralized or distributed?

The best approach depends on your organization size and structure. Smaller organizations (under 500 employees, single cloud, under 100 accounts) benefit from a centralized governance team that sets standards and supports all cloud users. Larger organizations (1000+ employees, multiple clouds, hundreds of accounts) often use a hybrid hub-and-spoke model: a small central governance team sets enterprise-wide standards and coordinates strategy, while embedded governance specialists work within major business units or product teams. Microsoft's Cloud Adoption Framework recommends starting centralized and federating as you scale.

How does CloudQuery support cloud governance teams?

CloudQuery provides a unified data layer that supports all governance roles through a single source of truth. Cloud architects query infrastructure patterns across accounts using SQL to verify compliance with reference architectures. Security engineers monitor IAM policies, analyze security group configurations, and track encryption status across all cloud resources. FinOps analysts analyze spending trends, identify unused resources, and correlate costs with resource utilization. Compliance specialists can use CloudQuery to generate audit reports, track control implementation, and verify regulatory compliance posture. By syncing cloud metadata to a central database, CloudQuery eliminates the problem of different teams getting different answers from different tools and creates the single pane of glass that allows a cloud governance team to work together effectively. Learn more at CloudQuery Hub.


© 2025 CloudQuery, Inc. All rights reserved.