AWS Governance using Policies

Automate Actions Using Authorizers and Approvers

Actions give you the ability to define processes that the Tanzu CloudHealth platform automatically executes based on a set of parameters. This approach helps you automate labor-intensive and error-prone tasks without compromising on authorization and security. Actions reduce the time and effort it takes to manage and operate your cloud, and they are a critical component in policy-based governance. You can create and execute Actions without human intervention after setting up authorizers and approvers for them.

Approvers and Authorizers

You can automate aspects of cloud management by configuring actions that Tanzu CloudHealth runs through an approval process. An action must pass through at least one of these users:

  • Approvers: Responsible for validating that a requested action is acceptable. When an action is triggered, they receive an email notification through which they must approve the action. Upon approval, the action passes to the next Approver in the sequence.
  • Authorizer: After all Approvers have signed off on the action, the request is sent to an Authorizer to provision a temporary least-privilege token that allows the token bearer to make a request using the AWS Security Token Service. Tanzu CloudHealth uses this token to perform the action on behalf of the user.

Configure and Enable Automated Actions

Automated Actions are intended for advanced users of Tanzu CloudHealth. Automated Actions provide the capability for Authorized roles (as defined in the Action Configuration step) to directly influence the state of AWS infrastructure. Depending on its configuration, an action may or may not require approval or authorization prior to execution.

If you are a Tanzu CloudHealth Administrator, be aware of the Actions that are enabled, the roles that have access to those Actions, and how those Actions will impact your environment when executed. For information on how to restrict roles, see Create a Custom Role.

  1. As Tanzu CloudHealth Administrator, enable the appropriate permissions and controls in the Tanzu CloudHealth platform.
  2. Click Setup > Accounts > AWS to start configuring actions.
  3. Edit an existing account or create a new account.
  4. From the account configuration screen, expand the Automation dropdown to enable Automated Actions for that account.
  5. Click Save Account.

Configure and Enable Custom Actions

Create your own actions to build a chain of approvers and authorizers. Click Create Action.

Based on the Resource Type selected, the set of actions that can be taken differs. These actions are divided into two groups: Universal Actions and Resource Type specific actions. Universal Actions only permit workflow rules such as requesting Approval or Authorization, executing Lambda Functions, or waiting for a specified period of time. Resource Specific actions allow you to take an action for the type of resource. For example, if you are working with an Amazon EC2 Instance, you can Delete, Start, Stop, or Reboot the instance.

Custom Actions, like their built-in counterparts, are available for each resource or for multiple resources through bulk actions.

Add Authorizers and Approvers

You can add one or more authorizers to built-in actions by clicking Update. For custom actions, click Set Up.

Type the name of the individuals who will serve as authorizers and approvers.

Tanzu CloudHealth shows a warning if no Authorizers are listed for an Action, or if the system does not recognize the correct permission being applied to the Tanzu CloudHealth Policy under AWS. Ensure that the IAM Policy reflects the proper permissions to execute the Action.

Execute Actions Manually

You can manually execute an action in the Tanzu CloudHealth platform, provided you have appropriate permissions. For example, in the table of EC2 Instances, each instance has an associated Action dropdown.

Enable Policy-Based Actions

Associate an action with a policy so that when a policy condition evaluates to true, the action is executed.

For all asset types, the following Actions are available:

  • Run Lambda Function: Run a custom Lambda script if a policy condition evaluates to true.
  • Wait: Delay the start of the next Action in the execution chain.

You can stagger Actions based on the Wait function. For example, you can stop an EC2 Instance, run a Lambda function to take a snapshot of that Instance, and then terminate that Instance. You can create a sequence of events that make up the action as follows:

  1. Stop EC2 Instance.
  2. Wait 15 minutes.
  3. Run Lambda Function that takes a snapshot of the instance.
  4. Wait 1 hour.
  5. Terminate EC2 Instance.

To ensure that the sequence of events runs correctly, click the Test Rule button for the rule.

For more information about associating actions with a policy, see Configure Rules.

Build an Instance Rightsizing Policy

Build a policy that monitors your infrastructure for EC2 Instance rightsizing opportunities

What Is Rightsizing

Rightsizing is the process of modifying your cloud infrastructure to match actual demand. Rightsizing helps you identify underutilized assets, allowing you to make an informed decision to adjust the assets assigned to the instance or to decommission the instance.

Create Policy

A policy contains one or more blocks, each containing a specific rule that checks for operational conditions that you specify.

  1. In Setup > Governance > Policies, select New Policy > Instance Rightsizing Policy.
  2. Name your policy and write a brief description of what the policy monitors. The policy is Enabled by default and contains pre-populated topic thresholds.

Specify Topic Score Thresholds

The Instance Rightsizing policy is composed of multiple rule groups, each representing a specific instance metric or topic. The following topics are represented.

  • CPU
  • Memory
  • Disk
  • Disk IO
  • Network In
  • Network Out

For each topic, you can specify thresholds that represent underutilization in your organization. Tanzu CloudHealth uses your threshold settings to compute a score for each topic. That score is then represented visually as “battery meters”, with the length and color of the bar representing the resource score. For more information, see EC2 Instance Rightsizing Reports.

Use the Severely underutilized when and Moderately underutilized when sections to specify the thresholds that reflect your internal business standards for a metric. When the utilization for a metric lies within a specific range, a score value is assigned to the metric.

Score Value               Score Range for Metric
Severely underutilized    0 to 33
Moderately underutilized  34 to 67
Well utilized             68 to 100

Effect of Severe Underutilization Threshold on Recommendations

In order to make a rightsizing recommendation, Tanzu CloudHealth considers the thresholds for Maximum or Average utilization that you specify in the Severely Underutilized when section.

  • If you set the Severely underutilized when thresholds to Maximum for CPU, Memory, Network or Disk, Tanzu CloudHealth computes rightsized recommendations based on maximum metrics.
  • If you set the Severely underutilized when thresholds to Average, Tanzu CloudHealth computes rightsized recommendations based on average metrics.

Example 1: Severely Underutilized Threshold Set to Average for CPU and Memory

In this example policy, for both CPU and Memory, the Severely underutilized when thresholds are set to Average. Therefore, Tanzu CloudHealth computes recommendations based on Average CPU and Memory utilization, even though the Moderately underutilized when thresholds for both CPU and Memory are set to Maximum.

Example 2: Severely Underutilized Threshold Set to Average for CPU and Maximum for Memory

In this example policy, the thresholds are specified as follows:

  • For CPU, the Severely underutilized when threshold is set to Average.
  • For CPU, the Moderately underutilized when threshold is set to Maximum.
  • For Memory, the Severely underutilized when threshold is set to Maximum.
  • For Memory, the Moderately underutilized when threshold is set to Maximum.

Tanzu CloudHealth computes recommendations based on Average CPU and Maximum Memory utilization, even though the Moderately underutilized when thresholds for both CPU and Memory are set to Maximum.

Build a Volume Rightsizing Policy

Build a policy that monitors your infrastructure for volume rightsizing opportunities

What Is Rightsizing

Rightsizing is the process of modifying your cloud infrastructure to match actual demand. Rightsizing helps you identify underutilized assets, allowing you to make an informed decision to adjust the assets assigned to the volume or to decommission the volume.

Create Policy

A policy contains one or more blocks, each containing a specific rule that checks for operational conditions that you specify.

  1. In Setup > Governance > Policies, select New Policy > Volume Rightsizing Policy.
  2. Name your policy and write a brief description of what the policy monitors.

    The policy is Enabled by default and contains pre-populated topic thresholds.

Specify Topic Score Thresholds

The Volume Rightsizing policy is composed of multiple rule groups, each containing these metrics or topics.

  • Usage
  • Read Throughput
  • Write Throughput

For each topic, you can specify thresholds that represent underutilization in your organization. Tanzu CloudHealth uses your threshold settings to compute a score for each topic. That score is then represented visually as “battery meters”, with the length and color of the bar representing the resource score. For more information, see EBS Volume Rightsizing Reports.

Use the Severely underutilized when and Moderately underutilized when sections to specify the thresholds that reflect your internal business standards for a metric. When the utilization for a metric lies within a specific range, a score value is assigned to the metric.

Score Value               Score Range for Metric
Severely underutilized    0 to 33
Moderately underutilized  34 to 67
Well utilized             68 to 100

In addition, each metric has these default threshold ranges:

  • Usage

    • Severely Underutilized: Avg Used < 35%
    • Moderately Underutilized: Avg Used >= 35% and Avg Used < 50%
  • Read Throughput

    • Severely Underutilized: Avg Read Ops < 20%
    • Moderately Underutilized: Avg Read Ops >= 20% and Avg Read Ops < 50%
  • Write Throughput

    • Severely Underutilized: Avg Write Ops < 20%
    • Moderately Underutilized: Avg Write Ops >= 20% and Avg Write Ops < 50%
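The following added example (not Tanzu CloudHealth code) models the threshold behaviour described in both rightsizing sections: a topic is classified by its Severely underutilized when and Moderately underutilized when thresholds, and the statistic (Average or Maximum) chosen for the severe threshold is the one recommendations are computed from. The volume percentages are the page's defaults; the instance percentages are constructed, since the page's Example 2 gives only the statistics, and the order in which the two thresholds are checked is an assumption.

```python
"""Rightsizing threshold evaluation as the page describes it (added example)."""
from dataclasses import dataclass

# Score bands from the page's table.
SCORE_BANDS = {
    "Severely underutilized": (0, 33),
    "Moderately underutilized": (34, 67),
    "Well utilized": (68, 100),
}


@dataclass(frozen=True)
class Threshold:
    stat: str      # "Average" or "Maximum"
    below: float   # utilization (percent) strictly below this value matches


@dataclass(frozen=True)
class TopicRule:
    severe: Threshold
    moderate: Threshold


# Page's volume defaults: Usage < 35% / 35-50%, Read and Write Ops < 20% / 20-50%.
VOLUME_RULES = {
    "Usage": TopicRule(Threshold("Average", 35), Threshold("Average", 50)),
    "Read Throughput": TopicRule(Threshold("Average", 20), Threshold("Average", 50)),
    "Write Throughput": TopicRule(Threshold("Average", 20), Threshold("Average", 50)),
}

# Page's Example 2 statistics (CPU: severe Average, moderate Maximum;
# Memory: both Maximum). The percentages are constructed.
INSTANCE_RULES = {
    "CPU": TopicRule(Threshold("Average", 20), Threshold("Maximum", 50)),
    "Memory": TopicRule(Threshold("Maximum", 20), Threshold("Maximum", 50)),
}


def classify(rule, observed):
    """Band for one topic. `observed` maps "Average"/"Maximum" to the measured
    utilization in percent. Assumption (not stated by the page): the severe
    check runs first, then the moderate one, each against the statistic its
    own threshold names."""
    if observed[rule.severe.stat] < rule.severe.below:
        return "Severely underutilized"
    if observed[rule.moderate.stat] < rule.moderate.below:
        return "Moderately underutilized"
    return "Well utilized"


def evaluate(rules, metrics):
    """Classify every topic. `metrics` maps topic -> observed dict.
    Returns topic -> (band, score range for that band)."""
    result = {}
    for topic, rule in rules.items():
        band = classify(rule, metrics[topic])
        result[topic] = (band, SCORE_BANDS[band])
    return result


def recommendation_basis(rules):
    """Statistic each topic's recommendation is computed from: the severe
    threshold's statistic, whatever the moderate threshold uses (page's
    Examples 1 and 2)."""
    return {topic: rule.severe.stat for topic, rule in rules.items()}


if __name__ == "__main__":
    # Constructed observations for one instance.
    observed = {"CPU": {"Average": 25, "Maximum": 45},
                "Memory": {"Average": 10, "Maximum": 60}}
    for topic, (band, rng) in evaluate(INSTANCE_RULES, observed).items():
        print(f"{topic}: {band} (score {rng[0]}-{rng[1]})")
    print("recommendation basis:", recommendation_basis(INSTANCE_RULES))
```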

Using AWS Config Rules

Collect AWS Config data for use of AWS Config Rules within the platform

AWS Config Rules Within Policies

AWS Config Rules can be used as a measure within Standard Policies to perform actions when resources are out of compliance with a specifically defined rule.

Within Policies > Policy Blocks, select EC2 Instance as your resource type:

Select Add Condition, then select Configuration from the Choose a Topic dropdown. You will then be able to select AWS Config Rules from the Choose a Measure dropdown:

Once the measure is set to AWS Config Rules, you will be able to Build a Condition around AWS Config Rules that have been set up in your AWS Account.

AWS Config Rules Within Reports

The AWS Config Rules section can be found under Governance in the Reports section of the Tanzu CloudHealth main menu. This view displays all currently set up AWS Config Rules, along with their current state: Compliant (Blue), Non-Compliant (Red), or Insufficient Data (Black). It also displays the Region, number of Compliant Resources, number of Non-Compliant Resources, and resources with Insufficient Data.

Clicking on the AWS Config Rule hyperlink will link to a more detailed page within your AWS Assets, which shows a line item listing of the AWS Config Rule check against all resources. This can be used to identify specific resources that are out of compliance with your specified AWS Config Rule.

This view will display the Account Name, AWS Config Rule Name, Resource ID, the Resource Type, and the current Compliance Type (Compliant or Non-Compliant).

Actively Manage Security Policies

The need for and advantages of applying a security policy to monitor your infrastructure

Deploying applications in the cloud offers many advantages: agility, consumption-based pricing, global infrastructure, platform services, and so on. However, the fast pace of change and the distributed nature of cloud services can expose your organization to security risks resulting from inadvertent or noncompliant changes to services.

For example, consider a case where you tightly configure a security group to limit access from the internet for web servers. A member of your team can use that Security Group for another workload and open additional ports. Without continuous monitoring, this change could go undetected and subject your organization to security risks.

By using a policy-driven solution for monitoring security operations, Tanzu CloudHealth will continuously monitor your AWS accounts, services, and resources for security violations.

Why Use Policies to Monitor Security

A policy-driven approach is scalable, configurable, and flexible.

You can get started with the default Tanzu CloudHealth security policies, which contain a standard set of rules for monitoring security. These rules can be customized within certain constraints. You can also enable and disable rules within the policy.

Each rule is accompanied with recommendations that help you understand what the particular security issue is and what action you can take to address it. Recommendations also contain links to supporting documentation and a list of resources that violate the policy.

You can choose which resources to exclude from specific policy rules. For example, for the default policy rule IAM User MFA Access, you can exclude a particular IAM user so that this rule is never flagged as a violation for that user.

Tanzu CloudHealth Default Security Policies

  • AWS Best Practice Security: Policies for AWS provide an out-of-the-box best practice security policy that can monitor your AWS accounts, services, and resources; identify issues; and make recommendations for how you can improve your security.
  • CIS AWS Foundation: The Center for Internet Security (CIS) is a non-profit dedicated to enhancing cybersecurity readiness across the public and private sectors. The organization publishes a popular best practice guide called CIS Amazon Web Services Foundations for securing Amazon Web Services. The guide is a useful benchmark for assessing the health of your AWS security.
  • CIS Azure Foundation: CIS publishes a popular best practice guide called CIS Microsoft Azure Foundations for securing Microsoft Azure. The guide is a useful benchmark for assessing the health of your Azure security.

Implement Tanzu CloudHealth Default Security Policy

Implement a policy that can monitor your AWS accounts, services, and resources for security vulnerabilities

What are Default Security Policies

Default security policies are Tanzu CloudHealth’s recommended method for ensuring your cloud is secure and meets standards. These policies monitor your AWS accounts, services, and resources. They identify issues and make recommendations for how you can improve your security. Tanzu CloudHealth provides two default security policies: AWS Best Practice Security and CIS AWS Foundation.

Tanzu CloudHealth manages the default policies and will update them periodically with more best practices and CIS benchmarks. You can customize the rules for these policies within certain constraints. You can also enable and disable rules within the default policies.

Enable Default Policy

A policy contains one or more policy blocks, each containing a specific rule that checks for compliance against an AWS security best practice or CIS benchmark.

  1. In Setup > Governance > Policies, edit the policy AWS Best Practice Security or CIS AWS Foundation.
  2. Switch the Status to Enabled and click Save Policy. When you enable a default policy, all rules within it are enabled and assigned a default severity. Recommendations from monitoring based on the default policy are available within an hour. Recommendations appear daily.

Review Default Policy Recommendations

Recommendations from the AWS Best Practice Security and CIS AWS Foundation policies help you understand what the particular security issue is and what action you can take to address it. These recommendations are also visible in the Health Check Pulse Report.

  1. In Setup > Governance > Policies, view the policy AWS Best Practice Security or CIS AWS Foundation. For each rule, the table shows the severity of the violation and the number of resources that violate that rule.
  2. Click a row in the table for more information on the rule.
    • Rule documentation is divided into the following sections: Description, Recommendation, and Additional Help. You can customize the content in these sections.
    • The Affected Resources table lists all resources that are violating the policy.
    • If you know why a resource is violating a policy rule and want to exclude it from future checks, click View All above the table, locate the resource in the dialog box that appears, and click Exclude.

Customize Default Policy

If you want to customize the security policies, you can edit each default policy within certain constraints. Alternatively, you can modify a copy of each default policy. In that case, however, the copy you create will not be updated when Tanzu CloudHealth adds new best practices or benchmarks to the default policy.

  1. In Setup > Governance > Policies, edit the policy AWS Best Practice Security or CIS AWS Foundation.
  2. Change one or more of these characteristics.
    • Enable or disable the policy. The policy is turned off by default.
    • Enable or disable a rule.
    • Change the severity of a rule.
    • Edit rule conditions. You can configure a policy rule so that it better reflects your requirements. For example, the default policy contains a rule that ensures that all IAM Server Certificates are not expiring within the next 30 days. You can edit this rule to modify that duration.
    • Trigger an action that is performed on resources that violate the conditions of a rule.

Apply Security Policy to Sub-Organizations

When you enable the security policies, they only check for security vulnerabilities in the top-level organization. In order to apply the policies to sub-organizations, duplicate each policy and specify the sub-organization to which it should apply.

  1. In Setup > Governance > Policies, duplicate the policy AWS Best Practice Security or CIS AWS Foundation.
  2. In the dialog box that appears, name the duplicate policy and select the sub-organization to which it should apply. Actions that you added to the original policy are not copied into the sub-organization.

How AWS Lambda Functions Work in Tanzu CloudHealth Policies

Tanzu CloudHealth gathers any Lambda Functions that you have written in your AWS accounts. These functions are available as Actions that Tanzu CloudHealth can take on your behalf in response to a Policy Condition being true in your environment.

What Is AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume, so there is no charge when your code is not running.

Using Lambda, you can run code for any type of application or backend service. When you upload your code, Lambda manages the resources required to run that code and scale it with high availability.

Some examples of how you can use Lambda are as follows:

  • Build data processing triggers for AWS services like Amazon S3 and Amazon DynamoDB.
  • Process streaming data stored in Amazon Kinesis.
  • Create your own back end that operates at AWS scale, performance, and security.
  • Build serverless applications composed of functions that are triggered by events and automatically deploy them using AWS CodePipeline and AWS CodeBuild.

For more information, see the AWS documentation on Lambda.

Lambda Function Support in the Tanzu CloudHealth Platform

Tanzu CloudHealth scans your AWS accounts every 15 minutes for new Lambda Functions. Upon discovery, these functions are immediately available as possible Actions for a Policy Condition.

You can apply Lambda Functions as Actions for these AWS services, provided that the Data Type for the Policy Condition is set to Per-resource.

  • EC2 Instances
  • EC2 Images
  • EC2 Reservations (not Modifications)
  • EC2 Snapshots
  • EBS Volumes
  • RDS Instances
  • Load Balancers
  • AWS Workspaces
  • DynamoDB Tables
  • Elastic IPs

Assign Lambda Function as Policy Action

Consider a policy that monitors EC2 Instance usage.

  1. Click Add Condition and select the condition criteria. In the Data Type dropdown, select Per-resource. Click Save Condition.
  2. Click Add Action. From the dropdown, select Run Lambda Function.
  3. Select the Lambda Function that you want Tanzu CloudHealth to run when the policy condition is met. You can scope the action to a specific Perspective Group. Assign Authorizers and click Save Action.
  4. Click Save Policy. The policy appears on the Setup > Governance > Policies page.

Payload That Tanzu CloudHealth Passes to Lambda Function

When a Lambda Function runs as an action in response to a Policy Condition, Tanzu CloudHealth passes it a payload that identifies the resources affected by the policy condition.

The payload has the following information:

  • Resource ARNs: Any available ARNs of the affected resources
  • Lambda Function Name
  • AWS Account ID
  • Policy Name
  • Name of Policy Block that fired the Action
  • URL of Policy Violation Report in the Tanzu CloudHealth platform
  • Summary of Policy Condition
  • Number of Affected resources
  • For each affected resource, fields that correspond to those that appear in the Policy Violation Report.

An example of the payload is provided below.

{
  "resource_arns": [
      "arn:aws:ec2:eu-west-1:8445847XXXXX:reservation/5031XXXX-d915-48ec-a66a-45d3XXXXed83",
      "arn:aws:ec2:us-east-1:8445847XXXXX:reservation/6d7bXXXX-b128-4599-802a-1112XXXXe21e",
      "arn:aws:ec2:us-east-1:8445847XXXXX:reservation/172bXXXX-4a21-43d1-878d-3882XXXX2dc1",
      "arn:aws:ec2:us-east-1:8445847XXXXX:reservation/5bfcXXXX-ecdf-4b5f-a3df-bf0cXXXX4475"
  ],
  "function_name": "e2e-testing-lambda",
  "region": "us-east-1",
  "account_id": "8933531XXXXX",
  "policy_name": "Test EC2 Inst Res",
  "policy_block_name": "Block 1",
  "violation_report_url": "https://apps.cloudhealthtech.com/policies/3504693314907/violation_report",
  "summary": "Reservations for 4 instances will expire within the next 100 days",
  "number_affected_resources": 4,
  "affected_resources": [
      {
          "Scope": "Availability Zone",
          "Account Name": "CHT-Demo",
          "Offering Type": "Partial Upfront",
          "Offering Class": "Standard",
          "API Name": "t2.small",
          "Zone Name": "eu-west-1a",
          "Region Name": "eu-west-1",
          "VPC": "",
          "Count": "1",
          "Operating System": "Linux/UNIX",
          "Actual Price": "$0.00",
          "Time To Expire": "6 days"
      },
      {
          "Scope": "Availability Zone",
          "Account Name": "CHT-Demo",
          "Offering Type": "All Upfront",
          "Offering Class": "Standard",
          "API Name": "t2.micro",
          "Zone Name": "us-east-1a",
          "Region Name": "us-east-1",
          "VPC": "",
          "Count": "1",
          "Operating System": "Linux/UNIX",
          "Actual Price": "$74.33",
          "Time To Expire": "96 days"
      },
      {
          "Scope": "Availability Zone",
          "Account Name": "CHT-Demo",
          "Offering Type": "All Upfront",
          "Offering Class": "Standard",
          "API Name": "t2.micro",
          "Zone Name": "us-east-1a",
          "Region Name": "us-east-1",
          "VPC": "",
          "Count": "1",
          "Operating System": "Linux/UNIX",
          "Actual Price": "$57.34",
          "Time To Expire": "96 days"
      },
      {
          "Scope": "Availability Zone",
          "Account Name": "CHT-Demo",
          "Offering Type": "All Upfront",
          "Offering Class": "Standard",
          "API Name": "t2.micro",
          "Zone Name": "us-east-1d",
          "Region Name": "us-east-1",
          "VPC": "",
          "Count": "1",
          "Operating System": "Linux/UNIX",
          "Actual Price": "$48.93",
          "Time To Expire": "96 days"
      }
  ]
}
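An added example of a Lambda handler that checks a payload of the shape shown above before doing anything with it; this is not Tanzu CloudHealth code. The field names are those of the sample payload, while the sample event, the 12-digit account numbers, the expiry window and the handler logic are constructed. It refuses resources whose ARN account does not match the payload's account_id and returns a plan instead of calling AWS, so it runs offline.

```python
"""Validate the policy-action payload before acting on it (added example)."""
import re

REQUIRED_FIELDS = (
    "resource_arns", "function_name", "region", "account_id", "policy_name",
    "policy_block_name", "violation_report_url", "summary",
    "number_affected_resources", "affected_resources",
)

# arn:partition:service:region:account-id:resource-type/resource-id
ARN_RE = re.compile(r"^arn:aws[a-z-]*:([a-z0-9-]+):([a-z0-9-]*):(\d{12}):(.+)$")


def parse_arn(arn):
    """Split an ARN into its parts; raises ValueError on anything malformed."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"malformed ARN: {arn}")
    service, region, account, resource = m.groups()
    rtype, _, rid = resource.partition("/")
    return {"service": service, "region": region, "account": account,
            "type": rtype, "id": rid}


def days_to_expire(text):
    """'6 days' -> 6; the sample payload carries this value as free text."""
    m = re.fullmatch(r"(\d+)\s+days?", text.strip())
    if not m:
        raise ValueError(f"unexpected Time To Expire value: {text!r}")
    return int(m.group(1))


def validate_payload(event):
    """Structural checks a handler should run before touching any resource."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"payload missing fields: {missing}")
    if len(event["affected_resources"]) != event["number_affected_resources"]:
        raise ValueError("number_affected_resources does not match the list")
    return [parse_arn(a) for a in event["resource_arns"]]


def handler(event, context=None, expiry_window_days=30):
    """Return a plan rather than acting: ARNs outside the payload's account are
    refused, and reservations expiring within the window are listed."""
    parsed = validate_payload(event)
    own = [p for p in parsed if p["account"] == event["account_id"]]
    foreign = [p for p in parsed if p["account"] != event["account_id"]]
    soon = [r["API Name"] + "@" + r["Zone Name"]
            for r in event["affected_resources"]
            if days_to_expire(r["Time To Expire"]) <= expiry_window_days]
    return {
        "policy": event["policy_name"],
        "block": event["policy_block_name"],
        "resource_ids": [p["id"] for p in own],
        "refused_foreign_arns": [p["id"] for p in foreign],
        "expiring_within_window": soon,
    }


# Constructed sample event in the payload's shape (not the page's data).
SAMPLE_EVENT = {
    "resource_arns": [
        "arn:aws:ec2:eu-west-1:123456789012:reservation/aaaa1111-0000-4000-8000-000000000001",
        "arn:aws:ec2:us-east-1:123456789012:reservation/bbbb2222-0000-4000-8000-000000000002",
        "arn:aws:ec2:us-east-1:999999999999:reservation/cccc3333-0000-4000-8000-000000000003",
    ],
    "function_name": "example-lambda",
    "region": "us-east-1",
    "account_id": "123456789012",
    "policy_name": "Example EC2 Reservation Policy",
    "policy_block_name": "Block 1",
    "violation_report_url": "https://example.invalid/violation_report",
    "summary": "Reservations for 3 instances will expire within the next 100 days",
    "number_affected_resources": 3,
    "affected_resources": [
        {"API Name": "t2.small", "Zone Name": "eu-west-1a", "Time To Expire": "6 days"},
        {"API Name": "t2.micro", "Zone Name": "us-east-1a", "Time To Expire": "96 days"},
        {"API Name": "t2.micro", "Zone Name": "us-east-1d", "Time To Expire": "96 days"},
    ],
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```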

Customize Policy Runbook Documentation

Add your own documentation into policies, specifically for use in the Policy Violation report

You can add your own documentation into policies, specifically for use in the Policy Violation report.

Tanzu CloudHealth default security policies (AWS Best Practice Security and CIS AWS Foundations) include standard documentation, which you can edit to meet your organization’s specific needs.

You need to use Markdown syntax to customize the documentation.

What is Markdown

Markdown is a tool that converts text to HTML. It allows you to author content in an easy-to-read, easy-to-write plain text format, which is then converted into structurally valid HTML.

Syntax for Basic Formatting of Content

You can quickly get started with basic formatting content using Markdown syntax. For advanced formatting options, see Markdown Syntax.

Headings

Construct headings from h1 through h6 by prepending the heading text with one # per level. Example:

# h1 Heading
## h2 Heading
### h3 Heading
#### h4 Heading
##### h5 Heading
###### h6 Heading

Paragraphs

Type paragraphs as normal, plain text.

Example:

Lorem ipsum dolor sit amet, graecis denique ei vel, at duo primis mandamus. Et legere ocurreret pri, animal tacimates complectitur ad cum.

Bold text

Emphasize textual elements with a heavier font weight by enclosing text within ** (double asterisks). Example:

**This text is bold-faced.**

Italics

To italicize text, enclose it within _ (underscores). Example:

_This text is italicized._

Comments

Enclose comments within <!-- and -->. Example:

<!-- This comment is not visible in the HTML output. -->

Horizontal Rule

Create thematic breaks in paragraphs by separating text using one of these options:

  • ___ (three underscores)
  • *** (three asterisks)
  • --- (three dashes)

Lists

Create unordered lists by prepending each list item with one of these symbols:

  • * valid bulleted item
  • - valid bulleted item
  • + valid bulleted item

Create ordered lists by explicitly specifying the order using numerals. Example:

1. first bullet
2. second bullet
3. third bullet

Basic link

[Page title](http://google.com)

Customize Rule Documentation

  1. In a policy block, select a Resource Type.
  2. Expand the Advanced Options section to add or edit documentation. You can also add links to internal resources that only members of your organization can view.
  3. In the Documentation text box, add sections, paragraphs, and links using Markdown syntax.

    ### Description
    The root account has full administrative privileges and should never be used for programmatic API access to AWS.
    ***
    ### Recommended Actions
    Delete any configured access keys on your root account and replace it with an IAM user or role configured with the minimum privileges required for its use.
    ### Additional Resources
    - [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)

Configure Budgets in Tanzu CloudHealth

Define your expected cloud spend on a month-by-month basis

What Are Tanzu CloudHealth Budgets

Budgets define your expected cloud spend on a month-by-month basis. Budgets allow you to visualize your expected costs for the year in advance and compare with actual spend as the year progresses. You can create as many budgets as needed.

There are two kinds of budgets:

Type                        Definition
Overall                     How much you plan to spend across your entire organization.
Categorized by Perspective  How much you plan each perspective group to spend.

You can view existing budgets by going to Setup > Governance > Budget.

Note - Budgets created via the legacy Budgets feature (no longer available) are indicated with a yellow legacy label. Because legacy budgets are no longer supported in Policies, Tanzu CloudHealth recommends copying these legacy budgets to create supported budgets and then replacing the legacy budgets in relevant policies.

You can compare budgeted costs against actual costs in the Budgets Vs. Actual Cost report.

After you have configured budgets, you can create policies to monitor costs and notify you when your costs are projected to exceed or have exceeded your expected budget for the month. Budget policies allow you to stay on top of your spend and act quickly before costs grow unmanageable.

When a budget expires, the policy block associated with the budget is disabled within the policy.

There is no notification that a policy block will be disabled. Review expiring budgets and ensure that you re-enable any policies you wish to keep active.

If you created a policy that used a legacy budget, that policy no longer works as expected. Replace the legacy budget with a budget created in the supported Budgets feature in order for the policy to work and send notifications.

Create a Budget

Step 1: Enter Budget Details

  1. In the Tanzu CloudHealth platform, go to Setup > Governance > Budget and select New Budget.
  2. Enter the name of the budget in the Budget Name field.
  3. Select a start month and year for the budget from the dropdown menus. All budgets are for a 12 month period.
  4. In the Categorization field, select whether the budget is overall or categorized by a perspective.
  5. Select the Budget includes amortization checkbox to factor amortization into the budget. If the budget includes amortization, the Budgets vs. Actual report uses amortized cost as its cost measure. Amortized cost is calculated as Total Cost - RI Prepay + Amortization.
  6. Select the Budget includes rollover month to month checkbox to carry over any remaining budget balance from one month to the next. Costs that exceed the budget are not carried over.
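The budget options above, worked through in an added example that is not Tanzu CloudHealth code: amortized cost as Total Cost - RI Prepay + Amortization, rollover that carries a remaining balance forward but drops overspend, and the rule that a budget with a zero-total group cannot be saved. All amounts are constructed, and the three-month lists stand in for the platform's 12-month budgets.

```python
"""Budget vs. actual arithmetic for the options the page describes (added example)."""


def amortized_cost(total_cost, ri_prepay, amortization):
    """Cost measure used by Budgets vs. Actual when amortization is enabled."""
    return total_cost - ri_prepay + amortization


def budget_vs_actual(budget, actual, rollover=False):
    """Compare a budget with actual spend month by month.

    `budget` and `actual` are equal-length lists of monthly amounts.
    Returns one row per month: (available, actual, remaining). With rollover,
    a positive remaining balance is added to the next month's available
    amount; a negative one (overspend) is not carried over."""
    if len(budget) != len(actual):
        raise ValueError("budget and actual must cover the same months")
    rows, carry = [], 0.0
    for planned, spent in zip(budget, actual):
        available = planned + carry
        remaining = available - spent
        rows.append((available, spent, remaining))
        carry = max(remaining, 0.0) if rollover else 0.0
    return rows


def months_over_budget(rows):
    """1-based month numbers in which actual spend exceeded the available amount."""
    return [i for i, (_, _, remaining) in enumerate(rows, start=1) if remaining < 0]


def can_save(group_budgets):
    """Save/Update is disabled when any perspective group totals 0."""
    return all(sum(values) != 0 for values in group_budgets.values())


if __name__ == "__main__":
    budget = [1000.0] * 3
    actual = [800.0, 1300.0, 900.0]
    for rollover in (False, True):
        rows = budget_vs_actual(budget, actual, rollover=rollover)
        print("rollover" if rollover else "no rollover", rows,
              "over in months", months_over_budget(rows))
    print("amortized cost:", amortized_cost(1200.0, 500.0, 150.0))
    print("can save:", can_save({"web": [0, 0], "db": [10, 20]}))
```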

Step 2: Enter Budget Values

Budget values can be populated via two methods:

  • Manual Entry: Enter your budget values manually for each month of the budget cycle.
  • CSV Import: Download a CSV template, populate the budget values in the CSV, and then import the CSV file to the Tanzu CloudHealth Platform.

Option 1: Manual Entry

  1. Go to the Budget Values pane. If the budget is categorized by perspective, select Add Group(s). Select which perspective groups you want to configure a budget for and then click Ok.
  2. Optionally, select the Show historical cost on hover checkbox to view your actual cost for that month last year when you hover the mouse over a month in the table.
  3. Enter the monthly budget values manually in the table.
  4. Click Save.

Option 2: CSV Import

  1. Go to the Budget Values pane. If the budget is categorized by perspective, select Add Group(s). Select which perspective groups you want to configure a budget for and then click Ok.
  2. Select Download/Import CSV.
  3. Optionally, in the Import/Export CSV dialog box, select the Include Historical Cost checkbox to view your last year’s monthly actual cost in the CSV file.

    Historical cost data is available for the last 13 months.

  4. Select Download CSV to download a CSV template. If the budget is categorized by perspective, select from the dropdown whether you want the template to include only the perspective groups you added in Step 1 or all the groups in the perspective the budget is categorized by.
  5. The CSV template downloads to your computer. Open the file and enter your monthly budget values. Save the populated budget with a unique name.
  6. In the Tanzu CloudHealth Platform, return to the Download/Import CSV dialog box. Select Choose File and select the saved CSV file.
  7. Select Import CSV to import the saved CSV file to the Platform.
  8. Review the imported budget and then click Save.

If your budget has any group with a total of 0, then the Save button will be disabled, and you will not be able to create the budget.

Modify Budgets

After you have created a budget, you can take a variety of actions on that budget in Setup > Governance > Budget.

Edit an Existing Budget

To edit an existing budget, select the View icon for that budget and make changes as needed. You cannot edit an existing budget’s start date, budget type, and categorization.

If your budget has any group with a total of 0, then the Update button will be disabled, and you will not be able to modify the budget.

Duplicate a Budget

You can duplicate an existing budget and then modify the copy instead of creating a new budget from scratch. To duplicate a budget, select the Duplicate icon for that budget.

Delete a Budget

To permanently delete an existing budget, select the Delete icon for that budget.

A dialog box appears warning you about any policies, reports, subscriptions, and alerts that are dependent on this budget and are consequently affected by the budget’s deletion. Click Delete to delete the budget.
