Check the status of your various AWS accounts within the VMware Tanzu CloudHealth platform.
Using the AWS Account API status report, you can check the health of your AWS accounts within the Tanzu CloudHealth platform. This report provides enhanced visibility into the status of every API call in every region and for every service.
AWS Account API Status Report provides the following insights:
In the API Status section, you can choose to view API actions of different Services or Regions. All column headings in the report are sortable. You can click a column name to sort the data in ascending or descending order. The Has Access status indicates a successful API call, and the No Access status indicates API failure.
If you are not allowed access to a certain service, check the IAM Recommendation column to know whether you need to update your IAM policy or enter valid IAM user or role credentials.
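As an added example (not Tanzu CloudHealth's own code), the following script does what a per-region API status check does: it issues a few of the read-only calls listed on this page in each region, maps AccessDenied-style error codes to No Access, keeps throttling and network errors apart from policy failures, and derives a heuristic IAM recommendation. The client factory, the fake client and the denial scenario are assumptions constructed so it runs offline; against a real account, pass a factory that returns boto3 clients.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Error codes AWS returns when the caller's IAM policy does not allow the action.
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}

# (service, IAM action as written in the policy, SDK method name): a subset of the calls on this page.
CALLS = [
    ("ec2", "ec2:DescribeInstances", "describe_instances"),
    ("ec2", "ec2:DescribeSecurityGroups", "describe_security_groups"),
    ("rds", "rds:DescribeDBInstances", "describe_db_instances"),
]

@dataclass
class ProbeResult:
    region: str
    action: str
    status: str   # "Has Access", "No Access" or "Error"
    code: str = ""

def _error_code(exc: Exception) -> str:
    # botocore's ClientError keeps the AWS error code in exc.response["Error"]["Code"].
    resp = getattr(exc, "response", None)
    if isinstance(resp, dict):
        return resp.get("Error", {}).get("Code", "")
    return type(exc).__name__

def probe_access(calls, regions: List[str], client_factory: Callable) -> List[ProbeResult]:
    """Issue each call in each region; client_factory(service, region) returns an SDK
    client, e.g. lambda s, r: boto3.client(s, region_name=r) against a real account."""
    results = []
    for service, action, method in calls:
        for region in regions:
            client = client_factory(service, region)
            try:
                getattr(client, method)()
                results.append(ProbeResult(region, action, "Has Access"))
            except Exception as exc:
                code = _error_code(exc)
                # Throttling, endpoint and network errors are not policy failures.
                status = "No Access" if code in DENIED_CODES else "Error"
                results.append(ProbeResult(region, action, status, code))
    return results

def iam_recommendation(results: List[ProbeResult]) -> Dict[str, str]:
    """Heuristic (an assumption, not the platform's rule): every call denied points at
    the credentials or role; only some denied points at missing policy actions."""
    denied = [r for r in results if r.status == "No Access"]
    if not denied:
        return {}
    advice = ("verify IAM user or role credentials" if len(denied) == len(results)
              else "add this action to the IAM policy")
    return {r.action: advice for r in denied}

# Constructed offline stand-in for SDK clients.
class FakeClientError(Exception):
    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeClient:
    """Raises AccessDenied for the methods named in `denied`; every other call succeeds."""
    def __init__(self, denied: Set[str]):
        self.denied = denied
    def __getattr__(self, method: str):
        def call():
            if method in self.denied:
                raise FakeClientError("AccessDenied")
            return {}
        return call

def fake_factory(denied_by_region: Dict[str, Set[str]]) -> Callable:
    return lambda service, region: FakeClient(denied_by_region.get(region, set()))

def demo():
    # Constructed scenario: rds denied in us-east-1, ec2:DescribeInstances denied in eu-west-1.
    factory = fake_factory({"us-east-1": {"describe_db_instances"},
                            "eu-west-1": {"describe_instances"}})
    results = probe_access(CALLS, ["us-east-1", "eu-west-1"], factory)
    return results, iam_recommendation(results)
```

Printing `demo()[0]` row by row gives the same region/action/status grid the report shows.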
As Tanzu CloudHealth adds support for new and existing AWS services, you may need to regenerate the account policy for each AWS account that you have configured in the Tanzu CloudHealth platform to allocate those services.
When configuring an AWS account in the Tanzu CloudHealth Platform, you need to create an IAM Role and assign a Tanzu CloudHealth-generated policy to that role.
The Tanzu CloudHealth-generated policy contains API calls that the Platform uses for these purposes:
As Tanzu CloudHealth adds support for new and existing AWS services, you might be required to regenerate the account policy for each AWS account that you have configured in the Tanzu CloudHealth platform. By regenerating the account policy, you can allocate that service to various parts of the Tanzu CloudHealth platform, such as reports, perspectives, and policies.
Click Warning.
When an account policy update is required, a message similar to this one appears.
The following asset-specific calls in the Tanzu CloudHealth-generated policy allow the Platform to collect asset inventory metadata and asset tags. Each call is linked to its corresponding AWS documentation. Follow the links to learn what the request and response payloads for each call look like.
This list is periodically revised.
Fetch the tags associated with Accounts.
Fetch the resources, tags, and images associated with AppStream.
Fetch the resources associated with AutoScaling Groups. For each group, fetch launch configurations, lifecycle hooks, policies, and scheduled actions that have not run.
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeLifecycleHooks
autoscaling:DescribePolicies
autoscaling:DescribeScheduledActions
autoscaling:Describe
Fetch the resources and tags associated with CloudFormation stacks.
cloudformation:DescribeStacks
cloudformation:ListStacks
cloudformation:ListStackResources
cloudformation:DescribeStackEvents
cloudformation:DescribeStackResources
cloudformation:GetTemplate
Fetch stacks that have a status of CREATE_IN_PROGRESS.
Fetch the resources and tags associated with CloudFront distributions and list RTMP streaming distributions.
cloudfront:ListDistributions
cloudfront:ListStreamingDistributions
cloudfront:ListTagsForResource
cloudfront:Get
cloudfront:List
Fetch the resources and tags associated with CloudTrail trails.
Fetch CloudWatch dashboards and fetch statistics for specific metrics and metrics filters.
cloudwatch:GetDashboard
cloudwatch:GetMetricStatistics
cloudwatch:DescribeAlarms
cloudwatch:DescribeAlarmsForMetric
logs:DescribeLogGroups
logs:ListTagsLogGroup
logs:DescribeMetricFilters
logs:Describe
cloudwatch:Describe
cloudwatch:Get
cloudwatch:List
Fetch information about Config rules, configuration recorders and their status, specific delivery channels, and number of Config rules that are compliant and not compliant.
config:DescribeConfigRules
config:DescribeConfigurationRecorders
config:DescribeConfigurationRecorderStatus
config:DescribeDeliveryChannels
config:GetComplianceDetailsByConfigRule
config:Get
config:Describe
config:Deliver
config:List
Describe your AWS Cost and Usage reports to ensure that the CUR is properly configured and to instruct AWS to generate detailed billing information.
cur:DescribeReportDefinitions
cur:Describe
Fetch information on replication instances for your AWS Account in the current region and fetch all tags for an AWS DMS resource.
dms:DescribeReplicationInstances
dms:ListTagsForResource
dms:Describe
dms:List
Fetch information on DynamoDB tables, including the current table status, when it was created, the primary key schema, and any indexes on the table. Fetch array of table names associated with the current account and endpoint. Fetch all tags on a DynamoDB resource.
Fetch information on EC2 Instances; attributes of your AWS Account; status of each EC2 Instance; available AMI, AKI, and ARI Images; Dedicated Hosts; Elastic IP Addresses; network ACLs; route tables; Reserved Instance purchases; Reserved Instance listing in the Reserved Instance Marketplace; modifications made to your Reserved Instances; security groups; EBS snapshots; Spot Instance requests; Subnets; Volumes; VPC; and NAT Gateways.
ec2:DescribeInstances
ec2:DescribeAccountAttributes
ec2:DescribeInstanceStatus
ec2:DescribeImages
ec2:DescribeHosts
ec2:DescribeAddresses
ec2:DescribeNetworkAcls
ec2:DescribeRouteTables
ec2:DescribeRegions
ec2:DescribeReservedInstances
ec2:DescribeReservedInstancesListings
ec2:DescribeReservedInstancesModifications
ec2:DescribeSecurityGroups
ec2:DescribeSnapshots
ec2:DescribeSpotInstanceRequests
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:DescribeVpcs
ec2:DescribeNatGateways
ec2:GetReservedInstancesExchangeQuote
ec2:Describe
ecs:List
ecs:Describe
eks:Describe
eks:List
Fetch information about all provisioned clusters, reserved cached nodes, and cost allocation tags for the resource.
elasticache:DescribeCacheClusters
elasticache:DescribeReservedCacheNodes
elasticache:ListTagsForResource
elasticache:Describe
Fetch the specified type of information of the deployed environment.
elasticbeanstalk:RequestEnvironmentInfo
elasticbeanstalk:RetrieveEnvironmentInfo
elasticbeanstalk:Check
elasticbeanstalk:Describe
elasticbeanstalk:List
Fetch information about all Filesystems and cost allocation tags for the resource.
elasticfilesystem:DescribeFileSystems
elasticfilesystem:DescribeTags
elasticfilesystem:Describe
Fetch information about all MapReduce Clusters, including status, hardware, and software configuration. Fetch status of all clusters visible in your AWS Account. Fetch information on all instance groups in your clusters, all active EC2 Instances, and all EC2 Instances terminated within the last 30 days.
elasticmapreduce:DescribeCluster
elasticmapreduce:ListClusters
elasticmapreduce:ListInstanceGroups
elasticmapreduce:ListInstances
elasticmapreduce:Describe
elasticmapreduce:List
Fetch Elasticsearch domain configuration information, including the domain ID, domain endpoint, and domain ARN; names of all domains owned by the AWS Account; and tags for each domain.
es:DescribeElasticsearchDomains
es:ListDomainNames
es:ListTags
es:DescribeReservedElasticsearchInstances
es:List
es:Describe
Fetch information about all load balancers and cost allocation tags for the resources.
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
elasticloadbalancing:Describe
fsx:Describe
Fetch IAM-related information so that Tanzu CloudHealth has read-only user- or role-based access to your AWS Account. Tanzu CloudHealth uses this read-only access to gather information on AWS resources and tags associated with your account.
iam:GetUser
iam:GenerateCredentialReport
iam:GetCredentialReport
iam:ListGroups
iam:GetGroup
iam:ListUsers
iam:ListPolicies
iam:GetPolicy
iam:GetRole
iam:ListRoles
iam:GetAccountPasswordPolicy
iam:ListServerCertificates
iam:ListVirtualMFADevices
iam:ListMFADevices
iam:ListAccessKeys
iam:GetAccountSummary
iam:ListEntitiesForPolicy
iam:GetPolicyVersion
iam:List
iam:Get
Fetch information about all Kinesis streams and cost allocation tags for the resources.
kinesis:DescribeStream
kinesis:ListStreams
kinesis:ListTagsForStream
kinesis:Describe
kinesis:List
Fetch information about all Kinesis Firehose delivery streams.
Fetch information about all Lambda functions and cost allocation tags for the resources.
lambda:ListFunctions
lambda:ListTags
lambda:List
Fetch information about all RedShift Clusters and cost allocation tags for the resources.
redshift:DescribeClusters
redshift:DescribeReservedNodes
redshift:DescribeClusterSnapshots
redshift:Describe
Fetch information about all Route53 Hosted Zones and cost allocation tags for the resources.
route53:ListHostedZones
route53:ListTagsForResources
route53:GetHostedZone
route53:Get
route53:List
Fetch information about provisioned RDS Instances, reserved DB instances, security groups, snapshots, subnet groups, and tags for RDS resources.
rds:ListTagsForResource
rds:DescribeDBInstances
rds:DescribeReservedDBInstances
rds:DescribeDBSecurityGroups
rds:DescribeDBSnapshots
rds:DescribeDBSubnetGroups
rds:Describe
Fetch information about AWS Savings Plans.
Fetch information about all S3 buckets, tags, and bucket locations.
s3:ListBuckets
s3:GetBucketTagging
s3:GetBucketLocation
s3:GetBucketAcl
s3:GetBucketPolicy
s3:GetBucketPolicyStatus
s3:GetBucketLogging
s3:GetBucketPublicAccessBlock
s3:GetAccountPublicAccessBlock
s3:GetBucketVersioning
s3:GetBucketWebsite
s3:List
Fetch information about all SageMaker Endpoints.
sagemaker:DescribeEndpoint
sagemaker:DescribeEndpointConfig
sagemaker:DescribeModel
sagemaker:DescribeNotebookInstance
sagemaker:DescribeTrainingJob
sagemaker:ListEndpointConfigs
sagemaker:ListEndpoints
sagemaker:ListModels
sagemaker:ListNotebookInstances
sagemaker:ListTags
sagemaker:ListTrainingJobs
sagemaker:Describe
sagemaker:List
sdb:GetAttributes
sdb:List
ses:Get
ses:List
Fetch list of Simple Notification Service subscriptions and their attributes.
sns:ListSubscriptions
sns:ListSubscriptionsByTopic
sns:ListTopics
sns:GetSubscriptionAttributes
sns:GetTopicAttributes
sns:Get
sns:List
Fetch attributes for the specified queue.
storagegateway:List
storagegateway:Describe
Fetch information about all WorkSpaces, their connection status, and tags associated with these resources, as well as WorkSpace bundles.
workspaces:DescribeTags
workspaces:DescribeWorkspaces
workspaces:DescribeWorkspacesConnectionStatus
workspaces:DescribeWorkspaceBundles
workspaces:Describe
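Every call in the list above is a Describe, List or Get style read, which is what a third-party role should be limited to. The script below is an added example, not Tanzu CloudHealth code: it audits a policy document before it is attached to the role, grouping each allowed action as read-only, wildcard, or needing manual review. The read-only verb prefixes are the reviewer's conservative assumption rather than AWS's official access-level data, and the sample policy is constructed, with one deliberately broad statement so the audit has something to flag.

```python
import json
from typing import Dict, List

# Verb prefixes treated as read-only (an assumption, not AWS's access-level data).
# Actions outside this set are reported for manual review against the AWS Service
# Authorization Reference, not declared unsafe.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Check", "Generate")

# Constructed sample modelled on the action list above. The second statement is
# broader than a read-only collector needs and is there to show what the audit flags.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "ec2:Describe*", "s3:ListBuckets",
                    "s3:GetBucketPolicy", "iam:GenerateCredentialReport",
                    "config:DescribeConfigRules", "config:Deliver*",
                    "elasticbeanstalk:RequestEnvironmentInfo"]},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:*"},
        {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteBucket"},
    ],
})

def _as_list(value) -> List[str]:
    # IAM allows Action, NotAction and Statement to be a single string or a list.
    return value if isinstance(value, list) else [value]

def classify_action(action: str) -> str:
    """Return 'wildcard', 'read-only' or 'review' for one IAM action string."""
    if action == "*" or action.endswith(":*"):
        return "wildcard"
    if ":" not in action:
        return "review"
    verb = action.split(":", 1)[1].rstrip("*")   # "ec2:Describe*" -> "Describe"
    return "read-only" if verb.startswith(READ_ONLY_PREFIXES) else "review"

def audit_policy(policy_json: str) -> Dict[str, List[str]]:
    """Group every action granted by an Allow statement by classification.

    Deny statements are skipped because they can only narrow what Allow grants.
    """
    doc = json.loads(policy_json)
    report = {"wildcard": [], "read-only": [], "review": []}
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            report["wildcard"].append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
        for action in _as_list(stmt.get("Action", [])):
            report[classify_action(action)].append(action)
    return report

def is_read_only(policy_json: str) -> bool:
    """True only when nothing in the policy needs review and no wildcard is granted."""
    report = audit_policy(policy_json)
    return not report["wildcard"] and not report["review"]
```

Running `audit_policy(SAMPLE_POLICY)` puts `s3:*` under wildcard and the Deliver and RequestEnvironmentInfo actions under review, so the constructed sample fails `is_read_only`.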
Indicates the rates at which Tanzu CloudHealth adds API service queries to a queue. These queries help Tanzu CloudHealth identify changes in your AWS infrastructure.
The frequencies specified below indicate the rates at which Tanzu CloudHealth adds API service queries to a queue. These queries help Tanzu CloudHealth identify changes in your AWS infrastructure. These frequencies are not the intervals at which the Tanzu CloudHealth platform refreshes with changes in your AWS infrastructure.
Tanzu CloudHealth makes the best effort to queue up query requests at these frequencies. However, factors such as network latency, the number of queued items to be processed, the number of AWS services that you utilize, and AWS service-level rate limits determine how quickly the query responses are returned to the Tanzu CloudHealth platform.
The Tanzu CloudHealth platform uses AWS APIs to gather the asset information essential to all kinds of reports in the platform. If the number of Tanzu CloudHealth API requests exceeds the defined AWS API request limit, AWS denies the API requests. This process is called throttling. In the case of throttling, Tanzu CloudHealth negotiates with AWS for an increase in the API throttling limit. But for some services, such as AWS Config, Tanzu CloudHealth is already operating at the maximum capacity.
The spend-based asset collection feature ensures the Tanzu CloudHealth API requests do not return with an empty response from AWS. The platform now makes API requests only when it detects a service charged with $0 or more in the cloud usage bill, reducing unnecessary API calls. Once the service is charged, Tanzu CloudHealth will start sending API queries for the service. This spend-monitoring approach efficiently reduces the wastage of your API quota as well as your API cost.
The spend-based asset collection feature considerably changes the initial asset collection time for a newly added account and service. Once a new asset or service is billed, it could take a minimum of 24 hours to appear in the Tanzu CloudHealth reports. After the initial delay, the platform continues to update the asset or service details as per the standard collection frequency.
Example: If you have recently started using WorkSpaces, the service won’t appear in your Tanzu CloudHealth reports until a bill shows WorkSpaces charges in it. Once the service charge first appears in a bill, only the initial asset collection could take about 24 hours. Later, the asset collection for the WorkSpaces will start with the standard 1-hour collection frequency.
Spend-based asset collection is enabled for the following AWS services:
Documents a set of foundational questions that allow you to understand if a specific architecture aligns well with cloud best practices.
The AWS Well-Architected Framework documents a set of foundational questions that allow you to understand if a specific architecture aligns well with cloud best practices. The framework provides a consistent approach to evaluating systems against the qualities you expect from modern cloud-based systems, and the remediation that would be required to achieve those qualities.
Definition from AWS Whitepaper, November 2017
Pillar | Description |
---|---|
Operational Excellence | The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures. |
Security | The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. |
Reliability | The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues. |
Performance Efficiency | The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve. |
Cost Optimization | The ability to avoid or eliminate unneeded cost or suboptimal resources. |
Each pillar is qualified by a set of foundational questions that allow you to understand if a specific architecture aligns well with cloud best practices.
The Tanzu CloudHealth Platform can help you answer several of the questions that qualify each pillar in the AWS Well-Architected Framework.
Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
---|---|---|
What best practices for cloud operations are you using? | Good | Achieve centralized governance by building best practice policies. |
How are you doing configuration management for your workload? | Not currently supported | |
How are you evolving your workload while minimizing the impact of change? | Not currently supported | |
How do you monitor your workload to ensure it is operating as expected? | Moderate | Track nonfunctional operations using Cost Reports (e.g., Cost History Report) and Performance Reports (e.g., EC2 Instance Performance Report). Reporting on functional aspects such as application responsiveness is not currently supported. |
How is escalation managed when responding to unplanned operational events? | Not currently supported | |
Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
---|---|---|
How are you protecting access to and use of the AWS root account credentials? | Good | Build a security policy that checks for root account credentials that are not protected by MFA tokens. See Implement Tanzu CloudHealth Default Security Policy. Subscribe to the Health Check Pulse report, which contains a section that tracks Security vulnerabilities. |
How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API? | Moderate | Identify security vulnerabilities using the AWS Best Practices Security policy. Through this policy, Tanzu CloudHealth can track and report on absent MFA tokens, credentials that have not been rotated for a significant period of time, and weak password policies on your AWS account(s). In order to audit permission changes, use the security policy to get alerted whether a user’s IAM permissions change. Subscribe to the Health Check Pulse report, which contains a section that tracks Security vulnerabilities. |
How are you limiting automated access to AWS resources? | Not currently supported | |
How are you capturing and analyzing logs? | Moderate | Customize the AWS Best Practice Security policy to identify accounts that do not have logging faculties such as CloudTrail set up correctly. By proactively enabling this policy, you can ensure that logs are available for analysis on the day that an event occurs. |
How are you enforcing network- and host-level boundary protection? | Good | Customize the AWS Best Practice Security policy to audit EC2 security groups and determine if they allow ingress from an abnormally large number of services or from the outside world. |
How are you leveraging AWS service-level security features? | Not currently supported | |
How are you protecting the integrity of the operating systems on your Amazon EC2 instances? | Moderate | The Tanzu CloudHealth Platform integrates with system management frameworks such as Chef. Through this integration, Tanzu CloudHealth can determine information such as OS vendor version, time since last reboot, and whether or not a tool such as Chef has run recently on an instance. |
How are you classifying your data? | Good | Gather your AWS resources into meaningful groups using Tanzu CloudHealth Perspectives. This process assigns ownership of portions of your AWS infrastructure to specific business groups and systems. For example, using Perspectives, you can quickly visualize which part(s) of your infrastructure need to be PCI compliant or which parts can be treated in a less stringent manner. |
How are you encrypting and protecting your data at rest? | Not currently supported | |
How are you managing keys? | Not currently supported | |
How are you encrypting and protecting your data in transit? | Moderate | Customize the AWS Best Practice Security policy to get alerts on expiring SSL certificates. |
How do you ensure that you have the appropriate incident response? | Not currently supported | |
Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
---|---|---|
How do you manage AWS service limits for your account(s)? | Not currently supported | |
How are you planning your network topology on AWS? | Not currently supported | |
How does your system adapt to changes in demand? | Good | Employ Tanzu CloudHealth Rightsizing capabilities to ensure that your cloud assets are being well utilized for the workloads that you deploy on them. Build an instance or volume rightsizing policy that constantly monitors your infrastructure for rightsizing opportunities. Subscribe to the Health Check Pulse report, which contains a section that tracks underutilized instances and volumes. |
How are you monitoring AWS resources? | Good | Gather your AWS resources into meaningful groups using Tanzu CloudHealth Perspectives. Review Tanzu CloudHealth Metrics Reports (e.g., EC2 Instance Metrics Report) to track utilization metrics by these groups. |
How are you executing change? | Not currently supported | |
How are you backing up your data? | Not currently supported | |
How does your system withstand component failures? | Not currently supported | |
How are you testing for resiliency? | Not currently supported | |
How are you planning for disaster recovery? | Not currently supported | |
Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
---|---|---|
How do you select the best performing architecture? | Good | Gather your AWS resources into meaningful groups using Tanzu CloudHealth Perspectives. Review Performance Reports (e.g., EC2 Instance Performance Report) by Perspective to identify bottlenecks in your infrastructure. |
How do you select your compute solution? | Moderate | Employ Tanzu CloudHealth Rightsizing capabilities to ensure that your EC2 Instances are being well utilized for the workloads that you deploy on them. EC2 rightsizing across families is currently unavailable. |
How do you select your storage solution? | Not currently supported | |
How do you select your database solution? | Not currently supported | |
How do you select your network solution? | Not currently supported | |
How do you ensure that you continue to have the most appropriate resource type as new resource types and features are introduced? | Moderate | Because Tanzu CloudHealth Metrics can be rolled up to a per-service level rather than per-instance level, you can quickly visualize the results of controlled experiments with newer infrastructure. EC2 rightsizing across generations and families is currently unavailable. |
How do you use tradeoffs to improve performance? | Good | The Tanzu CloudHealth EC2 Instance Rightsizing Report helps you tie instance performance back to costs and savings. This insight helps you make tradeoffs to improve performance. |
Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
---|---|---|
Are you considering cost when you select AWS services for your solution? | Good | Utilize the wide array of cost optimization approaches in the Tanzu CloudHealth Platform: Cost Reports, Financial and Cost Optimization policies, Rightsizing capabilities, and Reservation Management solutions. |
Have you sized resources to meet your cost targets? | Good | The Tanzu CloudHealth EC2 Instance Rightsizing Report helps you tie instance performance back to costs and savings. |
Have you selected the appropriate pricing model to meet your cost targets? | Good | Tanzu CloudHealth Reservation Management solutions allow you to model, optimize, and analyze reserved instance usage and purchases in your environment. The Cost Savings Report visualizes cost saving opportunities. |
How do you make sure your capacity matches but does not substantially exceed what you need? | Good | Employ Tanzu CloudHealth Rightsizing capabilities to ensure that your EC2 Instances are being well utilized for the workloads that you deploy on them. |
Did you consider data transfer charges when designing your architecture? | Good | Gather your AWS resources into meaningful groups using Tanzu CloudHealth Perspectives. Review the Data Transfer Cost Report to view these costs by business group and system in your infrastructure. |
How are you monitoring usage and spend? | Good | Build Financial and Cost optimization policies to continuously monitor your infrastructure for spend and savings opportunities. Get alerts that help you manage usage and costs. |
Do you decommission resources that you no longer need or stop resources that are temporarily not needed? | Good | Employ Tanzu CloudHealth Rightsizing capabilities to ensure that your EC2 Instances are being well utilized for the workloads that you deploy on them. |
What access controls and procedures do you have in place to govern AWS usage? | Moderate | Identify security vulnerabilities using the AWS Best Practices Security policy. Through this policy, Tanzu CloudHealth can track and report on security issues and offer remedial recommendations. |
How do you manage and/or consider the adoption of new services? | Good | Review and analyze Tanzu CloudHealth Cost Reports (e.g., Cost History Report) to see what new services cost or are forecasted to cost. |
Expedite the import of multiple accounts into Tanzu CloudHealth using a CSV file
You can expedite the import of multiple accounts into Tanzu CloudHealth using a CSV file. Managing and importing from a centralized spreadsheet simplifies the rotation of credentials and the addition of new accounts.
To download a template for the CSV file with pre-filled columns, click Import Accounts template.
While both approaches are supported in the Tanzu CloudHealth platform, using a read-only IAM Role during account creation is recommended over using a read-only IAM User.
Enables an AWS representative to access the Tanzu CloudHealth platform.
The AWS Invite functionality offers multiple benefits for the end user:
To enable Amazon account representative access to the Tanzu CloudHealth environment, a Tanzu CloudHealth account administrator first needs to invite the Amazon representative to the account.
To invite users, navigate to the Setup menu, click Admin, and then click Users. In the Users section, select Invite User in the top-right of the screen.
If the user’s organization is using SSO, the Invite User invitation button will default to inviting an AWS representative.
If the organization is not using SSO, two tabs will be available to the user: Invite User or Invite Amazon. If a non-SSO user is adding an AWS rep via the Invite Amazon tab, the invitation can only be sent to individuals with @amazon.com email domains.
After filling out the AWS representative name, email address and role, the Invite User option will become available in the dialog. Tanzu CloudHealth recommends providing AWS Representatives with Standard User access roles. The Standard User role will allow the AWS representative to see the saved reports, assets, and perspectives within the environment, while limiting access to account configuration tools and other administrative functionality.
After receiving access to a Tanzu CloudHealth customer environment, the AWS representative will log in to the platform by providing his/her Tanzu CloudHealth @amazon.com email login and password. Upon logging in, the AWS representative will see a drop-down menu that provides access to all customers who have provided the representative with an invitation to their Tanzu CloudHealth environment.
By selecting a Customer, the representative will be able to enter and view that particular account's environment. This provides access to Tanzu CloudHealth's consolidated view of AWS assets, infrastructure perspectives, performance and usage data, reserved instance purchases, governance policies, and more. The AWS representative can now more easily collaborate with their customers to review Tanzu CloudHealth recommendations, taking into account the unique characteristics of the customer's environment.
To log out of a customer’s Tanzu CloudHealth console, or switch the customer environment, select a new customer from the bottom left corner of the Platform.