Managing AWS Accounts

AWS Account API Status Report

Check the status of your various AWS accounts within the VMware Tanzu CloudHealth platform.

Using the AWS Account API status report, you can check the health of your AWS accounts within the Tanzu CloudHealth platform. This report provides enhanced visibility into the status of every API call in every region and for every service.

AWS Account API Status Report provides the following insights:

  • The AWS Account API status
  • List of the errors associated with API failures
  • Recommendations on how to remediate the issues

How to generate the AWS Account API Status Report

  1. In the Tanzu CloudHealth platform, from the left menu, navigate to Setup > AWS Account API Status.
  2. In the Account section, select the account name for which you want to see the API status. Selecting the Show only API failures option will display details of only failed APIs for all the accounts.
  3. In the API Status section, you can choose to view API actions of different Services or Regions. All column headings in the report are sortable. You can click a column name to sort the data in ascending or descending order. The Has Access status indicates a successful API call, and the No Access status indicates API failure.

    If you are not allowed access to a certain service, check the IAM Recommendation column to know whether you need to update your IAM policy or enter valid IAM user or role credentials.

Periodic Updates to AWS Account Policy

As Tanzu CloudHealth adds support for new and existing AWS services, you may need to regenerate the account policy for each AWS account that you have configured in the Tanzu CloudHealth platform to allocate those services.

The Need for Updating Your Account Policy

When configuring an AWS account in the Tanzu CloudHealth Platform, you need to create an IAM Role and assign a Tanzu CloudHealth-generated policy to that role.

The Tanzu CloudHealth-generated policy contains API calls that the Platform uses for these purposes:

  • Collecting inventory metadata about underlying assets and their tags.
  • Presenting the metadata so that both you and the Tanzu CloudHealth Platform can analyze your environment.
  • Using asset metadata to enable you to create policies and take actions using the Tanzu CloudHealth Platform.

As Tanzu CloudHealth adds support for new and existing AWS services, you might be required to regenerate the account policy for each AWS account that you have configured in the Tanzu CloudHealth platform. By regenerating the account policy, you can allocate that service to various parts of the Tanzu CloudHealth platform, such as reports, perspectives, and policies.

When to Update Account Policy

  1. In the Tanzu CloudHealth platform, select Setup > Accounts > AWS.
  2. From the list of accounts, locate any accounts whose Status indicates Warning.
  3. Click Warning.

    When an account policy update is required, a message similar to this one appears.

How to Update Account Policy

  1. In the Tanzu CloudHealth platform, select Setup > Accounts > AWS.
  2. Edit the AWS account that is indicating a warning status.
  3. Click Generate Policy. Tanzu CloudHealth generates an updated policy that contains one or more updated lines to include the new service that Tanzu CloudHealth supports.
  4. In the IAM Access Policy dialog box, click Select All and copy the contents to the clipboard.
  5. Log in to the AWS Console as an administrator. Navigate to Services > IAM and from the left menu, select Policies.
  6. Locate the Tanzu CloudHealth policy you are using to manage IAM. Paste the updated policy in the Policy Document field. Then click Apply Policy.
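
Before pasting a regenerated policy over the existing one, review what it adds. The following is an added example, not part of the Tanzu CloudHealth documentation or tooling: it diffs the current and regenerated policy documents and flags added actions that are not read-only. The two sample policies and the list of read-only verb prefixes are constructed assumptions, not the actual generated policy.

```python
import json

# Assumption: verb prefixes treated as read-only for this review.
READ_ONLY_PREFIXES = ("describe", "get", "list", "batchget")


def allowed_actions(policy_json):
    """Collect every action granted by the Allow statements of a policy document."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    actions = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            # Allow + NotAction grants everything except the listed actions,
            # so it is recorded as a wildcard and always flagged.
            actions.add("*")
        granted = st.get("Action", [])
        actions.update([granted] if isinstance(granted, str) else granted)
    return actions


def is_read_only(action):
    """True when the verb after 'service:' starts with a read-only prefix."""
    _, _, verb = action.partition(":")
    return verb.lower().startswith(READ_ONLY_PREFIXES)


def review_policy_update(current_json, regenerated_json):
    """Compare action strings literally (wildcards are not expanded)."""
    before = allowed_actions(current_json)
    after = allowed_actions(regenerated_json)
    added = sorted(after - before)
    return {
        "added": added,
        "removed": sorted(before - after),
        "needs_review": [a for a in added if not is_read_only(a)],
    }


# Constructed sample: the policy currently attached to the role.
CURRENT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "s3:ListAllMyBuckets",
                   "cur:DescribeReportDefinitions"],
        "Resource": "*",
    }],
})

# Constructed sample: the text copied from the Generate Policy dialog.
REGENERATED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "s3:ListAllMyBuckets",
                   "cur:DescribeReportDefinitions",
                   "eks:Describe*", "eks:List*", "ec2:StopInstances"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    report = review_policy_update(CURRENT_POLICY, REGENERATED_POLICY)
    for key, values in report.items():
        print(f"{key}: {values}")
```

Anything listed under `needs_review` grants more than inventory collection and should be approved deliberately before the policy is applied.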

List of IAM Role Policies in Tanzu CloudHealth Platform

The following asset-specific calls in the Tanzu CloudHealth-generated policy allow the Platform to collect asset inventory metadata and asset tags. Each call is linked to its corresponding AWS documentation. Follow the links to learn what the request and response payloads for each call look like.

This list is periodically revised.

Accounts

Fetch the tags associated with Accounts.

AppStream

Fetch the resources, tags, and images associated with AppStream

Auto Scaling Groups

Fetch the resources associated with AutoScaling Groups. For each group, fetch launch configurations, lifecycle hooks, policies, and scheduled actions that have not run.

CloudFormation

Fetch the resources and tags associated with CloudFormation stacks.

Fetch stacks that have status of CREATE_IN_PROGRESS.

CloudFront

Fetch the resources and tags associated with CloudFront distributions and list RTMP streaming distributions.

CloudTrail

Fetch the resources and tags associated with CloudTrail trails.

CloudWatch

Fetch CloudWatch dashboards and fetch statistics for specific metrics and metrics filters.

AWS Config

Fetch information about Config rules, configuration recorders and their status, specific delivery channels, and number of Config rules that are compliant and not compliant.

Cost and Usage Report

  • cur:DescribeReportDefinitions: Describes your AWS Cost and Usage reports to ensure that the CUR is properly configured and to instruct AWS to generate detailed billing information.
  • cur:Describe

Database Migration Service

Fetch information on replication instances for your AWS Account in the current region and fetch all tags for an AWS DMS resource.

DynamoDB

Fetch information on DynamoDB tables, including the current table status, when it was created, the primary key schema, and any indexes on the table. Fetch array of table names associated with the current account and endpoint. Fetch all tags on a DynamoDB resource.

Elastic Compute Cloud (EC2)

Fetch information on EC2 Instances; attributes of your AWS Account; status of each EC2 Instance; available AMI, AKI, and ARI Images; Dedicated Hosts; Elastic IP Addresses; network ACLs; route tables; Reserved Instance purchases; Reserved Instance listing in the Reserved Instance Marketplace; modifications made to your Reserved Instances; security groups; EBS snapshots; Spot Instance requests; Subnets; Volumes; VPC; and NAT Gateways.

Elastic Container Service (ECS)

  • ecs:List
  • ecs:Describe

Elastic Kubernetes Service (EKS)

  • eks:Describe
  • eks:List

ElastiCache

Fetch information about all provisioned clusters, reserved cached nodes, and cost allocation tags for the resource.

Elastic Beanstalk

Fetch the specified type of information of the deployed environment.

Elastic Filesystem

Fetch information about all Filesystems and cost allocation tags for the resource.

Elastic MapReduce

Fetch information about all MapReduce Clusters, including status, hardware, and software configuration. Fetch status of all clusters visible in your AWS Account. Fetch information on all instance groups in your clusters, all active EC2 Instances, and all EC2 Instances terminated within the last 30 days.

Elasticsearch Service

Fetch Elasticsearch domain configuration information, including the domain ID, domain endpoint, and domain ARN; names of all domains owned by the AWS Account; and tags for each domain.

Elastic Load Balancing

Fetch information about all load balancers and cost allocation tags for the resources.

FSX

  • fsx:Describe

IAM

Fetch IAM-related information so that Tanzu CloudHealth has read-only user- or role-based access to your AWS Account. Tanzu CloudHealth uses this read-only access to gather information on AWS resources and tags associated with your account.

Key Management Service (KMS)

Kinesis

Fetch information about all Kinesis streams and cost allocation tags for the resources.

Kinesis Firehose

Fetch information about all Kinesis Firehose delivery streams.

Lambda

Fetch information about all Lambda functions and cost allocation tags for the resources.

Redshift

Fetch information about all RedShift Clusters and cost allocation tags for the resources.

Route 53

Fetch information about all Route 53 Hosted Zones and cost allocation tags for the resources.

RDS

Fetch information about provisioned RDS Instances, reserved DB instances, security groups, snapshots, subnet groups, and tags for RDS resources.

Savings Plans

Fetch information about AWS Savings Plans.

Simple Storage Service (S3)

Fetch information about all S3 buckets, tags, and bucket locations.

SageMaker

Fetch information about all SageMaker Endpoints.

SDB

  • sdb:GetAttributes
  • sdb:List

SES

  • ses:Get
  • ses:List

Simple Notification Service

Fetch list of Simple Notification Service subscriptions and their attributes.

SQS

Fetch attributes for the specified queue.

Storage Gateway

  • storagegateway:List
  • storagegateway:Describe

WorkSpaces

Fetch information about all WorkSpaces, their connection status, and tags associated with these resources, as well as WorkSpace bundles.

Tanzu CloudHealth Collection Frequency for AWS

The frequencies specified below indicate the rates at which Tanzu CloudHealth adds API service queries to a queue. These queries help Tanzu CloudHealth identify changes in your AWS infrastructure. These frequencies are not the intervals at which the Tanzu CloudHealth platform refreshes with changes in your AWS infrastructure.

Tanzu CloudHealth makes the best effort to queue up query requests at these frequencies. However, factors such as network latency, the number of queued items to be processed, the number of AWS services that you utilize, and AWS service-level rate limits determine how quickly the query responses are returned to the Tanzu CloudHealth platform.

Every 15 min

  • Account Tags
  • CloudFormation Stacks
  • Cost and Usage Report
  • Detailed Billing Record
  • DynamoDB Tables
  • EC2 Instances
  • EC2 Security Groups
  • EC2 Subnets
  • EC2 Volumes
  • EC2 VPCs
  • ElastiCache Clusters
  • ElastiCache Reserved Nodes
  • Elastic IPs
  • Elastic Load Balancers
  • Elasticsearch Instances
  • Elasticsearch Volumes
  • RDS Instances

Every 1 h

  • Auto Scaling Groups
  • AWS Config Rules
  • Appstream Application
  • Appstream Images
  • DMS Replication Instances
  • EC2 Reservations
  • IAM Credential Report
  • Kinesis Streams
  • RedShift Clusters
  • RedShift Reserved Nodes
  • WorkSpaces
  • CloudFront Distributions
  • CloudTrail Trails
  • Lambda Functions
  • RDS Reservations
  • RDS Security Groups
  • RDS Subnet Groups
  • Elasticsearch Domain
  • Elastic File Systems
  • Route 53 Hosted Zones
  • EC2 Dedicated Hosts
  • EC2 Images
  • EC2 Spot
  • Elasticsearch Reserved Instances
  • EC2 Instance Status

Every 4 h

  • Auto Scaling Groups Lifecycle Hooks
  • AWS Config Settings
  • AWS Statements
  • Appstream Application Tags
  • Appstream Image Tags
  • CloudFront Distribution Tags
  • CloudTrail Tags
  • DynamoDB Tables Tags
  • EC2 Snapshots
  • Elastic Load Balancer Tags
  • EMR Clusters
  • IAM MFA
  • Kinesis Firehoses
  • NAT Gateways
  • RDS Instance Tags
  • RDS Reservation Tags
  • RDS Snapshots
  • RDS Subnet Group Tags
  • RedShift Snapshots
  • Route 53 Hosted Zones Tags
  • SageMaker Endpoints
  • SageMaker Notebook Instances
  • SageMaker Endpoints Tags
  • Test Access
  • WorkSpace Status
  • WorkSpace Tags
  • KMS Tags
  • S3 Buckets
  • EMR Cluster Details
  • EMR Cluster Instances
  • EMR Cluster Instance Groups
  • CloudWatch Logs Tags
  • FSx Tags
  • IAM Server Certificate
  • IAM Credential Report
  • IAM Groups
  • IAM Password Policy
  • IAM Roles
  • IAM Users
  • EKS Cluster
  • EKS Node Groups
  • Lambda tags
  • Kinesis Firehose Tags
  • Application Load Balancer Tags
  • Network Load Balancer Tags
  • ElastiCache Tags
  • Route 53 Tags
  • AWS Config Rules (Classic)

Every 24 h

  • CloudFormation Resources
  • CloudFormation Stacks Tags
  • CloudTrail Event Selectors
  • CloudWatch Alarms
  • CloudWatch Log Groups
  • CloudWatch Metrics
  • CloudWatch Metric Filters
  • DMS Replication Instance Tags
  • EC2 Account Region Attributes
  • EC2 Enabled Regions
  • ElastiCache Clusters Tags
  • Elasticsearch Domain Tags
  • IAM Policies
  • IAM Access Keys
  • KMS Customer Master Keys
  • Lambda Functions Tags
  • RDS Security Group Tags
  • RDS Snapshot Tags
  • SNS Topics
  • Region Service Support

Spend-Based Asset Collection

The Tanzu CloudHealth platform uses AWS APIs to gather the asset information essential to all kinds of reports in the platform. If the number of Tanzu CloudHealth API requests exceeds the defined AWS API request limit, AWS denies the API requests. This process is called throttling. In the case of throttling, Tanzu CloudHealth negotiates with AWS for an increase in the API throttling limit. For some services, such as AWS Config, however, Tanzu CloudHealth is already operating at the maximum capacity.

The spend-based asset collection feature ensures the Tanzu CloudHealth API requests do not return with an empty response from AWS. The platform now makes API requests only when it detects a service charged with $0 or more in the cloud usage bill, reducing unnecessary API calls. Once the service is charged, Tanzu CloudHealth will start sending API queries for the service. This spend-monitoring approach efficiently reduces the wastage of your API quota as well as your API cost.

The spend-based asset collection feature considerably changes the initial asset collection time for a newly added account and service. Once a new asset or service is billed, it could take a minimum of 24 hours to appear in the Tanzu CloudHealth reports. After the initial delay, the platform continues to update the asset or service details as per the standard collection frequency.

Example: If you have recently started using WorkSpaces, the service won’t appear in your Tanzu CloudHealth reports until a bill shows WorkSpaces charges in it. Once the service charge first appears in a bill, only the initial asset collection could take about 24 hours. Later, the asset collection for the WorkSpaces will start with the standard 1-hour collection frequency.

Spend-based asset collection is enabled for the following AWS services:

  • Application Load Balancers
  • Classic Load Balancers
  • CloudFront Distributions
  • CloudTrail Event Selectors
  • CloudTrail Trails
  • CloudWatch Alarms
  • DMS Replication Instances
  • DynamoDB Tables
  • EC2 Dedicated Hosts
  • EC2 Instances
  • EC2 Spot Instances
  • EFS
  • ElastiCache Clusters
  • Elasticsearch Domains
  • Elasticsearch RIs
  • Kinesis Firehose
  • Lambda Functions
  • RDS DB Instances
  • RDS RIs
  • Redshift Clusters
  • Redshift Reserved Nodes
  • Savings Plans
  • Workspaces

Leverage Tanzu CloudHealth to Align with the AWS Well-Architected Framework

What is the AWS Well-Architected Framework

The AWS Well-Architected Framework documents a set of foundational questions that allow you to understand if a specific architecture aligns well with cloud best practices. The framework provides a consistent approach to evaluating systems against the qualities you expect from modern cloud-based systems, and the remediation that would be required to achieve those qualities.

Definition from AWS Whitepaper, November 2017

Five Pillars of the AWS Well-Architected Framework

| Pillar | Description |
| --- | --- |
| Operational Excellence | The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures. |
| Security | The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. |
| Reliability | The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues. |
| Performance Efficiency | The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve. |
| Cost Optimization | The ability to avoid or eliminate unneeded cost or suboptimal resources. |

Each pillar is qualified by a set of foundational questions that allow you to understand if a specific architecture aligns well with cloud best practices.

How to Leverage Tanzu CloudHealth to Assess Your Application against the AWS Well-Architected Framework

The Tanzu CloudHealth Platform can help you answer several of the questions that qualify each pillar in the AWS Well-Architected Framework.

Operational Excellence

| Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
| --- | --- | --- |
| What best practices for cloud operations are you using? | Good | Achieve centralized governance by building best practice policies. |
| How are you doing configuration management for your workload? | Not currently supported | |
| How are you evolving your workload while minimizing the impact of change? | Not currently supported | |
| How do you monitor your workload to ensure it is operating as expected? | Moderate | Track nonfunctional operations using Cost Reports (e.g., Cost History Report) and Performance Reports (e.g., EC2 Instance Performance Report). Reporting on functional aspects such as application responsiveness is not currently supported. |
| How is escalation managed when responding to unplanned operational events? | Not currently supported | |

Security

| Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
| --- | --- | --- |
| How are you protecting access to and use of the AWS root account credentials? | Good | Build a security policy that checks for root account credentials that are not protected by MFA tokens. See Implement Tanzu CloudHealth Default Security Policy. Subscribe to the Health Check Pulse report, which contains a section that tracks Security vulnerabilities. |
| How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API? | Moderate | Identify security vulnerabilities using the AWS Best Practices Security policy. Through this policy, Tanzu CloudHealth can track and report on absent MFA tokens, credentials that have not been rotated for a significant period of time, and weak password policies on your AWS account(s). To audit permission changes, use the security policy to get alerted when a user’s IAM permissions change. Subscribe to the Health Check Pulse report, which contains a section that tracks Security vulnerabilities. |
| How are you limiting automated access to AWS resources? | Not currently supported | |
| How are you capturing and analyzing logs? | Moderate | Customize the AWS Best Practice Security policy to identify accounts that do not have logging facilities such as CloudTrail set up correctly. By proactively enabling this policy, you can ensure that logs are available for analysis on the day that an event occurs. |
| How are you enforcing network- and host-level boundary protection? | Good | Customize the AWS Best Practice Security policy to audit EC2 security groups and determine if they allow ingress from an abnormally large number of services or from the outside world. |
| How are you leveraging AWS service-level security features? | Not currently supported | |
| How are you protecting the integrity of the operating systems on your Amazon EC2 instances? | Moderate | The Tanzu CloudHealth Platform integrates with system management frameworks such as Chef. Through this integration, Tanzu CloudHealth can determine information such as OS vendor version, time since last reboot, and whether or not a tool such as Chef has run recently on an instance. |
| How are you classifying your data? | Good | Gather your AWS resources into meaningful groups using Tanzu CloudHealth Perspectives. This process assigns ownership of portions of your AWS infrastructure to specific business groups and systems. For example, using Perspectives, you can quickly visualize which part(s) of your infrastructure need to be PCI compliant or which parts can be treated in a less stringent manner. |
| How are you encrypting and protecting your data at rest? | Not currently supported | |
| How are you managing keys? | Not currently supported | |
| How are you encrypting and protecting your data in transit? | Moderate | Customize the AWS Best Practice Security policy to get alerts on expiring SSL certificates. |
| How do you ensure that you have the appropriate incident response? | Not currently supported | |

Reliability

| Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
| --- | --- | --- |
| How do you manage AWS service limits for your account(s)? | Not currently supported | |
| How are you planning your network topology on AWS? | Not currently supported | |
| How does your system adapt to changes in demand? | Good | Employ Tanzu CloudHealth Rightsizing capabilities to ensure that your cloud assets are being well utilized for the workloads that you deploy on them. Build an instance or volume rightsizing policy that constantly monitors your infrastructure for rightsizing opportunities. Subscribe to the Health Check Pulse report, which contains a section that tracks underutilized instances and volumes. |
| How are you monitoring AWS resources? | Good | Gather your AWS resources into meaningful groups using Tanzu CloudHealth Perspectives. Review Tanzu CloudHealth Metrics Reports (e.g., EC2 Instance Metrics Report) to track utilization metrics by these groups. |
| How are you executing change? | Not currently supported | |
| How are you backing up your data? | Not currently supported | |
| How does your system withstand component failures? | Not currently supported | |
| How are you testing for resiliency? | Not currently supported | |
| How are you planning for disaster recovery? | Not currently supported | |

Performance Efficiency

| Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
| --- | --- | --- |
| How do you select the best performing architecture? | Good | Gather your AWS resources into meaningful groups using Tanzu CloudHealth Perspectives. Review Performance Reports (e.g., EC2 Instance Performance Report) by Perspective to identify bottlenecks in your infrastructure. |
| How do you select your compute solution? | Moderate | Employ Tanzu CloudHealth Rightsizing capabilities to ensure that your EC2 Instances are being well utilized for the workloads that you deploy on them. EC2 rightsizing across families is currently unavailable. |
| How do you select your storage solution? | Not currently supported | |
| How do you select your database solution? | Not currently supported | |
| How do you select your network solution? | Not currently supported | |
| How do you ensure that you continue to have the most appropriate resource type as new resource types and features are introduced? | Moderate | Because Tanzu CloudHealth Metrics can be rolled up to a per-service level rather than per-instance level, you can quickly visualize the results of controlled experiments with newer infrastructure. EC2 rightsizing across generations and families is currently unavailable. |
| How do you use tradeoffs to improve performance? | Good | The Tanzu CloudHealth EC2 Instance Rightsizing Report helps you tie instance performance back to costs and savings. This insight helps you make tradeoffs to improve performance. |

Cost Optimization

| Question | Tanzu CloudHealth Support | Tanzu CloudHealth Platform Solution |
| --- | --- | --- |
| Are you considering cost when you select AWS services for your solution? | Good | Utilize the wide array of cost optimization approaches in the Tanzu CloudHealth Platform, from Cost Reports and Financial and Cost optimization policies to Rightsizing capabilities and Reservation Management solutions. |
| Have you sized resources to meet your cost targets? | Good | The Tanzu CloudHealth EC2 Instance Rightsizing Report helps you tie instance performance back to costs and savings. |
| Have you selected the appropriate pricing model to meet your cost targets? | Good | Tanzu CloudHealth Reservation Management solutions allow you to model, optimize, and analyze reserved instance usage and purchases in your environment. The Cost Savings Report visualizes cost saving opportunities. |
| How do you make sure your capacity matches but does not substantially exceed what you need? | Good | Employ Tanzu CloudHealth Rightsizing capabilities to ensure that your EC2 Instances are being well utilized for the workloads that you deploy on them. |
| Did you consider data transfer charges when designing your architecture? | Good | Gather your AWS resources into meaningful groups using Tanzu CloudHealth Perspectives. Review the Data Transfer Cost Report to view these costs by business group and system in your infrastructure. |
| How are you monitoring usage and spend? | Good | Build Financial and Cost optimization policies to continuously monitor your infrastructure for spend and savings opportunities. Get alerts that help you manage usage and costs. |
| Do you decommission resources that you no longer need or stop resources that are temporarily not needed? | Good | Employ Tanzu CloudHealth Rightsizing capabilities to ensure that your EC2 Instances are being well utilized for the workloads that you deploy on them. |
| What access controls and procedures do you have in place to govern AWS usage? | Moderate | Identify security vulnerabilities using the AWS Best Practices Security policy. Through this policy, Tanzu CloudHealth can track and report on security issues and offer remedial recommendations. |
| How do you manage and/or consider the adoption of new services? | Good | Review and analyze Tanzu CloudHealth Cost Reports (e.g., Cost History Report) to see what new services cost or are forecasted to cost. |

Import Multiple AWS Accounts

You can expedite the import of multiple accounts into Tanzu CloudHealth using a CSV file. Managing and importing from a centralized spreadsheet simplifies the rotation of credentials and the addition of new accounts.

To download a template for the CSV file with pre-filled columns, click Import Accounts template.

While both approaches are supported in the Tanzu CloudHealth platform, using a read-only IAM Role during account creation is recommended over using a read-only IAM User.

  1. In the Tanzu CloudHealth platform, from the menu, select Setup > Accounts > AWS, and click Import Accounts.
  2. Upload a CSV file that contains key account information organized under the following headings:
    • Account Name
    • Owner ID
    • IAM Console
    • Access Key (Leave blank if the account uses an IAM Role)
    • Secret Key (Leave blank if the account uses an IAM Role)
    • Role ARN (Leave blank if the account uses an IAM User)
    • Role External ID (Leave blank if the account uses an IAM User)
    • Detailed Billing Bucket
    • Cost and Usage Report Bucket
    • Cost and Usage Report Path
  3. Select an aggregator from the Choose Aggregator dropdown, and click the Import Account(s) button.
    • The import process cannot delete accounts from the Tanzu CloudHealth platform. You can only remove accounts manually.
    • You can import tags for each account by adding additional tag columns. All the tag columns should be prefixed with “cht_tag:”. For example, to add a tag with the key “Environment”, you should include “cht_tag:Environment” in the header.

Troubleshooting Tips

  • If your CSV file includes headers, the header names must match those listed above; otherwise, the import process fails.
  • The import process adds new accounts or updates existing accounts based on the information in the CSV file.
  • Tanzu CloudHealth uses the Owner ID field to uniquely identify an account. Ensure that this ID is accurate in the CSV file.
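
The import rules and troubleshooting tips above can be checked before the file is uploaded. The following is an added example, not part of the Tanzu CloudHealth documentation or tooling: a pre-upload validator that checks the header names, the `cht_tag:` prefix, Owner ID uniqueness, and that each row uses either IAM User keys or an IAM Role but not both. It assumes the file has a header row, that Owner ID is the 12-digit AWS account ID, and that the role lives in the account being imported; the sample rows and all credential values are constructed placeholders.

```python
import csv
import io
import re

REQUIRED_HEADERS = [
    "Account Name", "Owner ID", "IAM Console", "Access Key", "Secret Key",
    "Role ARN", "Role External ID", "Detailed Billing Bucket",
    "Cost and Usage Report Bucket", "Cost and Usage Report Path",
]
TAG_PREFIX = "cht_tag:"
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):role/.+$")


def _cell(row, key):
    """Return a trimmed cell value; short rows yield an empty string."""
    return (row.get(key) or "").strip()


def validate_import_csv(text):
    """Return (errors, warnings) for an account-import CSV before upload."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    errors, warnings = [], []
    errors += [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in headers]
    errors += [f"unexpected header: {h}" for h in headers
               if h not in REQUIRED_HEADERS and not h.startswith(TAG_PREFIX)]
    if errors:  # header names must match, otherwise the import fails
        return errors, warnings

    first_seen = {}  # Owner ID -> line where it first appeared
    for row in reader:
        n = reader.line_num
        owner = _cell(row, "Owner ID")
        if not re.fullmatch(r"\d{12}", owner):
            errors.append(f"line {n}: Owner ID is not a 12-digit account ID")
        elif owner in first_seen:
            # The import updates accounts keyed on Owner ID, so a repeat
            # would silently overwrite the earlier row.
            errors.append(f"line {n}: Owner ID {owner} repeats line {first_seen[owner]}")
        else:
            first_seen[owner] = n

        user = [_cell(row, "Access Key"), _cell(row, "Secret Key")]
        role = [_cell(row, "Role ARN"), _cell(row, "Role External ID")]
        if any(user) and any(role):
            errors.append(f"line {n}: both IAM User keys and IAM Role fields are set")
        elif any(user):
            if not all(user):
                errors.append(f"line {n}: Access Key and Secret Key must both be set")
            warnings.append(f"line {n}: IAM User keys stored in the CSV; "
                            "a read-only IAM Role is recommended")
        elif any(role):
            match = ROLE_ARN_RE.match(role[0])
            if not all(role):
                errors.append(f"line {n}: Role ARN and Role External ID must both be set")
            elif not match:
                errors.append(f"line {n}: Role ARN is not an IAM role ARN")
            elif match.group(1) != owner:
                warnings.append(f"line {n}: Role ARN account differs from Owner ID")
        else:
            errors.append(f"line {n}: no IAM User keys or IAM Role given")
    return errors, warnings


# Constructed sample input; every credential value is a placeholder.
SAMPLE_CSV = "\n".join([
    ",".join(REQUIRED_HEADERS + ["cht_tag:Environment"]),
    "prod,111111111111,,,,arn:aws:iam::111111111111:role/ExampleReadOnly,ext-id-placeholder,,,,Production",
    "legacy,222222222222,,EXAMPLE-ACCESS-KEY-ID,secret-placeholder,,,,,,Dev",
    "mixed,333333333333,,EXAMPLE-ACCESS-KEY-ID,secret-placeholder,arn:aws:iam::333333333333:role/ExampleReadOnly,ext-id-placeholder,,,,Dev",
    "dup,111111111111,,,,arn:aws:iam::999999999999:role/ExampleReadOnly,ext-id-placeholder,,,,Test",
])

if __name__ == "__main__":
    found_errors, found_warnings = validate_import_csv(SAMPLE_CSV)
    for message in found_errors:
        print("ERROR  ", message)
    for message in found_warnings:
        print("WARNING", message)
```

Because a file with Access Key and Secret Key columns filled in holds long-lived credentials in plaintext, the warnings double as a list of accounts to migrate to a role.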

AWS Customer Health Program

Enables an AWS representative to access the Tanzu CloudHealth platform.

Benefits of Inviting AWS to Tanzu CloudHealth

The AWS Invite functionality offers multiple benefits for the end user:

  • Provides an Amazon representative with access to Tanzu CloudHealth’s powerful rightsizing, optimization and RI optimization functionality
  • Utilizes customer-defined perspectives to communicate an environment’s unique characteristics to the AWS representative
  • Provides detailed recommendations on how to best optimize, expand, or adjust a customer’s AWS infrastructure, based on both in-depth product knowledge from the AWS representative and a customer’s exact definition of the existing AWS infrastructure

Inviting Amazon Representatives to Tanzu CloudHealth

To enable Amazon account representative access to the Tanzu CloudHealth environment, a Tanzu CloudHealth account administrator first needs to invite the Amazon representative to the account.

To invite users, navigate to the Setup menu, click Admin, and then Users. In the Users section, select Invite User in the top-right of the screen.

If the user’s organization is using SSO, the Invite User invitation button will default to inviting an AWS representative.

If the organization is not using SSO, two tabs will be available to the user: Invite User or Invite Amazon. If a non-SSO user is adding an AWS rep via the Invite Amazon tab, the invitation can only be sent to individuals with @amazon.com email domains.

After filling out the AWS representative name, email address and role, the Invite User option will become available in the dialog. Tanzu CloudHealth recommends providing AWS Representatives with Standard User access roles. The Standard User role will allow the AWS representative to see the saved reports, assets, and perspectives within the environment, while limiting access to account configuration tools and other administrative functionality.

AWS Representative Account Access

After receiving access to a Tanzu CloudHealth customer environment, the AWS representative will log in to the platform by providing his/her Tanzu CloudHealth @amazon.com email login and password. Upon logging in, the AWS representative will see a drop-down menu that provides access to all customers who have provided the representative with an invitation to their Tanzu CloudHealth environment.

By selecting a Customer, the representative will be able to enter and view that particular account’s environment. This provides access to Tanzu CloudHealth’s consolidated view of AWS assets, infrastructure perspectives, performance and usage data, reserved instance purchases, governance policies, and more. The AWS representative can now more easily collaborate with their customers to review Tanzu CloudHealth recommendations by taking into account the unique characteristics of the customer’s environment.

To log out of a customer’s Tanzu CloudHealth console, or switch the customer environment, select a new customer from the bottom left corner of the Platform.
