Actions give you the ability to define processes that the Tanzu CloudHealth platform automatically executes based on a set of parameters. This approach helps you automate labor-intensive and error-prone tasks without compromising on authorization and security. Actions reduce the time and effort it takes to manage and operate your cloud, and they are a critical component in policy-based governance. You can create and execute Actions without human intervention after setting up authorizers and approvers for them.
You can automate aspects of cloud management by configuring actions that Tanzu CloudHealth runs through an approval process. An action must pass through at least one of these users:
Automated Actions are intended for advanced users of Tanzu CloudHealth. Automated Actions provide the capability for Authorized roles (as defined in the Action Configuration step) to directly influence the state of AWS infrastructure. Depending on its configuration, an action may or may not require approval or authorization prior to execution.
If you are a Tanzu CloudHealth Administrator, be aware of the Actions that are enabled, the roles that have access to those Actions, and how those Actions will impact your environment when executed. For information on how to restrict roles, see Create a Custom Role.
Create your own actions to build a chain of approvers and authorizers. Click Create Action.
Based on the Resource Type selected, the set of actions that can be taken differ. These actions are divided into two groups: Universal Actions or Resource Type specific actions. Universal Actions only permit workflow rules such as requesting Approval or Authorization, executing Lambda Functions, or waiting for a specified period of time. Resource Specific actions allow you to take an action for the type of resource. For example, if you are working with an Amazon EC2 Instance, you can Delete, Start, Stop, or Reboot the instance.
Custom Actions, like their built-in counterparts, are available for each resource or for multiple resources through bulk actions.
You can add one or more authorizers to built-in actions by clicking Update. For custom actions, click Set Up.
Type the name of the individuals who will serve as authorizers and approvers.
Tanzu CloudHealth shows a warning if no Authorizers are listed for an Action, or if it cannot confirm that the IAM policy used by Tanzu CloudHealth in AWS grants the permission the Action requires. Ensure that the IAM Policy reflects the proper permissions to execute the Action.
You can manually execute an action in the Tanzu CloudHealth platform, provided you have appropriate permissions. For example, in the table of EC2 Instances, each instance has an associated Action dropdown.
Associate an action with a policy so that when a policy condition evaluates to true, the action is executed.
For all asset types, the following Actions are available:
You can stagger Actions using the Wait function. For example, you can stop an EC2 Instance, run a Lambda function to take a snapshot of that Instance, and then terminate that Instance. You can create a sequence of events that make up the action as follows:
To ensure that the sequence of events runs correctly, click the Test Rule button for the rule.
For more information about associating actions with a policy, see Configure Rules.
Build a policy that monitors your infrastructure for EC2 Instance rightsizing opportunities
Rightsizing is the process of modifying your cloud infrastructure to equate it with actual demand. Rightsizing helps you identify underutilized assets, allowing you to make an informed decision to adjust the assets assigned to the instance or to decommission the instance.
A policy contains one or more blocks, each containing a specific rule that checks for operational conditions that you specify.
The Instance Rightsizing policy is composed of multiple rule groups, each representing a specific instance metric or topic. The following topics are represented.
For each topic, you can specify thresholds that represent underutilization in your organization. Tanzu CloudHealth uses your threshold settings to compute a score for each topic. That score is then represented visually as “battery meters”, with the length and color of the bar representing the resource score. For more information, see EC2 Instance Rightsizing Reports.
Use the Severely underutilized when and Moderately underutilized when sections to specify the thresholds that reflect your internal business standards for a metric. When the utilization for a metric lies within a specific range, a score value is assigned to the metric.
| Score Value | Score Range for Metric |
|---|---|
| Severely underutilized | 0 to 33 |
| Moderately underutilized | 34 to 67 |
| Well utilized | 68 to 100 |
In order to make a rightsizing recommendation, Tanzu CloudHealth considers the thresholds for Maximum or Average utilization that you specify in the Severely underutilized when section.
In this example policy, for both CPU and Memory, the Severely underutilized when thresholds are set to Average. Therefore, Tanzu CloudHealth computes recommendations based on Average CPU and Memory utilization, even though the Moderately underutilized when thresholds for both CPU and Memory are set to Maximum.
In this example policy, the thresholds are specified as follows:
Tanzu CloudHealth computes recommendations based on Average CPU and Maximum Memory utilization, even though the Moderately underutilized when thresholds for both CPU and Memory are set to Maximum.
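The following is an added example, not Tanzu CloudHealth's own scoring code, that models the threshold logic described above in Python. It assumes each band is configured as "underutilized when the chosen statistic (Average or Maximum) is below a percentage"; the threshold percentages and the utilization samples are constructed for the example, and the numeric score within a band (which the text does not define) is not modelled. It shows how the statistic chosen in the Severely underutilized when section decides the basis of the recommendation, for both policies described above.

```python
from dataclasses import dataclass
from statistics import mean

# Score bands from the table above (score value -> score range).
SCORE_BANDS = {
    "Severely underutilized": (0, 33),
    "Moderately underutilized": (34, 67),
    "Well utilized": (68, 100),
}


@dataclass(frozen=True)
class Threshold:
    statistic: str    # "Average" or "Maximum", as chosen in the policy editor
    below_pct: float  # assumed: band applies when the statistic is below this


@dataclass(frozen=True)
class MetricRule:
    metric: str
    severe: Threshold    # "Severely underutilized when" section
    moderate: Threshold  # "Moderately underutilized when" section


def evaluate_metric(samples, rule):
    """Classify utilization samples (percent) into a score band for one metric.

    The statistic of the 'Severely underutilized when' section is reported as
    the basis on which a rightsizing recommendation would be computed.
    """
    stats = {"Average": mean(samples), "Maximum": max(samples)}
    if stats[rule.severe.statistic] < rule.severe.below_pct:
        band = "Severely underutilized"
    elif stats[rule.moderate.statistic] < rule.moderate.below_pct:
        band = "Moderately underutilized"
    else:
        band = "Well utilized"
    return {
        "metric": rule.metric,
        "band": band,
        "score_range": SCORE_BANDS[band],
        "recommendation_basis": rule.severe.statistic,
        "Average": round(stats["Average"], 2),
        "Maximum": stats["Maximum"],
    }


def recommendation_bases(rules):
    """Which statistic drives the recommendation for each metric of a policy."""
    return {rule.metric: rule.severe.statistic for rule in rules}


# Constructed policy matching the first example: both severe thresholds use Average.
POLICY_AVG_AVG = [
    MetricRule("CPU", Threshold("Average", 5), Threshold("Maximum", 20)),
    MetricRule("Memory", Threshold("Average", 10), Threshold("Maximum", 30)),
]
# Constructed policy matching the second example: Average for CPU, Maximum for Memory.
POLICY_AVG_MAX = [
    MetricRule("CPU", Threshold("Average", 5), Threshold("Maximum", 20)),
    MetricRule("Memory", Threshold("Maximum", 30), Threshold("Maximum", 50)),
]

# Constructed utilization samples (percent) for one instance.
CPU_SAMPLES = [1, 1, 1, 1, 1, 24]   # average about 4.83, maximum 24
MEMORY_SAMPLES = [4, 5, 6, 7, 25]   # average 9.4, maximum 25

if __name__ == "__main__":
    for policy in (POLICY_AVG_AVG, POLICY_AVG_MAX):
        print(recommendation_bases(policy))
        for rule, samples in zip(policy, (CPU_SAMPLES, MEMORY_SAMPLES)):
            print(evaluate_metric(samples, rule))
```

Running the block prints, for each policy, the recommendation basis per metric followed by the band each metric lands in; the same CPU samples are Severely underutilized by Average even though their Maximum (24%) would not trip the moderate threshold, which is why the basis matters.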
Build a policy that monitors your infrastructure for volume rightsizing opportunities
Rightsizing is the process of modifying your cloud infrastructure to equate it with actual demand. Rightsizing helps you identify underutilized assets, allowing you to make an informed decision to adjust the assets assigned to the volume or to decommission the volume.
A policy contains one or more blocks, each containing a specific rule that checks for operational conditions that you specify.
Name your policy and write a brief description of what the policy monitors.
The policy is Enabled by default and contains pre-populated topic thresholds.
The Volume Rightsizing policy is composed of multiple rule groups, each containing these metrics or topics.
For each topic, you can specify thresholds that represent underutilization in your organization. Tanzu CloudHealth uses your threshold settings to compute a score for each topic. That score is then represented visually as “battery meters”, with the length and color of the bar representing the resource score. For more information, see EBS Volume Rightsizing Reports.
Use the Severely underutilized when and Moderately underutilized when sections to specify the thresholds that reflect your internal business standards for a metric. When the utilization for a metric lies within a specific range, a score value is assigned to the metric.
| Score Value | Score Range for Metric |
|---|---|
| Severely underutilized | 0 to 33 |
| Moderately underutilized | 34 to 67 |
| Well utilized | 68 to 100 |
In addition, each metric has these default threshold ranges:
Usage
Read Throughput
Write Throughput
Collect AWS Config data for use of AWS Config Rules within the platform
AWS Config Rules can be used as a measure within Standard Policies to perform actions when resources are out of compliance with a specifically defined rule.
Within Policies > Policy Blocks, select EC2 Instance as your resource type:
Select Add Condition, then select Configuration from the Choose a Topic dropdown. You will then be able to select AWS Config Rules from the Choose a Measure dropdown:
Once the measure is set to AWS Config Rules, you will be able to Build a Condition around AWS Config Rules that have been set up in your AWS Account.
The AWS Config Rules section can be found under Governance in the Reports section of the Tanzu CloudHealth main menu. This view displays all currently set up AWS Config Rules, along with their current state: Compliant (blue), Non-Compliant (red), or Insufficient Data (black). It also displays the Region, the number of Compliant Resources, the number of Non-Compliant Resources, and the resources with Insufficient Data.
Clicking the AWS Config Rule hyperlink opens a more detailed page within your AWS Assets, which shows a line-item listing of the AWS Config Rule check against all resources. Use this page to identify the specific resources that are out of compliance with your specified AWS Config Rule.
This view will display the Account Name, AWS Config Rule Name, Resource ID, the Resource Type, and the current Compliance Type (Compliant or Non-Compliant).
The need for and advantages of applying a security policy to monitor your infrastructure
Deploying applications in the cloud offers many advantages: agility, consumption-based pricing, global infrastructure, platform services, and so on. However, the fast pace of change and the distributed nature of cloud services can expose your organization to security risks resulting from inadvertent or noncompliant changes to services.
For example, consider a case where you tightly configure a security group to limit internet access to your web servers. A member of your team could reuse that security group for another workload and open additional ports. Without continuous monitoring, this change could go undetected and expose your organization to security risks.
By using a policy-driven solution for monitoring security operations, Tanzu CloudHealth will continuously monitor your AWS accounts, services, and resources for security violations.
A policy-driven approach is scalable, configurable, and flexible.
You can get started with the default Tanzu CloudHealth security policies, which contain a standard set of rules for monitoring security. These rules can be customized within certain constraints. You can also enable and disable rules within the policy.
Each rule is accompanied by recommendations that help you understand what the particular security issue is and what action you can take to address it. Recommendations also contain links to supporting documentation and a list of resources that violate the policy.
You can choose which resources to exclude from specific policy rules. For example, for the default policy rule IAM User MFA Access, you can exclude a particular IAM user so that this rule is never flagged as a violation for that user.
Implement a policy that can monitor your AWS accounts, services, and resources for security vulnerabilities
Default security policies are Tanzu CloudHealth’s recommended method for ensuring your cloud is secure and meets standards. These policies monitor your AWS accounts, services, and resources. They identify issues and make recommendations for how you can improve your security. Tanzu CloudHealth provides two default security policies:
Tanzu CloudHealth manages the default policies and will update them periodically with more best practices and CIS benchmarks. You can customize the rules for these policies within certain constraints. You can also enable and disable rules within the default policies.
A policy contains one or more policy blocks, each containing a specific rule that checks for compliance against an AWS security best practice or CIS benchmark.
Recommendations from the AWS Best Practice Security and CIS AWS Foundation policies help you understand what the particular security issue is and what action you can take to address it. These recommendations are also visible in the Health Check Pulse Report.
If you want to customize the security policies, you can edit each default policy within certain constraints. Alternatively, you can modify a copy of each default policy. In that case, however, the copy you create will not be updated when Tanzu CloudHealth adds new best practices or benchmarks to the default policy.
When you enable the security policies, they only check for security vulnerabilities in the top-level organization. In order to apply the policies to sub-organizations, duplicate each policy and specify the sub-organization to which it should apply.
Tanzu CloudHealth gathers any Lambda Functions that you have written in your AWS accounts. These functions are available as Actions that Tanzu CloudHealth can take on your behalf in response to a Policy Condition being true in your environment.
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume, so there is no charge when your code is not running.
Using Lambda, you can run code for any type of application or backend service. When you upload your code, Lambda manages the resources required to run that code and scale it with high availability.
Some examples of how you can use Lambda are as follows:
For more information, see the AWS documentation on Lambda.
Tanzu CloudHealth scans your AWS accounts every 15 minutes for new Lambda Functions. Upon discovery, these functions are immediately available as possible Actions for a Policy Condition.
You can apply Lambda Functions as Actions for these AWS services, provided that the Data Type for the Policy Condition is set to Per-resource.
Consider a policy that monitors EC2 Instance usage.
When a Lambda Function runs as an action in response to a Policy Condition, Tanzu CloudHealth responds with a payload that identifies the resources affected by the policy condition.
The payload has the following information:
An example of the payload is provided below.
{
"resource_arns": [
"arn:aws:ec2:eu-west-1:8445847XXXXX:reservation/5031XXXX-d915-48ec-a66a-45d3XXXXed83",
"arn:aws:ec2:us-east-1:8445847XXXXX:reservation/6d7bXXXX-b128-4599-802a-1112XXXXe21e",
"arn:aws:ec2:us-east-1:8445847XXXXX:reservation/172bXXXX-4a21-43d1-878d-3882XXXX2dc1",
"arn:aws:ec2:us-east-1:8445847XXXXX:reservation/5bfcXXXX-ecdf-4b5f-a3df-bf0cXXXX4475"
],
"function_name": "e2e-testing-lambda",
"region": "us-east-1",
"account_id": "8933531XXXXX",
"policy_name": "Test EC2 Inst Res",
"policy_block_name": "Block 1",
"violation_report_url": "https://apps.cloudhealthtech.com/policies/3504693314907/violation_report",
"summary": "Reservations for 4 instances will expire within the next 100 days",
"number_affected_resources": 4,
"affected_resources": [
{
"Scope": "Availability Zone",
"Account Name": "CHT-Demo",
"Offering Type": "Partial Upfront",
"Offering Class": "Standard",
"API Name": "t2.small",
"Zone Name": "eu-west-1a",
"Region Name": "eu-west-1",
"VPC": "",
"Count": "1",
"Operating System": "Linux/UNIX",
"Actual Price": "$0.00",
"Time To Expire": "6 days"
},
{
"Scope": "Availability Zone",
"Account Name": "CHT-Demo",
"Offering Type": "All Upfront",
"Offering Class": "Standard",
"API Name": "t2.micro",
"Zone Name": "us-east-1a",
"Region Name": "us-east-1",
"VPC": "",
"Count": "1",
"Operating System": "Linux/UNIX",
"Actual Price": "$74.33",
"Time To Expire": "96 days"
},
{
"Scope": "Availability Zone",
"Account Name": "CHT-Demo",
"Offering Type": "All Upfront",
"Offering Class": "Standard",
"API Name": "t2.micro",
"Zone Name": "us-east-1a",
"Region Name": "us-east-1",
"VPC": "",
"Count": "1",
"Operating System": "Linux/UNIX",
"Actual Price": "$57.34",
"Time To Expire": "96 days"
},
{
"Scope": "Availability Zone",
"Account Name": "CHT-Demo",
"Offering Type": "All Upfront",
"Offering Class": "Standard",
"API Name": "t2.micro",
"Zone Name": "us-east-1d",
"Region Name": "us-east-1",
"VPC": "",
"Count": "1",
"Operating System": "Linux/UNIX",
"Actual Price": "$48.93",
"Time To Expire": "96 days"
}
]
}
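The following is an added example and not part of the documentation or of any Tanzu CloudHealth code: a Python Lambda handler that receives a payload in the format shown above, checks it before anything is done with the listed resources, and reports which ARNs lie in the payload's own account. The sample event is constructed (made-up account IDs and reservation IDs, a placeholder report URL) and mirrors the structure of the example payload; one ARN is deliberately placed in a different account so the cross-account check has something to flag.

```python
import json
import re
from collections import Counter

# Keys the action payload carries (see the example above) and the type each
# must have; a payload that is missing or mistypes any of them is rejected
# before any action is taken on the listed resources.
REQUIRED_FIELDS = {
    "resource_arns": list, "function_name": str, "region": str,
    "account_id": str, "policy_name": str, "policy_block_name": str,
    "violation_report_url": str, "summary": str,
    "number_affected_resources": int, "affected_resources": list,
}

# Generic AWS ARN shape: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[^:]*):(?P<service>[^:]+):(?P<region>[^:]*)"
    r":(?P<account>\d{12}):(?P<resource>.+)$"
)

# Constructed sample event in the payload format shown above. All IDs are
# made up; the third ARN belongs to a different account on purpose.
SAMPLE_EVENT = {
    "resource_arns": [
        "arn:aws:ec2:eu-west-1:123456789012:reservation/11111111-aaaa-4bbb-8ccc-000000000001",
        "arn:aws:ec2:us-east-1:123456789012:reservation/22222222-aaaa-4bbb-8ccc-000000000002",
        "arn:aws:ec2:us-east-1:210987654321:reservation/33333333-aaaa-4bbb-8ccc-000000000003",
    ],
    "function_name": "example-reservation-notifier",
    "region": "us-east-1",
    "account_id": "123456789012",
    "policy_name": "Example EC2 Reservation Expiry",
    "policy_block_name": "Block 1",
    "violation_report_url": "https://apps.cloudhealthtech.com/policies/EXAMPLE-POLICY-ID/violation_report",
    "summary": "Reservations for 3 instances will expire within the next 100 days",
    "number_affected_resources": 3,
    "affected_resources": [
        {"Account Name": "Example", "API Name": "t2.small", "Region Name": "eu-west-1", "Time To Expire": "6 days"},
        {"Account Name": "Example", "API Name": "t2.micro", "Region Name": "us-east-1", "Time To Expire": "96 days"},
        {"Account Name": "Example", "API Name": "t2.micro", "Region Name": "us-east-1", "Time To Expire": "96 days"},
    ],
}


def validate_payload(event):
    """Return a list of problems; an empty list means the payload is well-formed."""
    problems = []
    for key, expected in REQUIRED_FIELDS.items():
        if key not in event:
            problems.append(f"missing field: {key}")
        elif not isinstance(event[key], expected) or isinstance(event[key], bool):
            problems.append(f"field {key} should be {expected.__name__}")
    if problems:
        return problems
    for arn in event["resource_arns"]:
        if not isinstance(arn, str) or not ARN_RE.match(arn):
            problems.append(f"malformed ARN: {arn!r}")
    if len(event["resource_arns"]) != event["number_affected_resources"]:
        problems.append("number_affected_resources does not match resource_arns")
    if len(event["affected_resources"]) != event["number_affected_resources"]:
        problems.append("number_affected_resources does not match affected_resources")
    return problems


def partition_by_account(event):
    """Split the ARNs into those in the payload's own account and foreign ones."""
    own, foreign = [], []
    for arn in event["resource_arns"]:
        account = ARN_RE.match(arn).group("account")
        (own if account == event["account_id"] else foreign).append(arn)
    return own, foreign


def handler(event, context=None):
    """Lambda entry point: validate the payload, then report what would be acted on."""
    problems = validate_payload(event)
    if problems:
        # A malformed payload is rejected outright; nothing is acted upon.
        return {"status": "rejected", "problems": problems}
    own, foreign = partition_by_account(event)
    by_region = Counter(ARN_RE.match(arn).group("region") for arn in own)
    return {
        "status": "ok",
        "policy": f'{event["policy_name"]} / {event["policy_block_name"]}',
        "in_account": own,
        "skipped_foreign_account": foreign,
        "by_region": dict(by_region),
        "report": event["violation_report_url"],
    }


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The handler only reports; the place to call an AWS API (for example, to stop or tag the resources listed in `in_account`) is after the validation step, so that a payload whose counts or ARNs do not line up never reaches it. The cross-account split is an assumption about how a cautious function should behave, not a behaviour the platform documents.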
Add your own documentation into policies, specifically for use in the Policy Violation report
You can add your own documentation into policies, specifically for use in the Policy Violation report.
Tanzu CloudHealth default security policies (AWS Best Practice Security and CIS AWS Foundations) include standard documentation, which you can edit to meet your organization’s specific needs.
You need to use Markdown syntax to customize the documentation.
Markdown is a tool that converts text to HTML. It allows you to author content in an easy-to-read, easy-to-write plain text format, which is then converted into structurally valid HTML.
You can quickly get started with basic formatting content using Markdown syntax. For advanced formatting options, see Markdown Syntax.
Construct headings from h1 through h6 by prepending the heading text with one # for each level. Example:
# h1 Heading
## h2 Heading
### h3 Heading
#### h4 Heading
##### h5 Heading
###### h6 Heading
Type paragraphs as normal, plain text.
Example:
Lorem ipsum dolor sit amet, graecis denique ei vel, at duo primis mandamus. Et legere ocurreret pri, animal tacimates complectitur ad cum.
Emphasize textual elements with a heavier font weight by enclosing text within ** (double asterisks). Example:
**This text is bold-faced.**
To italicize text, enclose it within _ (underscores). Example:
_This text is italicized._
Enclose comments within <!-- and -->. Example:
<!-- This comment is not visible in the HTML output. -->
Create thematic breaks in paragraphs by separating text using one of these options:
___ (three underscores)
*** (three asterisks)
--- (three dashes)
Create unordered lists by prepending each list item with one of these symbols:
* valid bulleted item
- valid bulleted item
+ valid bulleted item
Create ordered lists by explicitly specifying order using numerals. Example:
1. first bullet
2. second bullet
3. third bullet
Create links by placing the link text in square brackets followed by the URL in parentheses. Example:
[Page title](http://google.com)
In the Documentation text box, add sections, paragraphs, and links using Markdown syntax.
### Description
The root account has full administrative privileges and should never be used for programmatic API access to AWS.
***
### Recommended Actions
Delete any configured access keys on your root account and replace it with an IAM user or role configured with the minimum privileges required for its use.
### Additional Resources
- [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
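The following is an added example, not the platform's own Markdown renderer: a small Python converter for the subset of Markdown syntax listed above (headings, paragraphs, bold, italic, comments, thematic breaks, unordered and ordered lists, links), run on the documentation example just shown. Because this text ends up rendered in the Policy Violation report, the converter escapes everything an author types before adding its own tags, strips comments, and turns only http(s) targets into anchors; those two choices are the example's, and the text above does not state how the platform itself renders the documentation.

```python
import html
import re

# Regular expressions for the Markdown subset described above.
HEADING_RE = re.compile(r"^(#{1,6})\s+(.+)$")
THEMATIC_RE = re.compile(r"^(\*{3,}|-{3,}|_{3,})$")
ORDERED_RE = re.compile(r"^\d+\.\s+(.+)$")
UNORDERED_RE = re.compile(r"^[*+-]\s+(.+)$")
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
BOLD_RE = re.compile(r"\*\*(.+?)\*\*")
# Underscores inside words (file_name.html) are left alone.
ITALIC_RE = re.compile(r"(?<!\w)_(.+?)_(?!\w)")
ALLOWED_SCHEMES = ("http://", "https://")


def render_inline(text):
    """Render bold, italic and links; everything else is escaped as text."""
    # Escape first, so raw HTML typed by an author is shown literally rather
    # than injected into the report page.
    out = html.escape(text, quote=True)

    def link(match):
        label, url = match.group(1), match.group(2)
        # Only http(s) targets become anchors; other schemes keep just the label.
        if not url.lower().startswith(ALLOWED_SCHEMES):
            return label
        return f'<a href="{url}">{label}</a>'

    out = LINK_RE.sub(link, out)
    out = BOLD_RE.sub(r"<strong>\1</strong>", out)
    out = ITALIC_RE.sub(r"<em>\1</em>", out)
    return out


def render_markdown(source):
    """Convert a policy documentation snippet to HTML, one block element per line."""
    source = COMMENT_RE.sub("", source)  # comments never reach the output
    out, paragraph, list_tag = [], [], None

    def flush_paragraph():
        if paragraph:
            out.append("<p>" + render_inline(" ".join(paragraph)) + "</p>")
            paragraph.clear()

    def close_list():
        nonlocal list_tag
        if list_tag:
            out.append(f"</{list_tag}>")
            list_tag = None

    for line in (raw.strip() for raw in source.splitlines()):
        if not line:
            flush_paragraph()
            close_list()
            continue
        heading = HEADING_RE.match(line)
        if heading:
            flush_paragraph()
            close_list()
            level = len(heading.group(1))
            out.append(f"<h{level}>{render_inline(heading.group(2))}</h{level}>")
            continue
        if THEMATIC_RE.match(line):
            flush_paragraph()
            close_list()
            out.append("<hr>")
            continue
        item = ORDERED_RE.match(line) or UNORDERED_RE.match(line)
        if item:
            flush_paragraph()
            tag = "ol" if ORDERED_RE.match(line) else "ul"
            if list_tag != tag:
                close_list()
                out.append(f"<{tag}>")
                list_tag = tag
            out.append(f"<li>{render_inline(item.group(1))}</li>")
            continue
        close_list()
        paragraph.append(line)
    flush_paragraph()
    close_list()
    return "\n".join(out)


# The documentation example from the text above, used as sample input.
SAMPLE_DOC = """### Description
The root account has full administrative privileges and should never be used for programmatic API access to AWS.
***
### Recommended Actions
Delete any configured access keys on your root account and replace it with an IAM user or role configured with the minimum privileges required for its use.
### Additional Resources
- [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
"""

if __name__ == "__main__":
    print(render_markdown(SAMPLE_DOC))
```

Running the block prints the example as three h3 sections separated by an hr, with the Additional Resources link rendered inside a single-item unordered list.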
Define your expected cloud spend on a month-by-month basis
Budgets define your expected cloud spend on a month-by-month basis. Budgets allow you to visualize your expected costs for the year in advance and compare with actual spend as the year progresses. You can create as many budgets as needed.
There are two kinds of budgets:
| Type | Definition |
|---|---|
| Overall | How much you plan to spend across your entire organization. |
| Categorized by Perspective | How much you plan each perspective group to spend. |
You can view existing budgets by going to Setup > Governance > Budget.
Note - Budgets created via the legacy Budgets feature (no longer available) are indicated with a yellow legacy label. Because legacy budgets are no longer supported in Policies, Tanzu CloudHealth recommends copying these legacy budgets to create supported budgets and then replacing the legacy budgets in relevant policies.
You can compare budgeted costs against actual costs in the Budgets Vs. Actual Cost report.
After you have configured budgets, you can create policies to monitor costs and notify you when your costs are projected to exceed or have exceeded your expected budget for the month. Budget policies allow you to stay on top of your spend and act quickly before costs grow unmanageable.
When a budget expires, the policy block associated with the budget is disabled within the policy.
There is no notification that a policy block will be disabled. Review expiring budgets and ensure that you re-enable any policies you wish to keep active.
If you created a policy that used a legacy budget, that policy no longer works as expected. Replace the legacy budget with a budget created in the supported Budgets feature in order for the policy to work and send notifications.
Total Cost - RI Prepay + Amortization.
Budget values can be populated via two methods:
Option 1: Manual Entry
Option 2: CSV Import
Historical cost data is available for the last 13 months.
If your budget has any group with a total of 0, then the Save button will be disabled, and you will not be able to create the budget.
After you have created a budget, you can take a variety of actions on that budget in Setup > Governance > Budget.
To edit an existing budget, select the View icon for that budget and make changes as needed. You cannot edit an existing budget’s start date, budget type, or categorization.
If your budget has any group with a total of 0, then the Update button will be disabled, and you will not be able to modify the budget.
You can duplicate an existing budget and then modify the copy instead of creating a new budget from scratch. To duplicate a budget, select the Duplicate icon for that budget.
To permanently delete an existing budget, select the Delete icon for that budget.
A dialog box appears warning you about any policies, reports, subscriptions, and alerts that are dependent on this budget and are consequently affected by the budget’s deletion. Click Delete to delete the budget.