roleary
By
Flexera Alumni

We’ve been receiving some great feedback from you over the past few months about what kinds of policies would best help you manage your technology environment, and it’s been overwhelming listening to the wide variety of use cases where policies can help effect a positive business outcome. Last month, we published an assortment of policies covering many different use cases based on direct customer feedback. As you read through these and browse through all of our current policy content, I’m sure you’ll have new ideas for us, so please keep those ideas coming. You can reply directly to this blog post, contact your account manager, or hit me up directly.

Ensuring efficient use of cloud resources

Keeping cloud environments secure

  • Azure Publicly Accessible SQL Managed Instances checks for publicly accessible managed SQL instances in Azure and provides the option to disable the public endpoint or delete the instance.
  • AWS Unencrypted S3 Buckets checks all S3 buckets in the AWS account and reports on any that do not have default encryption set, allowing the user to set encryption settings for the bucket or delete it after manual approval.

Managing user access

  • Okta Inactive Users identifies users who have not logged in within the specified number of days and optionally deactivates the users after approval.

New policy features coming soon

Keep your eyes out on the CMP Release Blog in the next couple of weeks for some exciting enhancements that will help you manage your policies across accounts and give you more control over automating remediation actions. Thanks to those of you that took time to meet with us to provide your feedback on these features.

(2) Comments
averharen
By
Level 3

Here's an idea for future policy development -- include a policy ownership framework:

1. Administrators having the ability to destroy or access resources may not fit everyone's security model. (Ask the NSA, "re: PRIVAC and Ed S.").

2. Current policies do not take the end-user or owner into consideration. 

3. Current policies do not leverage roles (only at the level of access management).

-- A lot of parts to the policy implementation now exist, but I think what's needed also is a policy ownership framework. I'm thinking that each account in Cloud Management should have some settings defined, such as:

  • Per Account
    • Per type of policy (cost/security/etc)
      • policy-owner-role
      • policy-type-delegation-method (policy-owner-role, resource-owner, both)

Then, every policy will always inform the person with the correct role, regardless of how it is set up in governance, as well as, if necessary, the individual resource owner.

In one case, we worked with Professional Services to build a policy that will identify owners as set up in RightScale tags and email them directly. That seems a great method to involve the owners of resources.

We should move away from selecting individual email addresses for policy notification.

roleary
By
Flexera Alumni
Great ideas Alex! We're making some changes to the way that policies and associated credentials are organized that might help this use case. Once we flesh out the details, I'll reach out and we can talk about how the changes might help address this request. Thanks for the feedback!