RightScale Policy Management allows you to automate governance across your multi-cloud environment to increase agility and efficiency while managing security and risk in your organization. The capability is purpose-built around an intelligent policy engine that lets you enforce rules and best practices to help you achieve business outcomes such as saving time, reducing cost, increasing utilization, and rightsizing your cloud environment.
- Built-in Policies for Cost, Security, Operational, and Compliance use cases
- Dry run policies and then configure them to take approved actions on any API-backed cloud, service, and resource
- Automate policies across your entire cloud landscape (multiple accounts)
- Maintain policy-as-code using the built-in policy template language to write your own policies
- Policies can enforce rules on any cloud or any service with an API
- Automate your policies using the fully-featured Policies API and documentation
Policy Use Cases
RightScale developed a wide variety of built-in policies that provide high value with minimal effort on Day 1. You can simply select the policy you are interested in, customize it, and apply it to individual accounts or across multiple accounts to achieve your business outcomes. Find the complete list here.
In addition to the following examples, the policy engine supports writing custom policies so that customers can meet their own requirements and are not limited to what RightScale provides out of the box.
Increase cost visibility and management in your multi-cloud world and take appropriate actions to run an efficient infrastructure.
- Identify where you are wasting spend and realize immediate savings
- Collaborate to reduce future cloud costs
- Use tagging as a foundation for ongoing cost management
- Automate waste prevention
Gain visibility and control across all your public and/or private cloud environments with our security policies. Improve security across your applications, data, and associated infrastructure by finding security vulnerabilities before your customers do.
- Secure public storage buckets
- Take control of your security groups
- Monitor and secure IAM access
Save valuable human time and investment by automating everyday IT operations. Running an automated and efficient cloud infrastructure frees up expensive resources for high-ROI projects such as scaling and growth, and lets you deliver value faster than anyone else.
- Reduce waste by putting instances on schedule
- Set up automatic key rotation to avoid downtime
Enterprises typically have multiple compliance requirements but struggle to automate them, which leads to downtime as well as resource waste. A strong compliance strategy, together with the ability to automate it quickly, provides peace of mind and avoids business interruption.
- Ensure comprehensive tagging strategy
- Write custom policies for HIPAA, GDPR, PCI, and more
The policy engine leverages our multi-cloud orchestration platform, written in Cloud Workflow Language, which can manage entire applications running in the cloud. These actions may include requiring an approval before a set of automated actions is executed.
- Start/Stop instances
- Change (downsize) instances
- Add/Remove Tags
- Add/Terminate/Delete resources (e.g.: Unattached volumes, old snapshots)
- Migrate between storage classes
- Slack and Email Notifications
- Running Operational Runlists
- Scaling Server Arrays
- Retrieving and analyzing metrics data
- Sending requests to external applications
An open-source policy definition, written in the Policy Template Language, that serves as the blueprint of a policy. It specifies the input parameters, conditions, and actions the policy will take when it is triggered. You can use RightScale's built-in policy templates as is, or customize the source code to create your own custom policy. A policy template can be published to the Catalog to make it visible to the entire organization.
A running policy that has been applied from a policy template. It inherits all the properties of the policy template. One policy template can be applied as many times as needed with different input parameters. For example, you could apply a policy that looks for unattached volumes to development accounts and production accounts with different parameters and resolution actions. In development accounts, you could configure the applied policy to automatically delete unattached volumes after 3 days, while in the production accounts, you could simply send an email alert.
When the conditions of the applied policy are met, an incident is created. It contains all the information about why the policy was triggered and its current status. One applied policy can have more than one incident. Incidents can be in one of the following states:
- active - one or more conditions were found to be true during the policy check (this state is called triggered in the API)
- resolved - the conditions that created this incident no longer exist, or the resolve_incident function was called
- terminated - the applied policy was terminated while the incident was active
Incidents that are not actionable (they are resolved with no pending actions) are archived after 30 days and are available only via the API.
Key Policy Constructs
There are several key concepts in Policies that will help you better understand both RightScale policies as well as writing your own custom policies.
An event, action or schedule that activates a policy execution to check for the condition (e.g. Every 15 minutes).
Rules that are evaluated when a policy is activated (e.g. ensure instances always have required tags).
Remediation that a policy takes when the conditions are met, defined as escalation in the policy template. These actions can be fully automated or can be set to require an approval before the automated actions execute, e.g. approving the deletion of all unattached volumes detected by the policy and sending an email notification.
Defines the actions to be taken when a policy violation is resolved, defined as resolution in the policy template. These actions can be fully automated or can be set to require an approval before the automated actions execute, e.g. approving the closing of a JIRA ticket as part of the resolution.
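The following is an added, complete policy template that ties the constructs above (parameters, conditions, escalation with approval, resolution, and a Cloud Workflow action) together, using the unattached-volumes scenario described earlier in this page. It is an illustrative example written for this page, not one of RightScale's built-in templates. The syntax follows the Policy Template Language as the editor recalls it; the cloud id in the API path is a placeholder, and the function names (size, logic_or, eq, run_script) and the Cloud Workflow calls (rs_cm.get, destroy) should be checked against the language reference before use.

```policy-template
# Added example, not a RightScale built-in template. Syntax and function names
# are assumptions to be verified against the Policy Template Language reference.
name "Unattached volumes (added example)"
rs_pt_ver 20180301
type "policy"
short_description "Reports volumes left unattached for more than a configurable number of days"
severity "low"
category "Cost"

# Parameters: these let one template be applied with different settings
# (e.g. delete after approval in development, email only in production).
parameter "param_email" do
  type "list"
  label "Email addresses to notify"
end

parameter "param_days" do
  type "number"
  label "Days a volume may stay unattached before it is reported"
  default 3
end

parameter "param_delete" do
  type "string"
  label "Delete reported volumes after approval?"
  allowed_values "Yes", "No"
  default "No"
end

auth "auth_rs", type: "rightscale"

# Datasource: list volumes via the Cloud Management API.
# Cloud id 1 is a placeholder; a real template would iterate over clouds.
datasource "ds_volumes" do
  request do
    auth $auth_rs
    host rs_cm_host
    path "/api/clouds/1/volumes"
    header "X-Api-Version", "1.5"
  end
  result do
    encoding "json"
    collect jmes_path(response, "[*]") do
      field "href", jmes_path(col_item, "links[?rel=='self'].href | [0]")
      field "name", jmes_path(col_item, "name")
      field "status", jmes_path(col_item, "status")
      field "updated_at", jmes_path(col_item, "updated_at")
    end
  end
end

# Condition logic: keep only volumes that are unattached ("available")
# and have not changed for more than param_days days.
script "js_stale_volumes", type: "javascript" do
  parameters "volumes", "days"
  result "stale"
  code <<-EOS
    var cutoff = Date.now() - days * 24 * 60 * 60 * 1000;
    var stale = volumes.filter(function (v) {
      return v.status === "available" && Date.parse(v.updated_at) < cutoff;
    });
  EOS
end

datasource "ds_stale_volumes" do
  run_script $js_stale_volumes, $ds_volumes, $param_days
end

# Escalations: notify, or request approval and then run the workflow below.
escalation "esc_email" do
  email $param_email
end

escalation "esc_delete" do
  request_approval do
    label "Approve deletion of unattached volumes"
    description "Approving runs the delete_volumes workflow on every listed volume"
    parameter "approval_reason" do
      type "string"
      label "Reason for approval"
    end
  end
  run "delete_volumes", data
end

# Resolution: sent when the incident is resolved.
resolution "res_email" do
  email $param_email
end

policy "pol_unattached_volumes" do
  # Incident 1: raised whenever stale volumes exist; email only.
  validate $ds_stale_volumes do
    summary_template "{{ len data }} volume(s) unattached longer than the configured threshold"
    detail_template "{{ range data }}{{ .name }} ({{ .status }}, updated {{ .updated_at }})\n{{ end }}"
    check eq(size(data), 0)
    escalate $esc_email
    resolve $res_email
  end

  # Incident 2: only raised when applied with param_delete = "Yes";
  # otherwise the check passes and no deletion is ever proposed.
  validate $ds_stale_volumes do
    summary_template "{{ len data }} volume(s) pending approval for deletion"
    detail_template "{{ range data }}{{ .href }}\n{{ end }}"
    check logic_or(eq($param_delete, "No"), eq(size(data), 0))
    escalate $esc_delete
  end
end

# Cloud Workflow definition invoked by esc_delete after approval.
define delete_volumes($data) do
  foreach $item in $data do
    @volume = rs_cm.get(href: $item["href"])
    @volume.destroy()
  end
end
```

Applying this template to a development account with param_days = 3 and param_delete = "Yes" yields the auto-cleanup-after-approval behaviour; applying it to a production account with param_delete = "No" yields the email-only behaviour, with no change to the template itself.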
The Catalog is the central place for viewing the published templates available in your organization that can be applied to individual or multiple accounts. Users with the policy_publisher role can choose to un-publish policy templates that they do not wish to make available to other users in the organization.
Dashboard provides a summary view of what is happening in the account. It shows important information on Applied Policies and Incidents to give you complete insights to take actions.
This view shows all applied policies running in the account. Using the Account selector drop-down at the top of the page, you can switch between accounts to see the applied policies in each. You can choose to view complete details on a policy or take actions such as terminating the policy or applying a similar one.
Apply Similar Policy
This action makes it seamless to quickly apply a similar policy in a different account, or to tweak the input parameters for a new policy. Just click the actions menu and hit Apply Similar, and the system will try to pre-fill the input parameters from the original policy.
Similar to the Applied Policies page, this view shows all incidents generated by policies over time. You can see complete details on the Incident along with resources, actions, approvals and/or resolutions.
This view is for policy designers so they can upload policy templates for testing before publishing them to the organization for wider use. To publish a policy template, you will need a special organization-level role.
Policy Publishing Flow
The diagram below outlines how the policy engine works. Typically a policy developer develops policy templates and tests them by uploading them to the Templates page. Once a policy template is ready to be published, a user with the policy_publisher role can choose to publish it to the Catalog, making it available to everyone in the organization.
RightScale policy management comes with granular access control to provide more flexibility based on the user type. You can grant users these roles using Governance.
| Page | Feature | Roles that can use the feature |
| ---- | ------- | ------------------------------ |
|  | Publish a Policy Template |  |
|  | Un-publish a Policy Template |  |
|  | Delete custom Policy Template |  |
| Applied Policies | View Applied Policies |  |
|  | Terminate a policy |  |
|  | Apply a similar policy |  |
|  | Approve or Deny an Action |  |
|  | Upload a custom policy |  |
|  | Apply a policy |  |
|  | Delete a custom policy template |  |
|  | Publish a Policy Template |  |
How to grant policy roles?
Role-based access control is centrally managed by our Governance module. You can grant any role to the desired user from there. You will need the admin role to access Governance.
Users with the enterprise_manager role can access all policy functions. However, users with the admin role will need to grant themselves explicit policy roles.
Additional Role Requirement
The policy roles above only grant users access to policy management; they do not automatically grant the access required to run policies, including taking actions (read or write). Depending on the policy and the action, each policy requires additional roles, as outlined on the policy list page.
Writing your own Policy
We built the policy engine with the important goal of keeping it open source, so users can either customize RightScale's built-in policies or write their own based on their custom requirements.
Policy management has extensive APIs that are publicly available to the customers.