Overview

RightScale Policy Management allows you to automate governance across your multi-cloud environment to increase agility and efficiency while managing security and risk in your organization. The capability is built on an intelligent policy engine that lets you enforce rules and best practices to help you achieve business outcomes such as saving time, reducing cost, increasing utilization, and rightsizing your cloud environment.

Key Capabilities

  • Built-in Policies for Cost, Security, Operational, and Compliance use cases
  • Dry-run policies and then configure them to take automatic actions on any API-backed cloud, service, and resource
  • Automate policies across your entire cloud landscape (multiple accounts)
  • Maintain policy-as-code using the built-in policy template language to write your own policies
  • Policies can enforce rules on any cloud or any service with an API
  • Automate your policies using the fully-featured Policies API and documentation

Policy Use Cases

RightScale developed a wide variety of built-in policies that provide high value with minimal effort on Day 1. You can simply select the policy you are interested in, customize it, and apply it to individual accounts or across multiple accounts to achieve your business outcomes. Find the complete list here.

In addition to the following examples, the policy engine supports writing custom policies, so customers can meet custom requirements and are not limited to what RightScale provides out of the box.

Cost

Increase cost visibility and management in your multi-cloud world and take appropriate actions to run an efficient infrastructure.

  • Identify where you are wasting spend and realize immediate savings
  • Collaborate to reduce future cloud costs
  • Use tagging as a foundation for ongoing cost management
  • Automate waste prevention

Security

Gain visibility and control across all your public and/or private cloud environments with our security policies. Improve security across your applications, data, and associated infrastructure by finding security vulnerabilities before your customers do.

  • Secure public storage buckets
  • Take control of your security groups
  • Monitor and secure IAM access

Operational

Save valuable human time and investment by automating everyday IT operations. Running an automated and efficient cloud infrastructure frees up expensive resources for high-ROI projects such as scaling, growth, and delivering value faster than anyone else.

  • Reduce waste by putting instances on a schedule
  • Set up automatic key rotation to avoid downtime

Compliance

Enterprises typically have multiple compliance requirements but struggle to automate them, which leads to downtime as well as resource waste. Having a strong compliance strategy together with the ability to quickly automate it provides peace of mind and avoids business interruption.

  • Ensure comprehensive tagging strategy
  • Write custom policies for HIPAA, GDPR, PCI, and more

Policy Actions

The Policy Engine leverages our multi-cloud orchestration platform, written in Cloud Workflow Language, which allows managing entire applications running in the cloud.

Examples

  • Start/Stop instances
  • Change (downsize) instances
  • Add/Remove Tags
  • Add/Terminate/Delete resources (e.g.: Unattached volumes, old snapshots)
  • Migrate between storage classes
  • Slack and Email Notifications
  • Running Operational Runlists
  • Scaling Server Arrays
  • Retrieving and analyzing metrics data
  • Sending requests to external applications

Policy Engine in a nutshell

Basic Concepts


  • Policy Template: An open source policy definition, written in the powerful Policy Template Language, that defines the blueprint of a policy. It specifies the input parameters, the conditions, and the actions the policy will take when it is triggered. You can use built-in policy templates from RightScale as is or customize the source code to create your own custom policy. A policy template can be published to the Catalog to make it visible to the entire organization.

  • Applied Policy: A running policy that has been applied from a policy template. It inherits all the properties of the policy template. One policy template can be applied as many times as needed with different input parameters. For example, you could apply a policy that looks for unattached volumes to development accounts and production accounts with different parameters and resolution actions. In development accounts, you could configure the applied policy to automatically delete unattached volumes after 3 days, while in the production accounts, you could simply send an email alert.

  • Incident: When the conditions of the applied policy are met, an incident is created. It contains all the information about why the policy was triggered and the current status. One applied policy can have more than 1 incident.

Key Policy Constructs

There are several key concepts in Policies that will help you better understand RightScale policies and write your own custom policies.


  • Trigger: An event, action or schedule that activates a policy execution to check for the condition (e.g. Every 15 minutes).
  • Conditions: Rules that are evaluated when a policy is activated (e.g. ensure instances always have required tags).
  • Action: Remediation that a policy takes when the conditions are met (e.g. terminate instance and send email notification). Defined as escalation in the policy templates.
  • Resolution: Defines the actions to be taken when a policy violation is resolved (e.g. close a JIRA ticket). Defined as resolution in the policy template.

Feature Overview

Catalog

The Catalog is the central place for viewing published templates available in your organization that can be applied to individual or multiple accounts. Users with the policy_publisher role can choose to un-publish policy templates that they do not wish to make available to other users in the organization.


Dashboard

The Dashboard provides a summary view of what is happening in the account. It shows important information on Applied Policies and Incidents to give you the insight you need to take action.


Applied Policies

This view shows all applied policies running in the account. Using the Account selector drop-down at the top of the page, you can switch between different accounts to see the applied policies in each account. You can choose to view complete details on the policy or take actions like terminating the policy or applying a similar one.


Apply Similar Policy

This action makes it easy to quickly apply a similar policy in a different account or to tweak the input parameters for a new policy. Just click the actions menu and hit Apply Similar, and the system will try to pre-fill the input parameters from the original policy.


Incidents

Similar to the Applied Policies page, this view shows all incidents generated by policies over time. You can see complete details on the Incident along with resources, actions, and/or resolutions.


Templates

This view is for policy designers so they can upload Policy Templates for testing before publishing them to the Organization for wider use. To publish a policy template, you will need the special organization-level role policy_publisher.


Policy Publishing Flow

The diagram below outlines how the policy engine works. Typically, a policy developer will develop policy templates and test them by uploading them to the Templates page. Once the policy template is ready to be published, a user with the policy_publisher role can choose to publish it to the Catalog, making it available to everyone in the organization.

policy_interaction.png


Access control

RightScale policy management comes with granular access control to provide more flexibility based on the user type. You can grant users these roles using Governance.

| Page | Feature | Roles that can use the feature |
|---|---|---|
| Catalog | View Catalog | policy_publisher, policy_designer, policy_manager |
| Catalog | Publish a Policy Template | policy_publisher |
| Catalog | Un-publish a Policy Template | policy_publisher |
| Catalog | Delete custom Policy Template | policy_publisher |
| Dashboard | View Dashboard | policy_designer, policy_manager, policy_viewer |
| Applied Policies | View Applied Policies | policy_designer, policy_manager, policy_viewer |
| Applied Policies | Terminate a policy | policy_designer, policy_manager |
| Applied Policies | Apply a similar policy | policy_designer, policy_manager |
| Incidents | View Incidents | policy_designer, policy_manager, policy_viewer |
| Templates | View Templates | policy_publisher, policy_designer |
| Templates | Upload a custom policy | policy_designer |
| Templates | Apply a policy | policy_designer |
| Templates | Delete a custom policy template | policy_designer |
| Templates | Publish a Policy Template | policy_publisher |

How to grant policy roles?

Role-based access control is centrally managed by our Governance module. You can grant any roles to the desired user from here. You will need the enterprise_manager or admin role to access Governance.


Additional Role Requirement

The policy roles above only grant users access to policy management; they do not automatically grant the access required to run policies, including taking actions (read or write). Depending on the policy and its action, each policy requires additional roles, as outlined on the policy list page.

Writing your own Policy

We built the policy engine with the very important goal of keeping it open source, so users can either customize RightScale built-in policies or write their own based on their custom requirements.

Get started with writing your custom policies using the Policy Template Language.

API Documentation

Policy management has extensive APIs that are publicly available to customers.

Policy API Doc