Platform Changes

  • The FROM email address in the Policy Incident emails changed from noreply-governance@rightscale.com to noreply@flexera.com.

New Policy Templates

Changes to Existing Policy Templates

  • Schedule Reports - Fixed issue with top 10 cost categories when there is no data yet for current month.
  • Superseded Instances - Corrected duplicate column name
  • AWS Unused Volumes - 1) Fixed an issue that may prevent an AWS snapshot from being created before terminating a volume. 2) Improved action error handling and debug logging. 3) Added a parameter to override the Flexera One org ID to use when querying Optima, for cases when the project is not in the same org where the AWS bill is registered in Optima.
  • AWS Unused IP Addresses - 1) Improved action error handling and debug logging. 2) Corrected the cost for total estimated savings.
  • AWS Old Snapshots - 1) Improved action error handling and debug logging. 2) Added a parameter to override the Flexera One org ID to use when querying Optima, for cases when the project is not in the same org where the AWS bill is registered in Optima.
  • Budget Alerts by Cloud Account - 1) Fixed an AWS account name lookup bug that led to an error. 2) Refactored the Billing Center index call to return the Billing Centers the user has access to. 3) Fixed the budget column heading.

New Policy Templates

  • Policy Updates - Be informed of updated policy templates in the Policy Catalog. This policy template identifies the version of every policy applied in an account and compares it to the version of the respective policy template in the catalog. It then creates an incident with details on when the policy was last updated in the catalog and links to the README and CHANGELOG files.

Changes to Existing Policy Templates

Changes to Existing Policies

New Policies

Changes to Existing Policies

  • AWS Unused Volumes included Estimated Monthly Savings for each resource in the policy incident and Total Estimated Monthly Savings.
  • Azure Unused Volumes included Estimated Monthly Savings for each resource in the policy incident and Total Estimated Monthly Savings.
  • Azure Rightsize SQL Databases
  • All AWS Policies - Fixed an issue where the policy failed because of AWS Service Control Policy region restrictions.

New Features

  • The Policy Manager has a new feature that allows users to run actions on selected resources within a Policy Incident. The user can also select an action to run automatically when the incident is created. Review the README file of the policy templates that interest you for additional details as they pertain to this new feature.

New Policies

New Policies

New Policies

New Policies

New Features

  • The Policy Manager has an improved incident table. The new incident table allows users to sort columns, hide and show columns and filter for text within the table. This feature requires the use of the export block within the policy template.

New Policies

New Features

New Policies

New Features

Changes to Existing Features

  • Improved success and error messages when managing credentials
  • Selected credential information is now available when viewing applied policies
  • Improved experience when editing credentials
  • Simplified credential editing screens for AWS credential types

New Policies

Changes to Existing Policies

  • Budget Alerts was updated to provide a more accurate assessment of current month costs against the specified budget amount.
  • Billing Center Cost Anomalies was updated to help reduce noise by allowing for a minimum spend amount before billing centers are reported on.

New Features

  • Policies now have credential management built into the product, making it easier to connect your different clouds for policy governance. Along with the feature release, many policies have been upgraded to use the new credential capability (see below). Check out the docs to learn more. Some of the benefits include:
    • Simplified experience to connect clouds for policy governance
    • Ability to rotate credentials without affecting running policies
    • Support for new credential types including AWS Cross-Account Roles and NTLM
    • Reduced overhead when dealing with multiple cloud accounts
  • Policy designers can now specify a default frequency value in their policies, simplifying the process of applying a policy for their users.

New Policies

Changes to Existing Policies

The following policies have been updated to support the new method of credential management mentioned above:

New Policies

New Policies

  • AWS Long-stopped Instances checks for instances stopped longer than the specified period of time and terminates the instance after user approval.
  • Google Long-Stopped Instances checks for instances stopped longer than the specified period of time and terminates the instance after user approval.

Changes to Existing Policies

New Policies

New Policies

Changes to Existing Policies

New Policies

Changes to Existing Features

  • Azure Subscription Access was modified to account for more than 100 users and to only gather subscription-level role assignments.

Changes to Existing Features

  • Policies can now be configured to run on a monthly interval for use cases that require less frequent checks. Simply choose the monthly option under policy schedule when applying your policy.

New Policies

Changes to Existing Policies

  • Multiple policies were modified to include a manual approval step before taking action so that items can be reviewed before being modified. Manual approval for any policy can be skipped by checking the Skip Action Approvals option when applying a policy.
  • Multiple policies were modified so that they can now be applied to only one account. This limitation is appropriate in cases where the policy uses an external credential for authentication and running the policy on multiple accounts would lead to the exact same behavior repeated numerous times.

New Features

  • Policy designers can now restrict a policy to being applied in only one account, for policies that do cross-account checks and actions. Use the tenancy attribute of the policy template language to avoid accidentally applying a policy across many accounts when each application would behave exactly the same.

Changes to Existing Features

  • The policy Catalog and Dashboard page have been updated to show any category that is defined in the policy template instead of grouping them into an Other category.

New Policies

  • AWS Object Storage Optimization checks for S3 objects that haven't been updated outside of the specified timeframe and moves the object to Glacier or Glacier Deep Archive after user approval.
  • AWS Rightsize RDS Instances provides rightsizing recommendations for RDS instances by gathering AWS CloudWatch data on 30 day intervals and can rightsize the instances after user approval.
  • AWS Unused RDS Instances checks for unused RDS instances by reviewing the CloudWatch DBconnection metric for the last 30 days. If there have been no connections, the RDS instance is reported and can be automatically terminated after user approval.
  • Azure Blob Storage Optimization checks Azure Blob Storage for objects that haven't been updated outside of the specified timeframe and moves them to the Cool or Archive tier after user approval.
  • Azure Idle Compute Instances checks for idle virtual machines in Azure, as defined by CPU utilization, and optionally terminates the virtual machines after approval.
  • Azure Expiring Reserved Instances reports on active Azure RIs that are expiring within a user-provided window.
  • Azure Rightsize SQL Instances provides rightsizing recommendations for SQL instances based on CPU usage for the last 30 days.
  • Google Expiring Committed Use Discount (CUD) reports on active Google CUDs that are expiring within a user-provided window.
  • Google Object Storage Optimization checks for objects that haven't been updated outside of the specified timeframe and moves the object to nearline or coldline storage after user approval.
  • Google Unused CloudSQL Instances checks for unused CloudSQL instances in Google Compute Engine and terminates them upon approval.

Changes to Existing Policies

New Features

  • Organizational Summaries give users with org-scoped access to policies an improved view of policy information across all accounts in the organization. All operational views of policies, including the Dashboard, provide an Organization Summary option in the account selector that rolls up data from across all accounts in the organization. Applied policies are grouped together and can be managed from a single page. To check it out, go to the Dashboard page in Policy Manager.
  • Policy managers can now skip pre-defined approval steps in the action sequence of a policy incident, allowing for policy remediations to be fully automated. When applying a policy, a new option is available called Skip action approvals in both the UI and the API.

New Policies

New Policies

Changes to Existing Policies

New Policies

Changes to Existing Policies

  • Discover Old Snapshots was updated to filter out snapshots created from images.
  • Low Account Usage was updated to sum up the total potential savings and to remove the APN Fee from the calculation.

Changes to Existing Policies

  • Superseded Instances was updated to show the monthly estimated cost for each instance instead of the run rate.
  • Cheaper Regions was updated to show the resource IDs of affected virtual machines.
  • Old Snapshots was updated to always send an email when new snapshots are detected.

New Policies

  • AWS Unencrypted S3 Buckets checks all S3 buckets in the AWS account and reports on any that do not have default encryption set, allowing the user to set encryption settings for the bucket or delete it after manual approval.

Changes to Existing Policies

  • Low Service Usage has been changed to more closely meet the data provided in Optima Recommendations.

Changes to Existing Policies

New Policies

  • Azure VMs Not Using Managed Disks checks all Azure VMs and reports on any that are not using Managed Disks, which are the latest offering from Azure and are much easier to manage.
  • AWS S3 Buckets without Server Access Logging checks for any S3 buckets that don't have Server Access logging enabled and allows the user to enable logging after approval.
  • Azure Subscription Access checks all users who have Owner or Contributor access to a given Azure subscription and creates an incident whenever that user list changes.

New Features

  • Cloud workflow now supports JWT tokens when making HTTP calls so that any API that uses JWT can be leveraged when remediating policy incidents or automating cloud resource actions.

New Policies

New Policies

  • Superseded Instances checks for instances running on instance types that have been superseded by newer, usually improved, instance types.

Changes to Existing Policies

  • AWS Instance CloudWatch Utilization now supports tags to ignore instances, minimum usage thresholds for reporting, and actions to tag the resources that fail the policy check.

  • Low Account Usage can now be run against specific billing centers, supports a minimum savings threshold to limit the noise, and reports against the monthly run rate instead of the current usage.

  • Low Service Usage can now be run against specific billing centers, supports a minimum savings threshold to limit the noise, and reports against the monthly run rate instead of the current usage.

New Policies

New Policies

Changes to Existing Features

  • Policies now support pagination markers in the body of a request, enabling the use of APIs that leverage this method for pagination, such as some AWS API calls. You can find additional information and examples of the body_field page marker in the Pagination section of the policy language documentation.

New Policies

  • Stranded Servers reports on any servers that are stranded in booting so that they can be repaired or terminated to reduce waste.

Changes to Existing Policies

  • Cheaper Regions policy now reports only on instance data instead of all region costs, helping to simplify the report and help users target relevant spend.
  • Unattached Volumes now provides an option to take a snapshot of the volume before deleting it.

New Policies

New Policies

  • AWS Unused ECS Clusters checks all ECS clusters to determine if any are unused (no registered instances, no running tasks, no pending tasks, no active services) and offers the option to delete the cluster after manual approval.
  • AWS Internet-facing Load Balancers checks all AWS load balancers (both Classic Load Balancers (ELBs) and Application Load Balancers (ALBs)) and reports on any that are Internet-facing. When such a load balancer is detected, the user can choose to delete it after approval.
  • AWS Unencrypted Volumes checks all Elastic Block Store (EBS) volumes in a given account and reports on any that are not encrypted.
  • Low Account Usage reports on accounts with low usage, which may indicate abandoned accounts that could be cancelled or consolidated into larger accounts for ease of management.
  • Low Service Usage reports on services with low usage, which may indicate abandoned services that can be terminated or potentially consolidated into a larger account/region for ease of management.
  • Google Unused IP Address checks Google for Unutilized IP Addresses.

Changes to Existing Policies

Learn about updating policies

Changes to Existing Policies

Learn about updating policies

New Policies

Changes in Behavior

Policy incidents are now archived after 30 days if there is nothing actionable and the incident is terminated or resolved. Archived incidents can still be found in the API if additional information is needed. Read more about incidents on the docs page.

New Features

Policies now give you more control over what conditions cause an incident to be updated, allowing you to specify which fields of data should be used in determining whether or not incident data has changed. This is particularly useful in cases where incident data contains a time element, such as N days ago, allowing you to ignore the days ago field when determining if an incident has been updated. For more on this feature, see the hash_include and hash_exclude attributes of the policy declaration, described in the documentation.

New Policies

New Policies

  • GitHub Available Seats alerts you when you are close to your maximum number of seats in a GitHub organization or when the seats you have purchased are under-utilized.

New Policies

Changes to Existing Policies

New Features

The fpt command-line tool has been released. It provides policy developers with an improved workflow to build, test, and deploy policies across their organization. More information on the tool and policy development in general can be found in the policies getting started guides.

New Policies

Changes to Existing Policies

New Policies

  • Underutilized Azure Reserved Instances reports on Azure Reserved Instances that are not being utilized to help identify and remediate waste.
  • Budget Alerts allows you to set a budget amount on a per-billing center or organization level and get an alert when your actual or forecasted spend is above the specified budget amount.
  • Azure Hybrid Use Benefit identifies all VMs not leveraging Azure Hybrid Use Benefit (AHUB) and allows for AHUB to be enabled after approval.

Changes to Existing Policies

  • Untagged Resources - fixed issue with creating tag for invalid_tag
  • Downsize Instances - Added a CPU and memory datapoint check for instances that are operational but not sending monitoring data back to the platform

New Policies

  • Azure Superseded Instance Types identifies VMs that are running on older instance types where a newer instance type exists and can automatically resize the VM to the new type after approval.

New Policies

  • Scheduled Reports provides the user with periodic reports of their cloud spend for the selected billing centers.

New Policies

New Features

  • Policies now include the option to approve actions prior to execution. Users have the ability to add an approval action as part of escalation or resolution. The Approval API creates an approval request and blocks further actions from executing until a user approves or denies the action. Parameters can be referenced by subsequent cloud workflows or emails within the same escalation or resolution. Users with the policy_approval role can approve or deny an action and can add a comment, the details of which can be seen on the Incident details page as well as in the API.

  • The applied policies API now includes a filtering option on name.

New Features

  • An applied policy can now be run on-demand by leveraging the Run Now option in either the UI in the Actions menu or the AppliedPolicy#evaluate method in the API.
  • Each run of a policy now provides a detailed log that can be accessed by users with the policy_designer role to see a full log of all data and requests made by the policy. Users with the privilege will see this both in the UI in the Actions menu as well as in the AppliedPolicy#log action in the API.

  • The datasource now supports an ignore_status_code field to allow you to specify any status code responses to ignore, instead of throwing an error. Read more about this in the Request details for datasource in the documentation.

  • Applied policies now provide detailed status, including the last time the policy was started and finished as well as the next scheduled time it will run. All of these fields are available in the AppliedPolicy#status action in the API and the last started time is shown in the UI as Last ran on.

New Features

Announcing a completely redesigned multi-cloud policy management capability in RightScale with built-in Cost, Security, Compliance, and Operational policies to help you achieve quick ROI.

Key Capabilities

  • Built-in Policies for Cost, Security, Operational, and Compliance use cases
  • Dry run policies and then configure them to take automatic actions on any API-backed cloud, service, and resource
  • Automate policies across your entire cloud landscape (multiple accounts)
  • Maintain policy-as-code using the built-in policy template language to write your own policies
  • Policies can enforce rules on any cloud or any service with an API
  • Automate your policies using the fully-featured Policies API and documentation

Learn more about RightScale Policies.

New Feature

  • Introducing a new dedicated role (credential_viewer) for view-only permissions on RightScale's Credentials feature. You no longer have to grant the admin role to view credentials. The credential_viewer role can be assigned to users at an organization level (all accounts), as well as to individual accounts, like other Governance roles.

Changes in Behavior

  • To increase visibility around billing center level permissions, users with the enterprise_manager role can use Governance to see the list of billing centers a user has access to and easily navigate to them.

Changes in Behavior

  • Introducing a new frictionless way to manage users, groups, and accounts in bulk. Governance users can now switch the view to update multiple users, roles, accounts, and groups seamlessly.

    Users Page

    Groups Page

    Accounts Page

New Features

  • Governance users can now download a detailed user role report (CSV), broken down by accounts, for better visibility as well as auditing.

    Enterprise Manager's View

    Admin's View

Changes in Behavior

  • Fixed an intermittent bug causing admins to see the "lack privileges" screen on login or when navigating from Cloud Management.

Changes in Behavior

  • Reduced confusion for Enterprise Managers by hiding users with no roles from the accounts view.
  • Improved performance by reducing the number of network requests.

New Features

  • Enterprise Managers now have the option to navigate to the Invitations Page directly from the Users page.

Changes in Behavior

  • New UI loading indicator while the page is loading the data.
  • Improved usability around new user invite flow by reducing the number of clicks it takes to get to the Invite page.

Changes in Behavior

  • To provide more context to users who belong to a single organization, Governance now shows the organization name in the UI. Previously, the organization name only appeared for users affiliated with multiple organizations.

New Features

  • Enterprise Managers can now seamlessly remove a user, including all of its roles, from the organization.

Changes in Behavior

  • Security bug fix to ensure that an access token cannot be generated by a terminated instance.

New Features

  • You can now create user groups with special characters.
  • Usability improvement to reduce the number of clicks and time to value by making Roles the default tab.

Changes in Behavior

  • Fixed a bug where user roles were not reflecting all inherited roles.
  • Fixed a bug where an incorrect message was displayed if a user only had roles inherited from the organization level.

New Features

Announcing General Availability of the new Governance application, located within the RightScale product dropdown, to provide enhanced identity access management (IAM). With features like User Groups, Role Inheritance, and Full Audit Entries, users with the enterprise_manager role and admins get greater control over users' permissions.

  • Organizations: Organization is a new concept we have introduced to help you manage multiple accounts within your company. For existing customers, we have automatically created an Organization based on your master account.

  • Groups: Organize users into Groups based on your organizational needs or other criteria and assign specific roles to the Groups.

  • Role inheritance: Inheritance is a powerful feature for assigning Roles at the top level, such as the organization, and then cascading them down to the Group/Account/User level. Roles granted at the organization level will automatically appear at the account level.

  • Audit Entries: Gain visibility into which users are making changes to your cloud resources.

  • New Self-Service User types: New granular roles (ss_end_user, ss_designer, ss_observer) for the Self-Service application designed to give you complete flexibility. Learn more about Self-Service User types.

Changes in Behavior

  • The Cloud Management User tab, for managing permissions, has moved under the new Governance application to allow you to manage user permissions in one place.

  • API support for provisioning Self-Service users: Self-Service roles (ss_end_user, ss_designer, ss_observer) can now be assigned via API 1.5. Learn more about Inviting Self-Service users.

  • With the new Self-Service user types, you can now grant Cloud Management and Self-Service roles independently of each other, giving you more control over the platform.
