AWS is a large, robust offering with a seemingly infinite number of configuration options to tailor your deployment perfectly around your needs. However, the flexibility and sheer number of choices that Amazon provides when setting up your services are both a blessing and a curse. It can be easy to overlook security loopholes, deploy options that aren’t the most cost-effective, and miss beneficial features which are hidden within the AWS API.
That’s where CloudCheckr’s best practice checks come in. We will take a detailed look at your deployment to ensure your infrastructure is configured properly, and highlight areas that may be cause for concern. These checks will focus on four key areas: security, availability, cost and usage.
While Amazon handles security of their datacenter, AWS users are responsible for network, host, and application-level security. CloudCheckr will look and see if you are setting proper permissions, if security groups are being utilized properly, if ACLs are configured correctly, if proper password policies are in place, if resources are accessible by the public internet, and several other items.
When items are launched in AWS, it’s important that they are accessible. However, sometimes things can go wrong, such as instances becoming unhealthy or availability zones becoming unreachable. CloudCheckr will look at your deployment to not only verify that everything is up and running, but also ensure that your architecture is properly configured to respond when things do go awry.
When launching and maintaining an infrastructure within AWS, it’s easy to lose track of what’s out there and what’s no longer needed. CloudCheckr can help with this. We will look for items that exist but aren’t being used, and highlight those for you. Cost checks will also show you potential cost savings by making RI purchases and migrating resources to current generation offering types.
There are many options in AWS which are highly recommended, but that we have found are not consistently or properly deployed. CloudCheckr will review your architecture to see whether you are taking advantage of these features, and whether they are being used in the most advantageous way. We will ensure that Auto Scaling is configured, and configured properly, within EC2. We’ll ensure that the users in IAM are created according to best practices, that backups are taken automatically and retained for an appropriate amount of time, and that resources are being properly utilized.
Using the Report
The top section of the report allows you to filter your checks by category, resource tag and importance. To filter by category, click on the desired tab in the report: Availability, Cost, Security, or Usage. Use the Importance dropdown to filter by: high, medium, low, or informational. The tag dropdown will consist of the resource tags used within your AWS account (for more information on resource tags, see the Amazon website). The “Show Ignored” checkbox allows you to view and restore those items that you have flagged to ignore (more on that below).
The items in the report are also categorized with icons and various colors.
- Red (stop sign) = High
- Orange (triangle) = Medium
- Yellow (exclamation point) = Low
- Blue (‘i’) = Informational
- Green (checkmark) = No issues found
The report shows the name of the best practice check, as well as the number of “issues” found (when applicable). If no issues were found with the best practice check, it will display as green.
To view the details, trend graph and “issues” found for a best practice check, simply click on the check name. The check will expand and display its details and relevant information. The details of the check will show you exactly which items within AWS were picked up by CloudCheckr’s best practice check. For further information, each check contains links to the relevant CloudCheckr details report for the issue found. In the example above, you can click on the individual names of the Volumes to be directed to the EC2 EBS Volumes Report, and it will show only that volume. Or, you can click the ‘View Details for All 4 Items’ link at the bottom of the check to be taken to that report where it will show all four volumes.
Once expanded, you’ll see a summary of the check showing exactly what it looked for. If you click the ‘read more’ link you’ll see further details of the check, including:
- Category – the type of best practice check: availability, cost, security, or usage.
- Importance – high, medium, low, or informational.
- Description – a detailed overview of the AWS feature the best practice check was run against, why the check is important, and how it impacts your AWS account.
- Link – the bottom of the description contains a link to the relevant AWS documentation.
Below the details of the check you will find a 30 Day Trend graph. This graph shows how many ‘issues’ were found, for that specific check, each day over the past thirty days. If you see any spikes or anomalies that you want to investigate, you can use the History dropdown at the top of the report, select the day in question, and see those specific details.
To the right of each check you will find three, four, or five icons. Each of these icons gives you the ability to take specific action against the check.
These options are:
- Email – Configure check-specific emails. Added emails will receive this check’s result detail. You have the option to send always or send when new issues are discovered.
- Tag Filter – Configure the check to only report on resources that have, or do not have, specific resource tags. NOTE: After configuring this option you must run a new report update for this change to take effect.
- Configure – Provides you the ability to determine which parameters will cause the check to find “issues”. For example, you can dictate the CPU Utilization % and Time Period that determines when an EC2 instance will be considered idle.
- Export – Allows you to export the details of the check to CSV.
- Ignore – Hides the check from the report. Allows you to eliminate noise, or checks that are irrelevant to your AWS deployment.
If, for any reason, you do not want to see a best practice check in your report, CloudCheckr gives you ignore capabilities. Clicking the ‘X’ icon to the right of the report will ignore that best practice check. This means that the check will be hidden from the main report, until it is restored.
You can also ignore individual items from your best practice checks using this same method. Locate the item(s) you want ignored, and click the X to the far right. If you ignore an item, as opposed to a check, the check will still show up in your report and email, but the individual item(s) you have ignored will be hidden.
To restore a check, click the “Show Ignored” checkbox at the top of the page, click the Refresh button, then click on the category tab of the check you would like to restore.
Click the Restore (circle) icon, and the check will be restored back to the main best practices report. This functionality is also available on the individual items found within each check. If you expand a check, you can click the X to the right of the details found within the check to ignore that specific item (while leaving the main best practice check active). These are also restored within the ‘Show Ignored’ menu by clicking on their restore icon.
NOTE: In addition to being hidden from the main report, ignored checks will also not be delivered in the best practice emails.
Users who also utilize AWS Trusted Advisor can have their Trusted Advisor results automatically imported into their CloudCheckr Best Practice report.
NOTE: CloudCheckr must be given access to Trusted Advisor to add this information to the Best Practice report. To provide access to Trusted Advisor, you must allow “support:*” permissions on the IAM user used for CloudCheckr. Please contact firstname.lastname@example.org with any questions about this.
The functionality of the Trusted Advisor checks works the same as native CloudCheckr best practice checks.
Click on any item within the Trusted Advisor tab to expand and view further details.
These checks are also categorized into importance categories, with green meaning no issues were reported by Trusted Advisor.