What’s New/CloudCheckr Updates for Self-Hosted

April 2018

CloudCheckr has published an update to its self-hosted offering. This update adds several new features and reports to the application.

You can obtain this update by downloading the newest version from the marketplace where you purchased CloudCheckr originally, or by contacting your CloudCheckr account manager.

Please note that, upon installation of the updates, all new features and reports may not appear in your account until CloudCheckr performs report updates against these changes.

Note: For information on how to get started with the self-hosted offering, click here.


Details of the Update:

GENERAL UPDATES

Re-implemented two Admin functions on List of Accounts page:

  • CSV Account Upload – allows you to upload a CSV for bulk account creation.
  • Save List of Accounts to CSV – allows you to export a list of your accounts to a CSV file.

Updated Forgot Password screens and workflow
In addition to an improved look and feel, when using the forgot password function, CloudCheckr will email you a link to the reset password page, and a key you must enter into a form on that page.

Showing/hiding columns on the list of accounts page
The list of accounts page now gives you the option to choose which columns to show or hide.

API Updates

7 New Azure Calls:

  • account/add_azure_csp_account
  • account/add_azure_ea_account
  • account/add_azure_inventory_account
  • account/edit_azure_csp_credential
  • account/edit_azure_ea_credential
  • account/edit_azure_inventory_credential
  • inventory/get_resources_virtual_machine_details

1 New Admin Call:

  • account/get_accounts_v4

2 Calls Updated:

  • best_practice/get_best_practices_v2 API call now supports Azure
  • billing/get_detailed_billing_with_grouping_v2 call now supports multi-account views

AWS UPDATES

GENERAL AWS UPDATES

CloudFormation Template will now read as ‘CC’ instead of ‘CloudCheckr’
When using the CloudFormation (instead of Manual) option when configuring accounts, the template URL will read ‘CC’ instead of ‘CloudCheckr’.

Partner Tools being logged in Audit Log
Any changes being made against the following features within the Cost > AWS Partner Tools menu will be captured by the Admin Audit log.

  • Custom Billing Charges
  • Configure Custom Cost
  • Payee Support Charges
  • Custom Usage Rates

AWS COST UPDATES

Custom Charges display by description in invoices
A new checkbox labeled ‘Show custom charge descriptions’ has been added to the Cost > AWS Partner Tools > Report > Generate Invoices screen. When this checkbox is enabled, any custom charges added to CloudCheckr will display as their description in exported invoices (instead of displaying as coming from the ‘Custom’ service). This applies to any invoice other than Summary by Region, or invoices based on Saved Filters (those will adhere to the saved filter formatting). This makes it clear to the invoice recipient what the charges are for.

Added rounding notification to Monthly Billing Summary report
The Cost > AWS Billing > Summary Reports > Monthly report now includes help text at the top explaining how rounding large decimals can impact the costs displayed within CloudCheckr.

Added the ability to include credits in Advanced Grouping report
The Advanced Grouping report will now include credits by default. There is a checkbox added to the report that allows you to hide these credits if you would like a cost-only report. Note that historic months will need to be reloaded to see credits in this report.

Performance Improvements to Advanced Grouping saved filter generation
The back-end process that builds the data for saved filters in the Advanced Grouping report has been improved, allowing for much faster build times.

Added the ability to include account families in Advanced Grouping report
When filtering by accounts within the Advanced Grouping report, you can now choose to filter by AWS account or by Account Family.

Enable custom charges by a group of accounts
When adding custom charge tiers you now have the option to either sum all accounts and pass those through the custom tiers, or to pass each individual account through the tiers. This provides greater control and flexibility when establishing custom charges.

Tag Mapping now supports Tag AND Property mapping in same rule
Previously, a tag mapping could only be set up to map a tag or a property, not both. Now, you can map both a tag and a property in the same mapping. These are configured within the Cost > Tags > Tag Mapping report.

Added PDF Export to RI Purchase Recommendation Reports

  • EC2 by Instance
  • EC2 by Frequency
  • RDS

AWS INVENTORY UPDATES

Re-implemented Find AWS Resource functionality to list of accounts page
The main list of accounts page offers the ‘Find AWS Resource’ button and functionality once again. This button allows you to find which account owns specific AWS resources.

Updated RDS List of Instances CSV export
The CSV export from the Inventory > RDS > List of DB Instances has been updated to more closely match the format from the List of EC2 Instances export.

Can now add List of S3 buckets directly to custom reports
You can now save your List of S3 Buckets reports directly to custom reports from the Inventory > S3 > List of Buckets report. Previously you had to use the Create Custom Report functionality to save S3 reports.

Lambda added to the Untagged Resources report
The Inventory > Tagged and Inventory > Untagged Resources reports will now both report against Lambda.

Added inventory tag support for:

  • Glacier
  • DynamoDB
  • ElastiCache
  • Lambda
  • KMS
  • EFS

Added List of Elastic File Systems Inventory reports
A Summary and List of Elastic File Systems report has been added to the Inventory > EFS menu.

CSV export added to Certificate Manager

AWS ALERTING UPDATES

Ability to filter Network Usage alerts by Account
When creating Network Usage alerts within the Cost > Alerts > Manager menu, you now have the ability to filter these alerts by AWS account.

More information added to SNS Alert Notifications
Alerts delivered via SNS will now include details for the alert that was triggered. Previously, the SNS message only stated that an alert was triggered with no other information. Please note that the next update will expand upon the amount of detail being delivered within the SNS alert.

AWS BEST PRACTICE UPDATES

Stale IAM Users check now shows user and password creation date
The data displayed within the Stale IAM Users best practice check has been updated to include the user and password creation date.

Added the ability to configure the IP list in the Blocklisted IP Address Making API Calls check
You now have the ability to configure the IP lists for the Blocklisted IP Address Making API Calls best practice check. To update the check configuration click on the gear icon to the right of that check, which can be found on the Security tab.
NOTE: The IP lists can be created and managed within the Admin Functions list on the main list of accounts page.

10 new best practice checks:

  • IAM Role Policies with full admin privileges
  • Default Security Groups Allowing Traffic
  • IAM Users with Console Access Should Not Have Access Keys That Were Created at Initial User Setup
  • Default Security Groups Should Not Allow Any Traffic
  • Lambda functions with Admin privileges
  • CloudTrail Logs Not Encrypted at Rest Using KMS CMK
  • No support role has been created to manage incidents with AWS Support
  • Rotation not enabled for customer created CMKs for KMS encryption
  • Cloudtrail Bucket(s) Without Access Logging Enabled
  • EC2-Classic Security Groups Inbound Rules With Potentially Dangerous Port 22 Exposed

AWS SECURITY UPDATES

Added KMS Key Id to List of Trails report
The Security > Activity Monitoring > AWS API (CloudTrail) > List of Trails report will now display the KMS key Id, if applicable.

Added ability to view more than 20 connections in VPC Flow Logs
Pagination capabilities have been added to the VPC Flow Logs report, allowing users to view more than the top 20 connections.

11 New CIS Benchmarks

  • 1.18 – Ensure IAM Master and IAM Manager Roles are Active
  • 1.19 – Maintain current contact details
  • 1.2 – Ensure CloudTrail log file validation is enabled
  • 1.23 – Do not setup access keys during initial user setup for all IAM users that have a console password
  • 2.6 – Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • 2.8 – Ensure rotation for customer created CMKs is enabled
  • 3.15 – Ensure appropriate subscribers to each SNS topic
  • 4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
  • 4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 338
  • 4.3 – Ensure VPC flow logging is enabled in all VPCs
  • 4.4 – Ensure The Default Security Group of Every VPC Restricts All Traffic

AWS AUTOMATION UPDATES

Workflows broken into tabs
The Automation > Workflows page has been reorganized into multiple tabs. Non-workflow admin users will see tabs for their open and closed workflows. Workflow admins will see their open and closed workflows, as well as all open and closed admin workflows.

Automation Workflows screen reorganized to display newest items first
Workflows now default to showing the newest items first, making it easier to identify the most recently executed tasks.

Fix-Now Capabilities added to 3 best practice checks:

  • IAM Password Policy Not Enabled
  • CloudTrail Unauthorized Access Attempts
  • EBS Volumes without Recent Snapshot

Fix Now capabilities will now only display on most recent Best Practice Report
When viewing the Best Practice report you will only be able to utilize the ‘Fix Now’ capabilities in the most recent version of the report. Looking at historical reports will disable this functionality.

Usability improvements to Inbound Rules Fix Now capability
The interface and workflow for configuring the Fix Now options for the inbound rules best practice checks have been improved.

AWS UTILIZATION UPDATES

Added instance name and average metrics to Heatmap exports
When exporting Heatmaps to PDF from the Utilization menu, you will now see a second page showing the instance name and instance-specific metrics.


AZURE UPDATES

GENERAL AZURE UPDATES

Added support for South Africa’s North and West locations

AZURE COST UPDATES

Added EA Usage Summary Report
The EA Usage Summary report, available within the Cost > Summary Reports menu, will show details including Balance, Commitment, and Overages, for the agreement.

Custom Charges now support an end date
When creating and editing custom charges within the Cost > Azure Partner Tools > Custom Charges screen, you can now apply an end date to the custom charges.

Performance improvement to the Billing Dashboard
The Cost > Azure Billing > Dashboard report has been revamped, making it load and retrieve data much faster.

Improvements to the following CSV exports:

  • Historical Month Billing Summary
  • Single Day Billing Summary
  • Single Month Billing Summary

Added Profit Analysis report
The Profit Analysis report has been added to the Partner Tools menu.

Can now specify currency and region for billing collection
You can now specify the currency and region for an Azure Inventory account that has billing data collection enabled. This is managed within the Billing Settings menu.

AZURE INVENTORY UPDATES

Added Service Requests Inventory reports for CSP
CSP accounts will now have an Inventory > Service Request menu where details about service requests can be reviewed.

Added List of Application Gateways Inventory report
There is a new List of Application Gateways report. This report can be accessed within the Inventory > Networking menu.

Added Subscription to List of VMs report in Multi-Account Views
When viewing the List of Virtual Machines report within multi-account views, the Subscription where the VM resides will now display.

Added Azure Container Service Inventory Reports
A new Summary and Detailed report has been added to the Inventory > Container Services menu.

Added an Improperly Tagged Resources daily email
You can now have the output of the Improperly Tagged Resources report emailed on a daily basis. This email can be enabled and configured within the Account Settings > Email Settings menu. NOTE: you must first create tag rules within the Cost > Tagging > Tagging Rules menu.

Improved the format of the Improperly Tagged Resources CSV export

Additional data displayed for Redis Cache inventory

Added charts to VM Scale Set Summary
The VM Scale Set Summary report within the Inventory menu now has additional pie charts.

Added Untagged Resources Report
An Untagged Resources report has been added to the Inventory module. This report allows you to see which resources are missing tags, or are missing specific tags.

Added Snapshots to Managed Disk inventory reports
A new report for Snapshots has been added to the Managed Disk inventory.

AZURE SECURITY UPDATES

Added three services to change monitoring:

  • App Service Plans
  • Load Balancers
  • Application Gateways

Redis Cache added to Change Monitoring
The Security > Activity Monitoring > Change Monitor report now reports against changes made to Redis Cache.

AZURE BEST PRACTICE UPDATES

Reorganized Azure Network Security Group check into ‘with’ and ‘without’ resources
The Network Security Group best practice checks have been redone. Now there are two checks for each: one for those groups WITH resources, and one for those WITHOUT.
These are the checks that have been updated:

  • Network Security Groups Outbound Rules Set To All Ports
  • Network Security Groups Inbound Rules with Potentially Dangerous Ports Exposed
  • Network Security Groups Inbound Rules with Specific Ports Exposed
  • Network Security Groups Outbound Rules with Dangerous Ports Exposed
  • Network Security Groups Outbound Rules with Potentially Dangerous Ports Exposed
  • Network Security Groups Inbound Rules Set to All IPs and All Ports
  • Network Security Groups Outbound Rules Set to All IPs and All Ports

Added cost to the details of the App Service Plans with No Apps check
The App Service Plans with No Apps best practice check has been updated to show the cost of the App Service Plan(s) being flagged by the check.

Added 15 New Best Practice Checks

  • Managed Disk without Backup Protection
  • Application Gateway with Web Application Firewall (WAF) Disabled
  • App Services with Unknown resource health
  • App Service Plan without AutoHeal Enabled
  • App Service Plan with under utilized memory
  • App Service Plan with over utilized memory
  • Managed Disk without delete lock
  • Network Security Groups Outbound Rules With Potentially Dangerous Ports Exposed
  • App Service Plan is Unavailable
  • App Service Plan Has Exceeded Usage Quota
  • App Service Plan CPU Under / Over Utilized
  • App Service without Backup Scheduling Enabled
  • App Service with SSL Disabled
  • App Service with Critical Recommendations
  • Idle SQL Server Database Instance

Added SQL DB Advisor recommendations to Best Practice Report
The Azure Advisor tab in the Best Practice report will now also include SQL DB Advisor recommendations.

Added configuration options to Idle SQL Database Instances check
You can now configure the parameters of the Idle SQL Database Instances best practice check, dictating the idle percentage as well as the number of days to check against.

AZURE UTILIZATION UPDATES

Added a Right-Sizing report for Azure SQL
The Utilization menu now includes a Right-Sizing report for Azure SQL.

Added App Service Plan Right Sizing report
A new right sizing report, specific to App Service Plan, has been added to the Utilization menu.

VM Right Sizing updated with information on enabling memory metrics for your VMs
If no memory metrics are available for your virtual machines, the right sizing report will notify you and offer information on how to populate that data.

Collecting SQL DTU metrics
SQL DTU (database transaction units) are now being collected for the SQL databases.