December 6, 2018

CIS AWS Foundations Security Policy — General Availability

We are pleased to announce the general availability of the CloudHealth CIS AWS Foundations Security Policy. You can see your security risk exposure and violations in the Security Violation Report, as well as the policy engine.

The following CIS policies have recently been added:

  • Avoid the use of the "root" account

  • Ensure MFA is enabled for the "root" account

  • Ensure hardware MFA is enabled for the "root" account

  • Ensure IAM policies are attached only to groups or roles

  • Ensure a support role has been created to manage incidents with AWS Support

  • Do not set up access keys during initial user setup for all IAM users that have a console password

  • Ensure IAM policies that allow full "*:*" administrative privileges are not created

  • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

  • Ensure AWS Config is enabled in all regions

  • Ensure rotation for customer created CMKs is enabled 

  • Ensure VPC flow logging is enabled in all VPCs

  • Ensure a log metric filter and alarm exist for unauthorized API calls

  • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA 

  • Ensure a log metric filter and alarm exist for usage of "root" account

  • Ensure a log metric filter and alarm exist for IAM policy changes

  • Ensure a log metric filter and alarm exist for CloudTrail configuration changes 

  • Ensure a log metric filter and alarm exist for AWS Management Console authentication failures 

  • Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs 

  • Ensure a log metric filter and alarm exist for S3 bucket policy changes 

  • Ensure a log metric filter and alarm exist for AWS Config configuration changes 

  • Ensure a log metric filter and alarm exist for security group changes 

  • Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 

  • Ensure a log metric filter and alarm exist for changes to network gateways 

  • Ensure a log metric filter and alarm exist for route table changes 

  • Ensure a log metric filter and alarm exist for VPC changes 

  • Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 

  • Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 

  • Ensure the default security group of every VPC restricts all traffic
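As an added illustration, not CloudHealth's implementation, the following Python evaluates four of the controls above (port 22 and 3389 ingress from anywhere, the default security group, and full "*:*" administrative policies) against security-group descriptions in the shape EC2 DescribeSecurityGroups returns and against IAM policy documents; the sample groups and policies are constructed.

```python
# Added example, not CloudHealth's code: offline checks for four of the CIS controls above.
# Input shapes follow EC2 DescribeSecurityGroups and IAM policy documents; samples are constructed.
OPEN_WORLD = ("0.0.0.0/0", "::/0")

def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]

def rule_opens_port(perm, port):
    """True if one IpPermissions entry exposes TCP `port` to the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    if not any(c in OPEN_WORLD for c in cidrs):
        return False
    if perm["IpProtocol"] == "-1":        # "-1" = all protocols, all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def open_admin_port_findings(groups):
    """Groups allowing ingress from 0.0.0.0/0 or ::/0 to port 22 or 3389."""
    return [(sg["GroupId"], port) for sg in groups for port in (22, 3389)
            if any(rule_opens_port(p, port) for p in sg["IpPermissions"])]

def default_sg_unrestricted(groups):
    """Default security groups that still carry any ingress or egress rule."""
    return [sg["GroupId"] for sg in groups if sg["GroupName"] == "default"
            and (sg["IpPermissions"] or sg["IpPermissionsEgress"])]

def is_full_admin_policy(doc):
    """True if any Allow statement grants Action "*" on Resource "*" ("*:*")."""
    return any(s.get("Effect") == "Allow"
               and "*" in _as_list(s.get("Action", []))
               and "*" in _as_list(s.get("Resource", []))
               for s in _as_list(doc["Statement"]))

SAMPLE_GROUPS = [  # constructed
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-all", "GroupName": "legacy", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-default", "GroupName": "default", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_POLICY = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": ["s3:Get*"], "Resource": "*"}}
```

An all-protocols rule ("-1") is flagged for both ports even though it names no port range, and a default group counts as unrestricted only once every inbound and outbound rule has been removed.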

These policies are enabled by default for all customers. Learn more about the CloudHealth CIS AWS Foundations Security Policy in this Help Center article.

CIS Azure Security Policy -- Asset Collection for Azure AD Users

A few weeks ago, we announced the new asset metadata collection that began in an effort to support the CloudHealth CIS Azure Foundations Security Policy. We are continuing to add support for additional Azure services and are excited to announce that we are now collecting Azure Active Directory Users.

In order to collect the required metadata in CloudHealth, you will need to add the reader role to your Service Principal for Azure Active Directory. To do so, please follow the steps outlined in this Help Center article.

Billing Account Support for Google Cloud Platform -- Coming Soon

In the near future, we will be adding support for Billing Accounts. Moving forward, you will not be able to configure projects within CloudHealth. You will need to configure your Billing Accounts in CloudHealth and all projects will then be derived. For existing customers, no action is required. CloudHealth will be creating a Billing Account automatically for each Master Project configured. During this transition, the Billing Statements Report may be temporarily blank for up to 12 hours as we regenerate billing statements for each Billing Account.

BigQuery Billing Export for Google Cloud Platform -- Coming Soon

Google Cloud Platform provides two ways to export your billing data. Currently, CloudHealth supports billing data via CSV exports only. Over the coming months we plan to add support for BigQuery billing exports as well. You will get a richer data set and your billing history will start from the day BigQuery is turned on. BigQuery provides more granular details and is refreshed every 4 hours. We plan to use these details to get more accurate and detailed costs. Please note, adding BigQuery exports will only increase your spend by a few cents every month. For example, a BigQuery Table with 10GB of storage, 1GB of streaming inserts and 1TB of queries will cost $0.25 per month ($3 per year).  

To learn how to enable billing export to BigQuery, view this Google Cloud article.

Cost Allocation Support for Additional AWS Services

As previously announced, we have developed a more comprehensive approach for extracting asset attributes from bills to allocate costs for AWS services using AWS and CloudHealth tags. 

We have updated costs for the following services:

  • Amazon Gamelift

  • Amazon Kinesis Analytics

  • Amazon Lex

  • Amazon MQ

  • Amazon Pinpoint

  • Amazon Route53 Traffic Policies

  • Amazon Simple Email Service

  • AWS Elemental MediaLive

  • AWS Elemental MediaStore

  • AWS Greengrass

  • AWS OpsWorks

  • AWS Shield

  • AWS Snowball

  • AWS Web Application Firewall

Previously, the costs for these services were included as indirect costs. Going forward, costs associated with the services mentioned above will be distributed into the following direct charges:

  • Elemental MediaLive - Input

  • Elemental MediaLive - Output

  • Elemental MediaLive - Data Transfer

  • Elemental MediaStore - API Request

  • Elemental MediaStore - Data Transfer

  • Elemental MediaStore - Storage

  • GameLift - Data Transfer

  • Greengrass - Active Device

  • Kinesis Analytics - KPU Hour

  • Lex - Request

  • MQ - Broker Instance

  • OpsWorks - Node Hour

  • Pinpoint - Messages Sent

  • Route 53 - Traffic Flow

  • Shield - Subscription

  • Shield - Load Balancing

  • Shield - Elastic IP

  • Shield - CloudFront

  • Simple Email Service - Dedicated IP

  • Snowball - Data Transfer

  • Snowball - Extra Day Charge

  • Snowball - Service Fee

  • WAF - WebACL

  • WAF - Rule

  • WAF - Request

And the following indirect charges:

  • Elemental MediaLive - Input

  • Elemental MediaLive - Output

  • Elemental MediaLive - Other

  • Elemental MediaStore - Other

  • GameLift - Instance

  • GameLift - Other

  • Greengrass - Other

  • Kinesis Analytics - Other

  • Lex - Other

  • MQ - Other

  • OpsWorks - Other

  • Pinpoint - Events Collected

  • Pinpoint - Other

  • Shield - Other

  • Simple Email Service - Dedicated IP

  • Simple Email Service - Data Transfer

  • Simple Email Service - Email Message

  • Simple Email Service - Incoming Mail Chunks

  • Simple Email Service - Other

  • Snowball - Extra Day Charge

  • Snowball - Import/Export

  • Snowball - Other

  • WAF - WebACL

  • WAF - Rule

  • WAF - Request

  • WAF - Other

For the services mentioned above, we will be using CloudHealth tags and Resource IDs for cost and asset allocation because these services cannot have AWS tags. This allocation will be applicable to the past 13 months. We recommend that you update your reallocation rules for any ‘<Service> - Other’ indirect charges.

Support for Amazon EC2 A1 & C5n Instances

AWS recently announced the latest additions to the EC2 Instance family tree: A1 & C5n instance types. These instance types are now supported across the platform including cost and usage reports, RI recommendations, amortization, Perspectives, rightsizing, and policies.

Unattached Disk Policy for Google Cloud Platform

You can now create a policy to identify unattached Compute Disks within your Google Cloud environment.