We have been listening to feedback from Botmetric users and actively working on implementing it to make managing AWS cloud infrastructure easier. We are pleased to say that we have some significant updates to Botmetric’s Cloud Insights this June. Botmetric checks for best-practice violations on your AWS infrastructure and provides recommendations under the following four categories:
- Cost Audit
- DR & Backup Audit
- Performance Audit
- Security Audit
We have strengthened Cloud Insights with additional sub-audits. We have also added the ability to notify users when Botmetric has insufficient permissions to perform various audits.
Here’s the complete list of new sub-audits added to Botmetric.
We have added 9 new sub-audits to Security audit
- ELB Security Group
- This audit checks if the inbound rules of an Amazon VPC security group associated with a load balancer allow access to ports that are not defined in the load balancer’s listener configuration.
- ELB Listener Security Audit
- This audit provides a list of ELBs that do not have any listener that uses a secure protocol (HTTPS or SSL).
- Unused IAM Access Keys
- This audit provides a list of IAM access keys that have been unused for the last 30 days or unused since creation. We recommend removing them to improve security and avoid key compromise.
- RDS Security Audit (for VPC SG and for list of ports)
- This audit checks security group configurations for Amazon Relational Database Service (Amazon RDS) and warns if a security group rule grants overly permissive access to your database.
- Account Access Key
- This audit checks whether the root account has an access key associated with it. It is not recommended to have an access key associated with your root account.
- IAM Admin Roles Audit
- This audit provides a list of users having full admin access. We advise removing them or reducing their access.
- IAM Password Policy
- This audit provides a list of IAM users whose password policy is not enabled.
- IAM MFA Audit
- This audit provides a list of IAM users for whom multi-factor authentication has not been enabled. This is a security threat, as the username and password could be compromised, so enabling MFA is recommended for all IAM users.
- IAM Policy (for Managed Policies)
- This audit provides a list of IAM users having complete IAM admin access. This is a potential security threat, as the user can take any action on any resource, so we recommend a periodic review of all admin users. This sub-audit now also checks user access rights granted via the new AWS Managed Policies.
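The Unused IAM Access Keys, Account Access Key and IAM MFA audits described above can all be evaluated from the IAM credential report. The following is an added example, not Botmetric's code: the report rows are constructed, and the function name and the rule of flagging missing MFA only for users with a console password are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the IAM credential report
# (only the columns this check reads; a real report has more).
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,true,true,2016-01-10T09:00:00+00:00,2016-05-30T08:00:00+00:00,false,N/A,N/A
alice,true,false,true,2016-02-01T09:00:00+00:00,2016-06-10T12:00:00+00:00,false,N/A,N/A
bob,false,false,true,2016-03-01T09:00:00+00:00,N/A,true,2016-01-05T09:00:00+00:00,2016-04-01T10:00:00+00:00
carol,true,true,false,2015-11-01T09:00:00+00:00,2015-12-01T09:00:00+00:00,false,N/A,N/A
"""

def audit_credential_report(report_csv, now, max_idle_days=30):
    """Return findings for root access keys, missing MFA and unused keys."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = {"root_access_key": False, "no_mfa": [], "unused_keys": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Assumption: MFA is only flagged for users who have a console password.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings["no_mfa"].append(user)
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive or absent keys cannot be used
            if user == "<root_account>":
                findings["root_access_key"] = True
            last_used = row[f"access_key_{n}_last_used_date"]
            if last_used == "N/A":
                # Active key that has never been used since creation.
                findings["unused_keys"].append((user, n, "never used"))
            elif datetime.fromisoformat(last_used) < cutoff:
                # Active key whose last use is older than the idle window.
                findings["unused_keys"].append((user, n, "idle"))
    return findings

if __name__ == "__main__":
    now = datetime(2016, 6, 15, tzinfo=timezone.utc)  # constructed "today"
    print(audit_credential_report(SAMPLE_REPORT, now))
```
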
We have added 3 new sub-audits to Performance audit
- High CPU Utilization EC2 Instances
- This audit provides a list of EC2 instances that have more than 90% daily average CPU utilization in at least 4 of the previous 14 days.
- Over Attached Security Rules Instance
- This audit provides a list of EC2 instances that have a large number of security rules attached. We recommend having less than 50 security rules per instance to avoid network performance degradation.
- Over Attached Security Rules Security Group
- Similarly, having a large number of security rules attached to a security group is not recommended. Botmetric provides a list of such security groups that need your attention.
We have added 8 new sub-audits to DR audit
- ELB Optimisation
- This audit provides a list of ELBs having instances attached from one availability zone or instances that are unevenly distributed among different availability zones. For better Fault Tolerance, EC2 instances must be evenly distributed among different availability zones.
- RDS Multi AZ
- Checks for DB instances deployed in a single Availability Zone.
- ELB Connection Draining
- This audit provides a list of load balancers (ELBs) that don’t have connection draining configured. We recommend enabling connection draining to ensure in-flight requests are handled gracefully during auto-scaling termination or unhealthy instance removal events.
- ELB Cross Zone
- This audit provides a list of load balancers (ELBs) that should be configured to use the cross-zone load balancing option. This ensures that requests are evenly distributed across all backend instances irrespective of availability zones.
- EC2 Availability Zone
- This audit provides a list of regions that have instances in the same availability zone, or in multiple zones but with an uneven distribution of instances.
- Auto Scaling Group
- Examines the health check configuration for Auto Scaling groups.
- AutoScaling Group resource Audit
- This audit checks if any of the Auto Scaling groups are associated with a deleted load balancer or a launch configuration is associated with a deleted Amazon Machine Image (AMI).
- Route53 High TTL RR Set
- This audit checks if the resource record set has a TTL greater than 60 seconds and has an associated health check or its routing policy is Failover.
We have added 5 new sub-audits to Cost audit
- ELB Under Utilisation
- This audit checks whether any of your Elastic Load Balancing load balancers are not actively used.
- Low CPU Utilization EC2 Instances
- This audit provides a list of EC2 instances having less than 10% daily average CPU utilization in at least 4 of the previous 14 days.
- Under Utilized EBS Volumes
- This audit provides a list of EBS Volumes that are unmounted or attached to a stopped machine. If it has less than 1 IOPS per day for the past 7 days, we recommend volume removal after taking a snapshot.
- Unused RDS
- This audit provides a list of DB (RDS) instances that have had no connections for a prolonged period of time. We recommend shutting down these instances to reduce cost.
- EC2 Stopped Instance
- This audit provides a list of EC2 instances that were stopped at least 7 days ago. We recommend creating an AMI of these instances and terminating them to reduce cost.
In addition to the above-mentioned Cloud Insights sub-audits, the following are some of the other major product updates:
- Users can now use click-to-fix to remove the security groups listed under Unused Security Groups Audit. This feature was requested by one of our customers.
- While executing a Cloud Insights audit, users will now be notified of audit items for which sufficient permissions have not been provided to Botmetric. Users can then add those permissions and get results for those sub-audits in future audits.
- Users will also be notified of the instance name when using click-to-fix for a volume snapshot. This was also a customer request.
- Cloud Automation jobs can now be modified, and a custom cron expression can be provided during cron job creation.
It has been an action-packed month for Botmetric, especially for Cloud Insights. You can expect more additions to the Cloud Automation jobs list and a lot of improvement in Cost Analytics this month. If you already have an account with Botmetric, you can track the product updates here. You can also follow Botmetric on Twitter for the latest product updates.
Don’t have Botmetric as part of your team yet? Don’t wait!