What's New (Self-Hosted)

September 2018

CloudCheckr has published an update to its self-hosted offering. This update adds several new features and reports to the application.

You can obtain this update by downloading the newest version from the marketplace where you purchased CloudCheckr originally, or by contacting your CloudCheckr account manager.

Please note that, after the update is installed, new features and reports may not all appear in your account until CloudCheckr performs report updates against these changes.

For information on how to get started with the self-hosted offering, click here.

Details of the Update:

GENERAL UPDATES

Performance Improvements

Page load time improvements
Improvements were made to the load times for reports across the application.

Performance of the list of accounts page has been improved
When navigating to the main list of accounts page (the landing page upon logging in) the page will now load faster.

Improved experience for users utilizing IE11
Bug fixes and usability enhancements to allow for a better user experience with Internet Explorer 11.

 

UI Updates

The report navigation and user interface have been revamped
The new design takes a lot of cues from the mobile app world and frees up more of the screen’s real estate for CloudCheckr’s extensive reports. Previously, the side menu had a long list of text-based menu options. Now, the app shows icons for categories like Cost, Best Practice Checks, Security, Utilization, and Automation. Once an icon is selected, the familiar text menu displays. Select a task and the menu goes away. The header also takes up less vertical space by using icons and a “hamburger” (three horizontal lines, like a slice of meat between a bun) menu, similar to a mobile app.


Added Report/Settings search to the application
When logged into any account you will now find a search bar at the top of the application. You can type into the search and CloudCheckr will display a list of reports that match that term. You can then click on the name of the report you would like and you will automatically be taken to that report. That allows you to bypass the left-hand report navigation and more easily and quickly find the reports you’d like to view.

Redesigned report action icons
The action icons in the reports (CSV and PDF exports, show/hide filters, and bookmarks) have been redesigned, making it easier to identify the icons and understand what each does.

What’s New moved in the application
The What’s New section has been removed from the main list of accounts page. You can now find it by clicking on the Settings icon in the top-right corner of the application, from any page within the application. Simply select ‘What’s New’ from the menu and a pop-up will display, showing the details of the latest updates.

Improvements to navigation tooltips
When hovering your mouse over the left-hand report navigation menu, or the top navigation menu, text will display listing its corresponding report/page.

Redesigned the Best Practice Report check icons
The icons to the right of the best practice checks have been completely redesigned, making it easier to see and easier to know what action each icon leads to.

Updated terminology in List of Accounts page
In the list of accounts page the terms “Payer” and “Payee” have been re-named “Parent” and “Child”. You will see this in the checkboxes that are used to filter the list of accounts.

Copying Bookmark links to clipboard will now give ‘Success’ message

Can now add a secondary custom logo for the app (versus emails and reports)
Because the new UI design will modify the space for the custom logo and its background color, you now have the ability to upload a logo solely for the header. If no header logo is specified, the default custom logo will be used for the application header. Supported file types: jpg, png & gif. For best display we recommend an image with a height no larger than 26 pixels. Custom logos can be managed by Admin users by clicking on the Settings icon at the top of the app and selecting ‘Customization’ from the dropdown menu.

Custom Logos will now display properly in the Safari web browser.

 

Access Management Improvements

New Read-Only user role
A new Read-Only user role has been added to the application. Users with this level of access can view all reports/features that they have been granted access to, but will not be able to make any updates, save reports, or make any other changes to an account.

Can now support multiple SSO providers in a single customer
CloudCheckr now supports multiple Single Sign-On providers within a single customer account. If you would like to take advantage of this new capability, please use the CONTACT SUPPORT button at the top of this page to get in touch.

Can now add users to multiple user groups
You now have the ability to assign a user to multiple user groups. When creating or editing a user, the ‘Group Permissions’ option will be a multi-select list instead of a dropdown, allowing you to add the user to as many groups as you would like.
NOTE: The user will inherit ALL permissions within the groups that they are assigned. For example, if a user is added to Group A and Group B, and Group A gives access to the Billing Dashboard for Account1 and Group B does NOT give access to the Billing Dashboard for Account1, the user will have access to the Billing Dashboard.

Tiered customers can now inherit SSO Identity Provider from their parent
Child customers, in a tiered customer configuration, can now inherit the SAML SSO authentication option enabled within the parent customer.

Add/Edit User Group Permissions are now alphabetically sorted
When Admin users are adding or editing users, the list of groups within the ‘Group Permissions’ dropdown will now be sorted alphabetically.

List of Users can now be sorted by the Name column
Admin users can now sort the Name column of the list of users alphabetically. Note that sorting will be added to other columns in future updates.

 

Application-wide Features

Added Integrations to the Alerts notification options
We have added a single location to manage integrations for alert and best practice notifications. These integrations can all be managed within the Account Settings > Configurations > Integrations page. When configuring your alerts, the notification options set up on this page will be available as the notification method. These will include SNS, Syslog, Service Now and Slack.

NOTE: When configuring Service Now as an integration, you will be prompted to enter the following details from Service Now: Instance, ClientId, ClientSecret, Username, Password, and Assignment Group / sys_id.

 

Dashboard Updates

Admins now have access to all Dashboards by default
Admin users will now be able to view all dashboards within their account. Previously they had to be manually assigned to a dashboard to be able to view the dashboard.

New Dashboard Pane:

  • Advanced Grouping Saved Filter

Cost for Saved Filter Over Time Dashboard pane drills into Adv. Grouping report
When viewing the ‘Cost for Saved Filter Over Time’ pane within the Dashboard, you’ll now see a link within the pane. Clicking that link will take you directly to the Advanced Grouping report within that account, filtered to the saved filter and time range.

 

Miscellaneous Updates

Report emails will now be sent from ‘no-reply@cloudcheckr.com’
Report emails that were previously being sent from ‘support@cloudcheckr.com’ will now be sent from ‘no-reply@cloudcheckr.com’. This will allow you to set up email rules to process the report updates without affecting communication from the CloudCheckr support team. Please review your email filters related to CloudCheckr.

Whitelabel Customers can have customized alert sender address
Whitelabel customers can now designate a sender address to replace emails that are sent from alerts@cloudcheckr.com. Please contact support@cloudcheckr.com if you would like to take advantage of this new capability.

 

API UPDATES

Added API Keys for multi-account views
You can now create dedicated API keys for multi-account views. These can be created and managed by loading a multi-account view and navigating to the Account Settings > API Access Keys menu.

52 New API Calls:

  • account/add_third_party_account
  • account/add_third_party_accounts
  • account/edit_third_party_account
  • account/edit_third_party_accounts
  • account/get_third_party_account
  • account/get_third_party_accounts
  • account/delete_third_party_account
  • account/delete_third_party_accounts
  • save_best_practice_notification_v2
  • alert/add_cost_alert_percent
  • billing/delete_detailed_billing_grouped_filter
  • billing/schedule_invoice
  • account/forgot_password
  • billing/get_tag_rules
  • billing/add_tag_rule
  • billing/delete_tag_rule
  • billing/create_detailed_billing_grouped_filter
  • billing/schedule_report_email_advanced_grouping
  • admin/list_reseller_links_v2
  • get_resources_ec2_hosts
  • get_resources_vpc_vpn_connections_details
  • get_resources_route_tables
  • get_resources_customer_gateways
  • get_password_policy
  • get_cloudtrail_trails
  • get_resources_vpc_vpn_gateways
  • get_vpc_subnets
  • get_resources_aws_internet_gateways
  • get_resources_ec2_network_interfaces
  • account.json/add_acls_per_account_per_group
  • account.json/add_user_to_group
  • account.json/clone_group
  • account.json/create_group
  • account.json/delete_acl_from_group
  • account.json/delete_group
  • account.json/get_access_control_list
  • account.json/get_accounts_by_group
  • account.json/get_acls_per_account_per_group
  • account.json/get_groups_v2
  • account.json/get_users_by_group
  • account.json/remove_users_from_group
  • billing/add_custom_billing_charge_fixed
  • billing/edit_custom_billing_charge_fixed
  • billing/delete_custom_billing_charge
  • billing/delete_custom_billing_charge_fixed
  • billing/delete_custom_billing_charge_monthly_percent
  • billing/delete_custom_billing_charge_percent_all_charges
  • billing/azure_add_custom_billing_charge_fixed
  • best_practice/ignore_best_practice
  • billing/get_billing_detailed_grouped_pdf
  • billing/add_undiscovered_aws_account_id
  • billing/azure_add_custom_billing_charge_monthly_percent

Added 34 new compliance frameworks to get_best_practices_v3
The output of the get_best_practices_v3 API call will now include mappings to 35 compliance frameworks (including CIS, HIPAA, NIST, PCI, and ISO). You can use the filter_by_compliance_controls parameter with this call to retrieve results from specific frameworks. In a future update, these frameworks will also be added to the application, making them accessible within the Security reports.

Added two optional parameters to create_account_family and modify_account_family API Calls:

  • Project Code
  • Payment Terms

Added new optional parameter to get_best_practices_v3:

  • filter_by_compliance_controls

Added Azure support for:

  • account/get_improperly_tagged_resources
  • billing/get_billing_detailed_grouped_pdf
  • billing/get_improperly_tagged_resources

Added Azure Security Center information to output of:

  • get_best_practices_v2

Added additional output fields to:

  • get_resources_virtual_machine_details

AWS UPDATES

 

AWS GENERAL UPDATES

Improved error messaging when entering account credentials
You will now see a better error response when failing to add/update credentials to an account.

AWS Account Id now included in payload of alerts delivered to SNS topics
The alerts sent through an SNS Topic will now include the AWS account Id.

Add/Edit Credentials page instructions improved
The page where AWS Credentials are added/edited has been updated to match recent changes made to the AWS Console.

 

AWS COST UPDATES

Historic DBRs will now lock automatically
When a historic billing month is processed, CloudCheckr will automatically lock that month. This will prevent any unanticipated reloading of data.

Improvements to Reload DBR page
In addition to renaming the page to “Reprocess Detailed Billing Report”, months will now be disabled when selected for reprocessing, making it clearer which months you’ve set to reprocess.

Redesigned Account Families
The Account Families user experience has been completely redesigned. In addition to a new interface, you now have the ability to choose custom charges for the families, add project codes, and establish payment terms.

Can now choose usage date range for RI Purchase Recommendations
Within the Cost > Reserved Usage > EC2 > Purchase by Instance and Purchase by Frequency reports, you now have the ability to choose the usage date range that will be used to make RI purchase recommendations. You can choose between 30 (default), 60, 90, and 180 days.

Added DynamoDB to RI Historical Savings report
Support for the DynamoDB service has been added to RI Historical Savings report.

Amortization now supports RDS and EC2 Flex RIs
If amortization is enabled within your account (this can be configured within the Cost > AWS Partner Tools > Configure Custom Cost menu), RDS and EC2 Flex RIs will now be properly accounted for.

Added Redshift and Elasticache to RI Historical Savings report
The Cost > Reserved Usage > Historical Savings report now supports Redshift and Elasticache, in addition to EC2 and RDS.

Added support for RDS Flexible Reserved DB Instances

Amortization now supported for Dedicated Host RIs

Supporting All Upfront RIs within the Cost and Usage report
CloudCheckr can now retrieve the All Upfront EC2 Reserved Instance inventory from the Cost and Usage report to be used for List Cost RI unsharing.

Project Code added to filters and grouping in Advanced Grouping
In a previous update we added a Project Code field to Account Families. You can now create cost reports within the Advanced Grouping report focused on these Project Codes. You can both filter and group by Project Code within the report.

Can now Group and Aggregate the Advanced Grouping report by week
Users now have the ability to both aggregate and group their cost data by Week within the Advanced Grouping report. With this update you can now view your data by day, week, or month.

New export option added to Profit Analysis
Previously when exporting the Profit Analysis report to CSV it would include both a summary and grouping by account. Now you have the ability to differentiate between the two and export separately.

Standardization improvements to Cost Savings CSV Export
The Cost Savings CSV export has been improved. With this update the same columns for different services (EC2 and RDS, for example) will be in the same order.

List of Redshift Reserved Nodes CSV export maintains filters
Now, when applying filters to the Redshift Reserved Nodes report and generating a CSV export, the export will only contain those nodes that were listed within the report upon export.

Added Instances using RIs to the EC2 and RDS List of Reserved Instances exports

Added spot savings to CSV export from the Cost Savings report
CSV exports from the Cost Savings report will now include the potential spot savings.

Added currently running instances to the RI Purchase Recommendations CSV export
A “Currently Running Instances” column has been added to the CSV export of the EC2 RI Purchase Recommendation report.

Added additional filter options to List Cost Analysis
You can now filter the List Cost Analysis report (found within the AWS Partner Tools menu) by Project Code and/or Charge Type.

Added the ability to enable/disable CUR processing
We have added the ability to enable/disable processing the AWS Cost and Usage Report. This can be managed within the Account Settings > Cost And Usage Report screen.

Enterprise Support added as Payee Support option
When configuring Payee Support charges within the Cost > AWS Partner Tools menu, in addition to Business Support, you can now have CloudCheckr calculate and apply Enterprise Support fees.

Added additional filter options to RI Mapping
The Cost > Partner Tools > Configure > Reserved Instance Mapping report has been updated, allowing you to filter on additional criteria.

DBR Export delivery improvements
When exporting a copy of the DBR you will now be given a download link to obtain the file. This will allow for more consistent and reliable downloads.
NOTE: The link will expire after 24 hours.

Added the ability to generate invoices with increased decimal precision
When generating invoices you now have the ability to show precise values, which is controlled with a checkbox. Enabling precise values will display the line items out to the maximum number of decimals provided by AWS. Please note that the total will still be rounded to two digits.

Added Account Id search to Cost Summary reports
The Account Id dropdowns within the Cost Summary reports now have a search box that allows you to find accounts by Id or Name.
This is supported for reports within the Cost > AWS Billing > Summary Reports menu.

Added pagination to Profit Analysis
The Profit Analysis report, found within the Cost > AWS Partner Tools > Report menu, now supports pagination, making it easier to navigate a large number of accounts.

 

AWS TOTAL COMPLIANCE UPDATES

HIPAA Compliance page added
Within the Security > Secure Configuration menu, you will now have access to a HIPAA Compliance Controls report. Similar to the CIS Benchmarks report, this page will map HIPAA compliance controls to CloudCheckr’s best practice checks, alerting you on those that are not set correctly according to HIPAA’s guidelines.

7 New CIS Benchmarks:

  • 1.17 Enable Detailed Billing
  • 1.21 Ensure IAM Instance Roles are used for AWS resource access from Instances
  • 1.24 Ensure IAM Policies that allow full “*:*” admin privileges are not created
  • 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls
  • 3.14 Ensure a log metric filter and alarm exist for VPC changes
  • 3.3 Ensure a log metric filter and alarm exist for usage of “root” account
  • 3.4 Ensure a log metric filter and alarm exist for IAM policy changes

CIS Benchmark report can now be delivered via weekly/monthly email
You can now have the CIS Benchmark report delivered to your inbox on a weekly and/or monthly basis. These emails can be enabled within the Account Settings > Email Settings menu.

Added text box to some CIS Benchmarks
You can now save notes within specific CIS Benchmarks that are visible to other users within your account.

 

AWS BEST PRACTICE UPDATES

Removed the Best Practice Dashboard view
The Dashboard version of the Best Practice report has been removed.

Expiring RI Best Practice Checks will now include instance count
The Best Practice report checks that focus on expiring reserved instances will now include the number of instances within the reservation.

Improved experience when re-building historic Best Practice Checks within MAVs
When loading an historic Best Practice Check report in large accounts, we may need to re-build the data for the report. In these situations, a back-end process will run to rebuild the data which can take 5-60 minutes, depending on the amount of data. Previously the historic report was inaccessible until this process completed. With this update, the checks will be available immediately for view, however, the details of the checks (when you expand) will still be rebuilt in the background.

Best Practice report drilldown into CIS Benchmark report
Best Practice checks that map only to CIS Benchmarks will now allow you to drilldown from the Best Practice report directly to that check within the CIS Benchmark report.

Blocklisted IP Address best practice check configuration popup improved
When configuring the Blocklisted IP Address Making API Calls best practice check, the screen where you choose the IP lists has been enhanced, allowing you to search and filter.

Performance improvements when loading the Best Practice report

11 New Best Practice Checks:

  • Log metric filter and alarm do not exist for Management Console sign-in without MFA
  • Log metric filter and alarm do not exist for CloudTrail configuration changes
  • Log metric filter and alarm do not exist for AWS Management Console authentication failures
  • Log metric filter and alarm do not exist for disabling or scheduled deletion of customer created CMKs
  • Log metric filter and alarm do not exist for S3 bucket policy changes
  • Log Metric Filter and Alarm Do Not Exist for Usage of “Root” Account
  • Detailed Billing Enabled
  • EC2 Instances Not using IAM Profile role
  • SNS Topics that Allow ‘Everyone’ to Publish
  • SNS Topics that Allow ‘Everyone’ to Subscribe
  • IAM User Policies with full admin privileges

 

AWS SECURITY UPDATES

CloudTrail Performance increases for retrieval of historical CloudTrail data
Improvements have been made to the CloudTrail historic data retrieval process, allowing the data to populate within the accounts much faster.

AWS Config & VPC Flow Log Data Processing Improved
The speed of processing the data from both VPC Flow Logs and AWS Config has also been greatly improved.

Alerting On/Off flag for CloudTrail Alerts updated and color-coded
The slider that allows you to turn CloudTrail Alerts on and off has been re-designed. The new slider is color coded, making it easier to identify those alerts that are currently enabled.

Added support for Elastic File Store in Change Monitoring
The Security > Activity Monitoring > Change Monitoring report will include changes found within the Elastic File Store service.

Changes made to the Blocklisted IP lists are now saved to the Admin Audit Log
The Admin Audit Log, which is accessible through the Admin Functions on the list of accounts page, now will include changes made to the Blocklisted IP lists.

Added ability to manage blocklists in the Blocklisted IP address making API calls CloudTrail alert
When creating a copy of the Blocklisted IP address making API calls CloudTrail alert you now have the ability to choose the blocklists that the alert utilizes.

Improved large PDF export requests from List of VPCs report
When exporting more than 100 VPCs from the Security > Secure Configuration > VPC > List of VPCs report, CloudCheckr will deliver the PDF via email.

CSV export added to List of NAT Gateways report
The List of NAT Gateways report (found within the Security > Secure Configuration menu) now supports exports to CSV.

List of VPCs CSV export improvements
The CSV export from the Security > Secure Configuration > VPC > List of VPCs report has been updated to include all fields available within the report.

5 New CloudTrail Pre-Built Alerts:

  • User without MFA making console logins
  • CloudTrail configuration changed
  • CMK disabled or scheduled for deletion
  • Unauthorized API call
  • Changes have been made to route table

 

AWS INVENTORY UPDATES

Added support for X1e & C5 EC2 instances

Date value for each row added to the EC2 History by Time CSV Export
The exported CSV file from the Inventory > Trending > EC2 History by Time report will now include the date for each row.

Added ability to filter S3 Buckets Not Enforcing Server-Side Encryption With A Bucket Policy check by tag
The S3 Buckets Not Enforcing Server-Side Encryption With A Bucket Policy best practice check can now be filtered by tag.

Added filtering capabilities to the IoT Inventory report
You can now filter the Inventory > IoT > List of Things report by Name and Attribute.

List of IAM Users report added to Inventory Custom Report Builder
When creating custom reports within the Inventory > Custom Reports > Builder you will now have an option to build an ‘IAM Users’ report.

 

AWS AUTOMATION UPDATES

Descriptions for Fix Now actions more clearly written
When executing a Fix Now function within a best practice check, you will now see a list of the steps being taken to execute the request.

Fix Now checks will now display missing permissions
When attempting to set a best practice check to ‘Fix Now’, you will now be alerted to any missing permissions needed to execute the request.

Added Fix Now capabilities to the following Best Practice checks:

  • No IAM Administrators Group Found
  • Regions without AWS Config Enabled check
  • S3 Buckets That Allow Authenticated Users To Access Billing Report Log Files
  • S3 Buckets That Allow Everyone Access to Billing Reports
  • S3 Buckets With Logging Not Enabled
  • IAM Users That Do Not Belong To Groups
  • IAM Role Policies with Full Admin Privileges
  • S3 Buckets That Allow Everyone Access to CloudFront Log Files
  • S3 Buckets That Allow Authenticated Users Access to CloudFront Log Files
  • SQS Queues with Permissions set to Everyone check
  • S3 Public Sensitive Objects Stored
  • S3 Public Sensitive Objects Stored Permission Set To Authenticated Users
  • EBS Volumes with Excessive Snapshots check

‘Fix Always’ option now restricted to only Admin users for Fix Now checks
When clicking on the Fix Now button within a best practice check only Admin users will see the ‘Fix Always’ option. Non-Admin users will only have the option to fix now.

Removed Self-Healing ability for resizing EC2 instances
The ability to have EC2 instances automatically right-size has been removed to eliminate the possibility of critical instances being unexpectedly impacted.

Added Self-Healing support for 3 checks
Within the Automation > Setup menu you can now set the following checks to be ‘Self-Healing’, meaning that CloudCheckr will automatically fix these when any issues are detected:

  • EBS Volumes With No Recent Snapshots (30 days)
  • EBS Volumes With No Recent Snapshots (7 days)
  • EBS Volumes Without A Snapshot

AZURE UPDATES

 

AZURE GENERAL UPDATES

CloudCheckr can be configured as an SSO app in Azure Active Directory
You now have the ability to add CloudCheckr as an SSO app within your Azure portal. If you would like to configure this option with your account, please contact support@cloudcheckr.com.

Added Support for the Germany region
When configuring a new account, the “Select the Azure Account Type” option will now include ‘Azure Germany’ as an option. Choose this when setting up an account from the Germany region to ensure proper reporting.

New Active Directory Account Type
When adding accounts to Azure, you now have the option to collect information from Active Directory. In addition to Active Directory information, this account type also allows us to report against Office 365.

Added support for tiered reseller configuration
MSP customers that have their own resellers can now create Level 2 Azure resellers. Previously this was only supported for AWS.

Automatically set currency / region when creating new accounts
CloudCheckr will now try to automatically set the billing currency and/or region of an account. If it can’t, these values can be set within the Account Settings > Edit Billing Configuration menu.

Allow a user to not import certain subscriptions under a CSP or EA account
Within the Account Settings > Edit Billing Configuration menu you now have the ability to exclude costs from any subscription from being retrieved by CloudCheckr. When configuring this option be sure to enter only the Subscription GUID associated with the subscription.

New notification message when EA account has account-level access keys instead of enrollment
You will now be notified if the credentials added to your Enterprise Agreement account use account-level access keys instead of enrollment access keys. Enrollment access keys are recommended as they provide additional data that’s not available with account-level keys.

Added support for new Enterprise Billing APIs
With this behind-the-scenes update we now support the new Billing API.

 

AZURE COST UPDATES

Subscription Family redesign
The Subscription Families user experience has been completely redesigned. In addition to a new interface, you now have the ability to choose custom charges for the families, add project codes, and establish payment terms.

Invoice Generator can now be ordered by invoice amount
The Azure Invoice Generator (accessed within the Cost > Azure Partner Tools > Report menu) now has the option to sort the list of subscription families by invoice amount or alphabetically.

Can now choose usage date range for RI Purchase Recommendations
Within the Cost > Reserved Usage > Recommendations > Virtual Machines report, you now have the ability to choose the usage date range that will be used to make the purchase recommendations. You can choose between 30 (default), 60, 90, and 180 days.

Added ability to convert cost-only account to resource subscription
You now have the ability to convert an account that was set up as cost-only to a subscription-with-resources account. This allows you to have the accounts automatically created by the billing process and add credentials at a later time.

Better notification system when Billing Settings not configured
When we cannot determine the currency or billing region from an EA or CSP account, the notification system will now alert the customer to this issue and also redirect the user to the billing configuration screen to apply the proper settings.

Notification added for subscription families set up as resellers
For customers with a tiered reseller configuration, the Subscription Families page will now show a ‘Reseller’ notification for those Families that are configured as resellers.

Reserved VM Purchases are now reported in Advanced Grouping
The Advanced Grouping report now offers filter options for ‘Reservation’ within the charge model, allowing you to view and report against your Reserved VM purchases.

Improvements made to Historic Billing Summary Report load time
When loading data within the Cost > Azure Billing > Summary Reports > Historical Monthly Summary report, the data will be returned much quicker.

Added the ability to generate invoices off of saved filters
Within the Cost > Azure Partner Tools > Report > Generate Invoices menu you now have the ability to generate invoices based on saved filters created within the Advanced Grouping report. You will find saved filters as an option under the Report Format dropdown.

VM Reserved Instance Recommendations for non-US currencies
The Cost > Reserved Usage > Recommendations > Virtual Machines report now supports recommendations for non-US currencies.

Redirect users to the billing configuration page when appropriate
If you load an account that has not had its billing configuration set, you will now be redirected to the configuration page. This ensures your cost data is properly flowing into the account(s).

Improvements to Reserved Instance Purchase Recommendations
The Savings columns in the report have been updated to add clarity to the difference between 1 year and 3 year recommendations.
Clarity has also been improved where a one year purchase may not be cost effective, but a three year purchase would be.

Reserved Instance unsharing support added for Tiered Resellers
Reserved Instances will now be unshared when cost data is funneled down through the reseller tiers.

New CSP vs EA pricing comparison report
This new report within the Azure Partner Tools menu allows you to generate a CSV file showing the cost benefits of moving a specific Enterprise Agreement (EA) under your CSP.
Note, the EA account will need to be added to CloudCheckr to generate this comparison.

Added an Enterprise Agreement Cost Overage Alert

EA and CSP accounts will now receive one aggregated bill summary email per day (instead of one per subscription)

New price list comparison tool

Billing periods automatically lock when the period closes

Added the ability to manually lock/unlock billing periods

Added the ability to group by Instance Id in Advanced Grouping

Added support for basic Reserved Instance Unsharing
CloudCheckr will ‘unshare’ your Azure RIs, meaning it will ensure that only the accounts that should be getting the reserved instance benefit will. Those that are receiving a benefit will have those discounted costs recalculated at the proper rate.

Added the ability to generate invoices with increased decimal precision
When generating invoices you now have the ability to show precise values, which is controlled with a checkbox. Enabling precise values will display the line items out to the maximum number of decimals provided by Azure. The total will still be rounded to two digits.

Improved the performance of the billing summary reports
The Cost > Summary Reports > Single Day, Single Month, and Historical Summary reports have been revamped, allowing them to load data much faster.

Custom charges can now display by description on invoices
A new checkbox has been added to the Cost > Azure Partner Tools > Generate Invoices screen, labeled, ‘Show custom charge descriptions’. When this checkbox is enabled, when you export an invoice any custom charges added to CloudCheckr will display as their description (instead of displaying as coming from the ‘Custom’ service). This will be true for any invoice other than Summary by Region, or invoices based on Saved Filters (those will adhere to the saved filter formatting). This will make it clear to the invoice recipient what the charges are for.

Advanced Grouping Emails Now Have Download Link for CSV
When the Advanced Grouping report is configured to send a CSV version of the report via email, those CSVs will now be delivered via a download link.

Added Chart to the EA Usage Summary report
A summary chart has been added to the EA Usage Summary report, which is available within the Cost > Summary Reports menu.

Added exports to the EA Usage Summary report
You can now also export the data from the EA Usage Summary report.

Added Spend Analysis report to multi-account views
The Spend Analysis report has been added to multi-account views. It can be accessed within the Cost > Spend Analysis menu.

Added monthly savings to the Right-Sizing reports
The summary table at the top of the Right-Sizing reports will include the estimated monthly savings achieved by acting on the recommendations.

 

AZURE BEST PRACTICE UPDATES

Added ability to edit best practice checks
CloudCheckr Admin users will now have the ability to edit the severity level of best practice checks, as well as disable/enable any check. The Best Practice Editor can be accessed within the Admin Functions dropdown on the main list of accounts. Be sure to choose Azure from the cloud provider dropdown to manage Azure-specific checks.

Added 8 new Best Practice Checks:

  • Virtual Machines using older version of VM types
  • Virtual Machines not using Managed Disks
  • VM without Forced Tunnelling Enabled
  • Blob Containers whose URLs are publicly accessible
  • Blob Containers whose URLs are publicly accessible
  • App Service Plan with Expired SSL Certificate
  • App Service Plan with Expiring SSL Certificate
  • Blob Containers Set to Full Public Read Access

 

AZURE SECURITY UPDATES

Publicly Accessible Resources alerts now support SQL Server
When creating Publicly Accessible Resources alerts within the Security > Alerts > Resources menu, you now have the option to alert against public SQL Servers.

Added support for App Service Plans tags to Inventory reports

Added support for Virtual Networks to change monitoring
The Security > Activity Monitoring > Change Monitoring report will include changes being made to Virtual Networks.

Added support for Subnets to change monitoring
The Security > Activity Monitoring > Change Monitoring report will include changes being made to Virtual Network Subnets.

Added List of Subnets and Subnet Summary reports

Security Group best practice checks now support augmented security rules
The Security best practice checks now correctly handle properties that allow multiple entries (i.e. source, destination, and port properties). This includes public access detection, exposed ports, etc. See here for more information: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#augmented-security-rules
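The following added example (not CloudCheckr's code) shows why a check has to read both the single-value and the multi-value forms of an NSG rule property: a check that reads only `sourceAddressPrefix` and `destinationPortRange` misses exposure expressed through `sourceAddressPrefixes` and `destinationPortRanges`. The sample rules are constructed, and the watched ports (22 and 3389) are an assumption chosen for illustration.

```python
# Added illustration: audit Azure NSG rules that use augmented (multi-value)
# properties as well as the classic single-value ones. Sample data is constructed.

PUBLIC_SOURCES = {"*", "0.0.0.0/0", "internet"}  # wildcard, any-IPv4 CIDR, Internet service tag


def _values(props, single, plural):
    """Merge the single-value and plural (augmented) forms of one property."""
    merged = list(props.get(plural) or [])
    if props.get(single):
        merged.append(props[single])
    return merged


def _parse_ports(entries):
    """Turn ['22', '3000-4000', '*'] into inclusive (low, high) ranges."""
    ranges = []
    for entry in entries:
        entry = entry.strip()
        if entry == "*":
            ranges.append((0, 65535))
        elif "-" in entry:
            low, high = entry.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(entry), int(entry)))
    return ranges


def exposed_ports(rule, watched_ports, augmented=True):
    """Return the watched ports this rule opens to public sources.

    augmented=False mimics a check that reads only the single-value properties.
    """
    props = rule["properties"]
    if props.get("direction", "").lower() != "inbound":
        return []
    if props.get("access", "").lower() != "allow":
        return []
    src_plural = "sourceAddressPrefixes" if augmented else "_ignored"
    port_plural = "destinationPortRanges" if augmented else "_ignored"
    sources = _values(props, "sourceAddressPrefix", src_plural)
    if not any(s.strip().lower() in PUBLIC_SOURCES for s in sources):
        return []
    ranges = _parse_ports(_values(props, "destinationPortRange", port_plural))
    return sorted(p for p in watched_ports if any(lo <= p <= hi for lo, hi in ranges))


def audit(rules, watched_ports=(22, 3389), augmented=True):
    """Map rule name -> publicly exposed watched ports, omitting clean rules."""
    findings = {}
    for rule in rules:
        ports = exposed_ports(rule, watched_ports, augmented)
        if ports:
            findings[rule["name"]] = ports
    return findings


# Constructed sample rules (not taken from any real subscription).
SAMPLE_RULES = [
    {"name": "classic-ssh", "properties": {
        "direction": "Inbound", "access": "Allow",
        "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
    {"name": "augmented-admin", "properties": {
        "direction": "Inbound", "access": "Allow",
        "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"],
        "destinationPortRanges": ["80", "3000-4000"]}},
    {"name": "internal-only", "properties": {
        "direction": "Inbound", "access": "Allow",
        "sourceAddressPrefixes": ["10.0.0.0/8", "192.168.1.0/24"],
        "destinationPortRanges": ["22", "3389"]}},
    {"name": "deny-public", "properties": {
        "direction": "Inbound", "access": "Deny",
        "sourceAddressPrefix": "Internet", "destinationPortRange": "*"}},
]

if __name__ == "__main__":
    print("augmented-aware:", audit(SAMPLE_RULES))
    print("single-value only:", audit(SAMPLE_RULES, augmented=False))
```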

 

AZURE INVENTORY UPDATES

Reporting on certificate information in App Service Plan reports

The details found within the Inventory > App Service Plan > List of App Service Plans will now include SSL Certificates. These can be found within the Web Apps section of the report.

Added Redis Cache right-sizing report
The Utilization menu now includes a Right-Sizing report for Redis Cache.

Update CSV output of List of Resource Groups report
The CSV export now includes the tag names and values of the Resource Groups.

Added the VM Trending report to Multi-Account Views

Added Virtual Network Detail report

3 New Dashboard Panes:

  • VM CPU Utilization
  • Azure VM Count
  • Virtual Machines Pie Chart

Additional Operating System information added to List of VMs report
Now you will be able to see the exact operating system of your VMs within the Inventory > VM > List of VMs report.

Added Load Balancers to the Publicly Accessible Resources alert
When configuring the Publicly Accessible Resources alert within the Security > Alerts > Manager screen, you now have the option to also be alerted against publicly accessible Load Balancers.

Inventory reports will now include tags from App Service Plans where applicable

 

AZURE OFFICE 365 UPDATES

The new Active Directory accounts include the following Office 365 users reports:

  • Sharepoint User Activity
  • OneDrive Overall Usage
  • Mailbox Overall Usage
  • Teams Usage by User
  • Licenses Report
  • Yammer Usage Report
  • Mailbox
  • Skype
  • OneDrive
  • Teams
  • User Summary
  • List of Users



April 2018

CloudCheckr has published an update to its self-hosted offering. This update contains several new features and reports to the application.

You can obtain this update by downloading the newest version from the marketplace where you purchased CloudCheckr originally, or by contacting your CloudCheckr account manager.

Please note that, upon installation of the updates, all new features and reports may not appear in your account until CloudCheckr performs report updates against these changes.

Note: For information on how to get started with the self-hosted offering, click here.


Details of the Update:

GENERAL UPDATES

Re-implemented two Admin functions on List of Accounts page:

  • CSV Account Upload – allows you to upload a CSV for bulk account creation.
  • Save List of Accounts to CSV – allows you to export a list of your accounts to a CSV file.

Updated Forgot Password screens and workflow
In addition to an improved look and feel, when using the forgot password function, CloudCheckr will email you a link to the reset password page, and a key you must enter into a form on that page.

Showing/hiding columns on the list of accounts page
The list of accounts page now gives you the option to choose which columns to show or hide.

API Updates

7 New Azure Calls:

  • account/add_azure_csp_account
  • account/add_azure_ea_account
  • account/add_azure_inventory_account
  • account/edit_azure_csp_credential
  • account/edit_azure_ea_credential
  • account/edit_azure_inventory_credential
  • inventory/get_resources_virtual_machine_details

1 New Admin Call:

  • account/get_accounts_v4

2 Calls Updated:

  • best_practice/get_best_practices_v2 API call now supports Azure
  • billing/get_detailed_billing_with_grouping_v2 call now supports multi-account views

AWS UPDATES

GENERAL AWS UPDATES

CloudFormation Template will now read as ‘CC’ instead of ‘CloudCheckr’
When using the CloudFormation (instead of Manual) option when configuring accounts, the template URL will read ‘CC’ instead of ‘CloudCheckr’.

Partner Tools being logged in Audit Log
Any changes being made against the following features within the Cost > AWS Partner Tools menu will be captured by the Admin Audit log.

  • Custom Billing Charges
  • Configure Custom Cost
  • Payee Support Charges
  • Custom Usage Rates

AWS COST UPDATES

Custom Charges display by description in invoices
A new checkbox has been added to the Cost > AWS Partner Tools > Report > Generate Invoices screen, labeled, ‘Show custom charge descriptions’. When this checkbox is enabled, when you export an invoice any custom charges added to CloudCheckr will display as their description (instead of displaying as coming from the ‘Custom’ service). This will be true for any invoice other than Summary by Region, or invoices based on Saved Filters (those will adhere to the saved filter formatting). This will make it clear to the invoice recipient what the charges are for.

Added rounding notification to Monthly Billing Summary report
The Cost > AWS Billing > Summary Reports > Monthly report now includes help text at the top explaining how rounding large decimals can impact the costs displayed within CloudCheckr.

Added the ability to include credits in Advanced Grouping report
The Advanced Grouping report will now include credits by default. There is a checkbox added to the report that allows you to hide these credits if you would like a cost-only report. Note that historic months will need to be reloaded to see credits in this report.

Performance Improvements to Advanced Grouping saved filter generation
The back-end process to build that data for saved filters for the Advanced Grouping report has been improved, allowing for much faster build times.

Added the ability to include account families in Advanced Grouping report
When filtering by accounts within the Advanced Grouping report you now can choose to filter by AWS account, or by Account Family.

Enable custom charges by a group of accounts
When adding custom charge tiers you now have the option to either sum all accounts and pass those through the custom tiers, or to pass each individual account through the tiers. This provides greater control and flexibility when establishing custom charges.

Tag Mapping now supports Tag AND Property mapping in same rule
Previously, tag mappings could only be set up to map a tag or a property, not both. Now, you can map both a tag and a property in the same mapping. These are configured within the Cost > Tags > Tag Mapping report.

Added PDF Export to RI Purchase Recommendation Reports

  • EC2 by Instance
  • EC2 by Frequency
  • RDS

AWS INVENTORY UPDATES

Re-implemented Find AWS Resource functionality to list of accounts page
The main list of accounts page offers the ‘Find AWS Resource’ button and functionality once again. This button allows you to find which account owns specific AWS resources.

Updated RDS List of Instances CSV export
The CSV export from the Inventory > RDS > List of DB Instances has been updated to more closely match the format from the List of EC2 Instances export.

Can now add List of S3 buckets directly to custom reports
You can now save your List of S3 Buckets reports directly to custom reports from the Inventory > S3 > List of Buckets report. Previously you had to use the Create Custom Report functionality to save S3 reports.

Lambda added to the Untagged Resources report
The Inventory > Tagged and Inventory > Untagged Resources reports will now both report against Lambda.

Added inventory tag support for:

  • Glacier
  • DynamoDB
  • Elasticache
  • Lambda
  • KMS
  • EFS

Added List of Elastic File Systems Inventory reports
A Summary and List of Elastic File Systems report has been added to the Inventory > EFS menu.

CSV export added to Certificate Manager

AWS ALERTING UPDATES

Ability to filter Network Usage alerts by Account
When creating Network Usage alerts within the Cost > Alerts > Manager menu, you now have the ability to filter these alerts by AWS account.

More information added to SNS Alert Notifications
Alerts delivered via SNS will now include details for the alert that was triggered. Previously, the SNS message only stated that an alert was triggered with no other information. Please note that the next update will expand upon the amount of detail being delivered within the SNS alert.

AWS BEST PRACTICE UPDATES

Stale IAM Users check now shows user and password creation date
The data displayed within the Stale IAM Users best practice check has been updated to include the user and password creation date.

Added the ability to configure the IP list in the Blocklisted IP Address Making API Calls check
You now have the ability to configure the IP lists for the Blocklisted IP Address Making API Calls best practice check. To update the check configuration click on the gear icon to the right of that check, which can be found on the Security tab.
NOTE: The IP lists can be created and managed within the Admin Functions list on the main list of accounts page.

10 new best practice checks:

  • IAM Role Policies with full admin privileges
  • Default Security Groups Allowing Traffic
  • IAM Users with Console Access Should Not Have Access Keys That Were Created at Initial User Setup
  • Default Security Groups Should Not Allow Any Traffic
  • Lambda functions with Admin privileges
  • CloudTrail Logs Not Encrypted at Rest Using KMS CMK
  • No support role has been created to manage incidents with AWS Support
  • Rotation not enabled for customer created CMKs for KMS encryption
  • Cloudtrail Bucket(s) Without Access Logging Enabled
  • EC2-Classic Security Groups Inbound Rules With Potentially Dangerous Port 22 Exposed

AWS SECURITY UPDATES

Added KMS Key Id to List of Trails report
The Security > Activity Monitoring > AWS API (CloudTrail) > List of Trails report will now display the KMS key Id, if applicable.

Added ability to view more than 20 connections in VPC Flow Logs
Pagination capabilities have been added to the VPC Flow Logs report, allowing users to view more than the top 20 connections.

11 New CIS Benchmarks

  • 1.18 – Ensure IAM Master and IAM Manager Roles are Active
  • 1.19 – Maintain current contact details
  • 1.2 – Ensure CloudTrail log file validation is enabled
  • 1.23 – Do not setup access keys during initial user setup for all IAM users that have a console password
  • 2.6 – Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • 2.8 – Ensure rotation for customer created CMKs is enabled
  • 3.15 – Ensure appropriate subscribers to each SNS topic
  • 4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
  • 4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 338
  • 4.3 – Ensure VPC flow logging is enabled in all VPCs
  • 4.4 – Ensure The Default Security Group of Every VPC Restricts All Traffic

AWS AUTOMATION UPDATES

Workflows broken into tabs
The Automation > Workflows page has been reorganized into multiple tabs. Non-workflow admin users will see tabs for their open and closed workflows. Workflow admins will see their open and closed workflows, as well as all open and closed admin workflows.

Automation Workflows screen reorganized to display newest items first
Workflows now default to showing the newest items first, making it easier to identify the most recently executed tasks.

Fix-Now Capabilities added to 3 best practice checks:

  • IAM Password Policy Not Enabled
  • CloudTrail Unauthorized Access Attempts
  • EBS Volumes without Recent Snapshot

Fix Now capabilities will now only display on most recent Best Practice Report
When viewing the Best Practice report you will only be able to utilize the ‘Fix Now’ capabilities in the most recent version of the report. Looking at historical reports will disable this functionality.

Usability improvements to Inbound Rules Fix Now capability
The interface and workflow for configuring the Fix Now options for the inbound rules best practice checks has been improved.

AWS UTILIZATION UPDATES

Added instance name and average metrics to Heatmap exports
When exporting Heatmaps to PDF from the Utilization menu, you will now see a second page showing the instance name and instance-specific metrics.


AZURE UPDATES

GENERAL AZURE UPDATES

Added support for South Africa’s North and West locations

AZURE COST UPDATES

Added EA Usage Summary Report
The EA Usage Summary report, available within the Cost > Summary Reports menu, will show details including Balance, Commitment, and Overages, for the agreement.

Custom Charges now support an end date
When creating and editing custom charges within the Cost > Azure Partner Tools > Custom Charges screen, you can now apply an end date to the custom charges.

Performance improvement to the Billing Dashboard
The Cost > Azure Billing > Dashboard report has been revamped, making it load and retrieve data much faster.

Improvements to the following CSV exports:

  • Historical Month Billing Summary
  • Single Day Billing Summary
  • Single Month Billing Summary

Added Profit Analysis report
The Profit Analysis report has been added to the Partner Tools menu.

Can now specify currency and region for billing collection
You can now specify the currency and region for an Azure Inventory account that has billing data collection enabled. This is managed within the Billing Settings menu.

AZURE INVENTORY UPDATES

Added Service Requests Inventory reports for CSP
CSP accounts will now have an Inventory > Service Request menu where details about service requests can be reviewed.

Added List of Application Gateways Inventory report
There is a new List of Application Gateways report. This report can be accessed within the Inventory > Networking menu.

Added Subscription to List of VMs report in Multi-Account Views
When viewing the List of Virtual Machines report within multi-account views, the Subscription where the VM resides will now display.

Added Azure Container Service Inventory Reports
A new Summary and Detailed report has been added to the Inventory > Container Services menu.

Added an Improperly Tagged Resources daily email
You can now have the output of the Improperly Tagged Resources report emailed on a daily basis. This email can be enabled and configured within the Account Settings > Email Settings menu. NOTE: you must first create tag rules within the Cost > Tagging > Tagging Rules menu.

Improved the format of the Improperly Tagged Resources CSV export

Additional data displayed for Redis Cache inventory

Added charts to VM Scale Set Summary
The VM Scale Set Summary report within the Inventory menu now has additional pie charts.

Added Untagged Resources Report
An Untagged Resources report has been added to the Inventory module. This report allows you to see which resources are missing tags, or are missing specific tags.

Added Snapshots to Managed Disk inventory reports
A new report for Snapshots has been added to the Managed Disk inventory.

AZURE SECURITY UPDATES

Added three services to change monitoring:

  • App Service Plans
  • Load Balancers
  • Application Gateways

Redis Cache added to Change Monitoring
The Security > Activity Monitoring > Change Monitor report now reports against changes made to Redis Cache.

AZURE BEST PRACTICE UPDATES

Reorganized Azure Network Security Group check into ‘with’ and ‘without’ resources
The Network Security Group best practice checks have been redone. Now there are two checks for each: one for those groups WITH resources, and one for those WITHOUT.
These are the checks that have been updated:

  • Network Security Groups Outbound Rules Set To All Ports
  • Network Security Groups Inbound Rules with Potentially Dangerous Ports Exposed
  • Network Security Groups Inbound Rules with Specific Ports Exposed
  • Network Security Groups Outbound Rules with Dangerous Ports Exposed
  • Network Security Groups Outbound Rules with Potentially Dangerous Ports Exposed
  • Network Security Groups Inbound Rules Set to All IPs and All Ports
  • Network Security Groups Outbound Rules Set to All IPs and All Ports

Added cost to the details of the App Service Plans with No Apps check
The App Service Plans with No Apps best practice check has been updated to show the cost of the App Service Plan(s) being flagged by the check.

Added 15 New Best Practice Checks

  • Managed Disk without Backup Protection
  • Application Gateway with Web Application Firewall (WAF) Disabled
  • App Services with Unknown resource health
  • App Service Plan without AutoHeal Enabled
  • App Service Plan with under utilized memory
  • App Service Plan with over utilized memory
  • Managed Disk without delete lock
  • Network Security Groups Outbound Rules With Potentially Dangerous Ports Exposed
  • App Service Plan is Unavailable
  • App Service Plan Has Exceeded Usage Quota
  • App Service Plan CPU Under / Over Utilized
  • App Service without Backup Scheduling Enabled
  • App Service with SSL Disabled
  • App Service with Critical Recommendations
  • Idle SQL Server Database Instance

Added SQL DB Advisor recommendations to Best Practice Report
The Azure Advisor tab in the Best Practice report will now also include SQL DB Advisor recommendations.

Added configuration options to Idle SQL Database Instances check
You can now configure the parameters of the Idle SQL Database Instances best practice check, dictating the idle percentage as well as the number of days to check against.

AZURE UTILIZATION UPDATES

Added a Right-Sizing report for Azure SQL
The Utilization menu now includes a Right-Sizing report for Azure SQL.

Added App Service Plan Right Sizing report
A new right sizing report, specific to App Service Plan, has been added to the Utilization menu.

VM Right Sizing updated with information on enabling memory metrics for your VMs
If no memory metrics are available for your virtual machines, the right sizing report will notify you and offer information on how to populate that data.

Collecting SQL DTU metrics
SQL DTU (database transaction units) are now being collected for the SQL databases.


