What's New (Self-Hosted)

October 2019

CloudCheckr has published an update to its self-hosted offering.

We highly recommend that you obtain this update by downloading the newest version from the marketplace where you purchased CloudCheckr originally, or by contacting your CloudCheckr account manager.

Please note that upon installation of the updates, all new features and reports may not appear in your account until CloudCheckr performs report updates against these changes.

For information on how to get started with the self-hosted offering, click here.

Details of the documentation updates:

  • updated installation and configuration screens due to minor UI changes
  • added Trusted User Not in Standard Region section
  • added recommendation to configure public subnets
  • revamped Upgrade the Self-Hosted App section
  • updated least privilege policies to match most recent changes
  • rebranded content to reflect brand changes
  • added Deploy CC to Additional Availability Zones section to MT versions
  • reorganized and removed content for a better user experience
  • created GovCloud versions of the self-hosted guides
  • added instructions on how to configure a CPV app for Azure CSP Commercial and Gov/Germany accounts

New features included with this update:

GENERAL UPDATES

JIRA Added To Integrations

You can now have your alerts and best practice check notifications delivered to your JIRA project(s) through a JIRA (beta) integration app.  This app can be configured within the Account Settings > Integrations menu.  

API UPDATES

Two New AWS API Calls:

  • get_aws_billing_configuration
  • edit_aws_billing_configuration

One New Azure API Call:

  • Modify_subscription_family

AWS UPDATES

GENERAL UPDATES

Added Support for two new AWS Regions:

  • GovCloud (US-East) Region
  • Hong Kong Region
CREDENTIALING UPDATES

Added Support for Cost Explorer API

We now have the ability to ingest new datapoints from AWS using their Cost Explorer API.

With this update we've begun leveraging this API, implementing some small improvements in our cost reports. Other reporting capabilities will be updated to support these new datapoints in future updates. Details of these improvements will be shared here, with each update.

To gain the benefits that this new API integration offers, please update the permission policy attached to your IAM role.  

The permission needed within your IAM policy:

ce:GetReservationUtilization

COST UPDATES

Added Multi-Select Capabilities to Filters Within EC2 RI Purchase Recommendation Reports

The filter option have been improved in both EC2 RI Purchase Recommendation reports (found within the Cost > AWS Billing > Reserved Usage > EC2 menu). Previously, the Region, Instance Type, Platform, and Tenancy options required the user to input text. With this update these are now multi-select options, making it easier for the user to select the filters they want and eliminate the possibility for error.

Added Multi-Select Capabilities to Filters Within the following reports:

  • RDS RI Purchase Recommendation Report
  • Redshift Reserved Node Purchase Recommendation Report
  • DynamoDB Reserved Capacity Purchase Recommendation Report
  • ElastiCache RI Purchase Recommendation Report

Previously, the filter options required the user to input text. With this update, these are now multi-select options, making it easier for the user to select the filters they want and eliminate the possibility for error.

Improved ability to export large datasets from Advanced Grouping

If you are exporting a report in Advanced Grouping to CSV that includes grouping for EC2 Instance Id, Resource Id, or you have more than 5 groupings, a back-end process will execute and deliver your CSV via email.  This prevents long wait times when trying to process the large dataset within the browser.

Access to the GSA Service Catalog

Through the Cost > AWS Partner Tools menu you now have access to the GSA Service Catalog.  This catalog provides you with a comprehensive list of all of the products, their SKUs, and their price from AWS.   You have the ability to filter and export the data from this report.

New Report: Service Charge Breakdown

The new Service Charge Breakdown report was designed with enterprise customers in mind, showing you the value you provide by buying RI's and negotiating discounts. The report has columns showing the savings accrued by your purchased reservations along with the impact of your custom charges. These costs will be broken down by service, with the ability to filter by accounts/account families, as well as by date.

This new report is available within the Cost > AWS Partner Tools > Report menu.

Custom Charge Percent Charge by Service

In conjunction with the new Service Charge Breakdown report, we will now apply your percent-based custom charges per service. Historically, these custom charges were lumped together under a new Service named 'Custom', with no ability to see how much of the charge was from EC2, RDS, etc. Moving forward the charges will be applied to the corresponding service, but placed under a Usage Type named 'Custom'. This way you still have the ability to see your Custom Charges, but will be able to better report against spend by service.

Update to Enterprise Support

When using the Enterprise Support option within Payee Support, we will now assign the Enterprise Support charges to all or selected accounts within your consolidated bill. This allows you to see your enterprise support charges throughout the month and have those charges allocated to the account(s) you choose.

New Bill Prediction Method

We have re-written the algorithm that makes the monthly bill prediction, resulting in much more accurate predictions. You will see this prediction in the Cost Summary reports, such as the Single Day Summary and Billing Dashboard.

Ability to filter on Reserved Instances in Advanced Grouping Report

A new filter option has been added to the Advanced Grouping report which allows you to filter the data based on whether or not the costs originated from a Reserved Instance.

New Advanced Grouping CSV Export Option: Chart-Only

You now have a new option when exporting data from the Advanced Grouping report into a CSV file: Chart-Only. This option will include the data from the chart as well as the summary totals, but will not include the grouping table in the output.

Improved Handling of Automated EDPs

Customers that have their EDP discount automated by AWS will now have that discount automatically ingested as a credit. This allows the discount to be managed within the Assign Credits page, to show/hide or assign as desired. Customers who are not eligible to have their EDP discount modified will not be impacted by this change.

New Custom Charge Display Options

We have added a new configuration option when adding/editing Custom Charges within the AWS Partners menu. You will now have the ability to choose whether to have custom charges display within a service category (EC2, RDS, etc.), or as a separate service category.

Historically, discounts that spanned multiple services were combined, regardless of service category. For example a 10% charge on EC2 & RDS, was calculated as (EC2+RDS)*.10 and was given a new service category of "Custom Charge". Now, we have the ability to calculate (EC2.1)+(RDS*.10) and have those charges written to EC2 and RDS respectively, or continue to have them written to the "Custom Charge" category.

INVENTORY UPDATES

Added Support for new EC2 Instance Types:

  • m5a
  • r5a
  • c5n
  • a1
  • m5ad
  • r5ad
  • t3a
  • i3en
  • m5d
  • m5
  • r5

Date Selector Added to Lookup Resources

The Lookup Resources report (found within the Cost > Tags menu) has been updated to include user-defined Start and End dates. Any resources found within the selected date range will be returned.

List of Load Balancers report updated to include ALBs and ELBs

The Inventory > EC2 > Load Balancers > List of Load Balancers report has been updated with a new column labeled 'Load Balancer Type'. This column will specify whether the Load Balancer is a Network or Application Load Balancer.

New Report: Saving Showback

The new Saving Showback report was designed with enterprise customers in mind, showing you the value you provide by buying RI’s and negotiating discounts. The report has columns showing the savings accrued by your purchased reservations along with the impact of your custom charges. These costs will be broken down by service, with the ability to filter by accounts/account families, as well as by date.

This new report is available within the Cost > AWS Partner Tools > Report menu.

New Billing and Usage Configuration Process

The Edit Billing Bucket and Cost and Usage configuration pages have been combined into a single page, which can be found under the Account Settings menu.

This new page allows you to manage the following configuration items in a single location:

  • Configure the Cost and Usage Report (CUR)
  • Set the S3 billing bucket for the Detailed Billing Report (DBR)
  • Limit AWS Accounts
  • Manage Partner-Level Settings:
    • Automatically Register Payee Accounts
    • Hide Credits from Payees

Option to show percent-based custom charges during month or at end of month

When configuring percent-based custom charges you now have the option to have the custom charges calculated and displayed with your cost reports as the month progresses (it will be updated with each new billing update), or have the charge calculated and presented at the close of the month.

NOTE: All existing custom charges will default to showing at the end of the month. You can edit these within your AWS Partner Tools > Configure > Custom Billing Charges menu. Also, all new custom charges will default to be calculated during the month. This can be modified while you are creating the custom charge (or any point after).

Improvement to Custom Charge configuration

When configuring custom charges, you will now have the ability to set the custom charge to automatically inherit future usage types. Two new checkboxes have been added to the configuration options labeled 'include all current and future EC2 Box' and 'include all current and future EC2 Heavy'. With these selected, all EC2 box and/or EC2 Heavy usage types will be selected from the filter list. And, if any new Box or Heavy usage types are added in the future, those will automatically be added to the custom charge. This prevents users from having to constantly update their custom charge as new usage types are added by AWS.

Removed "reserved instance applied" description from list cost

With a recent update to the way the Detailed Billing Report (DBR) is written, AWS now includes the text "reserved instance applied" in the description for any cost that includes the use of a reserved instance. Because CloudCheckr can be configured to apply reserved instances in a different manner than they were written to the DBR, this could potentially cause confusion when reviewing cost reports or invoices. To resolve this, the "reserved instance applied" description will not be displayed when viewing the description column in a report based off of List Cost.

BEST PRACTICE UPDATES

Added one new Best Practice Check:

  • Regions Without AWS Config Enabled

Improvements to the Unused ELBs Best Practice Check

The Unused ELBs Best Practice Check has been updated to more accurately report against application load balancers.

Added ALBs and NLBs to 'Unused Elastic Load Balancers" Check

In addition to supporting Classic load balancers, the 'Unused Elastic Load Balancers' best practice check now also supports Application Load Balancers (ALBs) and Network Load Balancers (NBLs).

SECURITY UPDATES

CIS Benchmark Updates

Our CIS Benchmark report has been updated to map to CIS v1.2. These changes include re-mapping controls to a new control number.

Note that these are just cosmetic changes; the contents of these benchmarks have not been modified:

  • Control 1.9 moved from L2 to L1
  • Control 1.19 changed to 1.17
  • Control 1.22 changed to 1.20
  • Control 1.23 changed to 1.21
  • Control 1.24 changed to 1.22
  • Control 1.21 changed to 1.19
  • Control 4.3 changed to 2.9
  • Control 4.4 changed to 4.3

2 new Benchmarks (and corresponding Best Practice Checks) added:

  • 3.10: Ensure a log metric filter and alarm exist for security group changes
  • 4.4: Ensure routing tables for VPC peering are "Least access"

AZURE UPDATES

CREDENTIALING UPDATES

New CPV Authentication Model

To comply with the new CSP Security Model Microsoft Azure will begin enforcing soon, we have modified the way we interact with your partner center API.  Moving forward, we will make requests through a Control Panel Vendor (CPV) application. To avoid an interruption with your account, once this new model is being enforced, you will need to update the credentials saved within your CSP account(s).  To update your credentials, login to your CSP account(s) and navigate to Account Settings > Azure Credentials from the left-hand navigation.  

NOTE: You only need to update your CSP payer accounts. This change does not impact Enterprise Agreement accounts or inventory subscriptions.

COST UPDATES

Ability to Aggregate by Week in Advanced Grouping

In addition to being able to aggregate the cost data by Day and Month, you now also have the ability to aggregate the data by week within the Advanced Grouping report.

Added Retail Cost option to Invoice Generator

Within the Cost > Azure Partner Tools > Reports > Invoice Generator you now have the ability to generate invoices using the Retail cost type. Simply select 'Retail' from the Cost Type option.

Two Enhancements to the Advanced Grouping Report

  • Additional Chart Types - you can now choose between Area, Bar, Column, or Pie charts when generating a report.
  • Option to Include Zero Costs - you can now choose to include, or exclude, rows with no cost from the report.

Added ability to CSPs to create cost alerts by Customer

CSP customers will now have additional filtering capabilities within their cost alerts that allow them to create alerts by Customer. These alerts can be configured within the Cost > Alerts > Manager menu.

New Advanced Grouping CSV Export Option: Chart-Only

You now have a new option when exporting data from the Advanced Grouping report into a CSV file: Chart-Only. This option will include the data from the chart as well as the summary totals, but will not include the grouping table in the output.

Added Ability to Group by Week and Month to Advanced Grouping

Two new options have been added to the group by options within the Advanced Grouping report: By Week and By Month.

Custom Credit Memos

You now have the ability to add custom credit memos within the Cost > Azure Partner Tools > Configure menu. Credits added here will be displayed in the cost reports that reflect credits.

INVENTORY UPDATES

The VM Right-Sizing report has been updated to include the following VM series:

  • DC-series
  • Lsv2-series
  • NVv2-series
  • NDv2-series
  • NCv3-series
  • NCv2-series

VM Launch Date Added to List of VMs Report

When viewing the List of VMs report within the Inventory module, you will now see a column option to display the Launch Date for each VM. You can also expand on any VM to see this value, which includes both the date and time that the VM was launched.

BEST PRACTICE UPDATES

Added support for additional Azure Advisor checks

  • Enable Soft Delete to Protect your Blob Data
  • Enable Virtual Machine Backup to Protect your Data from Corruption or Accidental Deletion
  • Use Availability Sets for Improved Fault Tolerance
  • Add at least 1 or more endpoints to a Traffic Manager Profile
  • Enable Network Security Groups on subnets
  • Enable Advanced data security on your SQL servers
  • Provision an Azure AD administrator for SQL server
  • Enable Network Security Groups on virtual machines
  • Require secure transfer to storage account
  • Require secure transfer to storage account
  • Restrict access of Internet-facing VMs’ permissive Network Security Groups
  • Restrict access to App Services (Preview)
  • Enable DDoS protection standard
  • Install a vulnerability assessment solution on your virtual machines
  • Enable virtual machine backup to protect your data from corruption and accidental deletion
  • Close management ports on your virtual machines
  • Delete Public IP address not associated to a running Azure resource
  • Restrict access to storage accounts with firewall and virtual network configurations (Preview)
  • Enable diagnostic logs in Key Vault
  • Enable diagnostics logs in Service Bus
  • Enable diagnostics logs in Virtual Machine Scale Sets
  • Enable Active-Active gateways for redundancy

June 2019

CloudCheckr has published an update to its self-hosted offering.

We highly recommend that you obtain this update by downloading the newest version from the marketplace where you purchased CloudCheckr originally, or by contacting your CloudCheckr account manager.

Please note that upon installation of the updates, all new features and reports may not appear in your account until CloudCheckr performs report updates against these changes.

For information on how to get started with the self-hosted offering, click here.

Details of this update:

Support for AWS DBR Updates

On June 17, 2019, AWS is making updates to the way reserved instance costs are written to the Detailed Billing Report (DBR).

With this update, the self-hosted version of CloudCheckr will properly handle these chages and continue to properly process reserved instances and their costs.

You can find more information about this change here.

Support for Single Sign-On via Azure Active Directory

With this update, you can now configure your application to allow user access using Azure Active Directory.

Please refer to our Configure Single Sign-On for Active Directory help document for step-by-step instructions for implementing this solution within your account.


January 2019

CloudCheckr has published an update to its self-hosted offering. This update contains several new features and reports to the application.

You can obtain this update by downloading the newest version from the marketplace where you purchased CloudCheckr originally, or by contacting your CloudCheckr account manager.

Please note that upon installation of the updates, all new features and reports may not appear in your account until CloudCheckr performs report updates against these changes.

For information on how to get started with the self-hosted offering, click here.

Details of this update:

GENERAL UPDATES

UI Updates

Loading Improvements on the List of Accounts page

Loading times for the List of Accounts page (where you are directed upon login) has been improved. In addition to speed improvements, pagination options have been added to the page. These allow you to choose how many accounts to list on the page as well as quickly cycle through pages.

Column Sorting and Cost Columns re-implemented on List of Accounts Page

In a previous update we temporarily removed the Cost columns as well as the ability to sort columns on the List of Accounts page (where you are directed upon login). In this update, we have re-implemented these features. You can sort the columns by simply clicking on the column headers. To see the Cost columns again, click the ‘EDIT COLUMNS’ button and select the columns you would like to see on this page.

NOTE: This page is still under construction. While we continue to improve the page, Cost columns will only be visible for Admin users. These will be exposed to all users in a future update.

Additional Filter Options Added to Admin Audit History

Admin users now have the ability to filter the Audit History by both Created Date and Object Name.

Added report export options

CloudCheckr created additional export options to enable customers to export all fields available on the report or export only those fields that are displayed.

For selected reports, we have also added back in a deprecated export format to meet the current needs of our customers.

White Label Improvements

White label customers can have SSO initiated login via login page

The login page can be updated with a button that will allow users to initiate their login directly through their SSO provider.  

Improvements to white labeled emails

Emails delivered from the system to white labeled customers will now have the Login button direct users to the proper login page.

Removed Login Button from Summary of Daily Consolidated Bill White-Labeled Emails

For white-labeled customers, the Summary of Daily Consolidated Bill email will no longer have a Login button.

API UPDATES

Added email input to alert/add_cost_alert_percent

When adding cost alerts with this API call you can now choose the email recipient(s) by adding the parameter in your request.

CloudWatch metrics added to inventory/get_resources_s3_summary

Update to inventory/get_resources_virtual_machine_details

The output of this API call will now include a field for “ScaleSet”.

New Azure Call:

• create_detailed_billing_grouped_filter

AWS UPDATES

Cost Updates

The Advanced Filtering Report is being deprecated

The Advanced Filtering report is being deprecated from the application. It will be removed from the application with a future update.  Any saved filters within the Advanced Filtering report should be created and saved within the Advanced Grouping report prior to your next upgrade.

New Amortization Method

We now support amortization for unblended rates. This setting is ideal for enterprises who buy their RI’s centrally but want the individual teams/department to bear their portion of the upfront RI payment. To configure your account to use this method, within the Cost > AWS Partner Tools > Configure > Configure Custom Cost menu, you will want to choose ‘Unblended’ and ‘Amortize upfront costs by proportional payee hourly usage’.

Added the ability to ignore S3 buckets with incorrect programmatic billing files

You can now have your account ignore any S3 bucket where programmatic billing files reside (such as the DBR), if the files within that bucket are not the ones you intend to use for billing ingestion. This occurs when a customer is modifying a detailed billing report and uploading to S3. If you would like to ensure a specific programmatic billing bucket is not being used for data ingestion, please contact support@cloudcheckr.com.

Added Copy DBR Version Flag

When editing the setup of Copy DBR (from within the Cost > AWS Partner Tools > DBR > Copy menu, you will now see a toggle switch to choose between the current or deprecated version of the copy.

NOTE: The new version includes the ReservedInstance column, where the previous version did not.

IMPORTANT: The deprecated version will be removed in a future update. Please make plans to account for the additional column.

EC2 Operations Mapped to Operating Systems

The names of the EC2 Operations have been updated to include the Operating System. This will make it easier to run reports in Advanced Grouping that targets specific Operating Systems or to generate Custom Charges against a specific OS.

Example: RunInstances:0002 will now be RunInstances:0002 (Windows)

Enhanced the Copy DBR functionality

The Copy DBR function now updates the Reserved Instance (RI) Y/N column depending on if an RI is being shared with an instance. We also added a new column that shows a key/value pair which identifies if the instance is a partial RI and provides the percentage breakdown of usage.

Improved WorkSpaces prediction algorithm for higher accuracy

Customers using the WorkSpaces service from AWS will see a more accurate prediction for its costs within the Cost module.

Credentialing Updates

Improvements to the IAM policy template

When creating a new account and leveraging the CloudFormation template, you’ll now get to choose which permissions to apply, per module (Cost, Security, etc.).

Please note that as part of this, if you would like billing data or security logs ingested into your account, you will need to add the name of your programmatic billing bucket, as well as the bucket where your CloudTrail logs are stored. These will be fields you fill out within the AWS console while saving the CloudFormation template.

Security Updates

CloudTrail Assume Role ARN Consolidation

To help eliminate extremely large lists of users and roles within the CloudTrail Events report, the Assume Role ARNs which are being created for each resource Id are being consolidated.

Example:
arn:aws:sts::[AWS Account Id]:assumed-role/aws:ec2-infrastructure/i-1234abcd
will be converted to
arn:aws:sts::[AWS Account Id]:assumed-role/aws:ec2-infrastructure/*

This will allow you to run a query against all activity from the assume role and not have to selected multiples, depending on how many unique values the role had. It should also help with load times when building the list of users with the CloudTrail Events report.

Improved detection for VPCs with publicly accessible subnets

The Perimeter Assessment report and Publicly Accessible Resources alert will now properly identify VPCs that have publicly accessible subnets.

New Total Compliance Report

There is a new item in the report navigation on the left-hand side of the application for Compliance. Within that menu you’ll find a new report, titled Total Compliance. This report reviews more than 30 compliance frameworks (including NIST, HIPAA, PCI, ISO) against the configuration of AWS accounts and resources. By leveraging the Total Compliance standards, security professionals can more easily and consistently ensure that their deployments are following established best practices for compliance. You’re able to select up to five favorite frameworks and have the report track your compliance against those on a daily or weekly basis.

Added integration notifications into CloudWatch Logs

In a previous update we added a single location to manage integrations for alert and best practice notifications. With this release, you can now leverage these integrations when configuring alerts within the Security > CloudWatch Logs > Define Events report. NOTE: You can manage the integrations within the Account Settings > Configurations > Integrations page.

Inventory Updates

Added Support for AWS GovCloud (US-East) Region

Added Support for new EC2 Instance Types:

  • m5a
  • r5a
  • c5n
  • A1
  • g3s
  • u.metal

New Cognito Inventory Reports

Within the Inventory > Cognito menu, you will now find resource inventory reports for:

  • User Pool Summary
  • List of User Pools
Best Practice Updates

Added new Best Practice Checks:

  • Regions Without AWS Config Enabled
  • Log metric filter and alarm do not exist for changes to Network Access Control Lists (NACL)
  • Log metric filter and alarm do not exist for changes to network gateways
  • Log metric filter and alarm do not exist for route table changes
  • Log metric filter and alarm do not exist for AWS Config configuration changes

AZURE UPDATES

Cost Updates

Added CSV export option to the Profit Analysis Report

You can now export the Profit Analysis report to CSV. This report can be accessed within the Cost > Azure Partner Tools > report menu.

Added Retail Cost option to Invoice Generator

Within the Cost > Azure Partner Tools > Reports > Invoice Generator you now have the ability to generate invoices using the Retail cost type. Simply select 'Retail' from the Cost Type option.

Three Enhancements to the Advanced Grouping Report

  • Additional Chart Types - you can now choose between Area, Bar, Column, or Pie charts when generating a report.
  • Option to Include Zero Costs - you can now choose to include, or exclude, rows with no cost from the report.
  • Include/Exclude Chart Data - when choosing to export data to a CSV file you will now have the option to either include or exclude the chart data. Previously the chart data was included in every export.

Added support for CSP VM RI Unsharing

Within the Cost > Azure Partner Tools > Configure > Configure Custom Cost menu, you now have the ability to enable unsharing. Enabling this feature will change the usage cost of Virtual Machines using reservations to its corresponding on-demand costs.

Added RI Amortization to List Cost Analysis

If using the amortization option within the CSP RI Configuration menu, you will now see this reflected within the List Cost Analysis page.

Added the ability to add/edit custom charges based on Cost Source (Azure, Azure Marketplace, etc.)

When configuring custom charges, you now have the ability to include or exclude any Cost Source from the custom charge.

This allows you to create custom charges that apply a percentage increase to a customer’s usage, but will exclude Marketplace costs to ensure those aren’t being inflated.

Custom charges can be managed within the Cost > Azure Partner Tools > Configure menu.

New CSP RI Configuration menu

CSP Customers now have the ability to choose the owner, per reservation, as well as whether that reservation should be unshared.  In addition to choosing RI owner and unsharing, you also have the ability to amortize the upfront cost of the RI and apply that to the customer. You can add a percentage-based upcharge to the amortized amount, if you choose.

This is only available within CSP accounts, and can be accessed within the Cost > Azure Partner Tools > Configure menu.

New CSP Virtual Machine Reservation Purchase Recommendation Report

CSP Accounts will now find a VM Reservation Purchase Recommendation report within the Cost > Reserved Usage > Recommendations menu. This report will look at your VM usage and make purchase recommendations, identifying areas where reservations can be leveraged to save money. These reservations will be made, and organized, by customer.

Added filtering for BYOL Virtual Machines

New meter sub-categories have been added to identify Bring-Your-Own-License virtual machines. This will make it easier to identify and report against these within the Advanced Grouping report as well as managing custom charges.

Inventory Updates

Better Scale Sets to Virtual Machine Reporting

The Inventory > Virtual Machines > List of Virtual Machines report will now better report against the VM>Scale Set relationship. A Scale Set column has been added to the report, making it easily to identify which Scale Set, if any, that a VM belongs to. When expanding on a VM there is also a data point for Scale Set. You can click on the Scale Set name to drill down to its corresponding inventory report.


September 2018

CloudCheckr has published an update to its self-hosted offering. This update contains several new features and reports to the application.

You can obtain this update by downloading the newest version from the marketplace where you purchased CloudCheckr originally, or by contacting your CloudCheckr account manager.

Please note that, upon installation of the updates, all new features and reports may not appear in your account until CloudCheckr performs report updates against these changes.

For information on how to get started with the self-hosted offering, click here.

Details of the Update:

GENERAL UPDATES

Performance Improvements

Page load time improvements

Improvements were made to the load times for reports across the application.

Performance of the list of accounts page has been improved

When navigating to the main list of accounts page (the landing page upon logging in) the page will now load faster.

Improved experience for users utilizing IE11

Bug fixes and usability enhancements to allow for a better user experience with Internet Explorer 11.

 

UI Updates

The report navigation and user interface has been revamped

The new design takes a lot of cues from the mobile app world and frees up more of the screen’s real estate for CloudCheckr’s extensive reports. Previously, the side menu had a long list of text-based menu options. Now, the app shows icons for categories like Cost, Best Practice Checks, Security, Utilization, and Automation. Once an icon is selected, the familiar text menu displays. Select a task and the menu goes away. The header also takes up less vertical space by using icons and a “hamburger” (three horizontal lines, like a slice of meat between a bun) menu, similar to a mobile app.


Check out this walkthrough of the new user interface:

Added Report/Settings search to the application

When logged into any account you will now find a search bar at the top of the application. You can type into the search and CloudCheckr will display a list of reports that match that term. You can then click on the name of the report you would like and you will automatically be taken to that report. That allows you to bypass the left-hand report navigation and more easily and quickly find the reports you’d like to view.

Redesigned report action icons

The action icons in the reports (CSV and PDF exports, show/hide filters, and bookmarks) have been redesigned, make it easier to identify the icons and understand what each does.

What’s New moved in the application

The What’s New has been removed from the main list of accounts page. You can now find it by clicking on the Settings icon in the top-right corner of the application, from any page within the application. Simply select ‘What’s New’ from the menu and a pop-up will display, showing the details of the latest updates.

Improvements to navigation tooltips

When hovering your mouse over the left-hand report navigation menu, or the top navigation menu, text will display listing its corresponding report/page.

Redesigned the Best Practice Report check icons

The icons to the right of the best practice checks have been completely redesigned, making it easier to see and easier to know what action each icon leads to.

Updated terminology in List of Accounts page

In the list of accounts page the terms “Payer” and “Payee” have been re-named “Parent” and “Child”. You will see this in the checkboxes that are used to filter the list of accounts.

Copying Bookmark links to clipboard will now give ‘Success’ message

Can now add a secondary custom logo for the app (versus emails and reports)

Because the new UI design will modify the space for the custom logo and its background color, you now have the ability to upload a logo solely for the header. If no header logo is specified, the default custom logo will be used for the application header. Supported file types: jpg, png & gif. For best display we recommend an image with a height no larger than 26 pixels. Custom logos can be managed by Admin users by clicking on the Settings icon at the top of the app and selecting ‘Customization’ from the dropdown menu.

Custom Logos will now display properly in the Safari web browser.

 

Access Management Improvements

New Read-Only user role

A new Read-Only user role has been added to the application. Users with this level of access can view all reports/features that they have been granted access to, but will not be able to make any updates, save reports, or make any other changes to an account.

Can now support multiple SSO providers in a single customer

CloudCheckr now supports multiple Single Sign-On providers within a single customer account. If you would like to take advantage of this new capability, please use the CONTACT SUPPORT button at the top of this page to get in touch.

Can now add users to multiple user groups

You now have the ability to assign a user to multiple user groups. When creating or editing a user instead of a dropdown, the ‘Group Permissions’ option will be a multi-select list, allowing you to add the user to as many groups as you would like.

NOTE: The user will inherit ALL permissions within the groups that they are assigned. For example, if a user is added to Group A and Group B, and Group A gives access to the Billing Dashboard for Account1 and Group B does NOT give access to the Billing Dashboard for Account1, the user will have access to the Billing Dashboard.

Tiered customers can now inherit SSO Identity Provider from their parent

Child customers, in a tiered customer configuration, can now inherit the SAML SSO authentication option enabled within the parent customer.

Add/Edit User Group Permissions are now alphabetically sorted

When Admin users are adding or editing users, the list of groups within the ‘Group Permissions’ dropdown will now be sorted alphabetically.

List of Users can now be sorted by the Name column

Admin users can now sort the Name column of the list of users alphabetically. Note that sorting will be added to other columns in future updates.

 

Application-wide Features

Added Integrations to the Alerts notification options

We have added a single location to manage integrations for alert and best practice notifications. These integrations can all be managed within the Account Settings > Configurations > Integrations page. When configuring your alerts, the notification options setup within this page will be available as the notification method. These will include SNS, Syslog, Service Now and Slack.

NOTE: When configuring Service Now as an integration, you will be prompted to enter the following details from Service Now: Instance, ClientId, ClientSecret, Username, Password, and Assignment Group / sys_id.

 

Dashboard Updates

Admins now have access to all Dashboards by default

Admin users will now be able to view all dashboards within their account. Previously they had to be manually assigned to a dashboard to be able to view the dashboard.

New Dashboard Pane:

  • Advanced Grouping Saved Filter

Cost for Saved Filter Over Time Dashboard pane drills into Adv. Grouping report

When viewing the ‘Cost for Saved Filter Over Time’ pane within the Dashboard, you’ll now see a link within the pane. Clicking that link will take you directly to the Advanced Grouping report within that account, filtered to the saved filter and time range.

 

Miscellaneous Updates

Report emails will now be sent from ‘no-reply@cloudcheckr.com’

Report emails that were previously being sent from ‘support@cloudcheckr.com’ will now be sent from ‘no-reply@cloudcheckr.com’. This will allow you to setup email rules to process the report updates and not have those impact communication from the CloudCheckr support team. Please review your email filters related to CloudCheckr.

Whitelabel Customers can have customized alert sender address

Whitelabel customers can now designate a sender address to replace emails that are sent from alerts@cloudcheckr.com. Please contact support@cloudcheckr.com if you would like to take advantage of this new capability.

 

API UPDATES

Added API Keys for multi-account views

You can now create dedicated API keys for multi-account views. These can be created and managed by loading a multi-account view and navigating to the Account Settings > API Access Keys menu.

52 New API Calls:

  • account/add_third_party_account
  • account/add_third_party_accounts
  • account/edit_third_party_account
  • account/edit_third_party_accounts
  • account/get_third_party_account
  • account/get_third_party_accounts
  • account/delete_third_party_account
  • account/delete_third_party_accounts
  • save_best_practice_notification_v2
  • alert/add_cost_alert_percent
  • billing/delete_detailed_billing_grouped_filter
  • billing/schedule_invoice
  • account/forgot_password
  • billing/get_tag_rules
  • billing/add_tag_rule
  • billing/delete_tag_rule
  • billing/create_detailed_billing_grouped_filter
  • billing/schedule_report_email_advanced_grouping
  • admin/list_reseller_links_v2
  • get_resources_ec2_hosts
  • get_resources_vpc_vpn_connections_details
  • get_resources_route_tables
  • get_resources_customer_gateways
  • get_password_policy
  • get_cloudtrail_trails
  • get_resources_vpc_vpn_gateways
  • get_vpc_subnets
  • get_resources_aws_internet_gateways
  • get_resources_ec2_network_interfaces
  • account.json/add_acls_per_account_per_group
  • account.json/add_user_to_group
  • account.json/clone_group
  • account.json/create_group
  • account.json/delete_acl_from_group
  • account.json/delete_group
  • account.json/get_access_control_list
  • account.json/get_accounts_by_group
  • account.json/get_acls_per_account_per_group
  • account.json/get_groups_v2
  • account.json/get_users_by_group
  • account.json/remove_users_from_group
  • billing/add_custom_billing_charge_fixed
  • billing/edit_custom_billing_charge_fixed
  • billing/delete_custom_billing_charge
  • billing/delete_custom_billing_charge_fixed
  • billing/delete_custom_billing_charge_monthly percent
  • billing/delete_custom_billing_charge_percent_all_charges
  • billing/azure_add_custom_billing_charge_fixed
  • best_practice/ignore_best_practice
  • billing/get_billing_detailed_grouped_pdf
  • billing/add_undiscovered_aws_account_id
  • billing/azure_add_custom_billing_charge_monthly_percent

Added 34 new compliance frameworks to get_best_practices_v3

The output of the get_best_practices_v3 API call will now include mappings to 35 compliance frameworks (including CIS, HIPAA, NIST, PCI, and ISO). You can use the filter_by_compliance_controls parameter with this call to retrieve results from specific frameworks. In a future update these frameworks will also be added to the application making them accessible within the Security reports.

Added two optional parameters to create_account_family and modify_account_family API Calls:

  • Project Code
  • Payment Terms

Added new optional parameter to get_best_practices_v3:

  • filter_by_compliance_controls

Added Azure support for:

  • account/get_improperly_tagged_resources
  • billing/get_billing_detailed_grouped_pdf
  • billing/get_improperly_tagged_resources

Added Azure Security Center information to output of:

  • get_best_practices_v2

Added additional output fields to:

  • get_resources_virtual_machine_details

AWS UPDATES

 

AWS GENERAL UPDATES

Improved error messaging when entering account credentials

You will now see a better error response when failing to add/update credentials to an account.

AWS Account Id now included in payload of alerts delivered to SNS topics

The alerts sent through an SNS Topic will now include the AWS account Id.

Add/Edit Credentials page instructions improved

The page where AWS Credentials are added/edited has been updated to match recent changes made to the AWS Console.

 

AWS COST UPDATES

Historic DBRs will now lock automatically

When a historic billing month is processed, CloudCheckr will automatically lock that month. This will prevent any unanticipated reloading of data.

Improvements to Reload DBR page

In addition to renaming the page to “Reprocess Detailed Billing Report”, months will now disable when selected for reprocessing to make it more clear which months you’ve set to reprocess.

Redesigned Account Families

The Account Families user experience has been completely redesigned. In addition to a new interface, you now have the ability to choose custom charges for the families, add project codes, and establish payment terms.

Can now choose usage date range for RI Purchase Recommendations

Within the Cost > Reserved Usage > EC2 > Purchase by Instance and Purchase by Frequency reports, you now have the ability to choose the usage date range that will be used to make RI purchase recommendations. You can choose between 30 (default), 60, 90, and 180 days.

Added DynamoDB to RI Historical Savings report

Support for the DynamoDB service has been added to RI Historical Savings report.

Amortization now supports RDS and EC2 Flex RIs

If amortization is enabled within your account (this can be configured within the Cost > AWS Partner Tools > Configure Custom Cost menu), RDS and EC2 Flex RIs will now be properly accounted for.

Added Redshift and Elasticache to RI Historical Savings report

The Cost > Reserved Usage > Historical Savings report now supports Redshift and Elasticache, in addition to EC2 and RDS.

Added support for RDS Flexible Reserved DB Instances

Amortization now supported for Dedicated Host RIs

Supporting All Upfront RIs within the Cost and Usage report

CloudCheckr can now retrieve the All Upfront EC2 Reserved Instance inventory from the Cost and Usage report to be used for List Cost RI unsharing.

Project Code added to filters and grouping in Advanced Grouping

In a previous update we added a Project Code field to Account Families. You can now create cost reports within the Advanced Grouping report focused on these Projects Codes. You can both filter and group by Project Code within the report.

Can now Group and Aggregate the Advanced Grouping report by week

Users now have the ability to both aggregate and group their cost data by Week within the Advanced Grouping report. With this update you can now view your data by day, week, or month.

New export option added to Profit Analysis

Previously when exporting the Profit Analysis report to CSV it would include both a summary and grouping by account. Now you have the ability to differentiate between the two and export separately.

Standardization improvements to Cost Savings CSV Export

The Cost Savings CSV export has been improved. With this update the same columns for different services (EC2 and RDS, for example) will be in the same order.

List of Redshift Reserved Nodes CSV export maintains filters

Now, when applying filters to the Redshift Reserved Nodes report and generating a CSV export, the export will only contain those nodes that were listed within the report upon export.

Added Instances using RIs to the EC2 and RDS List of Reserved Instances exports

Added spot savings to CSV export from the Cost Savings report

CSV exports from the Cost Savings report will now include the potential spot savings.

Added currently running instances to the RI Purchase Recommendations CSV export

A “Currently Running Instances” column has been added to the CSV export of the EC2 RI Purchase Recommendation report.

Added additional filter options to List Cost Analysis

You can now filter the List Cost Analysis report (found within the AWS Partner Tools menu) by Project Code and/or Charge Type.

Added the ability to enable/disable CUR processing

We have added the ability to enable/disable processing the AWS Cost and Usage Report. This can be managed within the Account Settings > Cost And Usage Report screen.

Enterprise Support added as Payee Support option

When configuring Payee Support charges within the Cost > AWS Partner Tools menu, in addition to Business Support, you can now have CloudCheckr calculate and apply Enterprise Support fees.

Added additional filter options to RI Mapping

The Cost > Partner Tools > Configure > Reserved Instance Mapping report has been updated, allowing you to filter on additional criteria.

DBR Export delivery improvements

When exporting a copy of the DBR you will now be given a download link to obtain the file. This will allow for more consistent and reliable downloads.

NOTE: The link will expire after 24 hours.

Added the ability to generate invoices with increased decimal precision

When generating invoices you now have have the ability to show precise values, which is controlled with a checkbox. Enabling precise values will display the line items out to the maximum number of decimals provided by AWS. Please note that the total will still be rounded to two digits.

Added Account Id search to Cost Summary reports

The Account Id dropdowns within the Cost Summary reports now have a search box that allows you to find accounts by Id or Name.

This is supported for reports within the Cost > AWS Billing > Summary Reports menu.

Added pagination to Profit Analysis

The Profit Analysis report, found within the Cost > AWS Partner Tools > Report menu, now supports pagination making it easier to navigate against a large number of accounts.

 

AWS TOTAL COMPLIANCE UPDATES

HIPAA Compliance page added

Within the Security > Secure Configuration menu, you will now have access to a HIPAA Compliance Controls report. Similarly to the CIS Benchmarks report, this page will map HIPAA compliance controls to CloudCheckr’s best practice checks, alerting you on those that are not set correctly according to HIPAA’s guidelines.

7 New CIS Benchmarks:

  • 1.17 Enable Detailed Billing
  • 1.21 Ensure IAM Instance Roles are used for AWS resource access from Instances
  • 1.24 Ensure IAM Policies that allow full “:” admin privileges are not created
  • 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls
  • 3.14 Ensure a log metric filter and alarm exist for VPC changes
  • 3.3 Ensure a log metric filter and alarm exist for usage of “root” account
  • 3.4 Ensure a log metric filter and alarm exist for IAM policy changes

CIS Benchmark report can now be delivered via weekly/monthly email

You can now have the CIS Benchmark report delivered to your inbox on a weekly and/or monthly basis. These emails can be enabled within the Account Settings > Email Settings menu.

Added text box to some CIS Benchmarks

You can now save notes within specific CIS Benchmarks that are visible to other users within your account.

 

AWS BEST PRACTICE UPDATES

Removed the Best Practice Dashboard view

The Dashboard version of the Best Practice report has been removed.

Expiring RI Best Practice Checks will now include instance count

The Best Practice report checks that focus on expiring reserved instances will now include the number of instances within the reservation.

Improved experience when re-building historic Best Practice Checks within MAVs

When loading an historic Best Practice Check report in large accounts, we may need to re-build the data for the report. In these situations, a back-end process will run to rebuild the data which can take 5-60 minutes, depending on the amount of data. Previously the historic report was inaccessible until this process completed. With this update, the checks will be available immediately for view, however, the details of the checks (when you expand) will still be rebuilt in the background.

Best Practice report drilldown into CIS Benchmark report

Best Practice checks that map only to CIS Benchmarks will now allow you to drilldown from the Best Practice report directly to that check within the CIS Benchmark report.

Blocklisted IP Address best practice check configuration popup improved

When configuring the Blocklisted IP Address Making API Calls best practice check, the screen where you choose the IP lists has been enhanced, allowing you to search and filter.

Performance improvements when loading the Best Practice report

11 New Best Practice Checks:

  • Log metric filter and alarm do not exist for Management Console sign-in without MFA
  • Log metric filter and alarm do not exist for CloudTrail configuration changes
  • Log metric filter and alarm do not exist for AWS Management Console authentication failures
  • Log metric filter and alarm do not exist for disabling or scheduled deletion of customer created CMKs
  • Log metric filter and alarm do not exist for S3 bucket policy changes
  • Log Metric Filter and Alarm Do Not Exist for Usage of “Root” Account
  • Detailed Billing Enabled
  • EC2 Instances Not using IAM Profile role
  • SNS Topics that Allow ‘Everyone’ to Publish
  • SNS Topics that Allow ‘Everyone’ to Subscribe
  • IAM User Policies with full admin privileges

 

AWS SECURITY UPDATES

CloudTrail Performance increases for retrieval of historical CloudTrail data

Improvements have been made to the CloudTrail historic data retrieval process, allowing the data to populate within the accounts much faster.

AWS Config & VPC Flow Log Data Processing Improved

The speed of processing the data from both VPC Flow Logs and AWS Config have also been greatly improved.

Alerting On/Off flag for CloudTrail Alerts updated and color-coded

The slider that allows you to turn CloudTrail Alerts on and off has been re-designed. The new slider is color coded, making it easier to identify those alerts that are currently enabled.

Added support for Elastic File Store in Change Monitoring

The Security > Activity Monitoring > Change Monitoring report will include changes found within the Elastic File Store service.

Changes made to the Blocklisted IP lists are now saved to the Admin Audit Log

The Admin Audit Log, which is accessible through the Admin Functions on the list of accounts page, now will include changes made to the Blocklisted IP lists.

Added ability to manage blocklists in the Blocklisted IP address making API calls CloudTrail alert

When creating a copy of the Blocklisted IP address making API calls CloudTrail alert you now have the ability to choose the blocklists that the alert utilizes.

Improved large PDF export requests from List of VPCs report

When exporting more than 100 VPCs from the Security > Secure Configuration > VPC > List of VPCs report, CloudCheckr will deliver the PDF via email.

CSV export added to List of NAT Gateways report

The List of NAT Gateways report (found within the Security > Secure Configuration menu) now supports exports to CSV.

List of VPCs CSV export improvements

The CSV export from the Security > Secure Configuration > VPC > List of VPCs report has been updated to include all fields available within the report.

5 New CloudTrail Pre-Built Alerts:

  • User without MFA making console logins
  • CloudTrail configuration changed
  • CMK disabled or scheduled for deletion
  • Unauthorized API call
  • Changes have been made to route table

 

AWS INVENTORY UPDATES

Add support for X1e & C5 EC2 instances

Date value for each row added to the EC2 History by Time CSV Export

The exported CSV file from the Inventory > Trending > EC2 History by Time report will now include the date for each row.

Added ability to filter S3 Buckets Not Enforcing Server-Side Encryption With A Bucket Policy check by tag

The S3 Buckets Not Enforcing Server-Side Encryption With A Bucket Policy best practice check can now be filtered by tag.

Added filtering capabilities to the IoT Inventory report

You can now filter the Inventory > IoT > List of Things report by Name and Attribute.

List of IAM Users report added to Inventory Custom Report Builder

When creating custom reports within the Inventory > Custom Reports > Builder you will now have an option to build an ‘IAM Users’ report.

 

AWS AUTOMATION UPDATES

Descriptions for Fix Now actions more clearly written

When executing a Fix Now function within a best practice check, you will now see a list of the steps being taken to execute the request.

Fix Now checks will now display missing permissions

When attempting to set a best practice check to ‘Fix Now’, you will now be alerted to any missing permissions needed to execute the request.

Added Fix Now capabilities to the following Best Practice checks:

  • No IAM Administrators Group Found
  • Regions without AWS Config Enabled check
  • S3 Buckets That Allow Authenticated Users To Access Billing Report Log Files
  • S3 Buckets That Allow Everyone Access to Billing Reports
  • S3 Buckets With Logging Not Enabled
  • IAM Users That Do Not Belong To Groups
  • IAM Role Policies with Full Admin Privileges
  • S3 Buckets That Allow Everyone Access to CloudFront Log Files
  • S3 Buckets That Allow Authenticated Users Access to CloudFront Log Files
  • S3 Buckets With Logging Not Enabled
  • SQS Queues with Permissions set to Everyone check
  • S3 Public Sensitive Objects Stored
  • S3 Public Sensitive Objects Stored Permission Set To Authenticated Users
  • EBS Volumes with Excessive Snapshots check

‘Fix Always’ option now restricted to only Admin users for Fix Now checks

When clicking on the Fix Now button within a best practice check only Admin users will see the ‘Fix Always’ option. Non-Admin users will only have the option to fix now.

Removed Self-Healing ability for resizing EC2 instances

The ability to have EC2 instances automatically right-size has been removed to eliminate the possibility of critical instances being unexpectedly impacted.

Added Self-Healing support for 3 checks

Within the Automation > Setup menu you can now set the following checks to be ‘Self-Healing’, meaning that CloudCheckr will automatically fix these when any issues are detected:

  • EBS Volumes With No Recent Snapshots (30 days)
  • EBS Volumes With No Recent Snapshots (7 days)
  • EBS Volumes Without A Snapshot

AZURE UPDATES

 

AZURE GENERAL UPDATES

CloudCheckr can be configured as an SSO app in Azure Active Directory

You now have the ability to add CloudCheckr as an SSO app within your Azure portal. If you would like to configure this option with your account, please contact support@cloudcheckr.com.

Added Support for the Germany region

When configuring a new account, the “Select the Azure Account Type” option will now include ‘Azure Germany’ as an option. Choose this when setting up an account from the Germany region to ensure proper reporting.

New Active Directory Account Type

When adding accounts to Azure, you now have the option to collect information from Active Directory. In addition to Active Directory information, this account type also allows us to report against Office 365.

Added support for tiered reseller configuration

MSP customers that have their own resellers can now create Level 2 Azure resellers. Previously this was only support for AWS.

Automatically set currency / region when creating new accounts

CloudCheckr will now try to automatically set the billing currency and/or region of an account. If it can’t, these values can be set within the Account Settings > Edit Billing Configuration menu.

Allow a user to not import certain subscriptions under an CSP or EA account

Within the Account Settings > Edit Billing Configuration menu you now have the ability to exclude costs from any subscription from being retrieved by CloudCheckr. When configuring this option be sure to enter only the Subscription GUID associated with the subscription.

New notification message when EA account has account-level access keys instead of enrollment

You will now be notified if the credentials added to your Enterprise Agreement account uses account-level access keys instead of enrollment access keys. Enrollment access keys are recommended as they provide additional data that’s not available with account-level keys.

Added support for new Enterprise Billing APIs

With this behind-the-scenes update we now support the new Billing API.

 

AZURE COST UPDATES

Subscription Family redesign

The Subscription Families user experience has been completely redesigned. In addition to a new interface, you now have the ability to choose custom charges for the families, add project codes, and establish payment terms.

Invoice Generator can now be ordered by invoice amount

The Azure Invoice Generator (accessed within the Cost > Azure Partner Tools > Report menu) now has the option to sort the list of subscription families by invoice amount or alphabetically.

Can now choose usage date range for RI Purchase Recommendations

Within the Cost > Reserved Usage > Recommendations > Virtual Machines report, you now have the ability to choose the usage date range that will be used to make the purchase recommendations. You can choose between 30 (default), 60, 90, and 180 days.

Added ability to convert cost-only account to resource subscription

You now have the ability to convert an account that was setup as cost-only to a subscription with resources account. This allows you to have the accounts automatically created by the billing process and add credentials at a later time.

Better notification system when Billing Settings not configured

When we cannot determine the currency or billing region from an EA or CSP account, the notification system will now alert the customer to this issue and also redirect the user to the billing configuration screen to apply the proper settings.

Notification added for subscription families setup as resellers

For customers with a tiered reseller configuration, the Subscription Families page will now show a ‘Reseller’ notification for those Families that are configured as resellers.

Reserved VM Purchases are now reported in Advanced Grouping

The Advanced Grouping report now offers filter options for ‘Reservation’ within the charge model, allowing you to view and report against your Reserved VM purchases.

Improvements made to Historic Billing Summary Report load time

When loading data within the Cost > Azure Billing > Summary Reports > Historical Monthly Summary report, the data will be returned much quicker.

Added the ability to generate invoices off of saved filters

Within the Cost > Azure Partner Tools > Report > Generate Invoices menu you now have the ability to generate invoices based on saved filters created within the Advanced Grouping report. You will find saved filters as an option under the Report Format dropdown.

VM Reserved Instance Recommendations for non-US currencies

The Cost > Reserved Usage > Recommendations > Virtual Machines report now supports recommendations for non-US currencies.

Redirect users to the billing configuration page when appropriate

If you load an account that has not had its billing configuration set, you will now be redirected to the configuration page. This ensures your cost data is properly flowing into the account(s).

Improvements to Reserved Instance Purchase Recommendations

The Savings columns in the report have been updated to add clarity to the difference between 1 year and 3 year recommendations.

Clarity has also been improved where a one year purchase may not be cost effective, but a three year purchase would be.

Reserved Instance unsharing support added for Tiered Resellers

Reserved Instances will now be unshared when cost data is funneled down through the reseller tiers.

New CSP vs EA pricing comparison report

This new report within the Azure Partner Tools menu allows you to generate a CSV file showing the cost benefits of moving a specific Enterprise Agreement (EA) under your CSP.

Note, the EA account will need to be added to CloudCheckr to generate this comparison.

Added an Enterprise Agreement Cost Overage Alert

EA and CSP accounts will now receive one aggregated bill summary email per day (instead of one per subscription)

New price list comparison tool

Billing periods automatically lock when the period closes

Added the ability to manually lock/unlock billing periods

Added the ability to group by Instance Id in Advanced Grouping

Added support for basic Reserved Instance Unsharing

CloudCheckr will ‘unshare’ your Azure RIs, meaning it will ensure that only the accounts that should be getting the reserved instance benefit will. Those that are receiving a benefit will have those discounted costs recalculated at the proper rate.

Added the ability to generate invoices with increased decimal precision

When generating invoices you now have have the ability to show precise values, which is controlled with a checkbox. Enabling precise values will display the line items out to the maximum number of decimals provided by Azure. The total will still be rounded to two digits.

Improved the performance of the billing summary reports

The Cost > Summary Reports > Single Day, Single Month, and Historical Summary reports have been revamped, allowing them to load data much faster.

Custom charges can now display by description on invoices

A new checkbox has been added to the Cost > Azure Partner Tools > Generate Invoices screen, labeled, ‘Show custom charge descriptions’. When this checkbox is enabled, when you export an invoice any custom charges added to CloudCheckr will display as their description (instead of displaying as coming from the ‘Custom’ service). This will be true for any invoice other than Summary by Region, or invoices based on Saved Filters (those will adhere to the saved filter formatting). This will make it clear to the invoice recipient what the charges are for.

Advanced Grouping Emails Now Have Download Link for CSV

When the Advanced Grouping report is configured to send a CSV version of the report via email, those CSVs will now be delivered within a download link.

Added Chart to the EA Usage Summary report

A summary chart has been added to the EA Usage Summary report, which is available within the Cost > Summary Reports menu.

Added exports to the EA Usage Summary report

You can now also export the data from the EA Usage Summary report.

Added Spend Analysis report to multi-account views

The Spend Analysis report has been added to multi-account views. It can be accessed within the Cost > Spend Analysis menu.

Added monthly savings to the Right-Sizing reports

The summary table at the top of the Right-Sizing reports will include the estimated monthly savings achieved by acting on the recommendations.

 

AZURE BEST PRACTICE UPDATES

Added ability to edit best practice checks

CloudCheckr Admin users will now have the ability to edit the severity level of best practice checks, as well as disable/enable any check. The Best Practice Editor can be accessed within the Admin Functions dropdown on the main list of accounts. Be sure to choose Azure from the cloud provider dropdown to manage Azure-specific checks.

Added 8 new Best Practice Checks:

  • Virtual Machines using older version of VM types
  • Virtual Machines not using Managed Disks
  • VM without Forced Tunnelling Enabled
  • Blob Containers whose URLs are publicly accessible
  • Blob Containers whose URLs are publicly accessible
  • App Service Plan with Expired SSL Certificate
  • App Service Plan with Expiring SSL Certificate
  • Blob Containers Set to Full Public Read Access

 

AZURE SECURITY UPDATES

Publicly Accessible Resources alerts now support SQL Server

When creating Publicly Accessible Resources alerts within the Security > Alerts > Resources menu, you now have the option to alert against public SQL Servers.

Added support for App Service Plans tags to Inventory reports

Added support for Virtual Networks to change monitoring

The Security > Activity Monitoring > Change Monitoring report will include changes being made to Virtual Networks.

Added support for Subnets to change monitoring

The Security > Activity Monitoring > Change Monitoring report will include changes being made to Virtual Network Subnets.

Added List of Subnets and Subnet Summary reports

Security Group best practice checks now support augmented security rules

The Security best practice checks now correctly handle properties that allow multiple entries (i.e. source, destination, and port properties). This includes public access detection, ports exposes, etc. See here for more information: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#augmented-security-rules

 

AZURE INVENTORY UPDATES

Reporting on certificate information in App Service Plan reports

The details found within the Inventory > App Service Plan > List of App Service Plans will now include SSL Certificates. These can be found within the Web Apps section of the report.

Added Redis Cache right-sizing report

The Utilization menu now includes a Right-Sizing report for Redis Cache.

Update CSV output of List of Resource Groups report

The CSV export now includes the tag names and values of the Resource Groups.

Added the VM Trending report to Multi-Account Views

Added Virtual Network Detail report

3 New Dashboard Panes:

  • VM CPU Utilization
  • Azure VM Count
  • Virtual Machines Pie Chart

Additional Operating System information added to List of VMs report

Now you will be able to see the exact operation system of your VMs within the Inventory > VM > List of VMs report.

Added Load Balancers to the Publicly Accessible Resources alert

When configuring the Publicly Accessible Resources alert within the Security > Alerts > Manager screen, you now have the option to also be alerted against publicly accessible Load Balancers.

Inventory reports will now include tags from App Service Plans where applicable

 

AZURE OFFICE 365 UPDATES

The new Active Directory accounts include the following Office 365 users reports:

  • Sharepoint User Activity
  • OneDrive Overall Usage
  • Mailbox Overall Usage
  • Teams Usage by User
  • Licenses Report
  • Yammer Usage Report
  • Mailbox
  • Skype
  • OneDrive
  • Teams
  • User Summary
  • List of Users



April 2018

CloudCheckr has published an update to it’s self-hosted offering. This update contains several new features and reports to the application.

You can obtain this update by downloading the newest version from the marketplace where you purchased CloudCheckr originally, or by contacting your CloudCheckr account manager.

Please note that, upon installation of the updates, all new features and reports may not appear in your account until CloudCheckr performs report updates against these changes.

Note: For information on how to get started with the self-hosted offering, click here.


Details of the Update:

GENERAL UPDATES

Re-implemented two Admin functions on List of Accounts page:

  • CSV Account Upload – allows you to upload a CSV for bulk account creation.
  • Save List of Accounts to CSV – allows you to export a list of your accounts to a CSV file.

Updated Forgot Password screens and workflow

In addition to an improved look and feel, when using the forgot password function, CloudCheckr will email you a link to the rest password page, and a key you must enter into a form on that page.

Showing/hiding columns on the list of accounts page

The list of accounts page now gives you the option to choose which columns to show or hide.

API Updates

7 New Azure Calls:

  • account/add_azure_csp_account
  • account/add_azure_ea_account
  • account/add_azure_inventory_account
  • account/edit_azure_csp_credential
  • account/edit_azure_ea_credential
  • account/edit_azure_inventory_credential
  • inventory/get_resources_virtual_machine_details

1 New Admin Call:

  • account/get_accounts_v4

2 Calls Updated:

  • best_practice/get_best_practices_v2 API call now supports Azure
    billing/get_detailed_billing_with_grouping_v2 call now supports multi-account views

AWS UPDATES

GENERAL AWS UPDATES

CloudFormation Template will now read as ‘CC’ instead of ‘CloudCheckr’

When using the CloudFormation (instead of Manual) option when configuring accounts, the template URL will read ‘CC’ instead of ‘CloudCheckr’.

Partner Tools being logged in Audit Log

Any changes being made against the following features within the Cost > AWS Partner Tools menu will be captured by the Admin Audit log.

  • Custom Billing Charges
  • Configure Custom Cost
  • Payee Support Charges
  • Custom Usage Rates
AWS COST UPDATES

Custom Charges display by description in invoices

A new checkbox has been added to the Cost > AWS Partner Tools > Report > Generate Invoices screen, labeled, ‘Show custom charge descriptions’. When this checkbox is enabled, when you export an invoice any custom charges added to CloudCheckr will display as their description (instead of displaying as coming from the ‘Custom’ service). This will be true for any invoice other than Summary by Region, or invoices based on Saved Filters (those will adhere to the saved filter formatting). This will make it clear to the invoice recipient what the charges are for.

Added rounding notification to Monthly Billing Summary report

The Cost > AWS Billing > Summary Reports > Monthly report now includes help text at the top explaining how rounding large decimals can impact the costs displayed within CloudCheckr.

Added the ability to include credits in Advance Grouping report

The Advanced Grouping report will now include credits by default. There is a checkbox added to the report that allows you to hide these credits if you would like a cost-only report. Note that historic months will need to be reloaded to see credits in this report.

Performance Improvements to Advanced Grouping saved filter generation

The back-end process to build that data for saved filters for the Advanced Grouping report has been improved, allowing for much faster build times.

Added the ability to include account families in advance grouping report

When filtering by accounts within the Advanced Grouping report you now can choose to filter by AWS account, or by Account Family.

Enable custom charges by a group of accounts

When adding custom charge tiers you now have the option to either sum all accounts and pass those through the custom tiers, or to pass each individual account through the tiers. This provides greater control and flexibility when establishing custom charges.

Tag Mapping now supports Tag AND Property mapping in same rule

When setting up tag mappings previously they could only be setup to map a tag or a property. Not both. Now, you can map both a tag and a property in the same mapping. These are configured within the Cost > Tags > Tag Mapping report.

Added PDF Export to RI Purchase Recommendation Reports

  • EC2 by Instance
  • EC2 by Frequency
  • RDS
AWS INVENTORY UPDATES

Re-implemented Find AWS Resource functionality to list of accounts page

The main list of accounts page offers the ‘Find AWS Resource’ button and functionality once again. This button allows you to find which account owns specific AWS resources.

Updated RDS List of Instances CSV export

The CSV export from the Inventory > RDS > List of DB Instances has been updated to more closely match the format from the List of EC2 Instances export.

Can now add List of S3 buckets directly to custom reports

You can now save your List of S3 Buckets reports directly to custom reports from the Inventory > S3 > List of Buckets report. Previously you had to use the Create Custom Report functionality to save S3 reports.

Lambda added to the Untagged Resources report

The Inventory > Tagged and Inventory > Untagged Resources reports will now both report against Lambda.

Added inventory tag support for:

  • Glacier
  • DynamoDB
  • Elasticache
  • Lambda
  • KMS
  • EFS

Added List of Elastic File Systems Inventory reports

A Summary and List of Elastic File Systems report has been added to the Inventory > EFS menu.

CSV export added to Certificate Manager

AWS ALERTING UPDATES

Ability to filter Network Usage alerts by Account

When creating Network Usage alerts within the Cost > Alerts > Manager menu, you now have the ability to filter these alerts by AWS account.

More information added to SNS Alert Notifications

Alerts delivered via SNS will now include details for the alert that was triggered. Previously, the SNS message only stated that an alert was triggered with no other information. Please note that the next update will expand upon the amount of detail being delivered within the SNS alert.

AWS BEST PRACTICE UPDATES

Stale IAM Users check now shows user and password creation date

The data displayed within the Stale IAM Users best practice check has been updated to include the user and password creation date.

Added the ability to configure the IP list in the Blocklisted IP Address Making API Calls check

You now have the ability to configure the IP lists for the Blocklisted IP Address Making API Calls best practice check. To update the check configuration click on the gear icon to the right of that check, which can be found on the Security tab.

NOTE: The IP lists can be created and managed within the Admin Functions list on the main list of accounts page.

10 new best practice checks:

  • IAM Role Policies with full admin privileges
  • Default Security Groups Allowing Traffic
  • IAM Users with Console Access Should Not Have Access Keys That Were Created at Initial User Setup
  • Default Security Groups Should Not Allow Any Traffic
  • Lambda functions with Admin privileges
  • CloudTrail Logs Not Encrypted at Rest Using KMS CMK
  • No support role has been created to manage incidents with AWS Support
  • Rotation not enabled for customer created CMKs for KMS encryption
  • Cloudtrail Bucket(s) Without Access Logging Enabled
  • EC2-Classic Security Groups Inbound Rules With Potentially Dangerous Port 22 Exposed
AWS SECURITY UPDATES

Added KMS Key Id to List of Trails report

The Security > Activity Monitoring > AWS API (CloudTrail) > List of Trails report will now display the KMS key Id, if applicable.

Added ability to view more than 20 connections in VPC Flow Logs

Pagination capabilities have been added to the VPC Flow Logs report, allowing users to view more than the top 20 connections.

11 New CIS Benchmarks

  • 1.18 Enable Ensure IAM Master and IAM Manager Roles are Active
  • 1.19 – Maintain current contact details
  • 1.2 – Ensure CloudTrail log file validation is enabled
  • 1.23 – Do not setup access keys during initial user setup for all IAM users that have a console password
  • 2.6 – Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • 2.8 – Ensure rotation for customer created CMKs is enabled
  • 3.15 – Ensure appropriate subscribers to each SNS topic
  • 4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
  • 4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 338
  • 4.3 – Ensure VPC flow logging is enabled in all VPCs
  • 4.4 – Ensure The Default Security Group of Every VPC Restricts All Traffic
AWS AUTOMATION UPDATES

Workflows broken into tabs

The Automation > Workflows page has been reorganized into multiple tabs. Non-workflow admin users will see tabs for their open and closed workflows. Workflow admins will see their open and closed workflows, as well as all open and closed admin workflows.

Automation Workflows screen reorganized to display newest items first

Workflows now default to showing the newest items first, making it easier to identify the most recently executed tasks.

Fix-Now Capabilities added to 3 best practice checks:

  • IAM Password Policy Not Enabled
  • CloudTrail Unauthorized Access Attempts
  • EBS Volumes without Recent Snapshot

Fix Now capabilities will now only display on most recent Best Practice Report

When viewing the Best Practice report you will only be able to utilize the ‘Fix Now’ capabilities in the most recent version of the report. Looking at historical reports will disable this functionality.

Usability improvements to Inbound Rules Fix Now capability

The interface and workflow for configuring the Fix Now options for the inbound rules best practice checks has been improved.

AWS UTILIZATION UPDATES

Added instance name and average metrics to Heatmap exports

When exporting Heatmaps to PDF from the Utilization menu, you will now see a second page showing the instance name and instance-specific metrics.


AZURE UPDATES

GENERAL AZURE UPDATES

Added support for South Africa’s North and West locations

AZURE COST UPDATES

Added EA Usage Summary Report

The EA Usage Summary report, available within the Cost > Summary Reports menu, will show details including Balance, Commitment, and Overages, for the agreement.

Custom Charges now support an end date

When creating and editing custom charged within the Cost > Azure Partner Tools > Custom Charges screen, you can now apply an end date to the custom charges.

Performance improvement to the Billing Dashboard

The Cost > Azure Billing > Dashboard report has been revamped, making it load and retrieve data much faster.

Improvements to the following CSV exports:

  • Historical Month Billing Summary
  • Single Day Billing Summary
  • Single Month Billing Summary

Added Profit Analysis report

The Profit Analysis report has been added to the Partner Tools menu.

Can now specify currency and region for billing collection

You can now specify the currency and region for an Azure Inventory account that has billing data collection enabled. This is managed within the Billing Settings menu.

AZURE INVENTORY UPDATES

Added Service Requests Inventory reports for CSP

CSP accounts will now have an Inventory > Service Request menu where details about services requests can be reviewed.

Added List of Application Gateways Inventory report

There is new List of Application Gateways report. This report can be accessed within the Inventory > Networking menu.

Added Subscription to List of VMs report in Multi-Account Views

When viewing the List of Virtual Machines report within multi-account views, the Subscription where the VM resides will now display.

Added Azure Container Service Inventory Reports

A new Summary and Detailed report has been added to the Inventory > Container Services menu.

Added an Improperly Tagged Resources daily email

You can now have the output of the Improperly Tagged Resources report emailed on a daily basis. This email can be enabled and configured within the Account Settings > Email Settings menu. NOTE: you must first create tag rules within the Cost > Tagging > Tagging Rules menu.

Improved the format of the Improperly Tagged Resources CSV export

Additional data displayed for Redis Cache inventory

Added charts to VM Scale Set Summary

The VM Scale Set Summary report within the Inventory menu now has additional pie charts.

Added Untagged Resources Report

An Untagged Resources report has been added to the Inventory module. This report allows you to see which resources are missing tags, or are missing specific tags.

Added Snapshots to Managed Disk inventory reports

A new report for Snapshots has been added to the Managed Disk inventory.

AZURE SECURITY UPDATES

Added three services to change monitoring:

  • App Service Plans
  • Load Balancers
  • Application Gateways

Redis Cache added to Change Monitoring

The Security > Activity Monitoring > Change Monitor report now reports against changes made to Redis Cache.

AZURE BEST PRACTICE UPDATES

Reorganized Azure Network Security Group check into ‘with’ and ‘without’ resources

The Network Security Group best practice checks have been redone. Now there ware two checks for each: one for those groups WITH resources, and one for those WITHOUT.

These are the checks that have been updated:

  • Network Security Groups Outbound Rules Set To All Ports
  • Network Security Groups Inbound Rules with Potentially Dangerous Ports Exposed
  • Network Security Groups Inbound Rules with Specific Ports Exposed
  • Network Security Groups Outbound Rules with Dangerous Ports Exposed
  • Network Security Groups Outbound Rules with Potentially Dangerous Ports Exposed
  • Network Security Groups Inbound Rules Set to All IPs and All Ports
  • Network Security Groups Outbound Rules Set to All IPs and All Ports

Added cost to the details of the App Service Plans with No Apps check

The App Service Plans with No Apps best practice check has been updated to show the cost of the App Service Plan(s) being flagged by the check.

Added 15 New Best Practice Checks

  • Managed Disk without Backup Protection
  • Application Gateway with Web Application Firewall (WAF) Disabled
  • App Services with Unknown resource health
  • App Service Plan without AutoHeal Enabled
  • App Service Plan with under utilized memory
  • App Service Plan with over utilized memory
  • Managed Disk without delete lock
  • Network Security Groups Outbound Rules With Potentially Dangerous Ports Exposed
  • App Service Plan is Unavailable
  • App Service Plan Has Exceeded Usage Quota
  • App Service Plan CPU Under / Over Utilized
  • App Service without Backup Scheduling Enabled
  • App Service with SSL Disabled
  • App Service with Critical Recommendations
  • Idle SQL Server Database Instance

Added SQL DB Advisor recommendations to Best Practice Report

The Azure Advisor tab in the Best Practice report will now also include SQL DB Advisor recommendations.

Added configuration options to Idle SQL Database Instances check

You can now configure the parameters of the Idle SQL Database Instances best practice check, dictating the idle percentage as well as the number of days to check against.

AZURE UTILIZATION UPDATES

Added a Right-Sizing report for Azure SQL

The Utilization menu now includes a Right-Sizing report for Azure SQL.

Added App Service Plan Right Sizing report

A new right sizing report, specific to App Service Plan, has been added to the Utilization menu.

VM Right Sizing updated with information on enabling memory metrics for your VMs

If no memory metrics are available for your virtual machines, the right sizing report will notify you and offer information on how to populate that data.

Collecting SQL DTU metrics

SQL DTU (database transaction units) are now being collected for the SQL databases.



How did we do?