Change Management is a part of Cloudaware CMDB. Any object from your inventory that has been added to Cloudaware CMDB can be tracked for changes.

Once a change has been detected and recorded in Cloudaware CMDB, several possible actions can be taken depending on the customization and the nature of the change detected:

Possible outcomes of a change event can be combined. For example, we can request an approval, then execute one action if the change was approved and another action if it was rejected. Virtually any combination and permutation of workflows and approvals can be performed, including multiple approvals by different groups of approvers.

What Constitutes a Change Event?

Any modification of any object attribute within CMDB is a change event. By default, all changes are recorded into CMDB and the object history is updated to reflect what changed and when.

Approval Processes

Approval processes are necessary in order to be assured that the system is in an approved configuration state. Without approvals, we cannot be certain that the environment is in a state that complies with corporate security policies.

Common problems when approval processes are missing or are not implemented correctly:

  • Unauthorized security group changes

  • Changes that were approved for a short period of time but still linger

  • IAM Users who should no longer have access

  • IAM Users who should not have the level of access that they do

  • Unauthorized AMIs

  • Unauthorized object instances and databases that were created under cover, without anyone noticing

Prepackaged Approval Processes

There is a list of default approval processes that are prepackaged with Cloudaware. These approval processes are de-activated by default. Users can review, modify and activate them depending on their security program requirements.

Assigned To General AWS Security Queue

Assigned To Data Security Queue

  • CloudTrail is disabled

  • Snapshot shared into another account or made public

  • KMS Key Created or Granted

  • KMS Key Policy Modified

Assigned To Network Security Queue

Assigned To Access Control Queue

  • EC2 Instance open to 0.0.0.0/0

  • RDS Instance open to 0.0.0.0/0

  • VPC Peering Request Accepted/Initiated

  • All VPC Network ACL Modifications

  • All VPC Routing modifications

  • New IAM Policy attached to user

  • New IAM Policy attached to group

  • Access Key Granted To User

  • User group membership is modified

  • New IAM Policy attached to role

  • S3 bucket policy modified

  • New SAML Provider is created

Creating an Approval Process

Log in to your Cloudaware account → Setup → start typing Approval in the Quick search bar → Approval Processes. Before you start, think through:

  • Which object will be approved?

  • What are the entry criteria? (e.g. CloudTrail status has to be disabled)

  • Who is the approver?

  • What happens when an object is submitted for approval?

  • What happens after approval?

  • What happens after rejection?

You then need to set up the Name and the entry criteria, apply filter logic if necessary, and select the approver:

Approval Status

Use the Approval Processes functionality to have any new record automatically submitted for your approval. You may be notified by email of each submission. Review a record's Approval Status to see the change and take an action. This field has a value ONLY if approval processes have been turned on. By default, approval processes are not turned on.

Possible values:

  • Blank, if approval processes have not been turned on

  • Blank, if a change requiring approval has not occurred

  • Pending, if a change requiring approval has occurred but has not been approved or rejected

  • Approved

  • Rejected


If an Approved or Rejected instance is modified once again in a way that meets the entry criteria, the value changes back to Pending.
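The status transitions described above, as an added example that is not Cloudaware's code: a minimal model of approval processes (object, entry criteria, approver queue, active flag) applied to a constructed EC2 record, showing the blank → Pending → Rejected → Pending path when the record is modified again. The process names and criteria are modelled on two prepackaged processes listed on this page; the record attributes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class ApprovalProcess:
    """Same anatomy as described above: object, entry criteria, approver."""
    name: str
    object_type: str
    entry_criteria: Callable[[Dict], bool]
    approver_queue: str
    active: bool = False          # prepackaged processes start de-activated

@dataclass
class CmdbRecord:
    object_type: str
    name: str
    attrs: Dict
    approval_status: str = ""     # blank until an active process fires
    submitted_to: Optional[str] = None
    history: List = field(default_factory=list)   # (attribute, old, new)

def record_change(rec: CmdbRecord, attr: str, value, processes: List[ApprovalProcess]) -> Optional[str]:
    """Log the attribute change to the record's history, then submit the record
    for approval if an active process for this object type matches its entry
    criteria. Returns the name of the process that fired, or None."""
    rec.history.append((attr, rec.attrs.get(attr), value))
    rec.attrs[attr] = value
    for p in processes:
        if p.active and p.object_type == rec.object_type and p.entry_criteria(rec.attrs):
            rec.approval_status = "Pending"   # also re-submits an Approved/Rejected record
            rec.submitted_to = p.approver_queue
            return p.name
    return None

def decide(rec: CmdbRecord, approved: bool) -> str:
    """Approver action on a Pending record."""
    if rec.approval_status != "Pending":
        raise ValueError("record is not awaiting approval")
    rec.approval_status = "Approved" if approved else "Rejected"
    return rec.approval_status

# Constructed sample processes; only the first one is activated.
PROCESSES = [
    ApprovalProcess("EC2 Instance open to 0.0.0.0/0", "EC2Instance",
                    lambda a: "0.0.0.0/0" in a.get("ingress_cidrs", []),
                    "Access Control Queue", active=True),
    ApprovalProcess("CloudTrail is disabled", "CloudTrail",
                    lambda a: a.get("status") == "disabled",
                    "Data Security Queue", active=False),
]

def demo() -> List[str]:
    """Walk one constructed EC2 record through the status transitions."""
    ec2 = CmdbRecord("EC2Instance", "web-01", {"ingress_cidrs": ["10.0.0.0/8"]})
    states = [ec2.approval_status]                                   # "" (no qualifying change yet)
    record_change(ec2, "ingress_cidrs", ["0.0.0.0/0"], PROCESSES)    # -> Pending
    states.append(ec2.approval_status)
    decide(ec2, approved=False)                                      # -> Rejected
    states.append(ec2.approval_status)
    record_change(ec2, "ingress_cidrs", ["0.0.0.0/0", "10.0.0.0/8"], PROCESSES)  # still matches -> Pending
    states.append(ec2.approval_status)
    return states
```

A change that matches only a de-activated process is still written to the record's history but never sets an Approval Status, which is why the field stays blank until a process is turned on.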

Track approval history directly in Cloudaware CMDB:

More about working with Salesforce Approval Processes is available here.

Field History Tracking

The section 'Changes History' under the tab 'Change Management' on an instance provides a quick way to view the instance's lifetime change log. It is not as detailed as the CloudTrail change log, but it is available on demand and does not require additional searching. For example, you can track any attribute of an AWS EC2 instance (instance size change, a tag being applied, HIDS Status changed, etc.).

Workflows

Cloudaware does not include any default workflows. However, workflows are a powerful Cloudaware feature that lets a user take custom actions when specific events occur.

Like approval processes, workflows can be triggered by a change of any attribute in any object. Here are some examples of popular workflows:

  • Send out an email when someone launches a 1st generation instance

  • Create a task if an instance appears to be overutilized for an extended period of time

  • Send an email if an instance is launched using an unapproved AMI

  • Enable a backup policy on an instance based on its name

  • Auto-attach an instance to an application based on its name

Workflows have the same anatomy as Approval Processes:

  • What object?

  • What are the entry criteria?

  • What is the action or actions?

More about working with Salesforce Workflows is available here.