Change Management - Overview
Change Management is a part of Cloudaware CMDB. Any object from your inventory that has been added to Cloudaware CMDB can be tracked for changes.
Once a change has been detected and recorded in Cloudaware CMDB, several possible actions can be taken depending on the customization and the nature of the change detected:
Possible outcomes of a change event can be combined. For example, we can request an approval and then execute one action if a change was approved and another action if a change was rejected. Virtually any combination and permutation of workflows and approvals can be performed, including multiple approvals by different groups of approvers.
What Constitutes a Change Event?
Any modification of any object attribute within CMDB is a change event. By default, all changes are recorded into CMDB and the object history is updated to reflect what changed and when.
Approval Processes
Approval processes are necessary to ensure that the system is in an approved configuration state. Without approvals, we cannot be certain that the environment is in a state that complies with corporate security policies.
Common problems when approval processes are missing or are not implemented correctly:
Unauthorized security group changes
Changes that were approved for a short period of time but still linger
IAM Users who should no longer have access
IAM Users who should not have the level of access that they do
Unauthorized AMIs
Unauthorized objects, instances and databases that were created covertly
Prepackaged Approval Processes
There is a list of default approval processes that are prepackaged with Cloudaware. These approval processes are deactivated by default. Users can review, modify and activate them depending on their security program requirements.
Assigned To General AWS Security Queue
Assigned To Data Security Queue
Assigned To Network Security Queue
Assigned To Access Control Queue
Creating an Approval Process
Log in to your Cloudaware account → Setup → start typing Approval in the Quick search bar → Approval Processes. To start, first think about:
Which object will be approved?
What are the entry criteria? (e.g. CloudTrail status has to be disabled)
Who is the approver?
What happens when the object is submitted for approval?
What happens after approval?
What happens after rejection?
You then need to set the name and entry criteria, apply filter logic if necessary, and select the approver.
Approval Status
Use the Approval Processes functionality to have any new record automatically submitted for your approval. You may be notified by email of each submission. Review a record’s Approval Status to assess the change and take an action. This field has a value ONLY if approval processes have been turned on. By default, approval processes are not turned on.
Possible values:
Blank, if approval processes have not been turned on
Blank, if a change requiring approval has not occurred
Pending, if a change requiring approval has occurred but has not been approved or rejected
Approved
Rejected
If an Approved or Rejected instance is modified again so that it meets the approval requirements, the value changes back to Pending.
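The status lifecycle described above, as a small model (an added example, not Cloudaware or Salesforce code). `TrackedObject`, `ApprovalProcess` and the attribute names are hypothetical, the entry criterion is the page's CloudTrail example, and the model assumes the criteria are re-evaluated on every change event.

```python
# Added illustration: a minimal model of the Approval Status lifecycle.
# All names here are hypothetical; this is not Cloudaware or Salesforce code.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class TrackedObject:
    attrs: dict
    approval_status: Optional[str] = None    # None models the "Blank" value
    history: list = field(default_factory=list)

@dataclass
class ApprovalProcess:
    name: str
    entry_criteria: Callable[[dict], bool]
    active: bool = False                      # deactivated by default

    def on_change(self, obj, attr, new_value):
        """Record a change event and submit the object for approval if it qualifies."""
        old = obj.attrs.get(attr)
        if old == new_value:
            return obj.approval_status        # nothing changed: not a change event
        obj.attrs[attr] = new_value
        obj.history.append((attr, old, new_value))  # history is recorded regardless
        if self.active and self.entry_criteria(obj.attrs):
            obj.approval_status = "Pending"   # also resets Approved/Rejected
        return obj.approval_status

    def decide(self, obj, approved):
        """Approver decision; only valid while the object is Pending."""
        if obj.approval_status != "Pending":
            raise ValueError("no pending approval for this object")
        obj.approval_status = "Approved" if approved else "Rejected"
        return obj.approval_status

def demo():
    # Constructed sample object; the criterion mirrors the page's CloudTrail example.
    trail = TrackedObject({"cloudtrail_status": "enabled", "tag": "prod"})
    proc = ApprovalProcess("CloudTrail disabled",
                           lambda a: a["cloudtrail_status"] == "disabled")
    seen = [proc.on_change(trail, "cloudtrail_status", "disabled")]  # process inactive
    proc.active = True
    seen.append(proc.on_change(trail, "tag", "prod-east"))  # criteria met -> Pending
    seen.append(proc.decide(trail, approved=False))
    seen.append(proc.on_change(trail, "tag", "prod-west"))  # modified again
    return seen, len(trail.history)

if __name__ == "__main__":
    print(demo())
```

The first change leaves the status blank because the process is still deactivated, yet it is recorded in the object history, matching the default behaviour described on this page.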
Track approval history directly in Cloudaware CMDB:
More about working with Salesforce Approval Processes is available here.
Field History Tracking
The section 'Changes History' under the tab 'Change Management' on an instance provides a quick way to view the instance lifetime change log. It is not as detailed as the CloudTrail change log but is available on demand and does not require additional searching. For example, you can track any attribute of an AWS EC2 instance (instance size change, a tag being applied, HIDS Status changed, etc).
Workflows
Cloudaware does not include any default workflows. However, workflows are a powerful Cloudaware feature that allows a user to take custom actions when specific events occur.
Like approval processes, workflows can be triggered by a change of any attribute in any object. Here are some examples of popular workflows:
Send out an email when someone launches a 1st generation instance
Create a task if an instance appears to be overutilized for an extended period of time
Send an email if an instance is launched using an unapproved AMI
Enable a backup policy on an instance based on its name
Auto-attach an instance to an application based on its name
Workflows have the same anatomy as Approval Processes:
What object?
What are the entry criteria?
What is the action or actions?
More about working with Salesforce Workflows is available here.