Cloud Compass

Analyze your cloud resource management to enhance oversight and adherence to best practices

Introduction

Cloud Compass by env0 aims to bridge the gap between manual and automated cloud operations, providing deep insights into how your cloud resources are managed.

By identifying non-codified resources and evaluating their associated risks, Cloud Compass enables a more effective Infrastructure as Code (IaC) strategy, helping you expand IaC coverage and enhance cloud governance.

Configure Your First Cloud Account

Utilizing the Cloud Compass Dashboard

The Cloud Compass dashboard offers a complete view of your cloud assets, highlights uncodified resources, and assigns severity scores to the risks they may pose.

Settings

Access the Cloud Compass dashboard using the organization menu item. (The ‘View Dashboard’ permission is required to access the page.)

Here you can see and manage your cloud accounts.

Click here to see how to configure an account.

Insights

By selecting a cloud account, you can begin analyzing your cloud posture.

The dashboard displays the period for which the data is shown (including the initial data time and last updated time) and provides information about the next run.

Each run could take a few minutes because env0 scans all new cloud activity and processes it to generate insights.
While the data is being processed, you'll see this message.

View Coverage Trends:

AWS
  • Examine the trend of IaC resource percentages in your cloud account over time.
Azure
  • Examine the trend of automated resource percentages in your cloud account over time

Resource Management Type Breakdown

  • For Azure:

Assess Resource Breakdown:

Resource Detection

  • Tracking is possible only for resources logged to:
    • For AWS - S3 by CloudTrail
    • For Azure - Log Activity Workspace by Azure's Activity Log
  • Explore the detailed breakdown of resources
  • View the total number of operations detected for each resource
  • Review the Severity scores to prioritize tasks effectively and improve management practices

Let's break it down:

For the resource named prod-entity-response:

  • 5 manual operations via the Cloud Console
  • 156 API/CLI operations
  • 0 IaC operations

This resource is managed via API and is categorized with a severity of 🔴 High.

Take Action! 🎬

By selecting a resource you have the following options:

  • Generate IaC Code to start migrating your resources (supporting OpenTofu and Terraform)
  • Mark resource's severity as Ignored
  • Remove an ignored note from a resource
  • Reset a resource's severity until the next change event

Codify

  1. Choose your preferred IaC framework
  2. IaC code is generated for your resources. Make sure to follow the instructions given.


Understanding Resource Management Types

Cloud Compass categorizes cloud resources into several types based on their management method. Understanding these types is crucial for optimizing your cloud operations.

🟢 IaC Resource

  • Definition: A resource managed through Infrastructure as Code (IaC) frameworks

🟡 API/CLI or Automated (Scripted) Resource

  • Definition: A resource that is managed through custom scripts or direct API/CLI interactions

🔴 ClickOps or Manual Resource

  • Definition: A resource primarily managed through the cloud console/UI
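
One way operations logged by CloudTrail could be sorted into these three management types and counted per resource, as an added example (not env0's code or its actual detection logic). The user-agent heuristics, the skipping of read-only calls, the function names and the sample records are assumptions; the records are constructed.

```python
from collections import Counter, defaultdict

# Assumed heuristic (not env0's detection logic): userAgent substrings for IaC tools.
IAC_AGENT_MARKERS = ("terraform", "opentofu")

def management_type(record):
    """Classify one CloudTrail record as 'iac', 'manual' or 'api_cli'."""
    agent = record.get("userAgent", "").lower()
    if any(marker in agent for marker in IAC_AGENT_MARKERS):
        return "iac"
    # CloudTrail marks console sessions with sessionCredentialFromConsole "true".
    if (record.get("sessionCredentialFromConsole") == "true"
            or "console.amazonaws.com" in agent):
        return "manual"
    return "api_cli"  # SDKs, aws-cli and custom scripts

def breakdown(records):
    """Per-resource counts of write operations, keyed by management type."""
    counts = defaultdict(Counter)
    for rec in records:
        if rec.get("readOnly"):  # assumption: Describe/Get/List calls are not counted
            continue
        for res in rec.get("resources", []):
            counts[res["ARN"]][management_type(rec)] += 1
    return counts

def dominant_type(counter):
    """Management type with the most recorded operations."""
    return counter.most_common(1)[0][0]

# Constructed sample records, trimmed to the fields read above.
QUEUE = "arn:aws:sqs:us-east-1:111122223333:demo-queue"
ROLE = "arn:aws:iam::111122223333:role/demo-role"
TF_AGENT = "APN/1.0 HashiCorp/1.0 Terraform/1.7.0 terraform-provider-aws/5.31.0"
SAMPLE = [
    {"eventName": "SetQueueAttributes", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "resources": [{"ARN": QUEUE}]},
    {"eventName": "TagQueue", "userAgent": "Boto3/1.34.0 Python/3.11.6",
     "resources": [{"ARN": QUEUE}]},
    {"eventName": "SetQueueAttributes", "userAgent": "Mozilla/5.0 (X11; Linux x86_64)",
     "sessionCredentialFromConsole": "true", "resources": [{"ARN": QUEUE}]},
    {"eventName": "GetQueueAttributes", "userAgent": "aws-cli/2.15.0 Python/3.11.6",
     "readOnly": True, "resources": [{"ARN": QUEUE}]},
    {"eventName": "CreateRole", "userAgent": TF_AGENT, "resources": [{"ARN": ROLE}]},
    {"eventName": "AttachRolePolicy", "userAgent": TF_AGENT, "resources": [{"ARN": ROLE}]},
]

if __name__ == "__main__":
    for arn, ops in breakdown(SAMPLE).items():
        print(arn, dict(ops), "->", dominant_type(ops))
```

The userAgent value is supplied by the client, so a classification like this is a coverage signal and should not be relied on to attribute who made a change.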

Evaluating Management Severity

Cloud Compass assesses the management severity of each resource, providing a score that indicates the potential risk and management efficiency.

Severity is calculated based on:

  • Management type and the type of actions performed on the resource, with ClickOps receiving the most weight, followed by API, and Infrastructure as Code (IaC) receiving the least weight
  • Service type, with different service types having varying weights.
    For example, in AWS, we consider IAM, KMS, EC2, and other services as more sensitive than others

The severity levels are:

🟢 Optimal

  • Expected Resources: Resources managed through IaC, representing the best practice

🟡 Low

  • Expected Resources: Resources with minor manual interactions, mostly managed through scripts or CLI tools

🟠 Medium

  • Expected Resources: Resources with a balanced mix of manual and automated interactions

🔴 High

  • Expected Resources: Resources primarily managed manually, indicating a high risk of misconfigurations and inefficiencies

🔘 Ignored

  • Expected Resources: Resources labeled as ignored by users, either temporarily or permanently, to focus on other resources during migration or management efforts

Conclusion

We know that understanding what's going on in your cloud environment can be a daunting task.
Cloud Compass aims to make it easier by providing a clear breakdown of your organization's cloud posture. Track IaC coverage, focus on the riskiest resource management practices, and create a better overall cloud strategy to avoid errors and misconfigurations. By following this tutorial, you can enhance your cloud resource management with Cloud Compass, gaining deeper insights and improving governance.