Cloud Compass

Analyze your cloud resource management to enhance oversight and adherence to best practices

Introduction

Cloud Compass by env0 aims to bridge the gap between manual and automated cloud operations, providing deep insights into how your cloud resources are managed.

Cloud Compass periodically scans your cloud account. By identifying non-codified resources and evaluating their associated risks, Cloud Compass enables a more effective Infrastructure as Code (IaC) strategy, helping you expand IaC coverage and enhance cloud governance.

Configure Your First Cloud Account

Utilizing the Cloud Compass Dashboard

Access the Cloud Compass dashboard through the organization menu item (A ‘View Dashboard’ permission is required to access the page).

Settings

Here you can see and manage your cloud accounts.

Click here to see how to configure an account to use with Cloud Compass.

Insights

Once you’ve selected a cloud account, you can begin analyzing your cloud culture.

The dashboard displays the period for which the data is shown (including the initial data time and last updated time) and provides information about the next Cloud Compass cloud scan.

Each run could take several minutes, as env0 scans all new cloud activity and processes it to generate insights.
While the data is being updated in the background, you'll see a relevant message.

View Coverage Trends:

AWS

Examine the trend of IaC-managed resources, as a percentage of the overall cloud resources in your cloud account, over time.

Azure

Examine the automated resources trend as a percentage of your overall cloud resources in your account over time.

Resource Management Type Breakdown

See the current distribution of management types:

  • For AWS
  • For Azure

Assess Resource Breakdown:

AWS: Tracking uses CloudTrail logs stored in S3. Ensure CloudTrail is set up for the resources.

Azure: Tracking relies on Activity Log in the Log Analytics Workspace. Verify logging is enabled.

Resource Detection

Cloud Compass detects and lists your cloud resources, and provides useful information and insights for each one.

Let's break down one example:

For the resource named compass-drilldown-qa-ddb:

  • 1 manual operation via the Cloud Console (ClickOps)
  • 0 API/CLI operations
  • 1 IaC operation

This resource is managed via IaC and is categorized with a severity of 🟢 (Optimal).

Drift Detection

Cloud Compass identifies the likelihood of drift based on data from past operational events, and other nuanced relevant information in cloud logs.

For env0-managed resources, Cloud Compass will leverage env0’s deterministic understanding of deviation between the infrastructure's actual state and the desired state, as defined by the IaC configuration. These resources will be flagged as ‘Drifted’.

The drift status options include:

  • “Not Drifted” - This resource is managed by an IaC tool, and no suspicious drift has been detected
  • “Drifted” - This resource is managed in env0, and the Drift Detection capability identified it as drifted
  • “Drift Risk” - This resource is managed by an external IaC tool, and suspicious drift has been detected based on cloud events
  • “Unknown” (Blank label) - this resource is not managed in IaC

You can filter your resources by their drift status by clicking the filter icon, and by environment using the environment autocomplete.
The environment search includes all env0 environments, even those that don't currently match any Cloud Compass resource. Learn more about linking env0 environments to cloud resources.

Resource Analysis

Click ‘Details’ on any resource row to view additional information, including event actions and a summary.

The resource information will open, displaying the latest events (we store up to 90 days of events history) and management stage, which indicates who manages this resource. If the resource is managed by env0, you'll also see a link to the relevant environment.
Learn more about linking env0 environments to cloud resources.

Understanding Resource Management Types

Cloud Compass categorizes cloud resources into several types based on their management method. Understanding these types is crucial for optimizing your cloud operations.

🟢 IaC Resource

A resource managed through Infrastructure as Code (IaC) frameworks

🟡 API/CLI or Automated (Scripted) Resource

A resource managed through custom scripts or direct API/CLI interactions

🔴 ClickOps or Manual Resource

A resource primarily managed through the cloud console/UI

Evaluating Management Severity

Cloud Compass assesses the management severity of each resource, providing a score that indicates the potential risk and management efficiency.

Severity is calculated based on:

  • Management type and the type of actions performed on the resource, with ClickOps receiving the most weight, followed by API/CLI, and Infrastructure as Code (IaC) receiving the least weight
  • Service type, with different service types having varying weights.
    For example, in AWS, we consider IAM, KMS, EC2, and other services as more sensitive than others

The severity levels are:

🟢 Optimal

Expected Resources: Resources managed through IaC, representing best practices

🟡 Low

Expected Resources: Resources with minor manual interactions, mostly managed through scripts or CLI tools

🟠 Medium

Expected Resources: Resources with a balanced mix of manual and automated interactions

🔴 High

Expected Resources: Resources primarily managed manually, indicating a high risk of misconfigurations and inefficiencies

🔘 Ignored

Expected Resources: Resources explicitly labeled as ignored by users, either temporarily or permanently, to focus on other resources during migration or management efforts
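The following is an added, illustrative model of the scoring rules described above; it is not env0's code. The page only fixes the ordering ClickOps > API/CLI > IaC and names IAM, KMS and EC2 as more sensitive, so the numeric weights, service multipliers and level thresholds here are assumptions, as is the Pending state used after a reset.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional, Tuple

# Assumed weights: the page states only the ordering ClickOps > API/CLI > IaC.
TYPE_WEIGHT = {"clickops": 3.0, "api": 1.5, "iac": 0.0}
# Assumed sensitivity multipliers; the page names IAM, KMS and EC2 as more sensitive.
SERVICE_WEIGHT = {"iam": 2.0, "kms": 2.0, "ec2": 1.5}  # any other service: 1.0
# Assumed thresholds on the resulting 0..6 score range.
LEVELS = [(0.5, "Optimal"), (2.0, "Low"), (4.0, "Medium"), (float("inf"), "High")]


@dataclass(frozen=True)
class Event:
    at: datetime
    mgmt_type: str  # "clickops" | "api" | "iac"
    service: str    # cloud service the resource belongs to, e.g. "iam"


def severity(events: Iterable[Event], ignored: bool = False,
             reset_at: Optional[datetime] = None) -> Tuple[str, Optional[float]]:
    """Return (level, score) for one resource.

    ignored  -> the user marked the resource Ignored, so no weighting applies.
    reset_at -> events at or before this time are discarded (Reset severity);
                until a newer event arrives the score is reported as Pending.
    """
    if ignored:
        return ("Ignored", None)
    considered = [e for e in events if reset_at is None or e.at > reset_at]
    if not considered:
        return ("Pending", None)
    total = sum(TYPE_WEIGHT[e.mgmt_type] * SERVICE_WEIGHT.get(e.service, 1.0)
                for e in considered)
    score = round(total / len(considered), 2)
    for upper, level in LEVELS:
        if score <= upper:
            return (level, score)
    return ("High", score)  # unreachable: last threshold is infinite


# Constructed sample history: an IAM role created in the console, then one
# CLI change, then adopted into IaC and applied twice.
SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 1), "clickops", "iam"),
    Event(datetime(2024, 1, 2), "api", "iam"),
    Event(datetime(2024, 1, 5), "iac", "iam"),
    Event(datetime(2024, 1, 6), "iac", "iam"),
]

if __name__ == "__main__":
    print(severity(SAMPLE_EVENTS))
    print(severity(SAMPLE_EVENTS, reset_at=datetime(2024, 1, 4)))
```

The reset call shows why the page says severity changes slowly: dropping the pre-reset console and CLI events moves the same role from a manual-heavy score to Optimal immediately instead of waiting for many more IaC events to dilute them.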

Resetting Severity of a Resource

Cloud Compass helps locate resources that are not managed in IaC, or that include some manual interactions. This should make spotting and remediating non-managed or drifted resources easier.

When you add a resource to your IaC, or when you've prevented manual interaction with the cloud resource, you will slowly see the severity of the resource change in Cloud Compass, as more events related to the resource are processed over time.

If you'd like to see the resource's severity recalculated more quickly, you can pick your resources in Cloud Compass and then click the Reset severity button. This will force Cloud Compass to ignore all past events and start calculating the resource's severity from scratch on the next cloud event affecting the resource.

Take Action! 🎬

By selecting a resource you have the following options:

  • Generate IaC Code to start migrating your resources (supports OpenTofu and Terraform)
  • Mark or unmark a resource's severity as Ignored. More info on the “Ignored” severity can be found here.
  • Reset a resource's severity until the next change event

Generating IaC code

  1. Choose your preferred IaC framework
  2. IaC code is generated for your resources. Please make sure to follow the instructions

Conclusion

We know that understanding what's going on in your cloud environment can be a daunting task.

Cloud Compass aims to make it easier by providing a clear breakdown of your organization's cloud culture. Track IaC coverage, focus on the most risky resource management practices, and create a better overall cloud strategy to avoid errors and misconfigurations.

By following the steps above, you can enhance your cloud resource management with Cloud Compass, gaining deeper insights and improving governance.