Cloud Compass
Analyze your cloud resource management to enhance oversight and adherence to best practices
Introduction
Cloud Compass by env0 aims to bridge the gap between manual and automated cloud operations, providing deep insights into how your cloud resources are managed.
Cloud Compass periodically scans your cloud account. By identifying non-codified resources and evaluating their associated risks, Cloud Compass enables a more effective Infrastructure as Code (IaC) strategy, helping you expand IaC coverage and enhance cloud governance.
Configure Your First Cloud Account
- If you haven't configured your cloud account for usage with Cloud Compass yet, follow the steps in Configuring Your First Cloud Account to get started.
Utilizing the Cloud Compass Dashboard
Access the Cloud Compass dashboard through the organization menu item (A âView Dashboardâ permission is required to access the page).
Settings
Access the Cloud Compass dashboard using the organization menu item (A permission to âView Dashboardâ is required to access the page).
Here you can see and manage your cloud accounts.
Click here to see how to configure an account to use with Cloud Compass.
Insights
Once youâve selected a cloud account, you can begin analyzing your cloud culture.
The dashboard displays the period for which the data is shown (including the initial data time and last updated time) and provides information about the next Cloud Compass cloud scan.
Each run could take several minutes, as env0 scans all new cloud activity and processes it to generate insights.
While the data is being updated in the background, you'll see a relevant message
View Coverage Trends:
AWS
Examine the trend of IaC-managed resources, as a percentage of your overall cloud resource in your cloud account over time.
Azure
Examine the automated resources trend as a percentage of your overall cloud resources in your account over time.
Resource Management Type Breakdown
See the current distribution of management types
- For AWS
- For Azure
Assess Resource Breakdown:
AWS: Tracking uses CloudTrail logs stored in S3. Ensure CloudTrail is set up for the resources.
Azure: Tracking relies on Activity Log in the Log Analytics Workspace. Verify logging is enabled.
Resource Detection
Cloud Compass detects and lists your cloud resources, and provides useful information and insights, including:
- Tracking (only for resources logged to S3 by CloudTrail (for AWS) or Log Analytics Workspace by Azure's Activity Log (for Azure)
- Exploring detailed resource breakdown
- Viewing the total number of operations detected for each resource
- Reviewing severity scores to prioritize tasks effectively and improve management practices
Let's break it down:
For the resource named compass-drilldown-qa-ddb:
- 1 manual operations via the Cloud Console (ClickOps)
- 0 API/CLI operations
- 1 IaC operations
This resource is managed via an IaC and is categorized with a severity of đĸ(Optimal).
Drift Detection
Cloud Compass identifies the likelihood of drift based on data from past operational events, and other nuanced relevant information in cloud logs.
For env0-managed resources, Cloud Compass will leverage env0âs deterministic understanding of deviation between the infrastructure's actual state and the desired state, as defined by the IaC configuration. These resources will be flagged as âDriftedâ.
The drift status options include:
- âNot Driftedâ - This resource is managed by an IaC tool, and no suspicious drift has been detected
- âDriftedâ - This resource is managed in env0, and the Drift Detection capability identified it as drifted
- âDrift Riskâ - This resource is managed by an external IaC tool, and suspicious drift has been detected based on cloud events
- âUnknownâ (Blank label) - this resource is not managed in IaC
You can filter your resources by their drift status using the environment autocomplete and clicking the filter icon.
This search function includes all env0 environments, even if they don't currently match Cloud Compass resources. Learn more about linking env0 environments to cloud resources.
To filter by environment, use the environment autocomplete.
Resource Analysis
Click âDetailsâ on any resource row to view additional information, including event actions and a summary.
The resource information will open, displaying the latest events (we store up to 90 days of events history) and management stage, which indicates who manages this resource. If the resource is managed by env0, you'll also see a link to the relevant environment.
Learn more about linking env0 environments to cloud resources.
Understanding Resource Management Types
Cloud Compass categorizes cloud resources into several types based on their management method. Understanding these types is crucial for optimizing your cloud operations.
đĸ IaC Resource
A resource managed through Infrastructure as Code (IaC) frameworks
đĄ API/CLI or Automated (Scripted) Resource
A resource managed through custom scripts or direct API/CLI interactions
đ´ ClickOps or Manual Resource
A resource primarily managed through the cloud console/UI
Evaluating Management Severity
Cloud Compass assesses the management severity of each resource, providing a score that indicates the potential risk and management efficiency.
Severity is calculated based on:
- Management type and the type of actions performed on the resource, with clickOps receiving the most weight, followed by API, and Infrastructure as Code (IaC) receiving the least weight
- Service type, with different service types having varying weights.
For example, in AWS, we consider IAM, KMS, EC2, and other services as more sensitive than others
The severity levels are:
đĸ Optimal
Expected Resources: Resources managed through IaC, representing best practices
đĄ Low
Expected Resources: Resources with minor manual interactions, mostly managed through scripts or CLI tools
đ Medium
Expected Resources: Resources with a balanced mix of manual and automated interactions
đ´ High
Expected Resources: Resources primarily managed manually, indicating a high risk of misconfigurations and inefficiencies
đ Ignored
Expected Resources: Resources explicitly labeled as ignored by users, either temporarily or permanently, to focus on other resources during migration or management efforts
Resetting Severity of a Resource
Cloud Compass helps locate resources that are not managed in IaC, or that include some manual interactions. This should make spotting and remediating non-managed or drifted resources easier.
When you add a resource to your IaC, or when you've prevented manual interaction with the cloud resource, you will slowly see the severity of the resource change in Cloud Compass, as more events related to the resource are processed over time.
If you'd like to see the resource's severity recalculated more quickly, you can pick your resources in Cloud Compass and then click the Reset severity button. This will force Cloud Compass to ignore all past events and start calculating the resource's severity from scratch on the next cloud event affecting the resource.
Take Action! đŦ
By selecting a resource you have the following options:
- Generate IaC Code to start migrating your resources (supports OpenTofu and Terraform)
- Mark or unmark a resource's severity as IgnoredMore info on the âIgnoredâ severity can be found here.
- Reset a resource's severity until the next change event
Generating IaC code
- Choose your preferred IaC framework
- IaC code is generated for your resources. Please make sure to follow the instructions
Conclusion
We know that understanding what's going on in your cloud environment can be a daunting task.
Cloud Compass aims to make it easier by providing a clear breakdown of your organization's cloud culture. Track IaC coverage, focus on the most risky resource management practices, and create a better overall cloud strategy to avoid errors and misconfigurations.
By following the steps above, you can enhance your cloud resource management with Cloud Compass, gaining deeper insights and improving governance.
Updated 10 days ago