Release Notes 4.2 (2305)

Released October 4, 2023

CoreStack FinOps

FinOps Policies

The following cost optimization policies are added for FinOps:

  • Improved rightsizing optimizations using AI models for:
    • AWS EC2
    • AWS RDS
    • Azure VM
    • GCP VM
  • GCP Services
    • Idle Checks GCP Memory Store – Memcached
    • Idle Checks GCP Memory Store – Redis
    • Optimize Configuration - GCP App Engine Flexible Instance – Storage Checks
    • Optimize Configuration - GCP App Engine Flexible instance – CPU Checks
  • AWS Services
    • Optimize Configuration - AWS DMS Replication Instances Storage
    • Optimize Configuration - AWS FSX Filesystems Backups
    • Idle checks - AWS CloudWatch Alarm
    • Governance checks - AWS CloudWatch

Recommendation Logic

  • In cases where there are multiple recommendations available for the same resource, Schedule Recommendation will only show the top cost saving recommendation for that resource in the CoreStack portal.
    • For example: If a resource has both an hourly and weekly recommendation, the recommendation that has the highest cost savings potential will be selected by the system and shown in the portal.

Optimization Actions

  • The list of actions performed on a recommendation, which is shown on the Optimization Actions screen, has been enhanced to show more tracked actions.

CoreStack SecOps

  • Enhancements have been made to the AWS threat email template.

  • Correction of policy mapping for NIST V5 compliance standard.

  • Security Posture field realignment made for AWS and Azure vulnerabilities.

Downloadable CSV Reports for Security Hub Findings

  • Users can apply filters on Security Hub posture and the relevant data can be downloaded as CSV.

Compliance Standards

Added the following compliance standard:

  • CIS Azure (2.0) - CS

SecOps Dashboard

  • Added two additional widgets in Security Executive Dashboard:
    • Five Cloud Accounts with Least Compliant by Standard
    • Top 5 Cloud Accounts with High Risk

CoreStack CloudOps

  • AWS backup failure and monitoring metrics have been added for: abort, created, pending, failed, and completed. Alerts will be created if they are configured through monitoring and alerts configuration.
  • The inventory by tag report has been enhanced to accommodate new data and graphs as per customer request. Support is now available for region-wise details of tags along with revamp of the report.
  • AWS Patch report is now available as an SSRS report that can be scheduled and emailed by the customer and downloaded as a PDF or excel file.

Impersonate

  • Impersonate service account for GCP has been added. This will allow users to perform any required operation on Terraform templates.

Terraform Templates - CI/CD Config File Management

  • CoreStack Automation now provides the opportunity to edit/manage the saved CI/CD configuration files on the GitHub deployment repo for provisioned resources. A user would be able to perform an edit and save the changes in the config management of provisioned resources.
  • After the user edits and saves these pre-existing CI/CD configuration files on the deployment repo for the provisioned resources through CoreStack, the existing Azure DevOps/ADO pipeline would sense the changes to these CI/CD config files and trigger the pipeline execution. This in turn will update the configuration setting of the resource on the target account.

Service Resource Integration

Below is the list of service resources supported:

Service NameMetrics AddedInventory SupportActivity SupportRelationships SupportTagging Governance Support
Azure BackupNumberOfBackupJobsCompleted, NumberOfBackupJobsRunning,NumberOfBackupJobsCreated,NumberOfBackupJobsPending
AWS Security HubNoYesNoNoNo
Azure_Analysis_Services_ServersMemoryUsage,qpu_metric,MemoryLimitHard,memory_metric,mashup_engine_memory_metric,mashup_engine_qpu_metricYesYesNoYes
AWS FSxNoYesYesYesYes
AWS Database Migration ServiceCPUUtilization, WriteIOPS, ReadIOPS, MemoryAllocated, AvailableMemory, FreeStorageSpaceNoYesNoYes
Azure Standard Private EndpointPEBytesIn,PEBytesOutNoNoNoNo
Cloud Composercomposer.googleapis.com/environment/database/cpu/utilizationNoNoNoYes
Certificate Authority Serviceprivateca.googleapis.com/ca/cert/create_count,

privateca.googleapis.com/ca/cert/create_request_count,

privateca.googleapis.com/ca/resource_state,

privateca.googleapis.com/ca/cert_expiration,

privateca.googleapis.com/ca/cert_chain_expiration,

privateca.googleapis.com/ca/cert_revoked,

privateca.googleapis.com/ca/cert/ca_cert_creation,

privateca.googleapis.com/ca/cert/create_failure_count
YesYesYesYes
App Engineappengine.googleapis.com/system/cpu/utilization

appengine.googleapis.com/system/memory/usage

appengine.googleapis.com/flex/cpu/utilization

appengine.googleapis.com/flex/memory/usage

appengine.googleapis.com/flex/connections/current

appengine.googleapis.com/flex/instance/cpu/utilization

appengine.googleapis.com/flex/instance/guest/memory/bytes_used

appengine.googleapis.com/flex/instance/nginx/connections/current

appengine.googleapis.com/flex/instance/guest/disk/bytes_used
YesYesYesYes
NetworkingQueryVolume, RecordSetCapacityUtilization, RecordSetCountNoNoNoNo
Dataproc Metastoremetastore.googleapis.com/service/request_count,

metastore.googleapis.com/service/health
Yes YesNoYes
Cloud Key Management ServiceNoYesYesNoYes
DataFusionNoYesYesNoYes

Activity Swagger Mapping

  • Defining three level hierarchy to categorize the resources.

AWS Simple System Manager (SSM) - Email Notification Failure

  • The AWS Simple System Manager (SSM) feature now supports an email notification for any SSM document related failure that occurs during execution from CoreStack.
  • If there is a failure, the user will get a notification about the failure through email. They will receive all the details in the email and will be able to navigate to the respective execution for mitigation.

Map Configuration Item from CMDB in Incident Ticket

  • When a new threshold alert incident is created in ServiceNow, it will be mapped with a right CMDB configuration item automatically.

CMDB Table Reference

  • Configuration item as an inventory attribute is added for all the inventory resource positioning by default and is visible as False.

CoreStack Core

User Delegation

  • Rules are created to perform user delegation.
  • Rules help to delegate a particular tenant-role(s)/user(s)/user groups from a source account master to a target account master.
  • A rule can be modified, deleted, and viewed anytime.

Accessing and Switching Account Masters

  • An Admin user having access to multiple account masters can use a new drop-down option next to the Tenant selection drop-down to select an account master. By using the account master drop-down, Admin users can switch from one account master to another one.

Policy Engine Support for Azure

  • The CoreStack policy engine option has been added for Azure cloud accounts (in addition to AWS).

CoreStack Assessments

Auto-Assessment Completion

Auto-assessment has been introduced in CoreStack Assessments through which:

  • Automated workload gets created for onboarded cloud accounts in bundles CoreStack Assessments and Cumulus Plus.
  • Upon inventory sync, assessment gets triggered based on pre-defined well-architected framework, that is, AWS-WAF for AWS account, Azure-WAF for Azure accounts, and so on.
  • After assessment scanning is complete, an email is sent with the assessment report in PDF format.
  • The user can edit/update both automated workloads and assessments and can use manually created ones.

Frameworks

  • AWS Well Architected Framework: Updated to latest available version from AWS (April 2023).

Bulk Action for Workloads

  • Added the bulk action to change workload state (active/inactive) and workload owner name.

Bugs Fixed

  • Tagging Governance: Bulk remediation is now provided with the progress monitor so users can know the status in real time.
  • For Tagging Governance, the baseline enabled at the cloud account scope was showing in other cloud accounts as well. This has been fixed.
  • Template execution failed due to the frequent STS token expiry. The timeout value has been increased to 24 hours to allow smooth execution of the templates.
  • Executive Dashboard: The default edit permission was not working and has been fixed.
  • Users who were using Azure AD Single Sign-On were not able to access the CoreStack portal. This has been fixed.
  • Bugs related to FinOps reports, including the generation of these reports, have been addressed.
  • Customers who have configured the white-labelled SMTP address were not able to send emails after the last major product release. This has been addressed.
  • CoreStack External API: Changes in the parameters resulted in an error while fetching the data through the CoreStack external API. The correct parameter details have been updated in the API notes.
  • Incorrect parameters resulted in the wrong recommendations showing in the AWS EFS Orphan policy. This is now fixed.

External APIs

Known Issues

Below APIs are not working as expected. We will try to fix it before the next release.

  • /operations/anomaly_detector/activity_insights/{tenant_id}/list_category
  • /operations/anomaly_detector/activity_insights/{tenant_id}/list_user

<