Release Notes 4.2 (2305)
about 1 year ago by Alpha Mukhopadhyay
Released October 4, 2023
CoreStack FinOps
FinOps Policies
The following cost optimization policies are added for FinOps:
- Improved rightsizing optimizations using AI models for:
  - AWS EC2
  - AWS RDS
  - Azure VM
  - GCP VM
- GCP Services
  - Idle Checks GCP Memory Store – Memcached
  - Idle Checks GCP Memory Store – Redis
  - Optimize Configuration - GCP App Engine Flexible Instance – Storage Checks
  - Optimize Configuration - GCP App Engine Flexible Instance – CPU Checks
- AWS Services
  - Optimize Configuration - AWS DMS Replication Instances Storage
  - Optimize Configuration - AWS FSX Filesystems Backups
  - Idle checks - AWS CloudWatch Alarm
  - Governance checks - AWS CloudWatch
Recommendation Logic
- In cases where there are multiple recommendations available for the same resource, Schedule Recommendation will only show the top cost saving recommendation for that resource in the CoreStack portal.
  - For example: If a resource has both an hourly and weekly recommendation, the recommendation that has the highest cost savings potential will be selected by the system and shown in the portal.
Optimization Actions
- The list of actions performed on a recommendation, which is shown on the Optimization Actions screen, has been enhanced to show more tracked actions.
CoreStack SecOps
- Enhancements have been made to the AWS threat email template.
- Correction of policy mapping for NIST V5 compliance standard.
- Security Posture field realignment made for AWS and Azure vulnerabilities.
Downloadable CSV Reports for Security Hub Findings
- Users can apply filters on Security Hub posture and the relevant data can be downloaded as CSV.
Compliance Standards
Added the following compliance standard:
- CIS Azure (2.0) - CS
SecOps Dashboard
- Added two additional widgets in Security Executive Dashboard:
  - Five Cloud Accounts with Least Compliant by Standard
  - Top 5 Cloud Accounts with High Risk
CoreStack CloudOps
- AWS backup failure and monitoring metrics have been added for: abort, created, pending, failed, and completed. Alerts will be created if they are configured through monitoring and alerts configuration.
- The inventory by tag report has been enhanced to accommodate new data and graphs as per customer request. Support is now available for region-wise details of tags along with a revamp of the report.
- AWS Patch report is now available as an SSRS report that can be scheduled and emailed by the customer and downloaded as a PDF or Excel file.
Impersonate
- Impersonate service account for GCP has been added. This will allow users to perform any required operation on Terraform templates.
Terraform Templates - CI/CD Config File Management
- CoreStack Automation now provides the opportunity to edit/manage the saved CI/CD configuration files on the GitHub deployment repo for provisioned resources. A user would be able to perform an edit and save the changes in the config management of provisioned resources.
- After the user edits and saves these pre-existing CI/CD configuration files on the deployment repo for the provisioned resources through CoreStack, the existing Azure DevOps/ADO pipeline would sense the changes to these CI/CD config files and trigger the pipeline execution. This in turn will update the configuration setting of the resource on the target account.
Service Resource Integration
Below is the list of service resources supported:
Service Name | Metrics Added | Inventory Support | Activity Support | Relationships Support | Tagging Governance Support |
---|---|---|---|---|---|
Azure Backup | NumberOfBackupJobsCompleted, NumberOfBackupJobsRunning,NumberOfBackupJobsCreated,NumberOfBackupJobsPending | ||||
AWS Security Hub | No | Yes | No | No | No |
Azure_Analysis_Services_Servers | MemoryUsage,qpu_metric,MemoryLimitHard,memory_metric,mashup_engine_memory_metric,mashup_engine_qpu_metric | Yes | Yes | No | Yes |
AWS FSx | No | Yes | Yes | Yes | Yes |
AWS Database Migration Service | CPUUtilization, WriteIOPS, ReadIOPS, MemoryAllocated, AvailableMemory, FreeStorageSpace | No | Yes | No | Yes |
Azure Standard Private Endpoint | PEBytesIn,PEBytesOut | No | No | No | No |
Cloud Composer | composer.googleapis.com/environment/database/cpu/utilization | No | No | No | Yes |
Certificate Authority Service | privateca.googleapis.com/ca/cert/create_count, privateca.googleapis.com/ca/cert/create_request_count, privateca.googleapis.com/ca/resource_state, privateca.googleapis.com/ca/cert_expiration, privateca.googleapis.com/ca/cert_chain_expiration, privateca.googleapis.com/ca/cert_revoked, privateca.googleapis.com/ca/cert/ca_cert_creation, privateca.googleapis.com/ca/cert/create_failure_count | Yes | Yes | Yes | Yes |
App Engine | appengine.googleapis.com/system/cpu/utilization, appengine.googleapis.com/system/memory/usage, appengine.googleapis.com/flex/cpu/utilization, appengine.googleapis.com/flex/memory/usage, appengine.googleapis.com/flex/connections/current, appengine.googleapis.com/flex/instance/cpu/utilization, appengine.googleapis.com/flex/instance/guest/memory/bytes_used, appengine.googleapis.com/flex/instance/nginx/connections/current, appengine.googleapis.com/flex/instance/guest/disk/bytes_used | Yes | Yes | Yes | Yes |
Networking | QueryVolume, RecordSetCapacityUtilization, RecordSetCount | No | No | No | No |
Dataproc Metastore | metastore.googleapis.com/service/request_count, metastore.googleapis.com/service/health | Yes | Yes | No | Yes |
Cloud Key Management Service | No | Yes | Yes | No | Yes |
DataFusion | No | Yes | Yes | No | Yes |
Activity Swagger Mapping
- A three-level hierarchy is defined to categorize the resources.
AWS Simple System Manager (SSM) - Email Notification Failure
- The AWS Simple System Manager (SSM) feature now supports an email notification for any SSM document related failure that occurs during execution from CoreStack.
- If there is a failure, the user will get a notification about the failure through email. They will receive all the details in the email and will be able to navigate to the respective execution for mitigation.
Map Configuration Item from CMDB in Incident Ticket
- When a new threshold alert incident is created in ServiceNow, it will be mapped to the right CMDB configuration item automatically.
CMDB Table Reference
- Configuration item as an inventory attribute is added for all the inventory resource positioning by default and is visible as False.
CoreStack Core
User Delegation
- Rules are created to perform user delegation.
- Rules help to delegate a particular tenant-role(s)/user(s)/user groups from a source account master to a target account master.
- A rule can be modified, deleted, and viewed anytime.
Accessing and Switching Account Masters
- An Admin user having access to multiple account masters can use a new drop-down option next to the Tenant selection drop-down to select an account master. By using the account master drop-down, Admin users can switch from one account master to another one.
Policy Engine Support for Azure
- The CoreStack policy engine option has been added for Azure cloud accounts (in addition to AWS).
CoreStack Assessments
Auto-Assessment Completion
Auto-assessment has been introduced in CoreStack Assessments through which:
- An automated workload is created for onboarded cloud accounts in the CoreStack Assessments and Cumulus Plus bundles.
- Upon inventory sync, an assessment is triggered based on the pre-defined well-architected framework, that is, AWS-WAF for AWS accounts, Azure-WAF for Azure accounts, and so on.
- After assessment scanning is complete, an email is sent with the assessment report in PDF format.
- The user can edit/update both automated workloads and assessments and can use manually created ones.
Frameworks
- AWS Well Architected Framework: Updated to latest available version from AWS (April 2023).
Bulk Action for Workloads
- Added the bulk action to change workload state (active/inactive) and workload owner name.
Bugs Fixed
- Tagging Governance: Bulk remediation is now provided with the progress monitor so users can know the status in real time.
- For Tagging Governance, the baseline enabled at the cloud account scope was showing in other cloud accounts as well. This has been fixed.
- Template execution failed due to the frequent STS token expiry. The timeout value has been increased to 24 hours to allow smooth execution of the templates.
- Executive Dashboard: The default edit permission was not working and has been fixed.
- Users who were using Azure AD Single Sign-On were not able to access the CoreStack portal. This has been fixed.
- Bugs related to FinOps reports, including the generation of these reports, have been addressed.
- Customers who have configured the white-labelled SMTP address were not able to send emails after the last major product release. This has been addressed.
- CoreStack External API: Changes in the parameters resulted in an error while fetching the data through the CoreStack external API. The correct parameter details have been updated in the API notes.
- Incorrect parameters resulted in the wrong recommendations showing in the AWS EFS Orphan policy. This is now fixed.
External APIs
- To see the external APIs which are added, modified, and removed in this release, refer to: https://docs.corestack.io/docs/external-apis-42-2305
- To see all the available external APIs, refer to: https://docs.corestack.io/reference/authtoken
Known Issues
The following APIs are not working as expected. We will try to fix them before the next release.
- /operations/anomaly_detector/activity_insights/{tenant_id}/list_category
- /operations/anomaly_detector/activity_insights/{tenant_id}/list_user