Cloud Updates Optimization Tips

A Guide To Automated Cloud Policy Management

Automated cloud policy management can be described as a hands-free way to govern your cloud environment. Although an automated cloud management solution does initially require some input, the description thereafter is remarkably accurate, as it’s possible to automate the management of virtually any cloud governance policy.

Cloud governance policies are the rules under which your business operates in the cloud. Their main purposes are to control costs, optimize performance, and enhance security, with the ultimate objective being to achieve continuous cost optimization based on business strategy, manage the cloud using business KPIs across the entire organization, and proactively manage cloud risk.

For cloud policies to be effective, you not only need to have an understanding of your cloud inventory and how its elements work together, but total visibility into cloud activity and a method of cloud policy enforcement that isn’t counterproductive by being labor-intensive. We also believe cloud policies are likely to more effective when developed by a multi-functional Cloud Center of Excellence.

Automated cloud policy management is an effective way to enforce cloud governance policies. Automated cloud policy management reduces the enforcement workload and allows you to focus on business-critical issues by monitoring compliance with your cloud policies, and notifying you—or performing a preconfigured action—when an event occurs that violates or potentially violates a policy.

How automated cloud policy management works

Let’s say, for example, you have optimized resources deployed on Amazon Web Services (AWS) for both cost and performance, and now you want to make sure they stay optimized. What you need to do is set up two policies (one for cost and one for performance) and specify at what point you want to be notified about their underutilization (for downgrading) or overutilization (for upgrading):

  • If average CPU usage < 20% AND memory usage < 35% AND disk throughput < 35% for over two weeks, send email notification.
  • If average CPU usage OR memory usage OR disk throughput OR network throughput is > 80% AND maximum CPU usage OR memory usage OR disk throughput OR network throughput is > 95% for one week, send email notification.

You can set your own parameters for percentage usage or the period of time over which percentages should be calculated historically and, when you receive an email notification, you have the option to take advantage of the solution’s rightsizing recommendation or customize the recommendation to match unique circumstances you may be aware of.

Other examples of automated cloud policy management in action

Automated cloud policy management solutions allow you to apply a number of different actions to suit the circumstances of a policy violation or potential violation. We won’t list every possible scenario where you could save time and money by automating the management process, because it’s possible to automate the management of virtually any cloud governance policy. But here is a selection to give you some ideas:

  • If projected month-to-date cloud spend is greater than 100% of budget, send email notification to [insert recipients].
  • If a block storage volume is unattached for one week, trigger Snapshot, delete volume, and send email notification.
  • If any S3 Object hasn’t been accessed for more than 60 days, send email notification (potential migration to S3 Infrequent Access).
  • If any volume type average disk throughput is more than 80% for one week, send email notification (potential upgrade).
  • If potential EC2 Reserved Instances reallocation savings exceed $10 (by switching between Regional and an Availability Zone scope), then modify Reserved Instance.
  • If any asset is untagged, stop asset, and send email notification to asset owner and [insert other recipients].
  • If any S3 bucket with tag Function: PII (for example) is unencrypted, encrypt bucket, and send email notification.
  • If any non-conforming Virtual Machine type is launched (i.e. with a larger core size than allowed), stop asset and send through approval workflow.
  • If any Virtual Machine has unauthorized open ports, terminate Virtual Machine, send email notification.
  • If any account has root account API access, execute [Lambda/Azure Functions/Google Cloud Functions] to revoke user access, send email notification.

We could go on with examples of automated cloud policy management in action, but what is important is that the rapidly changing landscape and complexity of the cloud are beyond what most businesses can tackle in a scalable fashion. Automating the management of cloud policies so you’re managing by exemption enables you to stay ahead of the curve and address potential incidents before they cause more serious problems. 

Learn more about how to set up automated cloud policies and how they fit into a holistic cloud operations and governance practice in our in-depth guide: Building a Successful Cloud Operations and Governance Practice