Information is one thing. Acting on it is another. Whether it be corporate policy or culture, inertia or interrupts, it’s often difficult to see something that needs doing and then to do it. Are there a bunch of old volumes gathering dust? Eventually you’ll get around to deleting them. A few EC2 instances you don’t need anymore? Maybe. But you’ll need to approval for terminating those instances and then go bug someone to actually do it for you…because you don’t have the proper privileges.
CloudHealth Technologies has taken the first step in allowing you to go from information to action with Automated Tasks. Using Automated Tasks you can easily allow any CloudHealth user to request a change to your AWS environment. Each type of task is configured with a list of approvers and an “authorizer.” Thus, if modifying a reserved instance needs CTO and CIO approval, but instance termination requires only Operations Manager-level approval, you can do that.
A properly authorized user can kick-off an Automated Task workflow with a single click in the console, web browser, or mobile device. When a request is made to, say, modify a reserved instance, an email is sent to the first approver, stating the change and asking for approval. If this approver agrees, then additional emails are sent to each successive approver until everyone signs off. At that point, a final email is sent to the “authorizer,” and when she authorizes the request, it is immediately acted on with a call to Amazon.
It’s important to realize that at no point does CloudHealth ever have persistent escalated privileges to your AWS accounts. Instead we dynamically acquire a least-privileged, shortest-lived session token from IAM STS and use that to take action on your behalf. And as soon as the request completes, even those privileges are forgotten.
Of course, at any point along the way an approver may deny the request, the creator may cancel it, or it might simply be ignored. In the case of being ignored, a reminder email will be sent after a few hours of inactivity. If twelve more hours go by, then the request is considered “IGNORED” and the workflow ends. An audit trail is maintained, so you can view the up to the moment status of a task.
And this is just the beginning. Besides planned user interface enhancements (comments, fast setup), we will be introducing Automated Tasks that allow CloudHealth users to act on nearly all the information we provide. Can you benefit from archiving some S3 buckets to Glacier? Click! It’s in process. Does your security risk exposure report say that 10 servers have all their ports open? Click! Close them.
But even that just scratches the service. The true power of Automated Tasks will be evident when everything is, indeed, automated. In short order, it will be possible to assign policies to automated tasks, such that human initiation is not even required (of course, the approval workflow is). When this “autonomic system” is in place, senior management in your organization can configure simple, automated governance policies to bring your cloud environment inline with corporate goals.
Imagine, a policy that states:
Within an annual budget of $500,000, make capacity reservations no more than once per month, with a single purchase not to exceed $200,000 in a given calendar quarter, that achieves no less than a 40% cost benefit over non-reserved usage, and makes a term commitment not to exceed 12 months. Reservations should not be made on any legacy instance types. All proposed purchases must go through a two level approval chain that includes the director of operations and the chief financial officer.
And then finding a request in your email one day seeking approval to buy a one year heavy utilization reservation for 12 – c3.xlarge instances in us-east-1b because that’s going to save you $6,000 per month!
Take Automation Tasks for a test drive today. Give us your feedback. And stay tuned for more.
