Rules
AWS
Rules is a CCA feature that checks the resources used in the cloud, returning recommendations for optimizing the environment.
The rules are divided into two categories: Savings and Best Practices.
How to get to Rules:
In the CCA side feature menu, select Rules.

Filters
On the home screen, it is possible to search for available rules and filter by category.

Report
When you click on “Download report”, a .csv file is downloaded with details of all the rules.

Rules
The CCA Rules are a set of recommendations based on the services made available by the provider, and are divided into the two categories mentioned above.
For each rule, it is possible to view some information:

Monitored accounts: Displays the number of accounts being monitored for this recommendation.
Total resources found: Lists the number of resources that apply to the rule.
Total estimated savings: Estimated cost savings by implementing the recommendations.
Clicking on the rule name in blue opens a detailed breakdown of the rule, showing the following information:
Monitored accounts
Non-compliance resources
Total ignored resources found
Ignored resources cost
Total estimated savings

The system also allows you to filter by Account ID, Resource ID, or Region, as highlighted below:

When you click “Download report”, a .csv file is downloaded with details only for the selected rule.

Further down, the system presents some action options:

By clicking the ignore icon, you can ignore the recommendation for the selected resource. The system will display a screen where you explain the reason why you want to ignore the resource.

After you describe the reason and confirm the action by clicking the checkbox, the system enables the button to complete the action:

With the icon next to it, you can view details about the chosen resource, such as resource information and Meta Data:

Rule settings
Clicking on the gear icon opens the rule configuration.

In the configuration, you can search for the customization you want to view.

By clicking on the key corresponding to the customization, it is possible to open the rule customizations, allowing you to disable the chosen rule in “Status”.

Default Setting:
In the default setting, the following configuration is specified for each resource:
Non-compliance after: Number of days after which the resource begins to be considered non-compliant. Example: Infrequent users: after 15 days, it is considered non-compliant.
Regions: The regions that will be listed are the regions that are being monitored.

By clicking the Edit option, you can configure the acceptable period for the resource to be considered out of compliance.
The system will prompt you to fill in the following fields:
Filter period operator: Select from the available options
Less than: When you want the number of days for the resource to be considered out of compliance to be less than the specified number.
Greater than: When you want the number of days for the resource to be considered out of compliance to be greater than the specified number.
Filter period days: Specify the number of days for the rule to be considered out of compliance.

By clicking the save button, the system will complete the rule compliance customization.
If this rule has no customization, the compliance value will be as per the default values.
It is possible to add new customizations to the rule.

Clicking Add opens the customization screen, where you will need to fill in the following information:
Filter kind: Select between the two existing filter types
Filter only the resources that match the filter
Filter only the resources that do not match the filter
Filter key: Enter the filter key that matches the tag
Enter the filter value: Enter the value you want to return in the filter

After including the customizations you want, just click save, and the customization will be added to the rule.
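
The fields described above (Non-compliance after, Filter period operator, Filter period days, Filter kind, Filter key, Filter value) can be modelled as follows. This is an added example, not CCA code: the names, the sample users, and the assumptions that each customization carries its own period and that the first customization selecting a resource overrides the default are all illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Period:
    operator: str  # "Filter period operator": "greater_than" or "less_than"
    days: int      # "Filter period days"

    def non_compliant(self, observed_days: int) -> bool:
        if self.operator == "greater_than":
            return observed_days > self.days
        if self.operator == "less_than":
            return observed_days < self.days
        raise ValueError(f"unknown operator: {self.operator!r}")

@dataclass(frozen=True)
class Customization:
    kind: str       # "Filter kind": "match" or "not_match"
    key: str        # "Filter key": tag name
    value: str      # "Filter value": tag value
    period: Period  # assumption: a customization carries its own period

    def selects(self, tags: dict) -> bool:
        if self.kind not in ("match", "not_match"):
            raise ValueError(f"unknown filter kind: {self.kind!r}")
        hit = tags.get(self.key) == self.value
        return hit if self.kind == "match" else not hit

def evaluate(resources, default, customizations=()):
    """Return the IDs of resources that are non-compliant."""
    flagged = []
    for res in resources:
        # Assumption: first selecting customization wins, else the default.
        period = next((c.period for c in customizations
                       if c.selects(res["tags"])), default)
        if period.non_compliant(res["days"]):
            flagged.append(res["id"])
    return flagged

def exempted(resources, default, customizations):
    """IDs flagged under the default that the customizations no longer flag."""
    custom = set(evaluate(resources, default, customizations))
    return [r for r in evaluate(resources, default) if r not in custom]

# Constructed sample: IAM users with days since last login.
SAMPLE_USERS = [
    {"id": "alice", "tags": {"team": "platform"}, "days": 20},
    {"id": "svc-backup", "tags": {"type": "service"}, "days": 40},
    {"id": "bob", "tags": {}, "days": 10},
    {"id": "svc-report", "tags": {"type": "service"}, "days": 120},
]
DEFAULT = Period("greater_than", 15)  # "Infrequent users: after 15 days"
SERVICE = Customization("match", "type", "service", Period("greater_than", 90))
```

Comparing the result with and without customizations, as exempted() does, shows which resources a customization removes from the non-compliant list, which is worth reviewing for Best Practices rules.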
Integration with Autofix
Some rules have the Autofix product integrated, where it is possible to execute the recommendation automatically through the CCA.

In rules that have integration with autofix, there will be an indication of how many accounts linked to that rule have autofix active.
By clicking on the highlighted icon, the system will present more detailed information on the recommendation for execution in Autofix.

By clicking on the highlighted icon, you can activate the account with autofix.

The system lists all accounts linked to the rule; activate autofix in the account and configure the autofix product to automate the execution of the rule.

Rules of Savings
S3 Intelligent-Tiering not configured: Identify S3 buckets that do not have Intelligent-Tiering configured.
Public IPv4 network: Identify IPv4 resources with public exposure that can be migrated to IPv6 at no cost.
Migrating from EC2 Intel to Graviton: EC2 Intel instances qualified for migration to Graviton.
Migration of EC2 Intel to AMD: EC2 Intel instances qualified for migration to AMD.
ELB without requests: Identify Load Balancers without requests for a long time.
EC2 Stopped: EC2 instances have been stopped longer than the specified period.
EBS Snapshot: Detect EBS snapshots with long retention time.
Migrating from EC2 AMD to Graviton: EC2 AMD instances qualified for migration to Graviton.
S3 Bucket inactive: Identify S3 Buckets without Recent Activity.
RDS Snapshot: Identify RDS Snapshot available for a long period.
S3 outdated version objects: Identifies outdated version objects in S3 buckets that do not have a delete marker in AWS. The goal is to identify outdated versions of objects that are not following the best practice of using a delete marker for S3 object versioning, helping to optimize costs.
Cloudwatch without retention period: Identify CloudWatch with no retention period set.
ASG without using Spot: Identify auto scaling groups that do not use Spot Instances.
Migration from EBS GP2 to GP3: GP2 volumes eligible for upgrade to GP3 technology.
VPC Endpoint inactive: Identify VPC Endpoint with low or no data traffic.
EC2 Reserved Instance Expiration: EC2 Reserved Instances nearing their expiration date.
EBS with low IOPS usage: Identify EBS with IOPS usage below 70%.
Underutilized EC2 instances: EC2 instances with low CPU and network usage.
Unused ELB: Elastic Load Balancers that do not have instances, target group, or listener configured.
EIP Detached: Identify EIP not attached to any resource
Lambda with low provisioned memory usage: Identify Lambda Functions with low provisioned memory usage.
RDS without connections: RDS instances without a database connection for longer than the specified period.
S3 Multipart upload incomplete: Identify the amount of incomplete Multipart uploads in your S3 Buckets.
Lambda with excessive timeout duration: Lambda with excessive timeout time.
Migration from EBS IO1 and IO2 to GP3: IO1 and IO2 volumes eligible for upgrade to GP3 technology.
DynamoDB OnDemand: Identify DynamoDB tables running in OnDemand mode.
EKS Extended Support: Check if your EKS clusters are using old versions and if extended support is enabled.
RDS Migration to Graviton: Identify RDS Instances that can be migrated to Graviton.
RDS Reserved Instance Expiration: RDS Reserved Instances nearing their expiration date.
Detached EBS: Identifies persistent EBS volumes in AWS that are not attached to any EC2 instance and are older than the configured checker period. The goal is to identify unused EBS volumes that are not assigned to any resource and return them, helping to optimize costs.
Migration from RDS GP2 to GP3: Identify RDS instance volumes that can be migrated from GP2 to GP3.
Compressing CloudFront Distributions: Identify CloudFront Distributions without Compression Enabled
Best Practice Rules
Unused IAM Roles: Identify IAM Roles that have been unused for a long period of time.
Public security groups: Identify security groups with public access allowed.
Users without MFA: Users who do not have MFA.
IAM Infrequent Users: Identify users who have not logged in for a long period of time
S3 buckets with public access: Identify S3 Buckets with public access.
Lambda with high error rate: Identify Lambda Functions with High Error Rate.