This repository contains a library of open source Flexera CMP Policy Templates to provide governance via automation across Cost, Security, Operational, and Compliance categories. All contributions are shared under the MIT license.
Please contact [email protected] to learn more.
Categories
Reference
- Budget Alerts
- Budget Alerts by Cloud Account
- Cheaper Regions
- Cloud Cost Anomaly Alerts
- Downsize Instances
- Inefficient Instance Utilization using RightLink
- Old Snapshots
- Running Instance Count Anomaly
- Unattached IP Addresses
- Unattached Volumes
- Schedule Instances
- Scheduled Report
- Scheduled Report with Estimates
- Scheduled Report with Markups & Markdowns
- Superseded Instances
- Superseded Instance Remediation
- Terminate Instances with End Date
- Cloud Spend Forecast - Moving Average
- Cloud Spend Forecast - Straight-Line (Linear Regression Model)
- Cloud Spend Forecast - Straight-Line (Simple Model)
- Vendor Commitment Forecast
- AWS Burstable Instance CloudWatch Utilization
- AWS Expiring Reserved Instances
- AWS Idle Compute Instances
- AWS Inefficient Instance Utilization using CloudWatch
- AWS Reserved Instances Utilization
- AWS Reserved Instance Reservation Coverage
- AWS Reserved Instances Report by Billing Center
- AWS Reserved Instance Recommendations
- AWS Savings Plan Recommendations
- AWS Savings Plan Utilization
- AWS Savings Realized from Reservations
- AWS Schedule Instance
- AWS Unused IP Addresses
- AWS Bucket Size Check
- AWS Unused Volumes
- AWS S3 Buckets without Server Access Logging
- AWS Object Storage Optimization
- AWS Old Snapshots
- AWS S3 Bucket Intelligent Tiering Check
- Azure Hybrid Use Benefit
- Azure Hybrid Use Benefit for Linux
- Azure Hybrid Use Benefit for SQL
- Azure Idle Compute Instances
- Azure Inefficient Instance Utilization using Log Analytics
- Azure Expiring Reserved Instances
- Azure Reserved Instance Utilization
- Azure Reserved Instance Recommendations
- Azure Rightsize Compute Instances
- Azure Unused IP Addresses
- Azure Savings Realized from Reservations
- Azure Schedule Instance
- Azure Blob Storage Optimization
- Azure Old Snapshots
- Azure Unused Volumes
- Azure Storage Accounts without Lifecycle Management Policies
- Google Inefficient Instance Utilization using StackDriver
- Google Committed Use Discount (CUD)
- Google Committed Use Discount Recommender (CUD)
- Google Idle Compute Instances
- Google Expiring Committed Use Discount (CUD)
- Google Schedule Instance
- Google Idle VM Recommender
- Google Unused CloudSQL Instances
- Google Rightsize CloudSQL Instances
- Google Cloud SQL Idle Instance Recommender
- Google Object Storage Optimization
- Google Old Snapshots
- Google Unused Volumes
- Google Idle Persistent Disk Recommender
- Security Group: ICMP Enabled
- Security Group: Rules Without Description
- Security Group: High Open Ports
- Security Groups With Ports Open To The World
- AWS No Root Access Keys
- AWS MFA Enabled For Root User
- AWS Hardware MFA Enabled For Root User
- AWS MFA Enabled For IAM Users
- AWS Minimum Password Length
- AWS Prevent Password Reuse
- AWS Disable Credentials Unused For 45+ Days
- AWS Ensure One Active Key Per IAM User
- AWS Rotate Access Keys
- AWS Ensure IAM Users Receive Permissions Only Through Groups
- AWS Access Analyzer Enabled
- AWS Support Role Created
- AWS Report Attached Admin IAM Policies
- AWS Expired SSL Certs
- AWS EBS Ensure Encryption By Default
- AWS S3 Ensure Buckets Block Public Access
- AWS S3 Ensure MFA Delete Enabled
- AWS Unencrypted S3 Buckets
- AWS S3 Buckets Deny HTTP
- AWS Ensure Log File Validation Enabled For All CloudTrails
- AWS Ensure CloudTrail Enabled In All Regions
- AWS Internet-facing ELBs & ALBs
- AWS Unencrypted ELB Listeners (CLB)
- AWS Unencrypted ELB Listeners (ALB/NLB)
- AWS Ensure Object-level Events Logging Enabled For CloudTrails
- AWS Ensure CloudTrail Logs Encrypted At Rest
- AWS Ensure CloudTrail S3 Buckets Have Access Logging
- AWS Ensure CloudTrail Integrated With Cloudwatch
- AWS Ensure AWS Config Enabled In All Regions
- Azure Ensure MySQL Flexible Servers Use Secure TLS
- Azure Ensure MySQL Servers Enforce SSL Connections
- Azure Ensure PostgreSQL Servers Infrastructure Encryption
- Azure Ensure SQL Server Auditing Enabled
- Azure Ensure SQL Server AD Admin Configured
- Azure Ensure SQL Server VA Email Notifications
- Azure Ensure SQL Server VA Notify Admins/Subscription Owners
- Azure Ensure SQL Server Vulnerability Assessment (VA) Enabled
- Azure Ensure Storage Account Default Network Access Set To Deny
- Azure Ensure Blob Containers Set To Private
- Azure Ensure Storage Logging Enabled For Blob Service
- Azure Ensure Storage Logging Enabled For Queue Service
- Azure Ensure Storage Logging Enabled For Table Service
- Azure Ensure Secure Transfer Required
- Azure Ensure Soft Delete Enabled For Azure Storage
- Azure Ensure Storage Accounts Require Secure TLS Version
- Azure Ensure Trusted Microsoft Services Enabled
- Azure Ensure Owners Receive Security Alerts
- Azure Ensure High Severity Alerts
- Azure Ensure Security Contact Email
- Azure Network Security Groups With Inbound RDP Open
- Azure Network Security Groups With Inbound SSH Open
- AWS Disallowed Regions
- AWS Unused ECS Clusters
- AWS EC2 Instances not running FlexNet Inventory Agent
- AWS Long-stopped Instances
- AWS Untagged Resources
- AWS Service Control Policy Audit
- AWS IAM Role Audit
- Azure AHUB Utilization with Manual Entry
- Azure Disallowed Regions
- Azure Instances not running FlexNet Inventory Agent
- Azure Long Stopped Instances
- Azure Policy Audit
- Azure Regulatory Compliance
- Azure Subscription Access
- Azure Tag Resources with Resource Group Name
- Azure Untagged Resources
- FlexNet Manager Licenses At Risk
- FlexNet Manager Low Available Licenses
- ITAM Missing Active Machines
- ITAM Ignored Recent Inventory Dates
- ITAM Overused Licenses
- ITAM VMs Missing Host ID
- GitHub.com Available Seats
- GitHub.com Unpermitted Outside Collaborators
- GitHub.com Unpermitted Repository Names
- GitHub.com Unpermitted Top-Level Teams
- GitHub.com Unpermitted Sized Repositories
- GitHub.com Repository Branches without Protection
- GitHub.com Repositories without Admin Team
- Application Migration Recommendations
- No Recent Snapshots
- Stranded Servers
- NetFlow Top Talkers
- Applied Policy Error Notification
- Bill Processing Error Notification
- AWS Cloud Credentials Rotation
- AWS RDS Backup Settings
- AWS Subnet Name Tag Sync
- AWS VPC Name Tag Sync
- AWS Long Running Instances
- AWS Instance Scheduled Events
- AWS Lambda Functions with high error rate
- AWS Tag Cardinality Report
- AWS Usage Report - Number of Instance Hours Used
- AWS Usage Report - Number of Instance vCPUs Used
- AWS Usage Forecast - Number of Instance Hours Used
- AWS Usage Forecast - Number of Instance vCPUs Used
- Azure VMs Not Using Managed Disks
- Azure Expiring Certificates
- Azure Migrate Integration
- AzureAD Group Sync
- Azure Sync Tags with Optima
- Azure SQL Databases without Elastic Pools
- Azure Tag Cardinality Report
- Okta Inactive Users
- ServiceNow Inactive Approvers
- Office 365 Security Alerts
- SaaS Manager - Renewal Reminder
- SaaS Manager - User Status Change
- SaaS Manager - Suspicious Users
- SaaS Manager - Unsanctioned Spend
- SaaS Manager - Redundant Apps
- SaaS Manager - Inactive Users by Department
- SaaS Manager - Inactive Users for Integrated Applications
- SaaS Manager - Duplicate User Accounts
- SaaS Manager - Unsanctioned Applications with Existing Contract
- SaaS Manager - SaaS App User Report by Category
- AWS Regions
- AWS Instance Types
- Azure Instance Types
- Google Instance Types
- Currency Reference
- Azure SQL Service Tier Types
- TZ database Timezone List
- The policy templates in the repo are the files that have a .pt extension.
- Select the desired policy template, click on the “Raw” button, and then right-click and choose “Save As” to save the file to your computer.
- To upload the template to your account, navigate over to the Templates page in the left nav bar in Governance. Ensure you have the role to access policy management in RightScale. Learn More about Policy Access Control.
- Click the “Upload Policy Template” button in the account you wish to test the policy and follow the instructions to upload the template you just downloaded.
- Getting Started
- Reference Documentation
- Policy Template Language
- Markdown Editor - Use this to test Markdown Syntax
- Libraries
- README GUIDELINE
Support for these policy templates will be provided through GitHub Issues and the Flexera Community. Visit Flexera Community to join!
GitHub Issues contain templates for three types of requests (Bugs, New Features for an existing Policy Template, New Policy Template Request):
- Bugs: Any issue you are having with an existing policy template not functioning correctly. This does not include missing features or actions.
- New Feature Request: Any feature (Field, Action, Link, Output, etc.) to be added to an existing policy template.
- New Policy Template Request: A request for a new policy template.
- You can test against a pull request via:

```shell
bundle exec danger pr https://github.com/flexera-public/policy_templates/pull/73 --pry
```
- Danger Troubleshooting