Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Change Management is a part of CloudAware CMDB. Any object from your inventory added into CloudAware CMDB can be tracked in regard to changes.

Once a change has been detected and recorded in CloudAware CMDB, several possible actions can happen depending on the customization and the nature of the change detected:

Possible outcomes of a change event can be be combined. For example, we can request an approval and then execute an action if change was approved and another action if change was rejected.
Virtually any kind of combination and permutation of workflows and approvals can be performed including multiple approvals by different groups of approvers.

What Constitutes a Change Event?


Any modification of any object attribute within CMDB is a change event. By default, all changes are recorded into CMDB and the object history is updated to reflect what changed and when.

Approval Processes

Approvals processes are necessary in order to be assured that the system is an approved configuration state. Without approvals, we cannot be certain that the environment is in state that complies with corporate security policies. Common problems when approval processes are missing or are not implemented correctly:

  • Unauthorized security group changes

  • Changes that were approved for a short period of time but still linger

  • IAM Users who should not longer have access

  • IAM Users who should not have the level of access that they do

  • Unauthorized AMIs

  • Unauthorized objects instances and databases that were created under the cover.

Prepackaged Approval Processes


There is a list default approval processes that are prepackaged with CloudAware. These approval processes are de-activated by default. Users can review, modify and activate them depending on their security program requirements.

Assigned To General AWS Security Queue

Assigned To Data Security Queue

  • CloudTail is disabled

  • Snapshot shared into another account or made public

  • KMS Key Created or Granted

  • KMS Key Policy Modified

Assigned To Network Security Queue

Assigned To Access Control Queue

  • EC2 Instance open to 0.0.0.0/0

  • RDS Instance open to 0.0.0.0/0

  • VPC Peering Request Accepted/Initiated

  • All VPC Network ACL Modifications

  • All VPC Routing modifications

  • New IAM Policy attached to user

  • New IAM Policy attached to group

  • Access Key Granted To User

  • User group membership is modified

  • New IAM Policy attached to role

  • S3 bucket policy modified

  • New SAML Provider is created

Approval Status

Use Approval Processes functionality to get any new record to be automatically submitted for your approval. You may be notified by email of each submission. Review a record’s Approval Status to change and take an action. This field has a value ONLY if approval processes have been turned on. By default, approval processes are not turned on.

Possible values:

  • Blank, if approval processes have not been turned on

  • Blank, if a change requiring approval has not occurred

  • Pending, if a change requiring approval has occurred but has not been approved or rejected

  • Approved

  • Rejected


If Approved or Rejected instance is modified once again to meet approval requirements, the value will change back to Pending.

Track approval history directly in CloudAware CMDB:

Field History Tracking

You can track any attribute of AWS EC2 instance (instance size change, a tag being applied, HIDS Status changed, etc).

  • No labels