Recommendations
DigiUsher features a set of automated tools for ongoing optimization of registered data sources. This section is intended to help maintain awareness of less apparent infrastructure deficiencies, such as configuration flaws and security risks.
At the moment, a check-up is performed every 3 hours and the results are reflected in the Recommendations hub, which is accessible via the left sidebar of the main page. A user with the Manager role can initiate a Force check that will immediately run the data sources’ evaluation sequence.
There are two types of recommendations that are featured: Security and Cost Optimisation.
Security Recommendations
Insecure Security Groups
A security check that scans resources for network vulnerabilities and lists the instances whose security groups leave them open to RDP/SSH attacks.
Insecure ports and permissions:
- port tcp/22
- port tcp/3389
- all inbound traffic
with one of:
- CidrIp: 0.0.0.0/0
- CidrIpv6: ::/0
AWS
- Describe regions: ec2.describe_regions()
- Describe instances: ec2.describe_instances()
- Describe security groups: ec2.describe_security_groups()
Azure
- Describe instances: compute.virtual_machines.list_all()
- Describe security groups: network.network_security_groups.list_all()
Network interfaces without associated security groups are skipped.
The list of insecure SGs can be downloaded in the json format for subsequent automated processing.
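The check described above, sketched as an added example (not DigiUsher's own code): it applies the port and CIDR criteria to data shaped like the ec2.describe_security_groups() response. The group IDs and rules are constructed sample data, and treating a TCP port range that contains 22 or 3389 as a match is an assumption that goes beyond the exact-port list on this page.

```python
# Added example: runs offline on constructed data, no AWS credentials needed.
RISKY_TCP_PORTS = (22, 3389)          # SSH and RDP, as listed above
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}    # any IPv4 source / any IPv6 source

# Constructed sample, shaped like ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-ssh-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all-open-v6", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-rdp-office", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-wide-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

def exposed_services(permission):
    """Return the labels from the list above that one inbound rule opens."""
    proto = permission.get("IpProtocol")
    if proto == "-1":                      # AWS encodes "all protocols" as "-1"
        return ["all inbound traffic"]
    lo, hi = permission.get("FromPort"), permission.get("ToPort")
    if proto != "tcp" or lo is None or hi is None:
        return []
    return [f"tcp/{p}" for p in RISKY_TCP_PORTS if lo <= p <= hi]

def open_sources(permission):
    """Return the world-open CIDRs (IPv4 or IPv6) attached to one rule."""
    cidrs = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in OPEN_CIDRS]

def find_insecure_groups(groups):
    """Map GroupId -> sorted (service, cidr) findings; clean groups are omitted."""
    findings = {}
    for group in groups:
        hits = {(svc, cidr)
                for perm in group.get("IpPermissions", [])
                for svc in exposed_services(perm)
                for cidr in open_sources(perm)}
        if hits:
            findings[group["GroupId"]] = sorted(hits)
    return findings

if __name__ == "__main__":
    for gid, hits in find_insecure_groups(SAMPLE_GROUPS).items():
        print(gid, hits)
```

The RDP rule restricted to 203.0.113.0/24 is not reported, because the source CIDR must be one of the two world-open values for a rule to count.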
Inactive IAM Users in AWS
Users that have not been active for more than 90 days may be considered obsolete and become subject to deletion. They pose a potential security risk to the organization because they can be compromised and become access points for malicious users.
The list of inactive users can be downloaded in the json format for subsequent automated processing with the help of Cleanup Scripts.
Cost Optimisation Recommendations
Spot Instance Utilisation
Assessment of recent short-lived pay-as-you-go instances. By and large, spot instance usage is more suitable and cost-efficient when dealing with less critical workloads. DigiUsher is designed to detect such cases both in AWS and Azure and will recommend switching to an alternative billing option.
The list of suggested non-spot instances can be downloaded in the json format for subsequent automated processing.
Unattached Volumes
Notification about volumes that have not been attached for more than one day. These are considered to be forgotten or no longer relevant; deletion of such resources may be advised.
The list of unattached volumes can be downloaded in the json format for subsequent automated processing with the help of Cleanup Scripts.
Non-deallocated VMs in Azure
Detection of inactive non-deallocated machines that are still being billed by the cloud.
The list of non-deallocated VMs can be downloaded in the json format for subsequent automated processing with the help of Cleanup Scripts.
Regions with more effective price offerings in AWS
When an existing instance can have a cheaper flavor in another geographically close region, a migration will be recommended.
The list of instances recommended for migration to another region can be downloaded in the json format for subsequent automated processing.
Obsolete images in AWS
Images that have not been used for a while might be subject to deletion, which would unlock the underlying snapshots.
Selection criteria:
- Image creation date was more than 1 week ago.
- There have been no instances created from/related to this image in the past 7 days.
The list of obsolete images can be downloaded in the json format for subsequent automated processing with the help of Cleanup Scripts.
Obsolete snapshots in AWS
Deleting redundant and old snapshots saves on storage expenses. The list of snapshots can be downloaded from DigiUsher in JSON format to be used in further implementations like clean-up scripts and maintenance procedures.
Selection criteria:
- Source volume doesn’t exist.
- Snapshot creation date was more than 3 days ago.
- There have been no volumes created from/related to this snapshot in the past 3 days.
- There has been no AMI created from this snapshot.
The list of obsolete snapshots can be downloaded in the json format for subsequent automated processing with the help of Cleanup Scripts.
Obsolete IPs
Obsolete IPs can be tracked for Alibaba, Azure and AWS clouds.
Selection criteria:
- IP was created more than 7 days ago.
- IP has not been used during the last 7 days.
- It costs money to be kept.
Underutilised instances
This recommendation is aimed at detection of underutilized instances in AWS and Azure and suggests more suitable flavors for these machines.
Instance is considered to be underutilized if:
- It is active.
- It exists for more than 3 days.
- Its CPU metric average for past 3 days is less than 30%.
Rightsizing RDS
This module finds underutilized RDS (Relational Database Service) instances in Alibaba Cloud and looks for appropriate flavors for these instances.
It is conceptually similar to the Underutilized instances recommendation, but RDS instances are different from ordinary ECS instances and have to be handled separately.
Recommendation criteria:
- Cloud is Alibaba.
- RDS Instance is active in cloud.
- RDS Instance exists for more than three days.
- CPU metric average for the past number of days is less than 30%.
Instance Migration
Different regions have different prices for the same resource types (instances), so this recommendation suggests another region to migrate the user’s instances to if DigiUsher detects that the same flavor is cheaper in a geographically close region (same continent).
Clean-up scripts based on Recommendations
Below are the instructions on how to use the clean-up scripts found in DigiUsher’s “Recommendations” section.
The script will attempt to delete all resources that are recommended for deletion (based on the downloadable json file) and will not fail on errors. Upon its completion, a summary will be generated containing a list of deleted resources, a list of non-existing (already deleted) resources and a list of resources that could not be deleted due to other reasons.
AWS
Requirements
- AWS cli v2. Official Amazon User Guide
- jq - a command-line JSON processor that lets bash scripts parse JSON files. Download page from the developer
Action plan
- Install the requirements on a machine running Linux OS.
- Configure the AWS Command Line Interface. (Run the aws configure command. For more info, please refer to the following section of the AWS User Guide.)
- Download the script from the corresponding subsection of the “Recommendations” page.
- From the same page, download the json file containing a list of all resources that are recommended for deletion.
- Run the script as follows: bash
Azure
Requirements
- Azure cli. Official Microsoft User Guide
- jq - a command-line JSON processor that lets bash scripts parse JSON files. Download page
Action plan
- Install the requirements on a machine running Linux OS.
- Sign in with the Azure cli.
- Download the script from the corresponding subsection of the “Recommendations” page.
- From the same page, download the json file containing a list of all resources that are recommended for deletion.
- Run the script as follows: bash
Action plan when using Azure Shell
- Open Azure shell
- Download the script and the json file from the corresponding subsection of the “Recommendations” page.
- Copy these files via the Upload/Download files button. The files will be placed in /usr/csuser/clouddrive.
- Run the script as follows: bash