Banner Image: hero image background with security icon

New in Release 2.32: Expanded Access Control and New Billing Sources

For Version 2.32, we focused on consistency and usability enhancements. We bring you new API endpoints, expanded data logs, and 25 squashed bugs. Little changes can make all the difference, but that doesn’t mean we don’t have a few big additions for you too! I’m excited to tell you about our new features on both the AWS and Azure side of things.

Enable Attribute-Based Access Control with AWS Session Tags

Add AWS Session Tags to Cloud Access Roles

Attribute-based access control (ABAC) is an additional strategy for managing access to your AWS resources at scale. With this strategy, you define permissions for attributes instead of roles. When you add a new resource, simply tag it with the relevant attributes and any users or roles with the matching attributes automatically have the correct levels of access. You rarely have to update your policies, and adding new users and resources is easy.

Session tags are the key to attribute-based access control. Session tags pass in attributes when you federate into an AWS account from cloudtamer.io using a cloud access role. Specific permissions can be assigned to these attributes in AWS, enabling granular permission control that isn’t reliant on granular roles.

For example, let’s say you have a developer with permission to start, stop, and terminate EC2 instances. If you were to tag the cloud access role they use with Department:Engineering, they would only be able to start, stop, and terminate EC2 instances with that same tag. This means that in a shared services account, they couldn’t accidentally shut down a DevOps instance (assuming that this resource would be tagged with Department:DevOps).

In addition to the tags on your cloud access roles, if your SAML identity provider supports session tags, cloudtamer.io automatically includes any attributes defined in your user directory as well.

If you add user attributes from your identity provider to the above example, you could add the Department:Engineering tag directly to the user instead of the cloud access role. In this case, no matter what cloud access role they use in cloudtamer.io, this user will always have that session tag and will always only have access to resources with a matching tag.

attribute-based cloud access control
For more information about using session tags with cloud access roles, see our articles: Add a Cloud Access Role to a Project or Add a Cloud Access Role to an OU.

A More Flexible Azure Billing Source

Add Azure MCA Billing Sources

Microsoft has introduced Microsoft Customer Agreements (MCA) to take over for Enterprise Agreements (EA). Next time your direct EA enrollment is about to expire, you will likely be prompted to sign an MCA instead of renewing your EA. MCAs offer better scaling and simplify your billing management. And cloudtamer.io already supports them! So why not make the switch?

Next time you navigate to Accounts > Billing Sources > Add New in cloudtamer.io, you will see we’ve added Azure MCA Commercial and Azure MCA Government options. Adding an MCA billing source requires two things, your tenant credentials and your Azure storage information. The storage information requirement is different from what we’ve done before, so let’s go over it.

When you set up an Azure MCA billing account to be used with cloudtamer.io, we ask you to create a recurring export that places your billing data in an Azure storage account. We do this for two primary reasons: It enables us to work with any billing profile hierarchy, and it extends our support to all MCA billing account types. You can set up your MCA enrollment any way you like, and cloudtamer.io will always be able to take in your data, as long as we can reach your storage.

Azure MCA Billing Sources

For information about setting up your Azure storage account and adding an MCA billing source to cloudtamer.io, see our article: Azure MCA Billing Sources.

Tell Us What You Think!

Preview New Features and Send Feedback

We have added a feature preview badge that displays next to new features when they first release. Hovering over the badge gives you the option to send feedback on the feature directly to our team. We love to build features that continue to make using the cloud easier – and we can only do that with great feedback! Look for this badge popping up in more places in upcoming releases!

preview new cloudtamer.io features

That’s Not All!

These are just the highlights! For details on all of our new features, changes, and bug fixes, visit our Support Center.

If you're new to cloudtamer.io, welcome! You can schedule a free demo to learn more about our comprehensive cloud management software. You can also follow us on Twitter and LinkedIn for more cloud governance news.


About the author: Emily is the technical writer at cloudtamer.io.