Release News: What We’re Shipping with 2.13

three icons representing three pillars of cloudtamer governance

Our latest – version 2.13 – is now available. This release includes new options for restructuring your organizational hierarchy, additional budget enforcement features, account management enhancements, and new functionality for Azure subscriptions. Read on to learn what’s new in our solution and our Support Center.

Move Your OUs

Organizational change is a fact of life across all organizations, whether public or private. We’ve made it even easier to accommodate these reorgs within the hierarchy. Building on our last release, 2.12,  which allowed customers to more easily move projects, you can now move entire Organizational Units (OUs) in

To move an OU to a new spot in your hierarchy, go to the OU card or OU page and select Move OU from the menu to specify a new parent OU.

screen capture of Move OU dialog

All projects and financials attached to the OU will move with the OU to the new destination. The moved OU will gain all the inherited cloud rules from the new parent OU; the inherited cloud rules from the earlier parent OU will no longer apply.

Govern More in Azure

Numerous recent stories and surveys make it clear that the majority of organizations are in more than one cloud. We continue to add capabilities to our support for Microsoft Azure to help customers running in a multi-cloud environment. In this release, you can:

  • Add Azure role definitions and include these role definitions in Cloud Rules and Cloud Access Roles.  Here are a few of the benefits with this new functionality:
    • Because you can add IAM policies and Azure Roles onto Cloud Rules, you can create one Cloud Rule that applies the same enforcements across both AWS and Azure.
    • gathers together all of your subscriptions into a single project, even across multiple Azure tenants. Create an Azure custom role definition once in, and don’t worry about forgetting to apply the same access restrictions in additional tenants.
    • You don’t need to manage the applicable scopes for your custom Azure role definitions – does this for you. Just set the permissions you want, and will automatically update the scopes so the definitions always apply where you want them.

add Azure role definition window

  • Easily add multiple Commercial Azure CSPs and their associated subscriptions.
  • Get a unified view of cloud spend data across both Azure subscriptions and AWS accounts.

Enforce OU Budgets allows you to set alerts and enforce budgets on your projects and funding sources, giving you both specific and very broad enforcement capabilities. However, funding source enforcement can be too broad in some instances (if you have only one funding source) and not broad enough in others (if your unit is using multiple funding sources). The new OU financial enforcement capability helps bridge the gap between project and funding source enforcements.

OU financial enforcements are determined by the combined spend and planned spend for all projects below the OU. From an OU page, select the Enforcements tab to create the desired trigger, and specify the events and notifications that should occur upon action trigger. For example, you can set an action specifying that when combined planned spend is greater than 90% for all projects below the OU, a freeze rule will stop new resources from being spun up and a notification will be sent to one or more specified users or user groups.

Simplify Management of Accounts in Other AWS Partitions

Many organizations have workloads running in more than one AWS partition. Now, via the Settings->AWS regions menu, you can add GovCloud accounts to your instance running in AWS Commercial and vice versa. This also makes configuration easier because you no longer need to generate new AWS access keys every time you add a GovCloud account to a Commercial or add a Commercial account to a GovCloud

For more information on the upgrade steps required if you are managing a separate partition, customers should review the Migration to 2.13 Guide on our Support Center.

Discover Best Practices

Lastly, we’ve recently added Community forums to our Support Center. Customers can use the forums to discuss best practices with fellow users and take advantage of shared content like templates and libraries. From the Support Center home page, select Join the conversation to access the General Discussion and Shared Content, Templates, and Libraries forums.

Interested in starting your journey with our latest release? Let’s talk!

Marianna leads marketing at

Release News: What We’re Shipping with 2.12

three icons representing three pillars of cloudtamer governance

Our latest major release, 2.12, provides a plethora of new features and updates. As always, the full list of updates is available to customers at our Support Center. If you want the short-and-sweet version on the biggest updates, read on.

Operate Across AWS Regions

If you’re operating across multiple AWS regions, we’ve got you covered. You can now federate and manage commercial AWS accounts from an instance of installed in GovCloud. Now you won’t miss out on services only available in commercial regions if you have to operate within GovCloud.

Specify Account-Specific Cloud Access Roles

You can now specify which account(s) a cloud access role applies to. A great use case for this is if you have multiple lifecycle accounts in a project (for example, Dev, Test, and Prod) and you need to specify different access roles across the accounts. For example, with account-specific cloud access roles, you can give Joe access to Dev, but not to Prod.

create cloud access role in 2.12

Move Your Projects

Organizational changes happen. If you’ve had such a change after setting up your org structure and mapping cloud accounts in, you’ll appreciate the new ability to move a project. As part of the project move, you’ll specify a destination OU and how you’d like to handle inherited cloud rules and financial transaction history. You’ll also be able to create your spend plan for the project at this time.

move a project in 2.12

Get Improved Diagnostics

From the Project Diagnostics page, you can now view issues with deploying Cloud Rules and even re-trigger pre- and post-rule webhooks if they fail or re-attempt a CloudFormation Template if it fails.

Deploy Using Native AWS Services

For our deployment, we moved away from Kubernetes on the backend in favor of a lightweight CloudFormation template (CFT)-based approach. Reliability increases since there is less software between the user and the application, and we simplified disaster recovery by enabling the creation of a database from a snapshot. In addition, this new model makes it easy to use your own custom Amazon Machine Images (AMIs) if you need any type of hardening or corporate security applied to the nodes. Finally, we moved away from requiring a deployment server and removed the need for any management nodes, which effectively cuts the number of nodes in half. This switch to CloudFormation, a native AWS service, reduces the learning curve and management overhead for your team. You can find all the details and instructions for migrating to this new deployment method in our Deployment Guide on our Support Center.

  • IMPORTANT: The Kubernetes deployment model will only be available for the remainder of the 2.12.x series of releases. You’ll need to migrate to the new deployment beginning with 2.13.0 if you wish to receive new application updates.

These are some of the big highlights of our latest release. Customers can click the Support link on the User menu within to visit our Support Center and get the complete list of additions and changes in 2.12.

Interested in starting your journey with our latest release?  Let’s talk!

Marianna leads marketing at

Release News: What We’re Shipping with 2.11

three icons representing three pillars of cloudtamer governance

Our latest release, 2.11, is now available. Here’s a summary of the highlights.

Enhanced integration and automation with public API

In the biggest release news, we officially support programmatic access to using our versioned, public API. Using our API you can do things like create accounts, projects, and OUs from outside of For example, if you’re using ServiceNow for your business and financial workflows, users can request a new cloud account via ServiceNow and, once approved by the right people within your organization, the API can be called from within ServiceNow to create the project within Another example use case would be calling the API from another program to automatically apply one cloud rule across all projects within*

You can enable/disable the ability to generate API keys and specify the key lifespan via the Settings page.

screen capture depicting how to enable API key generation

Customized project forecasting via user-defined categories

We’ve expanded our linear forecasting model to allow customers to add custom cloud spending forecasts to projects. This helps customers have a more accurate forward-looking view of how much funding will be required for projects. Forecasting is available by navigating to the desired project and selecting the Financials tab. You can create categories (for example, Labor or AWS Services) within the Settings page and then apply these categories and enter forecasted spend within the category. Forecasting can be particularly handy when you need to predict seasonal or other types of spikes that are outside your normal past spend rate.

screen capture depicting custom forecasting interface

Increased flexibility with account move

You can now move an account to a different project. Go to the Account detail page and select Move Account from the More Options menu. Note that spend from past months will remain attributed to the former project.

screen capture of move account dialog

Additional UI enhancements

From a UI perspective, we’ve made tweaks in a few areas:

  • You’ll notice the left navigation has new fly-out functionality to make it quicker to select options.  You can also collapse or expand the navigation pane now.

screen capture of new left nav

  • We’ve renamed the Policies menu on the left nav to Cloud Management to better reflect the breadth of functionality available.
  • When viewing the Cloud Management tab for projects and OUs you’ll now see  a sub-tab display that provides a snapshot view of key data and easier navigation.

screen capture of new cloud management interface


*For those of you, like myself, who might want a guide to translating the developer’s language of APIs, here is WTF is an API.

Marianna leads marketing at

Release News: What We’re Shipping with 2.10

three icons representing three pillars of cloudtamer governance

Since our last major release, we’ve rolled out several iterations with some minor additions and changes. Now, for 2.10, we’re introducing some significant changes to our UI. We shared a preview of the new interface with visitors to our booth at AWS re:Invent, and the new look got a great reception.

Here are the major new things in 2.10.

Streamlined navigation within projects, organization units, and more

As product functionality has grown, we found that a single-page approach to our features was becoming a bit unwieldy. So, we’ve introduced a new tabbed display to the organization units, projects, users, user groups, and funding sources areas.

The tab options vary based on area, but generally include overview information, financial data, user and permission data, and enforcement options.

screen capture of new tabbed display

Another change on the UI side is a more consolidated display of filtering options via a new drop-down menu.

screen capture of filters drop-down menu

More visibility into users and permissions

The new Permissions tab provides additional details and new viewing options to see access lists by user or by permissions.

screen capture of users and permissions display

With this new view, we have tried to make it very easy to answer questions like:

  • What permissions does [John Doe] have on my project?
  • Who can modify spend plans on my project?
  • How was [John Doe] given permission to apply policies to my project?

Retain history for completed projects

You can now archive a project to support decommissioning. This is a useful option when projects are completed, but you still want to retain data to view past spending.

The Archive Project option is available from the ellipsis menu on the project card. After archiving, the project no longer displays on the project page. You can use the filter drop-down menu to view Archived projects.

These are some of the big highlights of our latest release. Customers can click the Support link on the User menu within to visit our Support Center and get the complete list of additions and changes in 2.10.

Interested in starting your journey with our latest release?  Let’s talk!

Marianna leads marketing at

Release News: What We’re Shipping with 2.9.0

three icons representing three pillars of cloudtamer governance

In our cloud-taming laboratory, we continue to develop new features to help customers govern their workloads in the cloud. Here’s what’s new in our just-released version 2.9.0.

Webhooks to integrate with your existing DevOps tools

We’ve added webhooks, which can be applied before and after the Cloud Formations in our Cloud Rules. Webhooks allow you to extend functionality beyond IAM policies and Cloud Formation templates by integrating with your own services. Webhooks also make testing much easier because you can build a full CI/CD process around your services and then have reach out to them.

A great example of a webhooks use case is a service that deletes all default VPCs in all regions in preparation for setting up your own VPCs. This is not easily achievable with a Cloud Formation, but easy to do with a service that interacts with the AWS CLI or AWS SDK.

Flexible budget enforcement actions for projects and funding sources

We’ve added more budget enforcement options at the project and funding source levels, as well as the ability to specify users and groups to receive notifications. For example, you can now elect to send a notification when:

    • A project’s monthly spend exceeds a percentage of remaining budget
    • The amount remaining in the project budget drops below a percentage
    • The amount spent from a funding source exceeds a percentage of total amount
    • The amount unused within a funding source drops below a specified dollar amount

screen showing budget enforcement actions

Cloud Rule exemptions for OUs

You can now request exemptions for Cloud Rules that are inherited by OUs. This provides more control over how policies are managed across your organization.

Increased financial visibility and flexibility

We’ve added a few new views for project spend across our application. In addition to lifetime spend and current month spend, you can now view spend by current funding sources. We’ve also added the ability to download the financials for a project for offline use.

screen showing cloud spend by funding source


These are the big highlights of our latest release. Customers can click the Support link on the User menu within to visit our Support Center and get the complete list of additions and changes in 2.9.0.

Marianna leads marketing at

Release News: More Ways to Save Time with 2.8.1

three icons representing three pillars of cloudtamer governance

Our team of cloud tamers has spent the past several weeks on our latest release. Here are just a few of the new features in Release 2.8.1, available now for customers.

Automate AMI distribution using Cloud Rules

We’ve made it easier for you to share Amazon Machine Images (AMIs) via Cloud Rules. Now you can include an AMI within a Cloud Rule and take advantage of the inheritance properties of other components we share to AWS accounts via these Rules, like Identify and Access Management (IAM) policies and CloudFormation templates (CFTs). So, you get the ‘set once/use many’ benefits when you want to apply AMIs across your organization.

Increase security by enforcing a lifespan for AWS keys

Access keys shouldn’t live forever. However, the keys created in AWS live forever by default. We’ve added a lifespan setting in so you can specify the number of days before AWS access keys created from will expire. After you set the lifespan, will automatically expire the access keys once the specified time has elapsed.

access key lifespan field highlighted in cloudtamer

Facilitate forensics via enhanced audit log

We now include an entry in the audit log when a user accesses the AWS console. This is a new addition to the existing actions audited, which contains every user login attempt and change to any object within the system. You can filter the audit log to view these actions to determine who accessed the console and when access occurred. Coupled with enabling services like AWS CloudTrail, this level of audit detail provides enhanced reporting capability for determining provenance of user activities in the event of a security compromise.

Save time with inherited Cloud Access Roles

You can now create and apply a Cloud Access Role at the OU level and have this role applied to all projects that are descendants of that OU. So, for example, if you want an auditor role to be available everywhere within an organization, you can apply it once at the top-level OU, and the role, IAM policies, and user mappings will be added to all projects.

Simplify end user cloud access using AWS Service Catalog

In our biggest release news, now supports sharing AWS Service Catalog portfolios and products across your organization. AWS Service Catalog helps you package together IT services that are approved for use on AWS and helps less experienced AWS users by providing an easy-to-use list of products they can deploy in their accounts. AWS Service Catalog products are very flexible and can encompass almost anything…from marketplace applications to custom CloudFormation templates to setup a LAMP stack. Cloud PMOs can use AWS Service Catalog to help standardize deployments of key architectural components of their AWS architecture to help automate setup and reduce errors that result from manual processes.

inherited cloud rule and service catalog portfolio in cloudtamer

Because the AWS Service Catalog portfolio lives in a Cloud Rule you can share the portfolio across OUs and projects directly or via inheritance. For example, within your Marketing OU, you may designate an inherited Rule that includes a Service Catalog product that enables creation of campaign websites. This can then be deployed 1, 10, or even 100+ times depending on the use case.

For a high-level overview of how and AWS Service Catalog work together, view our short video Governance@Scale with AWS Service Catalog and


Marianna is the Product Marketing Manager.