Flexera Policy Templates

This repository contains a library of open source Flexera Policy Templates. All contributions are shared under the MIT license.

Please contact [email protected] to learn more.

Released Policy Templates

Categories

• Optimization
• Compliance
• Cost
• Operational
• SaaS Management
• Security

Policy Templates for Optimization

These templates can generate savings estimates for your environment.

AWS

• AWS GP3 Upgradeable Volumes
• AWS Idle Compute Instances
• AWS Idle NAT Gateways
• AWS Old Snapshots
• AWS Reserved Instances Recommendations
• AWS Resources Under Extended Support
• AWS Rightsize EBS Volumes
• AWS Rightsize EC2 Instances
• AWS Rightsize ElastiCache
• AWS Rightsize RDS Instances
• AWS Rightsize Redshift
• AWS Savings Plan Recommendations
• AWS Superseded EBS Volumes
• AWS Superseded EC2 Instances
• AWS Untagged Resources
• AWS Unused Application Load Balancers
• AWS Unused Classic Load Balancers
• AWS Unused IP Addresses
• AWS Unused Network Load Balancers
• AWS Unused RDS Instances
• AWS Unused Volumes
• Turbonomic Allocate Virtual Machine Recommendations AWS
• Turbonomic Buy Reserved Instances Recommendations AWS
• Turbonomic Delete Unattached Volumes Recommendations AWS
• Turbonomic Rightsize Databases Recommendations AWS
• Turbonomic Rightsize Virtual Machines Recommendations AWS
• Turbonomic Rightsize Virtual Volumes Recommendations AWS

Azure

• Azure Databricks Rightsize Compute Instances
• Azure Hybrid Use Benefit for Windows Server
• Azure Idle Compute Instances
• Azure Old Snapshots
• Azure Reserved Instances Recommendations
• Azure Rightsize Compute Instances
• Azure Rightsize Managed Disks
• Azure Rightsize MySQL Flexible Servers
• Azure Rightsize MySQL Single Servers
• Azure Rightsize NetApp Resources
• Azure Rightsize SQL Database Storage
• Azure Rightsize SQL Databases
• Azure Rightsize SQL Managed Instance Storage
• Azure Rightsize SQL Managed Instances
• Azure Rightsize Synapse SQL Pools
• Azure Savings Plan Recommendations
• Azure Superseded Compute Instances
• Azure Unused App Service Plans
• Azure Unused Firewalls
• Azure Unused IP Addresses
• Azure Unused Load Balancers
• Azure Unused SQL Databases
• Azure Unused Volumes
• Turbonomic Allocate Virtual Machine Recommendations Azure
• Turbonomic Buy Reserved Instances Recommendations Azure
• Turbonomic Delete Unattached Volumes Recommendations Azure
• Turbonomic Rightsize Databases Recommendations Azure
• Turbonomic Rightsize Virtual Machines Recommendations Azure
• Turbonomic Rightsize Virtual Volumes Recommendations Azure

Flexera

• Email Cost Optimization Recommendations

Google

• Google Committed Use Discount Recommender
• Google Idle Cloud SQL Instance Recommender
• Google Idle IP Address Recommender
• Google Idle Persistent Disk Recommender
• Google Idle VM Recommender
• Google Old Snapshots
• Google Recommenders
• Google Rightsize Cloud SQL Recommender
• Google Rightsize VM Recommender
• Turbonomic Allocate Virtual Machine Recommendations Google
• Turbonomic Delete Unattached Volumes Recommendations Google
• Turbonomic Rightsize Virtual Machines Recommendations Google

Kubecost

• Kubecost Cluster Rightsizing Recommendation
• Kubecost Container Request Rightsizing Recommendations

Policy Templates for Compliance

AWS

• Compute

  • AWS Disallowed Regions
  • AWS EC2 Instances not running FlexNet Inventory Agent
  • AWS Long Stopped EC2 Instances
  • AWS Untagged Resources
  • AWS Unused ECS Clusters

• IAM

  • AWS IAM Role Audit

• Organization

  • AWS Accounts Missing Service Control Policies

• RDS

  • AWS RDS Instances With Unapproved Backup Settings

Azure

• Azure Regulatory Compliance

• All

  • Azure Advisor Carbon Reduction Recommendations

• Compute

  • Azure AHUB Utilization with Manual Entry
  • Azure Disallowed Regions
  • Azure Instances not running FlexNet Inventory Agent
  • Azure Long Stopped Compute Instances
  • Azure Untagged Resources
  • Azure Untagged Virtual Machines

• IAM

  • Azure Policy Audit
  • Azure Subscription Access

Flexera

• Cloud Cost Optimization

  • Billing Center Access Report

• IT Asset Management

  • ITAM Expiring Licenses
  • ITAM Ignored Recent Inventory Dates
  • ITAM Missing Active Machines
  • ITAM Overused Licenses
  • ITAM VMs Missing Host ID

• Identity & Access Management

  • Flexera Users With Explicit Roles

GitHub

• Git

  • GitHub Available Seats
  • GitHub Repositories Without Admin Team
  • GitHub Repository Branches Without Protection
  • GitHub Undersized Repositories
  • GitHub Unpermitted Outside Collaborators
  • GitHub Unpermitted Repository Names
  • GitHub Unpermitted Top-Level Teams

Google

• Compute

  • Google Long Stopped VM Instances
  • Google Unlabeled Resources

Policy Templates for Cost

AWS

• All

  • AWS Cheaper Regions
  • AWS Resources Under Extended Support

• CloudTrail

  • AWS CloudTrails With Read Logging Enabled

• Compute

  • AWS Burstable EC2 Instances
  • AWS EC2 Instances Time Stopped Report
  • AWS EKS Clusters Without Spot Instances
  • AWS Expiring Reserved Instances
  • AWS Expiring Savings Plans
  • AWS Idle Compute Instances
  • AWS Inefficient Instance Utilization using CloudWatch
  • AWS Reserved Instances Coverage
  • AWS Reserved Instances Recommendations
  • AWS Reserved Instances Utilization
  • AWS Rightsize EC2 Instances
  • AWS Savings Plan Recommendations
  • AWS Savings Plan Utilization
  • AWS Savings Realized From Rate Reduction Purchases
  • AWS Schedule Instance
  • AWS Superseded EBS Volumes
  • AWS Superseded EC2 Instances
  • AWS Unused IP Addresses
  • Reserved Instance Report by Billing Center
  • Turbonomic Allocate Virtual Machine Recommendations AWS
  • Turbonomic Rightsize Virtual Machines Recommendations AWS

• Database

  • AWS Rightsize ElastiCache
  • AWS Rightsize Redshift

• EBS

  • AWS GP3 Upgradeable Volumes
  • AWS Rightsize EBS Volumes
  • AWS Unused Volumes

• Marketplace

  • AWS New Marketplace Products

• Network

  • AWS Idle NAT Gateways
  • AWS Unused Application Load Balancers
  • AWS Unused Classic Load Balancers
  • AWS Unused Network Load Balancers

• RDS

  • AWS RDS Instances
  • AWS Rightsize RDS Instances
  • AWS Unused RDS Instances

• Storage

  • AWS Object Storage Optimization
  • AWS Old Snapshots
  • AWS Oversized S3 Buckets
  • AWS S3 Buckets Without Intelligent Tiering
  • AWS S3 Buckets Without Lifecycle Configuration
  • Turbonomic Delete Unattached Volumes Recommendations AWS

• Usage Discount

  • Turbonomic Buy Reserved Instances Recommendations AWS
  • Turbonomic Rightsize Databases Recommendations AWS
  • Turbonomic Rightsize Virtual Volumes Recommendations AWS

Azure

• All

  • Azure Cheaper Regions

• Compute

  • Azure Compute Instances Time Powered Off Report
  • Azure Expiring Reserved Instances
  • Azure Expiring Savings Plans
  • Azure Hybrid Use Benefit for Linux Server
  • Azure Hybrid Use Benefit for Windows Server
  • Azure Idle Compute Instances
  • Azure Inefficient Instance Utilization using Log Analytics
  • Azure Reserved Instances Recommendations
  • Azure Reserved Instances Utilization
  • Azure Reserved Instances Utilization MCA
  • Azure Rightsize Compute Instances
  • Azure Savings Plan Recommendations
  • Azure Savings Plan Utilization
  • Azure Savings Realized from Reservations
  • Azure Schedule Instance
  • Azure Superseded Compute Instances
  • Azure Unused IP Addresses
  • Turbonomic Allocate Virtual Machine Recommendations Azure
  • Turbonomic Rightsize Virtual Machines Recommendations Azure

• Databricks

  • Azure Databricks Rightsize Compute Instances

• Managed Disks

  • Azure Rightsize Managed Disks

• Marketplace

  • Azure New Marketplace Products

• MySQL

  • Azure Rightsize MySQL Flexible Servers
  • Azure Rightsize MySQL Single Servers

• NetApp Files

  • Azure Rightsize NetApp Resources

• Network

  • Azure Unused Firewalls
  • Azure Unused Load Balancers
  • Azure Unused Virtual Network Gateways

• PaaS

  • Azure Unused App Service Plans
  • Azure Web Apps With Unoptimized Scaling

• SQL

  • Azure Hybrid Use Benefit for SQL
  • Azure Rightsize SQL Database Storage
  • Azure Rightsize SQL Databases
  • Azure Rightsize SQL Managed Instance Storage
  • Azure Rightsize SQL Managed Instances
  • Azure Rightsize Synapse SQL Pools
  • Azure SQL Servers Without Elastic Pools
  • Azure Unused SQL Databases

• Storage

  • Azure Blob Storage Optimization
  • Azure Old Snapshots
  • Azure Unused Volumes
  • Turbonomic Delete Unattached Volumes Recommendations Azure

• Storage Accounts

  • Azure Storage Accounts without Lifecycle Management Policies

• Usage Discount

  • Turbonomic Buy Reserved Instances Recommendations Azure
  • Turbonomic Rightsize Databases Recommendations Azure
  • Turbonomic Rightsize Virtual Volumes Recommendations Azure

Azure China

• Common Bill Ingestion

  • Azure China Common Bill Ingestion

Flexera

• Cloud Cost Optimization

  • Budget Alerts
  • Budget Alerts by Cloud Account
  • Budget vs Actual Spend Report
  • Cheaper Regions
  • Cloud Cost Anomaly Alerts
  • Cloud Spend Forecast - Straight-Line
  • Cloud Spend Forecast - Straight-Line (Simple Model)
  • Cloud Spend Moving Average Report
  • Currency Conversion
  • Email Cost Optimization Recommendations
  • Flexera FOCUS Report
  • Low Service Usage
  • Low Usage Report
  • New Usage
  • Scheduled Report
  • Superseded Instances
  • Vendor Spend Commitment Forecast

• Common Bill Ingestion

  • Fixed Cost Common Bill Ingestion

Flexera Optima

• Scheduled Report for Unallocated Costs

GCE

• Compute

  • Google Idle Compute Instances

• SQL

  • Google Rightsize CloudSQL Instances

Google

• All

  • Google Cheaper Regions
  • Google Recommenders

• Compute

  • Google Committed Use Discount Recommender
  • Google Committed Use Discount Report
  • Google Expiring Committed Use Discounts (CUD)
  • Google Idle IP Address Recommender
  • Google Idle VM Recommender
  • Google Rightsize Cloud SQL Recommender
  • Google Rightsize VM Recommender
  • Google Schedule Instance
  • Turbonomic Allocate Virtual Machine Recommendations Google
  • Turbonomic Rightsize Virtual Machines Recommendations Google

• SQL

  • Google Idle Cloud SQL Instance Recommender

• Storage

  • Google Cloud Storage Without Lifecycle Configuration
  • Google Idle Persistent Disk Recommender
  • Google Object Storage Optimization
  • Google Old Snapshots
  • Turbonomic Delete Unattached Volumes Recommendations Google

Kubecost

• Kubernetes

  • Kubecost Cluster Rightsizing Recommendation
  • Kubecost Container Request Rightsizing Recommendations

Oracle

• Common Bill Ingestion

  • Oracle Cloud Common Bill Ingestion

Policy Templates for Operational

AWS

• Compute

  • AWS Long Running Instances
  • AWS Scheduled EC2 Events
  • AWS Usage Forecast - Instance Time Used
  • AWS Usage Forecast - Number of Instance Hours Used
  • AWS Usage Forecast - Number of Instance vCPUs Used
  • AWS Usage Report - Instance Time Used
  • AWS Usage Report - Number of Instance Hours Used
  • AWS Usage Report - Number of Instance vCPUs Used

• PaaS

  • AWS Lambda Functions With High Error Rate
  • AWS Lambda Functions Without Provisioned Concurrency

• Tags

  • AWS Tag Cardinality Report

Azure

• Azure Sync Tags with Optima

• AKS

  • AKS Node Pools Without Autoscaling
  • AKS Node Pools Without Zero Autoscaling

• Compute

  • Azure Bring-Your-Own-License (BYOL) Report
  • Azure Long Running Instances
  • Azure Usage Report - Amount of Instance Memory Used
  • Azure Usage Report - Instance Time Used
  • Azure Usage Report - Number of Instance Hours Used
  • Azure Usage Report - Number of Instance vCPUs Used
  • Azure VMs Not Using Managed Disks

• PaaS

  • Azure Expiring Certificates

• Tags

  • Azure Tag Cardinality Report

Flexera

• Flexera Billing Centers from Dimension Values

• Automation

  • Applied Policy Template Errors
  • Flexera Automation Outdated Applied Policies

• Cloud Cost Optimization

  • Cloud Bill Processing Error Notification

• FlexNet Manager

  • Schedule FlexNet Manager Report

• IT Asset Management

  • Schedule ITAM Report

• Identity & Access Management

  • Flexera One API Event Report
  • Flexera One User Access Report

Google

• Tags

  • Google Label Cardinality Report

Policy Templates for SaaS Management

Flexera

• SaaS Manager

  • SaaS Manager - Deactivated Users
  • SaaS Manager - Deactivated Users for Integrated Applications
  • SaaS Manager - Duplicate User Accounts
  • SaaS Manager - Redundant Apps
  • SaaS Manager - Renewal Reminder
  • SaaS Manager - Suspicious Users
  • SaaS Manager - Unsanctioned Applications with Existing Contract
  • SaaS Manager - Unsanctioned Spend

Microsoft

• Office 365

  • Office 365 Security Alerts

Okta

• Okta Inactive Users

ServiceNow

• ServiceNow Inactive Approvers

Policy Templates for Security

AWS

• CloudTrail

  • AWS CloudTrail Not Enabled In All Regions
  • AWS CloudTrail S3 Buckets Without Access Logging
  • AWS CloudTrails Not Integrated With CloudWatch
  • AWS CloudTrails Without Encrypted Logs
  • AWS CloudTrails Without Log File Validation Enabled
  • AWS CloudTrails Without Object-level Events Logging Enabled
  • AWS Publicly Accessible CloudTrail S3 Buckets

• Config

  • AWS Regions Without Config Fully Enabled

• DBS

  • AWS Regions Without Default EBS Encryption

• EBS

  • AWS Unencrypted EBS Volumes

• ELB

  • AWS Unencrypted ELB Listeners (CLB)

• IAM

  • AWS IAM Account Missing Support Role
  • AWS IAM Attached Admin Policies
  • AWS IAM Expired SSL/TLS Certificates
  • AWS IAM Insufficient Required Password Length
  • AWS IAM Password Policy Not Restricting Password Reuse
  • AWS IAM Root Account Access Keys
  • AWS IAM Root User Account Without Hardware MFA
  • AWS IAM Root User Account Without MFA
  • AWS IAM Root User Doing Everyday Tasks
  • AWS IAM User Accounts Without MFA
  • AWS IAM Users With Directly-Attached Policies
  • AWS IAM Users With Multiple Active Access Keys
  • AWS IAM Users With Old Access Keys
  • AWS Regions Without Access Analyzer Enabled
  • AWS Unused IAM Credentials

• KMS

  • AWS Customer Managed Keys (CMKs) Without Rotation Enabled

• Network

  • AWS Elastic Load Balancers With Unencrypted Listeners
  • AWS Internet-Accessible Elastic Load Balancers
  • AWS VPCs Without FlowLogs Enabled

• RDS

  • AWS Publicly Accessible RDS Instances
  • AWS Unencrypted RDS Instances

• S3

  • AWS Open S3 Buckets

• Storage

  • AWS S3 Buckets Accepting HTTP Requests
  • AWS S3 Buckets Without Default Encryption Configuration
  • AWS S3 Buckets Without MFA Delete Enabled
  • AWS S3 Buckets Without Public Access Blocked
  • AWS S3 Buckets Without Server Access Logging

Azure

• App Service

  • Azure Web Apps Without Secure TLS

• Compute

  • Azure Resources with public IP address

• IAM

  • Azure Guest Users
  • Azure Subscriptions Without Log Analytics Auto-Provisioning

• MySQL

  • Azure MySQL Flexible Servers Without Secure TLS
  • Azure MySQL Servers Without Enforced SSL

• Network Security Group

  • Azure Network Security Groups With Inbound RDP Open
  • Azure Network Security Groups With Inbound SSH Open

• PostgreSQL

  • Azure PostgreSQL Servers With Bad Log Settings
  • Azure PostgreSQL Servers With Insufficient Log Retention
  • Azure PostgreSQL Servers Without Connection Throttling
  • Azure PostgreSQL Servers Without Infrastructure Encryption

• SQL

  • Azure Publicly-Accessible SQL Managed Instances
  • Azure SQL Databases Without Encryption
  • Azure SQL Servers Vulnerability Assessment Does Not Notify Admins
  • Azure SQL Servers Vulnerability Assessment Without Email Notifications
  • Azure SQL Servers Vulnerability Assessment Without Periodic Scans
  • Azure SQL Servers With Insufficient Auditing Retention
  • Azure SQL Servers Without Active Directory Admin
  • Azure SQL Servers Without Advanced Threat Protection (ATP)
  • Azure SQL Servers Without Auditing Enabled
  • Azure SQL Servers Without Vulnerability Assessment (VA) Enabled

• Security

  • Azure Subscriptions Without High Severity Alerts
  • Azure Subscriptions Without Owner Security Alerts
  • Azure Subscriptions Without Security Contact Email

• Storage

  • Azure Blob Storage Accounts Without Logging Enabled
  • Azure Blob Storage Accounts Without Soft Delete Enabled
  • Azure Publicly-Accessible Blob Containers
  • Azure Queue Storage Accounts Without Logging Enabled
  • Azure Storage Accounts Allowing Default Network Access
  • Azure Storage Accounts Without Secure TLS
  • Azure Storage Accounts Without Secure Transfer
  • Azure Storage Accounts Without Trusted Microsoft Services Access
  • Azure Table Storage Accounts Without Logging Enabled

• Storage Accounts

  • Azure Storage Accounts Without HTTPs Enforced

Google

• Storage

  • Google Open Buckets

Tools

• Flexera Automation CloudFormation Template
• fpt Command Line Tool

Policy Data Sets

Some policies require external data sets to function. These data sets are stored in the data directory. The following data sets are available:

• AWS Regions
• AWS Instance Types
• Azure Instance Types
• Google Instance Types
• Currency Reference
• Azure SQL Service Tier Types
• Azure SQL Managed Instance Tier Types
• TZ database Timezone List

Instructions to upload policy templates to Flexera CMP Policies

• The policy templates in the repo are the files that have a .pt extension.
• Select the desired policy template, click on the “Raw” button, and then right-click and choose “Save As” to save the file to your computer.
• To upload the template to your account, navigate over to the Templates page in the left nav bar in Governance. Ensure you have the role to access policy management in RightScale. Learn More about Policy Access Control.
• Click the “Upload Policy Template” button in the account you wish to test the policy and follow the instructions to upload the template you just downloaded.

Policy Template Documentation

• Getting Started
• Reference Documentation
• Policy Template Language
• Markdown Editor - Use this to test Markdown Syntax
• README GUIDELINE

Getting Help

Support for these policy templates will be provided though GitHub Issues and the Flexera Community. Visit Flexera Community to join!

Opening an Issue

Github issues contain a template for three types of requests(Bugs, New Features to an existing Policy Template, New Policy Template Request)

• Bugs: Any issue you are having with an existing policy template not functioning correctly, this does not include missing features, or actions.
• New Feature Request: Any feature(Field, Action, Link, Output, etc) that are to be added to an existing policy template.
• New Policy Template Request: Request for a new policy template.

Troubleshooting Danger Locally

• You can test against a pull request via: bundle exec danger pr https://github.com/flexera-public/policy_templates/pull/73 --pry
• Danger Troubleshooting