FinOps: The Future of FinOps is CloudOps Learn why

Blog Continuous Compliance Release News

New in Release 2.27: Color-Coded Compliance, Security, and Ease-of-Use Features

6 min read

Shields and shapes background pattern

Last updated on February 2nd, 2023 at 3:09pm

Our newest release is now live! This month, we went big on compliance features, like viewing your compliance in new ways across objects and letting scans run longer.

But if compliance isn't your top priority, don't worry! There's plenty more to love in 2.27 for security, ease-of-use, and more! Plus, if you're an AWS user, we've added new ways to automate account categorization for AWS Organizations and automatic AWS support enrollment that will make your life easier.

Read on to learn what we've added in this release.

For everyone: visualize compliance in more ways, let your scans run longer, and more

Compliance Visualizations

Severity Breakdowns and Trends

The compliance tabs for these objects now provide:

  • The object's compliance score (learn how we calculate the compliance score in this blog article). A lower score is better, and a score of 0 means no compliance issues for this object.
  • A doughnut chart showing compliant and non-compliant checks and the severity of the non-compliant checks. This lets you determine which objects have the highest proportion of urgent non-compliant checks at a glance.
  • The number of total checks for this object.
  • A compliance trend graph that shows the number of findings over time for this object. The graph can be filtered to show daily active findings or cumulative active findings, and it can display up to six months of data.
cloud compliance visualization

Severity Indicators on Badges

We also applied the color-coded severity indicators to the findings badges across many pages. These findings badges indicate the highest level of severity recorded for their compliance checks with active findings. For example, if you see the following badge, it means there are 62 active findings and at least one of the findings is high severity:

color-coded compliance severity indicators

Using the score and chart colors as an easy indicator of urgency, you can determine which items need attention first. The colors show you:

Indicators of positive states:

  • Green (for checks): compliant checks.
  • Gray (for findings): no findings/all checks are compliant.

Indicators of negative states:

(For findings, these mean at least one finding's check is this severity level)

  • Maroon: non-compliant checks of critical severity.
  • Red: non-compliant checks of high severity.
  • Orange: non-compliant checks of medium severity.
  • Yellow: non-compliant checks of low severity.
  • Blue: non-compliant checks of informational severity.

You can click on the findings badges to see a list of the findings, including their severity information.

Finally, as of 2.27, these visualizations are also available on the overview tab for compliance checks and compliance standards, so you can visualize compliance for a check or a standard as a whole across all associated accounts, projects, and OUs.

Customize the compliance token lifespan

Another compliance improvement in 2.27 is our new compliance settings page, which allows you to extend the POST token life to increase the amount of time allowed for Cloud Custodian webhooks to execute. The default value for the compliance token life is one hour, which is sufficient for most customers and follows best practices by limiting the token life. But if you have compliance scans that take longer than an hour, a token set to one hour would expire before the scan completes, and the results wouldn't successfully POST within the API. To ensure these long-running scans are captured, you can now increase the compliance POST token life to a maximum value of four hours.

SAML single logout allows users to authenticate using SAML 2.0 identity providers, including Azure AD, Okta, OneLogin, PingFederate, Google, and more. While logging out from a session always invalidated your existing connection to the application, we added extra security this release by allowing you to enable single logout for your identity provider. Choosing the enable single logout option means that we will automatically invalidate and end the SAML session when a user logs out of

We want to make it easy to troubleshoot when something is amiss. This release, we changed some terminology to give you a clearer indication of an object's status, including:

  • We now mark Compliance checks with errors as "Suspended" instead of "Failing." We also added menu options to "Resume" a suspended check.
  • We now mark projects with expired funding sources as "Funding Expired" instead of "Expired."
Additionally, we added more details to our logs, which makes error resolution and debugging easier. This includes the logs for:
  • The cost savings microservice. We include the task ID, request ID, and definition ID.
  • The CloudFormation microservice. We include more info on what accounts, cloud rules, and CFTs were involved in changes.
  • The roles in AWS IAM sync. We show whether the role check found changes to the role.
  • The audit log. We added usernames to audit log entries.

For AWS users: easily add new accounts to an AWS Organizations OU, auto-enroll in AWS support, and more

Choose your AWS Organizations OU

We've made integration with AWS Organizations even easier by allowing you to choose an AWS Organizations OU--or even create a brand new one--from the account creation screen in Simply place a check by the "Add to AWS Organizational Unit" option, then either choose an existing AWS Organizations OU from the drop-down menu or create a new OU using the form. It's that simple!

AWS Organizations integration

Enroll new accounts in AWS support automatically

You can now auto-enroll new AWS accounts created in in your AWS support plan by checking a box during billing source creation. This automatically requests AWS support enrollment for all accounts created under the billing source, so you don't have to create requests manually for every account that you add. Please note: you must already have an AWS Business or Enterprise Support plan to use this feature.

Validate GovCloud accounts easily

We just made it even easier to validate your AWS GovCloud accounts--even if partition keys are not yet configured. Our new process can use the billing source key and secret to get a list of unlinked accounts if no partition keys are set up. So no matter how far along you are in the account config process, we've got you covered.

I could go on. I won't, but I could.

If you're an existing customer, you can find the full list of new features from 2.27 in our Support Center.

If you're new to, you can request a demo to learn more about our comprehensive cloud management software.

Start your cloud operations journey.

Request a demo today,