Blog Continuous Compliance Financial Management Release News

New in Release 2.32: Expanded Access Control and New Billing Sources

Emily Wayman

4 min read

Shields and shapes background pattern

Last updated on February 2nd, 2023 at 3:13pm

For Version 2.32, we focused on consistency and usability enhancements. We bring you new API endpoints, expanded data logs, and 25 squashed bugs. Little changes can make all the difference, but that doesn’t mean we don’t have a few big additions for you too! I’m excited to tell you about our new features on both the AWS and Azure side of things.

Enable Attribute-Based Access Control with AWS Session Tags

Add AWS Session Tags to Cloud Access Roles

Attribute-based access control (ABAC) is an additional strategy for managing access to your AWS resources at scale. With this strategy, you define permissions for attributes instead of roles. When you add a new resource, simply tag it with the relevant attributes and any users or roles with the matching attributes automatically have the correct levels of access. You rarely have to update your policies, and adding new users and resources is easy.

Session tags are the key to attribute-based access control. Session tags pass in attributes when you federate into an AWS account from using a cloud access role. Specific permissions can be assigned to these attributes in AWS, enabling granular permission control that isn’t reliant on granular roles.

For example, let’s say you have a developer with permission to start, stop, and terminate EC2 instances. If you were to tag the cloud access role they use with Department:Engineering, they would only be able to start, stop, and terminate EC2 instances with that same tag. This means that in a shared services account, they couldn’t accidentally shut down a DevOps instance (assuming that this resource would be tagged with Department:DevOps).

In addition to the tags on your cloud access roles, if your SAML identity provider supports session tags, automatically includes any attributes defined in your user directory as well.

If you add user attributes from your identity provider to the above example, you could add the Department:Engineering tag directly to the user instead of the cloud access role. In this case, no matter what cloud access role they use in this user will always have that session tag and will always only have access to resources with a matching tag.

attribute-based cloud access control

For more information about using session tags with cloud access roles, see our articles: Add a Cloud Access Role to a Project or Add a Cloud Access Role to an OU.

A More Flexible Azure Billing Source

Add Azure MCA Billing Sources

Microsoft has introduced Microsoft Customer Agreements (MCA) to take over for Enterprise Agreements (EA). Next time your direct EA enrollment is about to expire, you will likely be prompted to sign an MCA instead of renewing your EA. MCAs offer better scaling and simplify your billing management. And already supports them! So why not make the switch?

Next time you navigate to Accounts > Billing Sources > Add New in, you will see we’ve added Azure MCA Commercial and Azure MCA Government options. Adding an MCA billing source requires two things, your tenant credentials and your Azure storage information. The storage information requirement is different from what we’ve done before, so let’s go over it.

When you set up an Azure MCA billing account to be used with, we ask you to create a recurring export that places your billing data in an Azure storage account. We do this for two primary reasons: It enables us to work with any billing profile hierarchy, and it extends our support to all MCA billing account types. You can set up your MCA enrollment any way you like, and will always be able to take in your data, as long as we can reach your storage.

Azure MCA Billing Sources

For information about setting up your Azure storage account and adding an MCA billing source to, see our article: Azure MCA Billing Sources.

Tell Us What You Think!

Preview New Features and Send Feedback

We have added a feature preview badge that displays next to new features when they first release. Hovering over the badge gives you the option to send feedback on the feature directly to our team. We love to build features that continue to make using the cloud easier – and we can only do that with great feedback! Look for this badge popping up in more places in upcoming releases!

preview new features

That’s Not All!

These are just the highlights! For details on all of our new features, changes, and bug fixes, visit our Support Center.

If you're new to, welcome! You can request a demo to learn more about our comprehensive cloud management software.

About the Author

Emily Wayman

Emily is the technical writer at Kion.

Start your cloud operations journey.

Request a demo today,