Non-Compliant Checks
A compliance check performs an analysis on a cloud resource to see if it matches an undesirable configuration. For example, you could have a check for whether an S3 bucket is configured as publicly accessible.
A check is considered non-compliant if it has at least one active finding. Non-compliant checks can also have states of current, pending, or failed to run (suspended).
Finding non-compliant resources is only half the battle. Common remediation paths include automated actions, federating into non-compliant accounts, and troubleshooting connectivity.
Automating Remediation Actions
Many of the compliance checks in our compliance jumpstarts include suggested remediation actions. For example, our compliance checks that look for unencrypted S3 buckets include automation to turn on encryption when non-compliant resources are found. These types of automated actions are commented out in the check policy by default. To enable them you can clone the check, edit the policy body and apply the new compliance check to the compliance standard.
- For information on editing compliance checks to enable automated remediation actions, see Managing Compliance Checks.
- For information about writing your own automated remediation actions, see Cloud Custodian's documentation.
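As an added illustration (not a policy taken from the Kion jumpstarts), this is the shape such a check policy takes in Cloud Custodian, with the remediation action commented out as described above; the policy name is a placeholder.

```yaml
policies:
  # Detect S3 buckets that have no default server-side encryption configured.
  - name: s3-bucket-unencrypted   # placeholder name, not a Kion jumpstart identifier
    resource: aws.s3
    description: Flag S3 buckets with no default encryption configuration.
    filters:
      - type: bucket-encryption
        state: false              # match buckets where default encryption is absent
    # Suggested remediation, disabled by default. Uncomment to have the check
    # enable SSE-S3 default encryption on every non-compliant bucket it finds.
    # actions:
    #   - type: set-bucket-encryption
    #     crypto: AES256
```

Once the action is uncommented the check writes to every account it scans, so the Kion Service Role needs the corresponding write permission and a cloned check is the place to try it first.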
Federating into Accounts
If the path to remediation requires more investigation or a more hands-on approach, you may want to federate directly into the affected account. In this situation, the quickest path to federation is to:
- Navigate to Compliance > Overview.
- Click the Non-Compliant Checks card.
- Click the ellipsis menu next to the check you are investigating and select View Findings.
- Hovering over a finding shows an ellipsis menu. Click this menu and select Cloud Access.
- Select a cloud access role to federate into the account.
Troubleshooting Connectivity
Connectivity issues may lead to compliance checks being marked as pending or failed (suspended). If this is the case, we suggest ensuring the Kion Service Role has the appropriate permissions to access the account and its resources.
- For information on granting the Kion Service Role permissions, see AWS Deployment Guide, Azure Deployment Guide, or Configuring Google Cloud for Compliance.
Pending Checks
A pending check has not been scanned recently or has never been scanned. In this case, the check is considered non-compliant because we don't have recent data on it. This can result from a connection issue, from the check still waiting in the queue, or from the check being new and simply not having run yet.
Failed/Suspended Checks
A failed/suspended check has failed to scan in at least one account/region 3 times. Checks that have failed are no longer scanned until a remediation action is taken and they are told to resume scans. You can resume scanning for all failed checks by clicking Reattempt Failed Scans on Compliance > All Compliance Checks. You can resume an individual check from the check's ellipsis menu on the same page.
To see why a check has failed:
- Navigate to Compliance > Overview.
- Click the Scans Failed to Run card.
- Under the check, click X scan failed to run to view impacted accounts.
This brings up information on the check, the accounts and regions in which it failed, and the error messages associated with the failure.