Compliance Overview

The compliance overview is part of our comprehensive compliance solution. Use it to view multiple measures of compliance at a glance and address findings.

To run compliance scans on Google Cloud projects, you must configure your service account to have the correct permissions. For more information, see Configuring Google Cloud for Compliance.

Compliance in Kion is made up of three pieces: compliance findings, compliance checks, and compliance standards.

  • Findings identify specific resources that are not compliant. Findings cannot exist without checks, because checks define what is and isn't compliant. A check asks whether a resource is compliant, and a finding is the answer to that question.
  • Checks contain definitions for compliance that findings are based on.
  • Standards group together related checks to meet larger compliance goals, guidelines, or requirements.

Compliance Checks

A compliance check performs an analysis on a cloud resource to see if it matches an undesirable configuration. You would typically use these checks to find resources with insecure configurations. For example, you could have a check for whether an S3 bucket is configured as publicly accessible.

To get you started, there are many pre-made Cloud Custodian compliance checks available in your environment. We also provide easy-to-import, pre-made collections of compliance checks for many compliance frameworks. For more information, see Managed Resources & Compliance Jumpstarts.

You can create your own compliance checks to fit your specific needs. To add a compliance check, click Create New. For more information, see Add a Compliance Check.

Compliance Check Status

A check is considered compliant if it has been scanned recently, has no active findings, and is not suspended anywhere.

A check is considered non-compliant if it has at least one active finding. Non-compliant checks can also have states of current, pending, or suspended.

  • A current, non-compliant check has been scanned recently and has at least one active finding. This is the default state of non-compliant checks and is not specifically called out with a badge in the Kion console.
  • A pending check has not been scanned recently or has never been scanned. In this case, the check is considered non-compliant because we don't have recent data on it. This can happen because of a connection issue, because the check is still waiting in the queue, or because the check is new and simply hasn't been run yet.
  • A suspended check has failed in at least one account/region 3 times. Checks that are suspended are no longer scanned until a remediation action is taken.

Compliance Check Cards

  • Non-Compliant Checks
  • Pending Checks
  • Suspended Checks

Compliance Standards

A compliance standard groups together compliance checks. Compliance standards can align with established security guidelines, if desired. For example, you could have a NIST compliance standard containing compliance checks reviewing resources for alignment with NIST security guidelines.

Compliance standards are applied to cloud rules, which are applied to an OU or project. All resources within that OU or project are subject to the compliance checks included in the compliance standard.

You can create your own compliance standards to fit your specific needs. To add a compliance standard, click Create New. For more information, see Add a Compliance Standard.

We also provide easy-to-import, pre-made collections of compliance standards for many compliance frameworks. For more information, see Managed Resources & Compliance Jumpstarts.

A standard is considered non-compliant if any of its checks is non-compliant for one or more resources.

Compliance Standard Cards

  • Non-Compliant Standards

Compliance Findings

A compliance finding identifies cloud resources that are found non-compliant with an assigned compliance check. There are a few different types of findings:

  • Active Findings. Active findings have identified cloud resources that are non-compliant and have not had any action taken to bring them into compliance.
  • Suppressed Findings. Suppressed findings are excluded from future scans. For example, you might suppress a finding for a public S3 bucket if it should be public because it contains data that is designed for public consumption.
  • Archived Findings. Archived findings have been acknowledged and marked as remediated.
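To make the status rules on this page concrete (the check states from Compliance Check Status, the roll-up of checks into a standard, and which finding types count against a check), here is an added Python model; it is not Kion's own code. The data shapes, the 24-hour "recently scanned" window, the per-account/region freshness rule and the account and resource names are assumptions.

```python
from dataclasses import dataclass, field

# The page states the "3 failures" suspension rule but not how long a scan
# counts as recent; the 24-hour window is an assumption of this example.
RECENT_SCAN_WINDOW_HOURS = 24
SUSPEND_AFTER_FAILURES = 3

@dataclass
class ScanRecord:  # scan history of one check in one account/region (constructed shape)
    account_region: str
    hours_since_scan: float = None  # None: never scanned here
    consecutive_failures: int = 0

@dataclass
class Check:
    name: str
    scans: list = field(default_factory=list)
    findings: dict = field(default_factory=dict)  # resource -> active|suppressed|archived

def check_status(check):
    """Classify a check as compliant, current, pending or suspended."""
    # Suspension wins: a suspended check is no longer scanned anywhere.
    if any(s.consecutive_failures >= SUSPEND_AFTER_FAILURES for s in check.scans):
        return "suspended"
    # Pending: never scanned, or stale data in some account/region (requiring
    # every account/region to be fresh is an assumption of this example).
    if not check.scans or any(s.hours_since_scan is None or
                              s.hours_since_scan > RECENT_SCAN_WINDOW_HOURS
                              for s in check.scans):
        return "pending"
    # Current: recent data plus an active finding; suppressed/archived do not count.
    return "current" if any(v == "active" for v in check.findings.values()) else "compliant"

def standard_status(checks):
    """A standard is non-compliant as soon as one of its checks is."""
    all_ok = all(check_status(c) == "compliant" for c in checks)
    return "compliant" if all_ok else "non-compliant"

def demo():
    """Constructed sample covering every state; returns check name -> status."""
    fresh = ScanRecord("111111111111/us-east-1", hours_since_scan=1)
    checks = [
        Check("s3-bucket-public", [fresh], {"my-bucket": "active", "site-bucket": "suppressed"}),
        Check("s3-bucket-unencrypted", [fresh], {"old-bucket": "archived"}),
        Check("iam-root-mfa"),  # never scanned anywhere
        Check("gcp-public-ip", [ScanRecord("my-gcp-project", 30, consecutive_failures=3)]),
    ]
    result = {c.name: check_status(c) for c in checks}
    result["standard"] = standard_status(checks)
    return result
```

Running `demo()` shows that a suppressed finding alone does not make a check non-compliant, while a single never-scanned or suspended check is enough to make the whole standard non-compliant.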

Compliance Findings Cards

  • Items with Active Findings
  • Total Active Findings
  • Findings By Severity

Compliance Trends

The compliance trends graph shows the total number of findings over time. This visualization can be filtered to show daily active findings or cumulative active findings and can display up to six months of data.


What Next?

To run a compliance scan on a resource:

  1. Create a compliance check that defines what you want to scan for. For more information, see Add a Compliance Check.
  2. Add that compliance check to a compliance standard. For more information, see Add a Compliance Standard.
  3. Create or edit a cloud rule to apply that standard to resources. For more information, see Create a Cloud Rule.
