The compliance overview is part of our comprehensive compliance solution. It allows you to view multiple measures of compliance at a glance and lets you address findings easily.
To view the compliance overview: in the left navigation menu, click Compliance > Compliance Overview.
We use the following terms to describe items in the compliance overview:
- Compliance Check: an item in Kion that performs an analysis on a cloud resource to see if it matches an undesirable configuration. You would typically use these checks to find resources with insecure configurations; an example would be a check for whether an S3 bucket is configured as publicly accessible. There are three different types of checks available: "Cloud Custodian," "Azure Policy," and "External."
  - Cloud Custodian: Kion includes the open-source Cloud Custodian rules engine, which allows you to write and run YAML policies against your cloud resources such as EC2 instances, VPCs, and root users.
  - Azure Policy: you can add Azure policy definitions to Kion as JSON policy code configured to check your Azure resources for compliance.
  - External: Kion also supports ingesting findings from external tools; in that case the compliance check serves as metadata describing the external check.
- Compliance Standard: an item in Kion that groups together compliance checks. These can align with established security guidelines, if desired. For example, you could name the compliance standard "NIST" if its compliance checks review resources for alignment with NIST security guidelines. Compliance standards are applied to cloud rules, which are in turn applied to an OU or project, and all resources within that OU or project will be subject to the compliance checks included in that compliance standard.
- Finding: a cloud resource that is found non-compliant with an assigned compliance check during a scan. A compliance check can have zero or more findings against a resource. There are a few different types of findings:
  - Active Finding: a cloud resource that is non-compliant and not yet addressed or remediated.
  - Suppressed Finding: a cloud resource that is excluded from future scans. An example is a public S3 bucket that should be public because it contains data that is designed for public consumption. You would mark a finding as "Suppressed" so that it doesn't continue showing up as "Active" in the scans.
  - Archived Finding: a cloud resource that has been acknowledged and marked as remediated by the security team. Any archived resource that is still non-compliant will show up as "Active" again on the next scan.
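As an added illustration (not Kion's own code and not a policy from this page), the following Cloud Custodian policy expresses the public S3 bucket check described above: the `global-grants` filter matches buckets whose ACL grants access to AllUsers or AuthenticatedUsers, and because the policy has no `actions` section it only reports matching buckets, which is all a compliance check needs. The policy name and description are assumptions.

```yaml
policies:
  # Constructed example: flag S3 buckets whose ACL grants access to everyone
  # (AllUsers) or to any AWS account holder (AuthenticatedUsers).
  - name: s3-bucket-publicly-accessible   # assumed policy name
    resource: aws.s3
    description: |
      The bucket ACL grants access to AllUsers or AuthenticatedUsers,
      making the bucket reachable from outside the owning account.
    filters:
      - type: global-grants
    # No actions: the scan only reports each matching bucket, so every
    # match surfaces as a finding instead of being modified by the scan.
```

Each bucket matched by the filter becomes one finding for this check; a bucket that is intentionally public can then be handled by suppressing that finding rather than by changing the policy.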
From this page, you can click All Compliance Standards to view all compliance standards, All Compliance Checks to view all compliance checks, or Create New to add a new compliance check or compliance standard.
The compliance summary displays the following:
- Total Active Findings: the number of instances of non-compliance found across all resources. This will only include active findings. It will also show changes since yesterday, if applicable.
- Non-Compliant Checks: the number of compliance checks that found non-compliance for one or more resources. This will only include checks with active findings. It will also show changes since yesterday, if applicable.
- Non-Compliant Standards: the number of compliance standards that contain checks that found non-compliance for one or more resources. This will only include standards with active findings. It will also show changes since yesterday, if applicable.
- Findings by Severity: the number of findings grouped by severity of the check. The severity of a compliance check can be set when creating it or editing it.
- Items with Active Findings: the number of projects, OUs, and accounts with active findings. An item counts if it is associated with a cloud rule whose compliance standard contains a check that found non-compliance for one or more resources.
You can drill down on the following for more information within the compliance summary:
Total Active Findings
Click View all under Total Active Findings to display all active findings, including the finding ID, the check severity, the compliance standard name, the compliance check name, the project name, the account name, the individual non-compliant resource, the region, and the date/time of the finding. Only active findings display by default; use the Archived and Suppressed tabs at the top of the screen to change the view to the pages for archived findings or suppressed findings. You can also filter by severity, check name, or standard name. Use the arrow buttons on the top right to navigate through the pages of results. You can click on the standard name, check name, project name, or account name to visit the detail pages for those objects.
When you hover over a finding, an ellipsis menu appears as a floating card on the right of the row. Clicking the ellipsis menu gives you the option to:
- Cloud access (quickly access the cloud account where this finding occurred).
- Archive all findings for the finding ID.
- Suppress all findings for the finding ID.
- View metadata for the finding. The metadata field accepts JSON so that you can attach additional data not captured by Kion; for example, you can include resolution information for the finding as a URL.
To prevent duplicate findings in the list, active findings from the same check applied to more than one standard are shown on one row by default, with Multiple listed as the standard name. Click the triangle next to the finding ID to expand or collapse the hidden rows that contain the per-standard details.
Click View all under Non-Compliant Checks to display all non-compliant checks, including the check name, the number of findings (both active and suppressed), and the date/time of the last scan. Use the arrow buttons on the top right to navigate through the pages of results. You can click on the check name to visit the detail page for the check.
Clicking the ellipsis menu on the right of a check gives you the options to:
- Clear Failed State. If a check displays a Failing tag, the check has failed three times and is no longer being scanned. Selecting Clear Failed State from the menu removes the Failing status so that the check resumes scanning. This option only displays if the check is failing.
- Rescan (run the check again on demand).
- View findings for the check.
- Edit check.
- Clone (create a new check using the current one as a template).
- Delete the check.
- View check details page.
The non-compliant standards section displays all non-compliant standards, which are compliance standards that contain checks that found non-compliance for one or more resources. This will only display standards with active findings.
The section includes the standard name, the number of findings (both active and suppressed), and the date/time of the last scan. Use the arrow buttons on the top right to navigate through the pages of results. You can click on the standard name to visit the detail page for the standard.
Clicking the ellipsis menu on the right of a standard gives you the options to:
- Rescan all checks (run the checks associated with this standard again on demand).
- View standard details page.
- View findings for the standard (within the compliance standard detail view).
- Edit standard.
- Delete standard.
Findings By Severity
Click on the count of findings for any severity to display a list of active findings with the Severity filter pre-applied to show the relevant results. This list includes the same information and options as the findings page, which is detailed under the "Total Active Findings" heading above.
Items With Active Findings
Click View non-compliant OUs to display all OUs with active findings, including the OU name, the number of active and suppressed findings, and the date/time of the last scan. Use the arrow buttons on the top right to navigate through the pages of results. You can click on the OU name or click Manage on the right of an OU to view the OU's detail page. Click the active/suppressed finding badges for a list of findings.
Click View non-compliant projects to display all projects with active findings, including the project name, the number of active and suppressed findings, and the date/time of the last scan. Use the arrow buttons on the top right to navigate through the pages of results. You can click on the project name or click Manage on the right of a project to view the project's detail page.
The compliance trends graph shows the total number of findings over time. This visualization can be filtered to show daily active findings or cumulative active findings and can display up to six months of data.