To run compliance scans on Google Cloud projects, you must configure your service account to have the correct permissions. For more information, see Configuring Google Cloud for Compliance.
Compliance in Kion is made up of three pieces: compliance standards, compliance checks, and compliance findings.
Standards group together related checks to meet larger compliance goals, guidelines, or requirements.
Checks contain definitions for compliance that findings are based on.
Findings identify specific resources that are not compliant. Findings cannot exist without checks, because checks define what is and isn't compliant. A check asks whether a resource is compliant, and a finding is the answer to that question.
The compliance overview gives you a holistic view of all of the pieces of compliance in your environment. On this page, you can quickly check your compliance posture and find non-compliant resources that need your attention by drilling down into individual standards, checks, findings, and resources.
Compliance Standards
A compliance standard groups together compliance checks. Compliance standards can align with established security frameworks. For example, you could have a NIST compliance standard containing compliance checks reviewing resources for alignment with NIST security guidelines.
If you build standards based on specific compliance frameworks, it is easy to quickly see if you are meeting the framework's requirements.
Click View all under Non-Compliant Standards to view a list of all compliance standards that contain checks with non-compliant findings. This list includes the standard name, the number of active and suppressed findings, and the date/time of the last scan. You can click on the standard's name to go to its details page.
The ellipsis menu next to each standard includes the options:
Rescan all checks. Immediately runs all checks in the standard again.
View standard details page. Takes you to the standard's details page. For more information, see Compliance Standard Details.
View findings. Brings up a list of findings for the selected standard. For more information, see What is a Finding?
Edit standard. Allows you to edit standard details, owners, and included checks. For more information, see Managing Compliance Standards.
Delete standard. Deletes the standard. This does not delete checks included in the standard, but they will no longer be applied to resources through this standard and may become inactive.
Compliance Checks
A compliance check performs an analysis on a cloud resource to see if it matches an undesirable configuration. For example, you could have a check for whether an S3 bucket is configured as publicly accessible.
A check is considered compliant if it has been scanned recently, is not part of a failed scan, and has no active findings.
A check is considered non-compliant if it has at least one active finding. Non-compliant checks can also have states of current, pending, or failed to run (suspended).
A current, non-compliant check has been scanned recently and has at least one active finding. This is the default state of non-compliant checks and is not specifically marked with a badge in the Kion console.
A pending check has not been scanned recently or has never been scanned. In this case, the check is considered non-compliant, because we don't have recent data on it. This can happen because of a connection issue, because the check is still in the queue, or because the check is new and simply hasn't been run yet.
A failed or suspended check has failed to scan in at least one account/region 3 times. Checks that are failed/suspended are no longer scanned until a remediation action is taken.
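The check states above follow a small set of rules, and the order in which they are evaluated matters (a failed check stays failed until someone reattempts it, and a stale scan makes a check pending even if its last result was clean). The following Python model is an added illustration, not Kion's own code: the 24-hour "recent" window, the handling of a single failed scan below the 3-failure threshold, and the Check/record_scan/reattempt_failed_scans names are assumptions made here so the rules can be exercised end to end.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds are assumptions for this illustration, not Kion's configuration:
# a scan counts as "recent" inside RECENT_WINDOW, and a check becomes failed
# (suspended) once any single account/region has failed FAIL_THRESHOLD times.
RECENT_WINDOW = timedelta(hours=24)
FAIL_THRESHOLD = 3
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Check:
    name: str
    last_scan: Optional[datetime] = None            # most recent scan completion, any target
    last_scan_failed: bool = False
    findings: dict = field(default_factory=dict)    # (account, region) -> active finding count
    failures: dict = field(default_factory=dict)    # (account, region) -> failed scan count


def record_scan(check, account, region, finished_at, succeeded, active_findings=0):
    """Apply one scan result for one account/region to the check."""
    key = (account, region)
    check.last_scan = finished_at
    check.last_scan_failed = not succeeded
    if succeeded:
        check.findings[key] = active_findings
    else:
        check.failures[key] = check.failures.get(key, 0) + 1


def reattempt_failed_scans(check):
    """The 'Reattempt Failed Scans' action: clear the failed status so scanning resumes."""
    check.failures.clear()


def check_state(check, now):
    """Classify a check as compliant, non-compliant, pending or failed.

    pending and failed are both non-compliant states; they are returned
    separately because the console lists them separately.
    """
    if any(n >= FAIL_THRESHOLD for n in check.failures.values()):
        return "failed"
    if check.last_scan is None or now - check.last_scan > RECENT_WINDOW:
        return "pending"                # never scanned, or no recent data
    if sum(check.findings.values()) > 0:
        return "non-compliant"
    if check.last_scan_failed:
        # A recent failure below the threshold is treated as "no trustworthy
        # data yet" and therefore pending (assumption made for this example).
        return "pending"
    return "compliant"


if __name__ == "__main__":
    c = Check("s3-bucket-public-access")  # constructed check name
    print(c.name, check_state(c, T0))                          # pending: never scanned
    record_scan(c, "111111111111", "us-east-1", T0, True, active_findings=2)
    print(c.name, check_state(c, T0))                          # non-compliant
    record_scan(c, "111111111111", "us-east-1", T0, True, active_findings=0)
    print(c.name, check_state(c, T0))                          # compliant
    for _ in range(FAIL_THRESHOLD):
        record_scan(c, "222222222222", "eu-west-1", T0, False)
    print(c.name, check_state(c, T0))                          # failed
    reattempt_failed_scans(c)
    print(c.name, check_state(c, T0))                          # pending until the next clean scan
```

Note that a failed check is checked first: it never reads as compliant or pending on the strength of older clean results in other accounts, which is why the console stops scanning it until someone reattempts.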
Click View all under Non-Compliant Checks to view an automatically filtered list of all non-compliant checks, including all non-compliant states. This list includes the check name, the number of findings, the severity, and the date/time of the last scan. You can click on the check's name to go to the check's details page.
The ellipsis menu next to each check includes the options:
Rescan. Immediately runs the check again.
View findings. Brings up a list of findings for the selected check. For more information, see What is a Finding?
Clone. Create a new check using the current one as a template. For more information, see Add a Compliance Check.
Delete. Delete the check. This does not delete the policies contained within the check, but they will no longer be applied to resources through this check.
Reattempt Failed Scans. If a check has failed (or been suspended), it means the check is no longer being scanned. Selecting this option removes the failed status, so that the check will resume scans.
View check details page. Takes you to the check's details page. For more information, see Compliance Check Details.
Compliance checks are considered pending if they have never been scanned or have not had a recent scan.
Click View all under Pending Checks to view an automatically filtered list of non-compliant checks with the pending state. This list includes the check name, the number of findings, the severity, and the date/time of the last scan. You can click on the check's name to go to the check's details page.
The ellipsis menu next to each check includes the options:
Clone. Create a new check using the current one as a template. For more information, see Add a Compliance Check.
Delete. Delete the check. This does not delete the policies contained within the check, but they will no longer be applied to resources through this check.
View check details page. Takes you to the check's details page. For more information, see Compliance Check Details.
Depending on the version of Kion you are using, these checks will either be called failed or suspended. The following documentation will refer to them as failed, as it is the most current term.
A failed check has failed to scan in at least one account/region 3 times. Checks that are failed are no longer scanned until remediation action is taken.
Click View all under Failed Checks to view an automatically filtered list of non-compliant checks with the failed state. This list includes the check name, the number of findings, the severity, and the date/time of the last scan.
You can click on the check's name to go to the check's details page or View Impacted Accounts to view where the check has failed.
The ellipsis menu next to each check includes the options:
Reattempt Failed Scans. If a check has failed (or been suspended), it means the check is no longer being scanned. Selecting this option removes the failed status, so that the check will resume scans.
Clone. Create a new check using the current one as a template. For more information, see Add a Compliance Check.
Delete. Delete the check. This does not delete the policies contained within the check, but they will no longer be applied to resources through this check.
View check details page. Takes you to the check's details page. For more information, see Compliance Check Details.
Compliance Findings
A compliance finding identifies cloud resources that are found non-compliant with an assigned compliance check. There are a few different types of findings:
Active Findings. Active findings have identified cloud resources that are non-compliant and have not had any action taken to bring them into compliance.
Suppressed Findings. Suppressed findings are excluded from future scans. For example, you might suppress a finding for a public S3 bucket if it should be public because it contains data that is designed for public consumption.
Archived Findings. Archived findings have been acknowledged and marked as remediated.
Click View OUs, View Projects, or View Accounts under Items with Active Findings to view a list of the selected type of resources that contain non-compliant checks. This list includes the resource name, the number of active and suppressed findings, and the date/time of the last scan.
Click on the resource's name or Manage to go to the resource's details page.
Click View all under Total Active Findings to view all findings across all compliance checks. Use the Active, Archived, and Suppressed tabs at the top of the screen to view different categories of findings.
To prevent duplicate findings in the list, active findings from the same check that was applied to more than one standard will be shown on one row with Multiple listed as the standard name. Click the triangle next to the finding ID to expand and collapse the hidden rows that contain more details.
Hovering over a finding reveals an ellipsis menu with the options:
Cloud access. Use a cloud access role to quickly access the cloud account where this finding occurred. For more information, see What is a Cloud Access Role?
Archive. Archive the finding.
Archived findings are marked as remediated.
Suppress. Suppress the finding.
Suppressed findings are excluded from future scans. For example, you might suppress a finding for a public S3 bucket if it should be public, because it contains data that is designed for public consumption.
Unsuppress. If a finding has been suppressed, this action moves it back to an active state.
Show reason. If you included a suppression reason when you marked a finding as suppressed, you can view it by clicking this action.
View metadata. View metadata for the finding. Metadata is information that is not typically captured by Kion.
If this option is not displayed, there is no metadata.
For information about including metadata in your policies, see Writing Cloud Custodian Compliance Policies.
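The finding states and actions above (active, suppressed with an optional reason, archived, unsuppress back to active) and the "Multiple" row grouping described under Total Active Findings form a small lifecycle. The Python below is an added illustration written for this page, not Kion's implementation: the Finding record, the reconcile() rule that folds a new scan's results into existing findings, and the assumption that a resource reappearing after its finding was archived gets a fresh active finding are all assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Finding:
    finding_id: str
    check: str
    resource: str
    standards: list = field(default_factory=list)  # standards the check reached this resource through
    state: str = "active"                           # active | suppressed | archived
    reason: Optional[str] = None                    # suppression reason shown by 'Show reason'


def id_counter(prefix="F-"):
    """Return a callable that hands out constructed finding ids F-1, F-2, ..."""
    n = [0]

    def next_id():
        n[0] += 1
        return f"{prefix}{n[0]}"
    return next_id


def suppress(finding, reason=None):
    """Suppress: the finding is excluded from future scans; keep the reason for 'Show reason'."""
    finding.state, finding.reason = "suppressed", reason


def unsuppress(finding):
    """Unsuppress: a suppressed finding goes back to the active state."""
    if finding.state == "suppressed":
        finding.state, finding.reason = "active", None


def archive(finding):
    """Archive: the finding is acknowledged and marked as remediated."""
    finding.state = "archived"


def reconcile(findings, check, scan_hits, next_id):
    """Fold one check's latest scan into the finding list; return newly created findings.

    scan_hits maps resource -> list of standards under which the check flagged it.
    Suppressed findings are left untouched even if the resource is still
    non-compliant (this is what 'excluded from future scans' means here).
    Archived findings count as closed, so a resource that reappears gets a new
    active finding (assumption made for this example).
    """
    open_by_resource = {f.resource: f for f in findings
                        if f.check == check and f.state != "archived"}
    created = []
    for resource, standards in scan_hits.items():
        existing = open_by_resource.get(resource)
        if existing is None:
            f = Finding(next_id(), check, resource, sorted(set(standards)))
            findings.append(f)
            created.append(f)
        elif existing.state == "active":
            existing.standards = sorted(set(existing.standards) | set(standards))
        # existing.state == "suppressed": excluded from future scans, nothing changes
    return created


def active_rows(findings):
    """One list row per active finding; 'Multiple' when the check came via several standards."""
    return [{"finding_id": f.finding_id, "check": f.check, "resource": f.resource,
             "standard": f.standards[0] if len(f.standards) == 1 else "Multiple",
             "details": list(f.standards)}          # the rows hidden behind the triangle
            for f in findings if f.state == "active"]


if __name__ == "__main__":
    findings, next_id = [], id_counter()
    # Constructed scan result: one check applied through two standards.
    reconcile(findings, "s3-bucket-public-access",
              {"public-site-assets": ["NIST", "CIS"], "backups": ["NIST"]}, next_id)
    suppress(findings[0], "intentionally public: static website content")
    reconcile(findings, "s3-bucket-public-access",
              {"public-site-assets": ["NIST"], "backups": ["NIST"]}, next_id)
    for row in active_rows(findings):
        print(row)   # only 'backups' remains active; the suppressed bucket did not resurface
```

Recording the suppression reason at suppress time is what makes the Show reason action useful later: the next reviewer sees why the public bucket was accepted instead of having to rediscover it.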
Click on the count of findings for any severity to view an automatically filtered list of active findings with the selected Severity. Use the Active, Archived, and Suppressed tabs at the top of the screen to view different categories of findings.
This list behaves the same way as the Total Active Findings list: active findings from the same check that was applied to more than one standard are shown on one row with Multiple listed as the standard name (click the triangle next to the finding ID to expand and collapse the hidden rows), and hovering over a finding reveals the same ellipsis menu with the Cloud access, Archive, Suppress, Unsuppress, Show reason, and View metadata options described above.
Compliance Trends
The compliance trends graph shows the total number of findings over time. This visualization can be filtered to show daily active findings or cumulative active findings and can display up to six months of data.
What Next?
To run a compliance scan on a resource:
Create a compliance check that defines what you want to scan for. For more information, see Add a Compliance Check.
Add that compliance check to a compliance standard. For more information, see Add a Compliance Standard.
Create or edit a cloud rule to apply that standard to resources. For more information, see Create a Cloud Rule.