Compliance Overview


To run compliance scans on Google Cloud projects, you must configure your service account to have the correct permissions. For more information, see Configuring Google Cloud for Compliance.

Compliance in Kion is made up of three pieces: compliance standards, compliance checks, and compliance findings.

  • Standards group together related checks to meet larger compliance goals, guidelines, or requirements.
  • Checks contain definitions for compliance that findings are based on.
  • Findings identify specific resources that are not compliant. Findings cannot exist without checks, because checks define what is and isn't compliant. A check asks whether a resource is compliant, and a finding is the answer to that question.

The compliance overview gives you a holistic view of all of the pieces of compliance in your environment. On this page, you can quickly check your compliance posture and find non-compliant resources that need your attention by drilling down into individual standards, checks, findings, and resources.

Compliance Standards

A compliance standard groups together compliance checks. Compliance standards can align with established security frameworks. For example, you could have a NIST compliance standard containing compliance checks reviewing resources for alignment with NIST security guidelines.

If you build standards based on specific compliance frameworks, it is easy to quickly see if you are meeting the framework's requirements.

For more information, see What is a Compliance Standard?

Compliance Standard Cards

Non-Compliant Standards

Compliance Checks

A compliance check performs an analysis on a cloud resource to see if it matches an undesirable configuration. For example, you could have a check for whether an S3 bucket is configured as publicly accessible.

For more information, see What is a Compliance Check?

Compliance Check Status

A check is considered compliant if it has been scanned recently, is not part of a failed scan, and has no active findings.

A check is considered non-compliant if it has at least one active finding. Non-compliant checks can also have states of current, pending, or failed to run (suspended).

  • A current, non-compliant check has been scanned recently and has at least one active finding. This is the default state of non-compliant checks and is not specifically marked with a badge in the Kion console.
  • A pending check has not been scanned recently or has never been scanned. In this case, the check is considered non-compliant, because there is no recent data on it. A check can be pending because of a connection issue, because it is still waiting in the scan queue, or simply because it is new and has not been run yet.
  • A failed or suspended check has failed to scan in at least one account/region 3 times. Checks that are failed/suspended are no longer scanned until a remediation action is taken.

Compliance Check Cards

Non-Compliant Checks

Pending Checks

Failed/Suspended Checks

Compliance Findings

A compliance finding identifies cloud resources that are found non-compliant with an assigned compliance check. There are a few different types of findings:

  • Active Findings. Active findings have identified cloud resources that are non-compliant and have not had any action taken to bring them into compliance.
  • Suppressed Findings. Suppressed findings are excluded from future scans. For example, you might suppress a finding for a public S3 bucket if it should be public because it contains data that is designed for public consumption.
  • Archived Findings. Archived findings have been acknowledged and marked as remediated.
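To make the check-status rules above and the three finding types concrete, here is an added example (not Kion's own code or data model) that derives a check's status from its scan history and its findings. It assumes a 24-hour window for "scanned recently", takes the three-failures-per-account/region suspension threshold from this page, and assumes a precedence order between the states (suspension first, then recency, then findings); the class and function names, account and project identifiers, and scan records are all constructed for the example.

```python
"""Added example (not Kion's own code): derive a compliance check's status from
its scan history and findings, following the rules described on this page.
Names, the 24-hour recency window and the precedence between states are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class FindingState(Enum):
    ACTIVE = "active"          # non-compliant resource, no action taken yet
    SUPPRESSED = "suppressed"  # accepted as-is; excluded from future scans
    ARCHIVED = "archived"      # acknowledged and marked remediated


@dataclass
class Finding:
    resource_id: str
    state: FindingState


@dataclass
class ScanResult:
    account: str           # cloud account or project the scan ran against
    region: str
    finished_at: datetime
    succeeded: bool


@dataclass
class ComplianceCheck:
    name: str
    scans: list = field(default_factory=list)
    findings: list = field(default_factory=list)


RECENT_WINDOW = timedelta(hours=24)  # assumption: what "scanned recently" means
SUSPEND_AFTER_FAILURES = 3           # from the page: 3 failures in one account/region


def active_findings(check):
    """Only active findings count against a check; suppressed and archived ones do not."""
    return [f for f in check.findings if f.state is FindingState.ACTIVE]


def consecutive_failures(check):
    """Trailing run of failed scans per (account, region), newest scan first."""
    by_target = {}
    for scan in check.scans:
        by_target.setdefault((scan.account, scan.region), []).append(scan)
    runs = {}
    for key, scans in by_target.items():
        n = 0
        for scan in sorted(scans, key=lambda s: s.finished_at, reverse=True):
            if scan.succeeded:
                break
            n += 1
        runs[key] = n
    return runs


def check_status(check, now):
    """Return 'suspended', 'pending', 'non-compliant' (the 'current' state) or 'compliant'.

    Precedence is an assumption: a suspended check is no longer scanned, so it is
    classified before recency is considered; 'compliant' is only reached when the
    check was scanned recently, no recent scan failed, and no finding is active.
    """
    if any(n >= SUSPEND_AFTER_FAILURES for n in consecutive_failures(check).values()):
        return "suspended"
    recent = [s for s in check.scans if now - s.finished_at <= RECENT_WINDOW]
    if not recent:
        return "pending"  # never scanned, or no scan inside the recency window
    if active_findings(check) or not all(s.succeeded for s in recent):
        return "non-compliant"
    return "compliant"


NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock


def sample_checks():
    """Constructed checks, one per status the page describes."""
    fresh = NOW - timedelta(hours=2)
    stale = NOW - timedelta(days=3)
    public_bucket = ComplianceCheck(
        "s3-bucket-public",
        scans=[ScanResult("111111111111", "us-east-1", fresh, True)],
        findings=[Finding("bucket-a", FindingState.ACTIVE),
                  Finding("bucket-b", FindingState.SUPPRESSED)],
    )
    suppressed_only = ComplianceCheck(  # intentionally public data: suppressed, not active
        "s3-bucket-public-suppressed",
        scans=[ScanResult("111111111111", "us-east-1", fresh, True)],
        findings=[Finding("bucket-b", FindingState.SUPPRESSED),
                  Finding("bucket-c", FindingState.ARCHIVED)],
    )
    stale_check = ComplianceCheck(
        "iam-root-mfa", scans=[ScanResult("111111111111", "us-east-1", stale, True)])
    suspended = ComplianceCheck(
        "gcp-firewall-open",
        scans=[ScanResult("proj-1", "us-central1", NOW - timedelta(hours=h), False)
               for h in (1, 2, 3)],
    )
    return [public_bucket, suppressed_only, stale_check, suspended]


def status_report(checks, now=NOW):
    return {c.name: check_status(c, now) for c in checks}


if __name__ == "__main__":
    for name, status in status_report(sample_checks()).items():
        print(f"{name:32} {status}")
```

Running it prints one line per constructed check: the check with an active finding is non-compliant, the one whose only findings are suppressed or archived is compliant, the one last scanned three days ago is pending, and the one that failed three times in a row in a single project/region is suspended. The ordering of the tests inside `check_status` is the part most worth adapting if your own precedence differs.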

Compliance Findings Cards

Items with Active Findings

Total Active Findings

Findings By Severity

Compliance Trends

The compliance trends graph shows the total number of findings over time. This visualization can be filtered to show daily active findings or cumulative active findings and can display up to six months of data.

[Screenshot: Compliance Overview page]

What Next?

To run a compliance scan on a resource:

  1. Create a compliance check that defines what you want to scan for. For more information, see Add a Compliance Check.
  2. Add that compliance check to a compliance standard. For more information, see Add a Compliance Standard.
  3. Create or edit a cloud rule to apply that standard to resources. For more information, see Create a Cloud Rule.