Compliance Overview
The compliance overview is part of our comprehensive compliance solution. Use it to view multiple measures of compliance at a glance and address findings.
To run compliance scans on Google Cloud projects, you must configure your service account to have the correct permissions. For more information, see Configuring Google Cloud for Compliance.
Compliance in Kion is made up of three pieces: compliance findings, compliance checks, and compliance standards.
- Findings identify specific resources that are not compliant. Findings cannot exist without checks, because checks define what is and isn't compliant. A check asks whether a resource is compliant; a finding records a resource for which the answer was no.
- Checks contain definitions for compliance that findings are based on.
- Standards group together related checks to meet larger compliance goals, guidelines, or requirements.

Compliance Checks
A compliance check performs an analysis on a cloud resource to see if it matches an undesirable configuration. You would typically use these checks to find resources with insecure configurations. For example, you could have a check for whether an S3 bucket is configured as publicly accessible.
To get you started, there are many pre-made Cloud Custodian compliance checks available in your environment. We also provide easy-to-import, pre-made collections of compliance checks for many compliance frameworks. For more information, see Managed Resources & Compliance Jumpstarts.
You can create your own compliance checks to fit your specific needs. To add a compliance check, click Create New. For more information, see Add a Compliance Check.
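As an added illustration of the S3 example above, the following is a generic Cloud Custodian policy written for this page; it is not one of the pre-made checks shipped with Kion, and the policy name is an assumption. The filter names are Cloud Custodian's own. It flags buckets that either carry an ACL grant to AllUsers or AuthenticatedUsers, or have at least one of the four Block Public Access settings turned off (a bucket with no public access block configuration counts as all four off). The `allow_website: false` line matters: by default the `global-grants` filter tolerates public read on buckets configured for static website hosting, so without it a public website bucket would produce no finding.

```yaml
# Added example policy for a "publicly accessible S3 bucket" compliance check.
# Policy name is hypothetical; filter names are Cloud Custodian's own.
policies:
  - name: s3-bucket-publicly-accessible   # assumed name
    resource: aws.s3
    description: |
      Flags S3 buckets that are publicly reachable, either through an ACL
      grant to AllUsers/AuthenticatedUsers or because Block Public Access
      is not fully enabled on the bucket.
    filters:
      - or:
          # ACL grants public or any-authenticated-AWS-user access.
          # allow_website defaults to true, which would ignore public
          # read on website-hosting buckets; disable it so those are
          # reported as well.
          - type: global-grants
            allow_website: false
          # Each entry matches buckets where that one Block Public Access
          # setting is off; the surrounding "or" reports a bucket if any
          # of the four is off. Buckets with no public access block
          # configuration are treated as all four off.
          - type: check-public-block
            BlockPublicAcls: false
          - type: check-public-block
            IgnorePublicAcls: false
          - type: check-public-block
            BlockPublicPolicy: false
          - type: check-public-block
            RestrictPublicBuckets: false
```

The policy deliberately has no `actions` block: a compliance check only reports findings, and any remediation is a separate step taken on the finding.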
Compliance Check Status
A check is considered compliant if it has been scanned recently, has no active findings, and is not suspended anywhere.
A check is considered non-compliant if it has at least one active finding. Non-compliant checks can also have states of current, pending, or suspended.
- A current, non-compliant check has been scanned recently and has at least one active finding. This is the default state of non-compliant checks and is not called out with a badge in the Kion console.

- A pending check has not been scanned recently or has never been scanned. In this case, the check is considered non-compliant because there is no recent data on it. This can happen because of a connection issue, because the check is still in the queue, or because the check is new and simply hasn't been run yet.

- A suspended check has failed in at least one account/region three times. Checks that are suspended are no longer scanned until a remediation action is taken.

Compliance Check Cards
Non-Compliant Checks
Click View all under Non-Compliant Checks to view an automatically filtered list of all non-compliant checks, including all non-compliant states. This list includes the check name, the number of findings, the severity, and the date/time of the last scan. You can click on the check's name to go to the check's details page.
Next to each check, there is an ellipsis menu with remediation actions.
- Rescan. Immediately run the check again.
- View findings. Review specific compliance findings for the check. For more information, see Viewing Compliance Checks.
- Edit check. Edit the check. For more information, see Edit a Compliance Check.
- Clone. Create a new check using the current one as a template.
- Delete. Delete the check.
- View check details page. Go to the check's details page for information including the check details, activity feed, findings, standards it is a part of, and projects and accounts where it is applied. For more information, see Viewing Compliance Checks.
- Resume. If a check has been suspended, it means the check has failed multiple times and is no longer being scanned. Selecting Resume removes the suspended status, so that the check will resume scans.
Pending Checks
Compliance checks are considered pending if they have never been scanned or have not had a recent scan.
Click View all under Pending Checks to view an automatically filtered list of non-compliant checks with the pending state. This list includes the check name, the number of findings, the severity, and the date/time of the last scan. You can click on the check's name to go to the check's details page.
Next to each check, there is an ellipsis menu with remediation actions.
- Rescan. Immediately run the check again.
- Edit check. Edit the check. For more information, see Edit a Compliance Check.
- Clone. Create a new check using the current one as a template.
- Delete. Delete the check.
- View check details page. Go to the check's details page for information including the check details, activity feed, findings, standards it is a part of, and projects and accounts where it is applied. For more information, see Viewing Compliance Checks.
Suspended Checks
A suspended check has failed in at least one account/region three times. Checks that are suspended are no longer scanned until a remediation action is taken.
Click View all under Suspended Checks to view an automatically filtered list of non-compliant checks with the suspended state. This list includes the check name, the number of findings, the severity, and the date/time of the last scan. You can click on the check's name to go to the check's details page, or View Impacted Accounts to view where the check has been suspended.
Next to each check, there is an ellipsis menu with remediation actions.
- Resume. If a check has been suspended, it means the check has failed multiple times and is no longer being scanned. Selecting Resume removes the suspended status, so that the check will resume scans.
- Rescan. Immediately run the check again.
- Edit check. Edit the check. For more information, see Edit a Compliance Check.
- Clone. Create a new check using the current one as a template.
- Delete. Delete the check.
- View check details page. Go to the check's details page for information including the check details, activity feed, findings, standards it is a part of, and projects and accounts where it is applied. For more information, see Viewing Compliance Checks.
Compliance Standards
A compliance standard groups together compliance checks. Compliance standards can align with established security guidelines, if desired. For example, you could have a NIST compliance standard containing compliance checks reviewing resources for alignment with NIST security guidelines.
Compliance standards are applied to cloud rules, which are applied to an OU or project. All resources within that OU or project are subject to the compliance checks included in the compliance standard.
You can create your own compliance standards to fit your specific needs. To add a compliance standard, click Create New. For more information, see Add a Compliance Standard.
We also provide easy-to-import, pre-made collections of compliance standards for many compliance frameworks. For more information, see Managed Resources & Compliance Jumpstarts.
A standard is considered non-compliant if any of the checks it contains is non-compliant, that is, has an active finding on one or more resources.
Compliance Standard Cards
Non-Compliant Standards
Click View all under Non-Compliant Standards to view an automatically filtered list of all compliance standards that contain non-compliant checks. This list includes the standard name, the number of active and suppressed findings, and the date/time of the last scan. You can click on the standard's name to go to its details page.
Next to each standard, there is an ellipsis menu with remediation actions.
- Rescan all checks. Immediately run all checks included in this standard.
- View standard details page. Go to the standard's details page for information including the standard details, activity feed, findings, included checks, and projects and accounts where it is applied. For more information, see Viewing Compliance Standards.
- View findings. Review specific compliance findings for the standard. For more information, see Viewing Compliance Standards.
- Edit standard. Edit the standard. For more information, see Edit a Compliance Standard.
- Delete standard. Delete the standard.
Compliance Findings
A compliance finding identifies a cloud resource that was found non-compliant with an assigned compliance check. A finding is in one of three states:
- Active Findings. Active findings have identified cloud resources that are non-compliant and have not had any action taken to bring them into compliance.
- Suppressed Findings. Suppressed findings are excluded from future scans. For example, you might suppress a finding for a public S3 bucket if it should be public because it contains data that is designed for public consumption.
- Archived Findings. Archived findings have been acknowledged and marked as remediated.
Compliance Findings Cards
Items with Active Findings
Click View OUs, View Projects, or View Accounts under Items with Active Findings to view a list of the selected type of resources that contain non-compliant checks. This list includes the resource name, the number of active and suppressed findings, and the date/time of the last scan. Click on the resource's name or Manage to go to the resource's details page.
Total Active Findings
Click View all under Total Active Findings to view all findings across all compliance checks. Use the Active, Archived, and Suppressed tabs at the top of the screen to view different categories of findings. This list includes the finding ID, severity, the associated compliance standard name, the associated compliance check name, the affected project name, the affected account name, the individual non-compliant resource, the region the resource is in, and the date/time of the finding.
To prevent duplicate findings in the list, active findings from the same check that was applied to more than one standard will be shown on one row with Multiple listed as the standard name. Click the triangle next to the finding ID to expand and collapse the hidden rows that contain more details.
When you hover over a finding, there is an ellipsis menu with actions.
- Cloud access. Select a cloud access role to use to access the cloud account where this finding occurred. For more information, see Logging in to a Cloud Provider Console with a Cloud Access Role.
- Archive. Move the finding to the Archive tab.
- Suppress. Excludes this finding for this resource from future scans, and moves the finding to the Suppressed tab. When you suppress a finding, you can include a reason for the suppression for your reference. You can also set a time window for the suppression. After the selected amount of time has passed, the finding is automatically moved back to active.
- Unsuppress. If a finding has been suppressed, this action moves it back to an active state.
- Show reason. If you included a suppression reason when you marked a finding as suppressed, you can view it by clicking this action.
- View metadata. View metadata for the finding. The metadata field accepts JSON to allow you to send additional data not captured by Kion. For example, you can include resolution information for the finding as a URL.
Findings By Severity
Click on the count of findings for any severity to view an automatically filtered list of active findings with the selected Severity. Use the Active, Archived, and Suppressed tabs at the top of the screen to view different categories of findings. This list includes the finding ID, severity, the associated compliance standard name, the associated compliance check name, the affected project name, the affected account name, the individual non-compliant resource, the region the resource is in, and the date/time of the finding.
To prevent duplicate findings in the list, active findings from the same check that was applied to more than one standard will be shown on one row with Multiple listed as the standard name. Click the triangle next to the finding ID to expand and collapse the hidden rows that contain more details.
When you hover over a finding, there is an ellipsis menu with actions.
- Cloud access. Select a cloud access role to use to access the cloud account where this finding occurred. For more information, see Logging in to a Cloud Provider Console with a Cloud Access Role.
- Archive. Move the finding to the Archive tab.
- Suppress. Excludes this finding for this resource from future scans, and moves the finding to the Suppressed tab. When you suppress a finding, you can include a reason for the suppression for your reference. You can also set a time window for the suppression. After the selected amount of time has passed, the finding is automatically moved back to active.
- Unsuppress. If a finding has been suppressed, this action moves it back to an active state.
- Show reason. If you included a suppression reason when you marked a finding as suppressed, you can view it by clicking this action.
- View metadata. View metadata for the finding. The metadata field accepts JSON to allow you to send additional data not captured by Kion. For example, you can include resolution information for the finding as a URL.
Compliance Trends
The compliance trends graph shows the total number of findings over time. This visualization can be filtered to show daily active findings or cumulative active findings and can display up to six months of data.

What Next?
To run a compliance scan on a resource:
- Create a compliance check that defines what you want to scan for. For more information, see Add a Compliance Check.
- Add that compliance check to a compliance standard. For more information, see Add a Compliance Standard.
- Create or edit a cloud rule to apply that standard to resources. For more information, see Add a Cloud Rule.