Add a Compliance Check

A compliance check analyzes cloud resources and raises a finding for any resource whose configuration matches an undesirable state.

You can create a new check using an existing one as a template by cloning a check. To clone a check, navigate to All Compliance Checks, click the ellipsis menu next to the check you want to clone, and select Clone.

To add a new compliance check:

  1. Navigate to Compliance > All Compliance Checks.
  2. Click Add New.
  3. Enter a name for the compliance check.
  4. (Optional) Enter a Description. We suggest including information about the purpose of the check.
  5. Select the Check Severity. Checks can be marked as Critical, High, Medium, Low, or Informational. Check severity can be used to filter compliance findings and is used to calculate your compliance score. For more information, see Compliance Score.
  6. Select a Cloud Provider. This check can be applied to resources from the selected cloud provider.
  7. Select at least one user or user group as the owner.
  8. Select whether you want findings to be auto-archived after remediation action is taken.
  9. Select a Compliance Check Type from the dropdown menu.
    • Cloud Custodian. Kion includes the open-source Cloud Custodian rules engine, which allows you to easily write and run YAML policies against your cloud resources.
    • Azure Policy Check. You can add Azure policy definitions to Kion to check for compliance in your Azure resources.
    • External. Kion also supports ingesting data from external tools. Compliance checks serve as metadata for those external checks as well.
  10. Enter or select a policy. For information about writing policies, see Writing Cloud Custodian Compliance Policies and Using Azure Policies to Monitor Compliance. We recommend one policy per compliance check.
  11. Click Validate Policy to ensure the policy code is valid.
  12. Set the Compliance Check Frequency. This will determine how often the system runs this compliance check.
    We recommend selecting a frequency that reflects the severity of the check. For example, critical checks that would require immediate action, such as unauthorized security group configuration changes, should be run frequently (every 5 minutes).
  13. (AWS only) Select whether you want to apply the compliance check in all regions or a specific region.
    • Most checks, such as checking for the presence of unauthorized EC2 instances and AWS Lambda functions, should look in all regions.
    • Checks that are global in scope, such as IAM policies, should look in a specific region. IAM is not a regional service, so running a global check in multiple regions returns the same results once per region, producing duplicate findings.
  14. Click Create Compliance Check.
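The following Cloud Custodian YAML is an added example and is not from the Kion documentation or a policy shipped with Kion. The first policy is the kind of regional security-group check mentioned in step 12 (run in all regions); the second is a global IAM check of the kind mentioned in step 13 (run in a single region). Each YAML document would be pasted into its own compliance check, in line with the one-policy-per-check recommendation. The policy names, the port and CIDR values, and the IAM credential-report keys used are illustrative assumptions.

```yaml
# Added example, not Kion's own documentation or policy code.
# Two Cloud Custodian policies as separate YAML documents; in Kion each
# goes into its own compliance check. Names and values are assumptions.

# Check 1: regional resource, apply in all regions (step 13, first bullet).
# Raises a finding for any security group that allows inbound SSH (tcp/22)
# from anywhere on the internet.
policies:
  - name: sg-ssh-open-to-world
    resource: aws.security-group
    description: Security group allows inbound TCP/22 from 0.0.0.0/0
    filters:
      - type: ingress
        IpProtocol: tcp
        Ports: [22]
        Cidr:
          value: "0.0.0.0/0"
---
# Check 2: global resource, apply in one region only (step 13, second bullet).
# IAM is not regional, so running this in every region would repeat each
# finding per region. Raises a finding for IAM users who can log in to the
# console with a password but have no MFA device enabled.
policies:
  - name: iam-user-console-no-mfa
    resource: aws.iam-user
    description: IAM user has a console password but MFA is not active
    filters:
      - type: credential
        key: password_enabled
        value: true
      - type: credential
        key: mfa_active
        value: false
```

Kion's Validate Policy button (step 11) checks that the policy is well-formed before it is saved; the same check can be run locally on each document saved to its own file with `custodian validate <file>.yml`, which validates the schema without touching any cloud account. Given the severity guidance in step 12, the security-group check is the one that would be scheduled at the short end of the frequency range, since an open port is exploitable as soon as it appears; the IAM check changes far less often and can run less frequently.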

What Next?

Compliance checks are applied to resources by compliance standards.