Add a Compliance Check
To add a new compliance check:
- In the left navigation menu, click Compliance > All Compliance Checks.
- Click Add New in the top right corner.
- Enter a Compliance Check Name to identify the compliance check throughout the application.
- Enter an optional Description. This will help users understand the purpose of the check should resources be found non-compliant. The Include a Link prompt explains how to format links in the description.
- Select the Check Severity from the dropdown menu. Checks can be marked as Critical, High, Medium, Low, or Informational. This will allow you to filter by severity on the compliance overview. It also contributes to the compliance score. Medium is selected by default. For more information, see Compliance Score.
- Select a Cloud Provider from the dropdown menu.
- In the Owners dropdown menus, select at least one user or group. This is not the same as the Owner permission role; to learn more about ownership of compliance checks, read Ownership of Objects.
- Leave the Enable auto-archive field checked if you wish to allow auto-archiving of findings. When auto-archive is turned on and a finding is remediated, it won't continue to show as an active finding, and will instead be archived automatically. Uncheck this field to turn off auto-archive. The use of auto-archive requires an additional API call if you select External for Compliance Check Type below.
- Select a Compliance Check Type from the dropdown menu. You can choose Cloud Custodian to use Kion's built-in compliance engine, Azure Policy Check to use your Azure policies to check for compliance (for more information, see Writing Azure Policies for Compliance), or External if you use a different compliance engine that you wish to connect. External checks are managed outside of Kion, so the following options will no longer display. The Tenable.sc Integration compliance check type is used by the Tenable.sc middleware which creates its own compliance checks automatically.
- Select a Compliance Check Policy from the dropdown menu. For Cloud Custodian, this will be YAML. For Azure policy checks, this will be JSON. If you don't see the type you want, make sure you selected the right cloud provider, as these are provider-specific.
- Input the code for your compliance check policy. This will set the criteria that must be met for an item to be non-compliant and display as a finding. To learn more about writing compliance check policies for Kion, see our Writing Cloud Custodian Compliance Policies and Writing Azure Policies for Compliance articles. We recommend one policy per compliance check as a best practice.
- When you're done adding code, click Validate Policy to ensure the policy code is valid. Valid code will result in a green checkmark and will display Policy has been successfully validated. Invalid code will display a red error message.
- Click View Supported Parameters to show parameters that will return items you may wish to include in your code, such as the Check ID, authorization token, or callback URL.
- Set the Compliance Check Frequency. This determines how often the system runs this compliance check. Enter a number in the first field and select Minutes, Hours, or Days from the dropdown menu. We recommend checking items that are unlikely to change often (such as password complexity violations) less frequently, for example 1 time per day. Critical checks that need to be fixed immediately (such as unauthorized security group configuration changes) should run more frequently, for example every 5 minutes.
- Leave the Apply to all regions field checked to apply the compliance check in all regions. Uncheck it and select the Regions from the dropdown menu if you do not wish to apply the check to all regions. Most items, such as checking for the presence of unauthorized EC2 instances and AWS Lambda functions, should look in all regions. For items that are global in scope, such as IAM policies, you should uncheck this field and select a single region, because running a global check in multiple regions returns results per region and produces duplicate findings. Kion attempts to filter compliance check scan regions based on their service, preventing scans in regions where that service does not exist, and performs validation to prevent duplicate findings where possible.
- Click Create Compliance Check.
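As an added illustration of the policy code entered in the steps above (this example is not taken from the Kion documentation), here is a single Cloud Custodian policy of the kind the Cloud Custodian check type accepts, written to flag AWS security groups that allow SSH ingress from any IPv4 address; the policy name and description are assumptions, and any resource matching the filters would appear as a finding.

```yaml
# Constructed example policy for a Cloud Custodian compliance check.
# One policy per compliance check, as the page recommends. The filters
# define the non-compliant condition: a matching security group becomes
# a finding. Security groups are regional, so leave "Apply to all regions"
# checked for this check.
policies:
  - name: sg-ssh-open-to-internet          # assumed name
    resource: aws.security-group
    description: >-
      Security group allows inbound SSH (TCP/22) from 0.0.0.0/0.
    filters:
      # Match any ingress rule covering TCP port 22 whose source CIDR
      # is the whole IPv4 address space.
      - type: ingress
        IpProtocol: tcp
        Ports: [22]
        Cidr:
          value: "0.0.0.0/0"
```

Select YAML as the Compliance Check Policy type and click Validate Policy before saving; a policy with an IPv6 counterpart would use the CidrV6 filter key with "::/0" in the same way.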
Compliance checks are applied to resources by compliance standards. For more information, see Add a Compliance Standard.