Compliance Quickstart Guide
To provide an advantage in the challenge of continuous compliance, Kion offers jumpstart compliance packages filled with customizable resources. Jumpstarts are meant to be tailored for your specific organizational needs. Every organization has a unique security posture and specific policy requirements, and our jumpstarts offer the perfect place to start when crafting your policies. Let’s talk about how to get started when implementing compliance standards.
We can get you started, but, in many cases, you will need other processes, procedures, or documentation in addition to the jumpstart resources to fully satisfy your control requirements. After getting your policies in place, be sure to review your control framework to ensure you have met every requirement.
To run compliance scans on Google Cloud projects, you must configure your service account to have the correct permissions. For more information, see Configuring Google Cloud for Compliance.
Choosing a Compliance Framework and Jumpstart
There are many common compliance frameworks, so it is important to pick one that best suits your unique organizational needs and requirements. Review the contents of the jumpstart controls and the associated assets (IAM policies, AWS CloudFormation templates, ARM templates, compliance checks, etc.) to ensure they meet all of your needs before implementation.
Control matrices for each jumpstart can be found in the Compliance Programs section. Within each jumpstart control matrix, the family, title, control number, description, and level of support for the control are broken down by resource. Using the control matrix, you can determine whether the control can be supported by Kion, by your cloud service provider, or through organizational processes.
Jumpstarts can contain resources that can alter your environments in ways that may affect your current operations. Do not deploy anything to production until you have reviewed and tested the resources and policies in non-production environments. For instance, the Kion NIST 800-53 jumpstart has incident response AWS CloudFormation and ARM templates that are meant to be used in the event of an information system incident. These templates completely lock down the accounts they are applied to, including connectivity to and from all running resources. For a list of all Kion jumpstarts, see Compliance Jumpstarts.
Setting Up Your Initial Compliance Scan
Your first compliance scan helps determine what you have to do to become compliant with your compliance framework of choice. After importing one of our compliance jumpstarts, select where and when you would like to run the scan, then create and assign a cloud rule to perform the scan on your resources.
Compliance in Kion is made up of three pieces: compliance standards, compliance checks, and compliance findings.
- Standards group together related checks to meet larger compliance goals, guidelines, or requirements.
- Checks contain definitions for compliance that findings are based on.
- Findings identify specific resources that are not compliant. Findings cannot exist without checks, because checks define what is and isn't compliant. A check asks whether a resource is compliant, and a finding is the answer to that question.
In addition to following the steps below, you may want to watch this video that quickly shows the process and an overview of what is included in one of our jumpstarts.
Importing the Jumpstart for Your Compliance Framework
- Navigate to Settings > System Settings > Application Settings > Kion Managed Resources.
- Select the framework you want to implement.
- Click Load Managed Resources.
Importing the resources typically takes 2-3 minutes. You will receive a notification when this is complete.
Configuring When and Where to Scan
- Navigate to Compliance > All Compliance Checks.
- In the search bar, enter the name of the compliance framework you are using.
- Select all of the checks related to the compliance framework.
- Click Bulk Actions > Edit Attributes.
- In the Frequency section, configure how often you would like to scan for the selected checks. Setting this to 1 day is a good starting point.
- If you are using AWS, in the AWS Regions section, select which regions the scans should be run in.
- Click Review Edits.
- Click Apply.
Creating and Assigning a Cloud Rule to Run the Scans
- Navigate to Cloud Management > Cloud Rules.
- Click Add New.
- Name the cloud rule [JUMPSTART] Read-Only (for example: NIST 800-53 Read-Only).
- In the Compliance Settings section, select the compliance standard(s) for your framework. Compliance standards group together related compliance checks. These compliance standards were imported from the Kion Managed Resources and have been pre-configured to contain the relevant checks for you.
- Click Create Cloud Rule.
- Navigate to a project or OU that contains accounts you wish to scan.
- Select Cloud Management > Cloud Rules.
- Click the ellipsis menu in the top right of the Cloud Rules panel, and select Add existing cloud rule.
- Select the rule you created above.
- Click Confirm selection.
Kion will begin scanning any resources that are attached to the project/OU. The same cloud rule can be applied to multiple projects and OUs. We recommend applying the cloud rule at the highest point in your hierarchy that makes sense and allowing inheritance to take care of most of the work. This makes management a little easier and more consistent. For more information, see Cloud Rule Inheritance and Exemption.
Reviewing Compliance Scan Findings
You can review findings for any of your compliance scans in the Compliance Overview or on the Compliance tab on individual projects or OUs.
After reviewing your findings, consider these next steps:
- Increase or decrease severity levels of the compliance checks for a compliance score that better fits your compliance goals and standards. Out of the box, all checks are provided at medium severity. For more information, see Compliance Score.
- Enable remediation actions on your compliance checks. We talk about this more in the next section of this article.
Configuring Automatic Remediation Actions
Kion can automatically remediate some of the findings discovered in your compliance scans using the assets included in the jumpstart’s cloud rule. Before making changes to remediation within your compliance check policies, ensure you have reviewed the jumpstart's assets and understand their impact.
We strongly recommend testing enforcement actions in non-production environments, and on clones of your cloud rules so that you can easily revert your changes.
After deploying a cloud rule with a remediation action, you can check to see if the remediation action is working by looking at your compliance findings. For example, if you deploy the NIST 800-53 cloud rule (which already has a remediation action configured) into an AWS account, AWS GuardDuty is enabled. As a result, you should no longer have compliance findings for the nist-800-53-account-with-guardduty-disabled check. (This is assuming GuardDuty was not previously enabled in the account.)
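As an added illustration (not Kion's code, and not how Kion implements scanning), the following Python sketch models the three pieces described earlier in this article, standards, checks and findings, and replays the GuardDuty verification described above: a check whose predicate fails on a resource yields a finding, and once the constructed remediation step enables GuardDuty the finding for nist-800-53-account-with-guardduty-disabled disappears on the next scan. The resource inventory, the second check and its name, the severity values, and the remediation function are all constructed assumptions for this example.

```python
"""Toy model of the standards / checks / findings relationship.

Added illustration, not Kion's code. The resource inventory, the second
check, and the remediation step are constructed for this example; the only
name taken from the page is nist-800-53-account-with-guardduty-disabled.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Resource = Dict[str, object]


@dataclass(frozen=True)
class Check:
    """A check defines what 'compliant' means for one kind of resource."""
    name: str
    resource_type: str
    is_compliant: Callable[[Resource], bool]
    severity: str = "medium"  # page: checks ship at medium severity by default


@dataclass(frozen=True)
class Standard:
    """A standard groups related checks toward a larger compliance goal."""
    name: str
    checks: List[Check]


@dataclass(frozen=True)
class Finding:
    """A finding names one resource that failed one check."""
    check: str
    resource_id: str
    severity: str


def scan(standard: Standard, inventory: List[Resource]) -> List[Finding]:
    """Evaluate every check in the standard against every matching resource.
    A finding is produced only when a check's predicate returns False, which
    is why findings cannot exist without checks."""
    findings: List[Finding] = []
    for check in standard.checks:
        for res in inventory:
            if res["type"] != check.resource_type:
                continue
            if not check.is_compliant(res):
                findings.append(Finding(check.name, str(res["id"]), check.severity))
    return findings


# Check name taken from the page; its predicate is an assumption.
GUARDDUTY_CHECK = Check(
    name="nist-800-53-account-with-guardduty-disabled",
    resource_type="aws_account",
    is_compliant=lambda acct: acct.get("guardduty_enabled") is True,
)
# Constructed second check with a deliberately raised severity.
BUCKET_PUBLIC_CHECK = Check(
    name="example-s3-bucket-public-access",
    resource_type="s3_bucket",
    is_compliant=lambda b: b.get("public_access_blocked") is True,
    severity="high",
)
NIST_STANDARD = Standard("NIST 800-53 (example subset)",
                         [GUARDDUTY_CHECK, BUCKET_PUBLIC_CHECK])

# Constructed inventory: two accounts and one bucket.
INVENTORY: List[Resource] = [
    {"type": "aws_account", "id": "111111111111", "guardduty_enabled": False},
    {"type": "aws_account", "id": "222222222222", "guardduty_enabled": True},
    {"type": "s3_bucket", "id": "example-logs", "public_access_blocked": False},
]


def remediate_guardduty(inventory: List[Resource]) -> List[Resource]:
    """Stand-in for the jumpstart's remediation action: enable GuardDuty in
    every scanned account. Returns a new inventory; the input is untouched."""
    return [dict(r, guardduty_enabled=True) if r["type"] == "aws_account" else dict(r)
            for r in inventory]


def findings_for(check_name: str, findings: List[Finding]) -> List[Finding]:
    """Filter findings down to one check, as you would when verifying a fix."""
    return [f for f in findings if f.check == check_name]


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity; raising a check's severity shifts this."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    before = scan(NIST_STANDARD, INVENTORY)
    print("before remediation:", [(f.check, f.resource_id) for f in before])
    after = scan(NIST_STANDARD, remediate_guardduty(INVENTORY))
    print("after remediation: ", [(f.check, f.resource_id) for f in after])
```

Running the script shows the GuardDuty finding for the first account before remediation and only the (constructed) bucket finding afterwards, which is the same before/after comparison of findings the paragraph above recommends for confirming a remediation action took effect.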
Many of the cloud rules in our jumpstarts already have remediation actions configured. You can configure your own remediation actions if there is something we have not covered for you. For more information about adding remediation actions to compliance check policies, see Compliance Policies.