Compliance Quickstart Guide
To provide an advantage in the challenge of continuous compliance, Kion offers jumpstart compliance packages filled with customizable resources. Jumpstarts are meant to be tailored for your specific organizational needs. Every organization has a unique security posture and specific policy requirements, and our jumpstarts offer the perfect place to start when crafting your policies.
We can get you started, but, in many cases, you will need other processes, procedures, or documentation in addition to the jumpstart resources to fully satisfy your control requirements. After getting your policies in place, be sure to review your control framework to ensure you have met every requirement.
To run compliance scans on Google Cloud projects, you must configure your service account to have the correct permissions. For more information, see Configuring Google Cloud for Compliance.
Choosing a Compliance Framework and Jumpstart
There are many common compliance frameworks, so it is important to follow one that best suits your unique organizational needs and requirements. Review the contents of the jumpstart controls and the associated assets (IAM policies, AWS CloudFormation templates, ARM templates, compliance checks, etc.) to ensure they meet all of your needs before implementation.
Control matrices for each jumpstart can be found in the Compliance Programs section or in-app under Compliance > Compliance Programs. Within each control matrix, the family, title, control number, description, and level of support for the control are broken down by resource. Using the control matrix, you can determine whether the control can be supported by Kion, by your cloud service provider, or through organizational processes.
Jumpstarts can contain resources that can alter your environments in ways that may affect your current operations. Do not deploy anything to production until you have reviewed and tested the resources and policies in non-production environments. For instance, the Kion NIST 800-53 jumpstart has incident response AWS CloudFormation and ARM templates that are meant to be used in the event of an information system incident. These templates completely lock down the accounts they are applied to, including connectivity to and from all running resources. For a list of all Kion jumpstarts, see Compliance Jumpstarts.
Setting Up Your Initial Compliance Scan
Your first compliance scan helps determine what you have to do to become compliant with your compliance framework of choice. After importing one of our compliance jumpstarts, select where and when you would like to run the scan, then create and assign a cloud rule to perform the scan on your resources.
Compliance in Kion is made up of three pieces: compliance standards, compliance checks, and compliance findings.
- Standards group together related checks to meet larger compliance goals, guidelines, or requirements.
- Checks contain definitions for compliance that findings are based on.
- Findings identify specific resources that are not compliant. Findings cannot exist without checks, because checks define what is and isn't compliant. A check questions if a resource is compliant, and a finding is the answer to that question.
In addition to following the steps below, you may want to watch this video that quickly shows the process and an overview of what is included in one of our jumpstarts.
Importing the Jumpstart for Your Compliance Framework
Configuring When and Where to Scan
Creating and Assigning a Cloud Rule to Run the Scans
Reviewing Compliance Scan Findings
You can review findings for any of your compliance scans in the Compliance Overview or on the Compliance tab on individual projects or OUs.
After reviewing your findings, consider these next steps:
- Increase or decrease severity levels of the compliance checks for a compliance score that better fits your compliance goals and standards. Out of the box, all checks are provided at medium severity. For more information, see Compliance Score.
- Enable remediation actions on your compliance checks. We talk about this more in the next section of this article.
- Further customize the resources. All compliance standards and checks included in our jumpstarts can be cloned and edited to further suit your specific needs. For more information, see Managing Compliance Standards or Managing Compliance Checks.
Configuring Automatic Remediation Actions
Kion can automatically remediate some of the findings discovered in your compliance scans using the assets included in the jumpstart’s cloud rule. Before making changes to remediation within your compliance check policies, ensure you have reviewed the jumpstart's assets and understand their impact.
We strongly recommend testing enforcement actions on clones of your cloud rules, so that you can easily revert your changes, and doing that testing in non-production environments.
After deploying a cloud rule with a remediation action, you can verify that the remediation action worked by looking at your compliance findings. For example, if you deploy the NIST 800-53 cloud rule (which already has a remediation action configured) into an AWS account, AWS GuardDuty is enabled. As a result, you should no longer have compliance findings for the nist-800-53-account-with-guardduty-disabled check. (This assumes GuardDuty was not previously enabled in the account.)
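The relationship between standards, checks and findings described above, and the "finding disappears after remediation" verification step, as an added example. This is not Kion's own check or remediation code: the account inventory is constructed inline (a live check would read GuardDuty detector status via the ListDetectors/GetDetector APIs), and the check, resource and detector names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Check:
    name: str
    severity: str                      # jumpstart checks ship at "medium"
    is_compliant: Callable[[dict], bool]

@dataclass
class Finding:                         # one finding = one non-compliant resource for one check
    check: str
    resource: str
    severity: str

@dataclass
class Standard:                        # groups related checks toward a larger goal
    name: str
    checks: List[Check]

def guardduty_enabled(account: dict) -> bool:
    # Compliant when at least one GuardDuty detector in the account is ENABLED.
    return any(d["status"] == "ENABLED" for d in account.get("guardduty_detectors", []))

GUARDDUTY_CHECK = Check("nist-800-53-account-with-guardduty-disabled", "medium", guardduty_enabled)
NIST_STANDARD = Standard("NIST 800-53 (hypothetical subset)", [GUARDDUTY_CHECK])

def run_scan(standard: Standard, resources: Dict[str, dict]) -> List[Finding]:
    """Evaluate every check in the standard against every resource; emit findings for failures."""
    return [Finding(c.name, rid, c.severity)
            for c in standard.checks
            for rid, res in resources.items()
            if not c.is_compliant(res)]

def remediate_enable_guardduty(account: dict) -> dict:
    """Stand-in for the cloud rule's remediation action: enable GuardDuty if it is off."""
    if not guardduty_enabled(account):
        account.setdefault("guardduty_detectors", []).append(
            {"id": "placeholder-detector-id", "status": "ENABLED"})
    return account

# Constructed sample inventory: two accounts, one with GuardDuty already on, one without.
ACCOUNTS = {
    "111111111111": {"guardduty_detectors": [{"id": "placeholder-det-1", "status": "ENABLED"}]},
    "222222222222": {"guardduty_detectors": []},
}

def findings_before_and_after() -> tuple:
    before = run_scan(NIST_STANDARD, ACCOUNTS)
    for acct in ACCOUNTS.values():
        remediate_enable_guardduty(acct)
    after = run_scan(NIST_STANDARD, ACCOUNTS)
    return before, after
```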
Many of the cloud rules in our jumpstarts already have remediation actions configured. You can configure your own remediation actions if there is something we have not covered for you. For more information about adding remediation actions to compliance check policies, see Compliance Policies.