Compliance is a primary focus of DivvyCloud, giving customers greater visibility into and understanding of their security and compliance issues across multiple cloud providers.
Compliance packs are collections of related insights focused on industry requirements and standards for all of your resources. Compliance packs may focus on security, costs, governance, or combinations of these across a variety of frameworks, e.g., HIPAA, PCI DSS, etc.
A complete list of DivvyCloud's prepackaged compliance packs follows:
- Center for Internet Security (CIS) - Amazon Web Services
- Center for Internet Security (CIS) - Microsoft Azure
- Center for Internet Security (CIS) - Google Cloud Platform
- FedRAMP CCM 3.0.1
- NIST Cyber Security Framework (CSF)
- CSA Cloud Controls Matrix (CCM)
- Center for Internet Security (CIS) - Kubernetes
In DivvyCloud, these compliance packs are shown on the Insights page:
DivvyCloud-Provided Compliance Packs as Seen on the Insights Page
Selecting Compliance on the main menu opens the Compliance Dashboard, giving you quick visibility into your compliance with different frameworks. This provides a straightforward, top-level view of each cloud account's failed checks against a particular compliance pack.
The Compliance Dashboard will open to display compliance results for the last framework viewed. To select a different framework, click Packs on the upper right of the page, then select Compliance Packs or Custom Packs and choose a pack from the appropriate drop-down list.
Your cloud accounts' compliance with the selected pack is displayed in card format, one card per cloud account:
Viewing a Cloud's Compliance Against HIPAA, GDPR, and a Custom Compliance Pack
You can use the search field, as well as badges, to tailor your view to specific risk profiles, environments, owners, and other factors. (Learn more about badges here.)
Using the Search Field and Badges to Tailor Your Compliance View
In the example below, the Compliance Dashboard displays the Center for Internet Security (CIS) Benchmark for AWS, and shows the user's two AWS clouds: Marketing, which failed 10 of the 31 checks; and Operations, which failed 11 of 31 checks.
Example Compliance Dashboard for CIS-AWS
From the Compliance Dashboard, you can now select individual clouds (in the example, the Marketing or Operations clouds) to see details of the specific failures, including:
- Insight - the name of the insight against which resources failed
- Bots - the number of bots taking action, or set to take action, on the specific insight
- Severity - the severity level of the insight
- Compliance Rule - the specific rule from the compliance regulation to which this insight relates
- Impacted Resources - the number of resources that fail to match this insight (compliance rule)
- Exemptions - the number of exemptions for this cloud account (see Exemptions)
Viewing Details of a Cloud's Specific Compliance Failures
Accessible by clicking on an account card in the Cloud Compliance view, the Pack Compliance page displays several pieces of information about the selected pack and cloud account: a compliance time-series graph, compliance for every pack rule, and a breakdown of noncompliance by resource type.
Sorting Your Compliance List
The insights in the above list can be sorted by column. Click on a column header to sort the list by values in that column. Click on the header again to toggle the sort between increasing and decreasing order.
Once you understand specific compliance failures, you can use bots to notify about or remediate the issue.
You can determine whether any existing bots match the failed insight. In the example below, two such bots exist. You can investigate these bots to see what specific actions they are taking as a result of the failed insight, and then modify your bot, or create a new one, accordingly.
Checking for Existing Bots to Address Compliance Failures
Modifying Existing Bots
You can also modify existing bots by clicking on the (non-zero) number in the 'Existing Bots' column. This takes you to the BotFactory where you can reconfigure your bot (from the Admin action hamburger).
You may wish to create a bot to notify about, or remediate, the failed insight. In the example below, clicking the icon next to a specific insight lets you create a bot directly from that insight. You can learn more here about creating bots in the BotFactory.
Creating a Bot Directly from a Failed Insight
In understanding your compliance report, you will
- Identify generally which insights/resources failed
- Further investigate your impacted resources
- Modify existing bots or create new bots to take action where insights have failed.
You can view details of impacted resources by clicking on the (non-zero) number in the 'Impacted Resources' column, then selecting either the number under the 'Resources' column or the "View Resources" tab on the slide-in dialog window. Either selection takes you to the Resources page. See also Resources.
Investigating Impacted Resources
You can select resources or Resource Groups to exclude from your report. While DivvyCloud still harvests for these resources or groups against the given insights, 'failures' found for excluded resources will not count against the compliance 'score'.
See also Exemptions in the Insights article.
Excluding Resource Groups From Insight Totals
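As an added illustration (not DivvyCloud's code or its actual scoring formula), the constructed Python model below ties the detail columns above to the exemption rule: an insight counts as a failed check only if it still has impacted resources after exempt resources are set aside. The rule ids, insight names and the subtraction-based exemption handling are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class InsightResult:
    # Mirrors the columns of the per-cloud compliance detail view.
    insight: str
    compliance_rule: str       # placeholder ids below, not real pack rules
    impacted_resources: int
    exempt_resources: int = 0  # assumed: per-resource exemption count

    def counted_failures(self) -> int:
        # Assumption: exempt resources are still harvested but are subtracted
        # from the failures that count against the compliance score.
        return max(self.impacted_resources - self.exempt_resources, 0)


def failed_checks(results: list[InsightResult]) -> int:
    """Checks (insights) in the pack that still have a counted failure."""
    return sum(1 for r in results if r.counted_failures() > 0)


def account_card(account: str, results: list[InsightResult], total_checks: int) -> dict:
    """Reproduce the dashboard card: 'failed N of M checks' plus a percentage."""
    failed = failed_checks(results)
    return {
        "account": account,
        "failed": failed,
        "total": total_checks,
        "score_pct": round(100 * (total_checks - failed) / total_checks, 1),
    }


# Constructed sample data for a 31-check pack; rule ids are placeholders.
PACK_CHECKS = 31
SAMPLE = {
    "Marketing": [
        InsightResult("Storage bucket publicly readable", "RULE-PLACEHOLDER-1", 3),
        InsightResult("Root MFA not enabled", "RULE-PLACEHOLDER-2", 1, exempt_resources=1),
        InsightResult("Security group open to the internet", "RULE-PLACEHOLDER-3", 4, exempt_resources=2),
    ],
    "Operations": [
        InsightResult("Storage bucket publicly readable", "RULE-PLACEHOLDER-1", 0),
        InsightResult("Root MFA not enabled", "RULE-PLACEHOLDER-2", 1),
    ],
}

if __name__ == "__main__":
    for name, rows in SAMPLE.items():
        print(account_card(name, rows, PACK_CHECKS))
```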
You can create a CSV download reporting the results for the compliance pack as shown below. Click on a compliance pack from the Compliance page. This will take you to the Insights main page, where you can then select the download arrow.
Downloading Insight Results From the Insights Page
The downloaded results appear in tabular form and include the number of impacted resources for each insight in the compliance pack, along with the corresponding compliance rules. This document reflects the same results you would see above.
Downloaded Insight Results