Cloud Asset Compliance Page

The Cloud Asset Compliance page lets you compare cloud configuration and asset data against industry benchmarks and frameworks.
The following benchmarks are supported: the CIS Amazon Web Services Foundations Benchmark v1.2, the CIS Microsoft Azure Foundations Benchmark v1.1 and the CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0.

To open the Cloud Asset Compliance page, click the Cloud Asset Compliance icon on the left navigation panel.

Viewing Benchmark Results

To view benchmark results, first select the relevant benchmark from the Compliance drop-down.
You can select between the CIS Amazon Web Services Foundations Benchmark v1.2, the CIS Microsoft Azure Foundations Benchmark v1.1 and the CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0.

The total number of recommendation rules for the selected benchmark is displayed at the top left of the table.

All benchmark rules are displayed for each account.
For each rule, the table shows the following columns:

  • Status - one of three values:
    • Passed - The account passed this benchmark rule.
    • Failed - The account failed this benchmark rule.
    • NoData - The benchmark rule could not be checked, usually because the adapter lacks the required permissions. Error details are displayed in the Rule Details drawer under the Error section.
  • Section - The number of the rule in the benchmark.
  • Rule - The name of the rule in the benchmark.
  • Category - The category of the rule in the benchmark.
  • Account - The account for which this rule was checked.
  • Results (Failed/Checked) - The number of entities that failed this rule out of the number of entities checked for this rule.
    • For example, rule 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (part of the CIS AWS Foundations Benchmark v1.2) checks the AWS entity Security Groups. If there are five Security Groups and two of them allow ingress from 0.0.0.0/0 to port 22, this column displays 2/5.
  • Affected Devices/Users - The number of assets (Devices or Users) that belong to the entities that failed this rule.
    • For the same rule 4.1, if two Security Groups (AWS entities) failed, this column displays how many EC2 instances (assets) are members of those failed Security Groups, that is, how many EC2 instances are reachable on port 22 from 0.0.0.0/0 through a security group.
  • Last Updated - The time at which the rule results were last updated. Note that the benchmark and all its rules are checked only as part of the Discovery Cycle, so the results reflect the state at the last discovery, not the live configuration.

Rule Details Drawer

Clicking a rule opens the Rule Details drawer, which displays more detailed information.

The Rule Details drawer contains all the information shown in the table (described above) and, in addition, the following sections:

  • Description - Detailed description on the rule, what it means, and why it matters.
  • Remediation - Full remediation instructions, which is useful if this rule has failed the compliance check.
  • Results (Relevant only for rules with Failed status) - Detailed results on the failed entities. For example, in rule 1.2 "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (part of the CIS AWS Foundations Benchmark v1.2)" - the Results section will present the IAM Users which don't have MFA enabled.
  • Comments - Comments details that were added on this rule for the relevant accounts.
  • Error (Relevant only for rules with NoData status) - Detailed error message for why the rule was not checked.
  • CIS Controls - Matching CIS Controls for this benchmark rule.

Each of these sections can be expanded or collapsed.

Show Affected Assets

For certain failed rules the Show Affected Assets button is visible.
Clicking this button redirects you to the Devices or Users page, filtered to show all the assets affected by this rule.

For example, in rule 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (part of the CIS AWS Foundations Benchmark v1.2), if the rule found that two Security Groups (AWS entities) failed, clicking the Show Affected Devices button displays in the Devices page all the EC2 instances (assets) that are members of security groups which allow ingress from 0.0.0.0/0 to port 22.

  • For the CIS Amazon Web Services Foundations Benchmark v1.2:

    • The following rules (when failed) will contain Show Affected Users - 1.1, 1.2, 1.3, 1.4, 1.12, 1.13, 1.14, 1.16, 1.22
    NOTE

In order to show affected IAM Users, Fetch information about IAM Users must be enabled in the AWS Configuration under the Advanced Settings of the AWS adapter. See AWS Adapter Configuration for Cloud Asset Compliance.

    • The following rules (when failed) will contain Show Affected Devices - 2.3, 2.6, 4.1, 4.2, 4.3
    NOTE

In order to show affected S3 Buckets, Fetch information about S3 must be enabled in the AWS Configuration under the Advanced Settings of the AWS adapter. See AWS Adapter Configuration for Cloud Asset Compliance.

  • For the CIS Microsoft Azure Foundations Benchmark v1.1:

    • The following rules (when failed) will contain Show Affected Users - 1.3
    • The following rules (when failed) will contain Show Affected Devices - 6.1, 6.2

  • For the CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0:

    • The following rules (when failed) will contain Show Affected Users - 1.11, 1.13
    • The following rules (when failed) will contain Show Affected Devices - 2.1, 2.2, 2.5

Noncompliant CIS AWS Foundations field

Every affected asset (Device or User) gains a new complex field.

  • For assets affected by the CIS Amazon Web Services Foundations Benchmark, the field is named Noncompliant CIS AWS Foundations.
    This field contains all failed benchmark rules for the specified asset.

    This field can also be queried in the Query Wizard.

Noncompliant CIS Azure Foundations field

Every affected asset (Device or User) gains a new complex field.

  • For assets affected by the CIS Microsoft Azure Foundations Benchmark, the field is named Noncompliant CIS Azure Foundations.
    This field contains all failed benchmark rules for the specified asset.

    This field can also be queried in the Query Wizard.

Noncompliant CIS Oracle Cloud Foundations field

Every affected asset (Device or User) gains a new complex field.

  • For assets affected by the CIS Oracle Cloud Infrastructure Foundations Benchmark, the field is named Noncompliant CIS Oracle Cloud Foundations.
    This field contains all failed benchmark rules for the specified asset.

    This field can also be queried in the Query Wizard.

Managing Comments

The Comments section in the drawer lets you add comments on benchmark results, so that anybody reviewing the results has the full context (for example, an accepted risk or a compensating control that explains a Failed status).

  • Adding a comment - Fill in the comment text and select the account to which the comment applies. Select All to add the comment to all accounts, making it a general comment for this rule. Comments are visible only for the accounts currently selected in the Accounts filter.
  • Editing a comment - Click the edit icon next to an existing comment. Once you have made your changes, click the save icon to save them.
  • Deleting a comment - Click the delete icon next to the comment.

CIS Benchmark scoring

A benchmark score is displayed based on the results. The score can cover all connected cloud provider accounts, or a single account or a selection of accounts.

The CIS Benchmark score is calculated as the percentage of passed rules out of all checked rules. The score is calculated and aggregated on all accounts currently filtered. Other filters will not affect the CIS benchmark score.

The score component also lets you exclude rules from the benchmark score. Click the menu button at the top right of the score component.
You can select or unselect rules for the benchmark. Unselected rules are not shown in the table and are not taken into account when calculating the benchmark score.

Filtering

  • You can filter the values displayed in the table. All filters also apply to the CSV when exporting, and to the compliance results sent by Email.
  • The following filters are available:
    • Accounts - When you have multiple AWS, Azure or Oracle accounts, you can select one or more accounts. All rules are displayed for each of the selected accounts.
    • Rule - Display only certain rules.
    • Category - Display only certain categories.
    • Failed rules only - Display only rules with Failed status.

Aggregated View

  • You can view all results in an aggregated view by enabling the Aggregated View switch.
  • When Aggregated View is enabled, results and affected assets are aggregated across all accounts currently filtered and displayed once per rule.
  • When Aggregated View is disabled, results and affected assets are shown per account for each rule.
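The Results (Failed/Checked) and Affected Devices columns, the per-account versus Aggregated View presentation, and the benchmark score with rule exclusions can all be reproduced from raw account data. The following Python is an added illustration written for this page, not Axonius code: it models CIS AWS Foundations v1.2 rule 4.1 over constructed security groups and EC2 instances, computes Failed/Checked and the affected-instance set per account and aggregated across accounts, and computes the score as the page defines it. The port-range handling, the deduplication of an instance that belongs to several failed groups, and the treatment of NoData rows as unchecked are this example's assumptions, not documented product behaviour.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

ANYWHERE = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class SecurityGroup:
    sg_id: str
    account: str
    # Ingress rules as (source CIDR, from_port, to_port); None ports mean "all traffic".
    ingress: tuple[tuple[str, Optional[int], Optional[int]], ...]


@dataclass(frozen=True)
class Instance:
    instance_id: str
    account: str
    security_groups: tuple[str, ...]


def allows_ssh_from_anywhere(sg: SecurityGroup) -> bool:
    """Rule 4.1 check: an ingress rule sourced from 0.0.0.0/0 whose port range
    covers 22. An all-traffic rule (no ports) covers it as well; a rule such as
    1024-65535 from 0.0.0.0/0 does not. Assumed semantics, not the product's."""
    for cidr, lo, hi in sg.ingress:
        if ip_network(cidr) != ANYWHERE:
            continue
        if lo is None or hi is None or lo <= 22 <= hi:
            return True
    return False


def evaluate_rule_41(sgs, instances, account=None):
    """Return (failed, checked, affected_instance_ids) for one account, or across
    all given accounts when account is None (the table's Aggregated View)."""
    in_scope = [sg for sg in sgs if account is None or sg.account == account]
    failed_ids = {sg.sg_id for sg in in_scope if allows_ssh_from_anywhere(sg)}
    # An instance counts once as affected, however many failed groups it is in.
    affected = {
        inst.instance_id
        for inst in instances
        if (account is None or inst.account == account)
        and failed_ids.intersection(inst.security_groups)
    }
    return len(failed_ids), len(in_scope), affected


def benchmark_score(results, excluded=frozenset()):
    """Percentage of Passed results among checked results.
    results maps (section, account) -> "Passed" | "Failed" | "NoData".
    Assumptions: NoData rows were not checked and leave the denominator,
    excluded sections drop out entirely, and each account's row counts once."""
    counted = [
        status for (section, _acct), status in results.items()
        if section not in excluded and status != "NoData"
    ]
    if not counted:
        return 0.0
    return round(100.0 * counted.count("Passed") / len(counted), 1)


# Constructed sample data: two accounts, seven security groups, six instances.
SGS = (
    SecurityGroup("sg-1", "prod", (("0.0.0.0/0", 22, 22),)),          # fails
    SecurityGroup("sg-2", "prod", (("0.0.0.0/0", None, None),)),      # fails: all traffic
    SecurityGroup("sg-3", "prod", (("10.0.0.0/8", 22, 22),)),         # passes: internal source
    SecurityGroup("sg-4", "prod", (("0.0.0.0/0", 443, 443),)),        # passes: not port 22
    SecurityGroup("sg-5", "prod", (("0.0.0.0/0", 1024, 65535),)),     # passes: range misses 22
    SecurityGroup("sg-6", "dev", (("0.0.0.0/0", 20, 25),)),           # fails: range covers 22
    SecurityGroup("sg-7", "dev", (("192.168.0.0/16", None, None),)),  # passes
)
INSTANCES = (
    Instance("i-1", "prod", ("sg-1",)),
    Instance("i-2", "prod", ("sg-1", "sg-2")),
    Instance("i-3", "prod", ("sg-3",)),
    Instance("i-4", "prod", ("sg-2", "sg-4")),
    Instance("i-5", "dev", ("sg-6",)),
    Instance("i-6", "dev", ("sg-7",)),
)
# Constructed status rows for four sections across the two accounts.
RESULTS = {
    ("1.1", "prod"): "Passed", ("1.2", "prod"): "Failed",
    ("4.1", "prod"): "Failed", ("4.2", "prod"): "NoData",
    ("1.1", "dev"): "Passed", ("1.2", "dev"): "Passed",
    ("4.1", "dev"): "Failed", ("4.2", "dev"): "NoData",
}

if __name__ == "__main__":
    for acct in ("prod", "dev", None):
        failed, checked, affected = evaluate_rule_41(SGS, INSTANCES, acct)
        label = acct or "aggregated"
        print(f"4.1 {label}: Results {failed}/{checked}, Affected Devices {len(affected)}")
    print("score:", benchmark_score(RESULTS), "excluding 4.1:", benchmark_score(RESULTS, {"4.1"}))
```

For the prod account this yields Results 2/5 and three affected instances (i-2 is in both failed groups but counts once); the aggregated view yields 3/7 and four affected instances. The score over the constructed rows is 50.0 with the NoData rows left out, and rises to 75.0 once section 4.1 is excluded, which is the effect of the exclusion menu described above.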

Navigating between Table Result Pages

By default, 50 rules are displayed on each table page. You can change the number of rules per page to 20, 50 or 100 by clicking the appropriate icon at the bottom left of the table.

Moving between pages is done with the pagination bar at the bottom right of the table.

Exporting Benchmark Results to CSV

You can export the benchmark results table data to a CSV file.
To export the results to a CSV file:

  1. In the Cloud Asset Compliance page, click Export CSV on the right side of the page, just above the table.
  2. The CSV file is automatically downloaded.
    • Name format: axonius-data_< date >T< time >UTC.csv
    • For example: axonius-data_2020-04-13T07-18-41UTC.csv

Enforce

The Enforce menu lets you take various actions on the benchmark results table data.
For more details on the various actions, see Cloud Asset Compliance - Enforcement Actions.

NOTE

Axonius Security Policy Enforcement Center is required to enforce actions for cloud assets.
