Cloud Asset Compliance Page
  • 26 May 2022
  • 12 Minutes to read

Use the Cloud Asset Compliance page to compare cloud configuration and asset data against industry benchmarks and frameworks.
The following compliance benchmarks are supported:

  • CIS Amazon Web Services Foundations Benchmark v1.4
  • CIS Amazon Web Services Foundations Benchmark v1.3
  • CIS Amazon Web Services Foundations Benchmark v1.2
  • CIS Microsoft Azure Foundations Benchmark v1.1
  • CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0
  • CIS Google Cloud Platform Foundations Benchmark v1.1

Cloud Asset Compliance calculations are done as part of your discovery cycle using the existing relevant adapter configuration.
The following adapters may need configuration of additional permissions or APIs:

To open the Cloud Asset Compliance page, click the Cloud Asset Compliance icon on the left navigation panel.

Viewing Benchmark Results

To view benchmark results, first select the relevant benchmark from the Compliance dropdown. You can switch to a different version of a benchmark from Configure Benchmarks (see Calculating a Different Benchmark Version below).
You can select between:

  • CIS Amazon Web Services Foundations Benchmark v1.4
  • CIS Amazon Web Services Foundations Benchmark v1.3
  • CIS Amazon Web Services Foundations Benchmark v1.2
  • CIS Microsoft Azure Foundations Benchmark v1.1
  • CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0
  • CIS Google Cloud Platform Foundations Benchmark v1.1

The total number of recommendation rules for the benchmark is displayed on the top left side of the table.

All benchmark rules are displayed for each account.
The following columns are displayed for each rule:

  • Status - contains the following values:

    • Passed - The account passed this benchmark rule.

    • Excluded - The account has an exclusion rule for this benchmark rule.

    • Failed - The account failed this benchmark rule.

    • Error - The benchmark rule could not be checked, usually because of missing permissions. Error details are displayed in the Rule Details drawer under the Error section.

    • Not Available - The rule has not been calculated yet.

  • Section - The number of the rule in the benchmark.

  • Comments or Exclusions - If you exclude rules or make comments, an icon is displayed in this column. Mouse over the icon to see the details of the exclusion or comment.

  • Rule - The name of the rule in the benchmark.
  • Category - The category of the rule in the benchmark.
  • Account - The account for which this rule was checked.
  • Results (Failed/Checked) - The number of entities that failed this rule and the number of entities that were checked for it.
    • For example, rule 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (part of the CIS AWS Foundations Benchmark v1.2) checks AWS Security Groups. If there are five Security Groups and two of them allow ingress from 0.0.0.0/0 to port 22, this column displays 2/5.
  • Affected Devices/Users - The number of assets (Devices/Users) that belong to the entities that failed this rule.
    • For example, if rule 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (part of the CIS AWS Foundations Benchmark v1.2) found that 2 Security Groups (AWS entities) failed, this column shows how many EC2 machines (Assets) belong to those failed Security Groups, that is, how many EC2 machines are in security groups which allow ingress from 0.0.0.0/0 to port 22.
  • Last Updated - The time at which the rule results were last updated. The benchmark and all its rules are checked only as part of the Discovery Cycle.
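The Results (Failed/Checked) and Affected Devices columns above, worked through in code for rule 4.1. This is an added example, not Axonius code; the security groups, their ingress rules and the EC2 instances are constructed, and the field names (cidr, from_port, to_port) are assumptions.

```python
# Added example, not Axonius code: models how the Results (Failed/Checked) and
# Affected Devices columns are derived for CIS AWS Foundations v1.2 rule 4.1
# ("Ensure no security groups allow ingress from 0.0.0.0/0 to port 22").

# Constructed sample input: five security groups with their ingress rules
# (CIDR plus port range), and the EC2 instances attached to each group.
SECURITY_GROUPS = {
    "sg-a": [{"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}],
    "sg-b": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}],
    "sg-c": [{"cidr": "0.0.0.0/0", "from_port": 20, "to_port": 25}],
    "sg-d": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}],
    "sg-e": [],
}
EC2_INSTANCES = {
    "i-1": ["sg-a"],
    "i-2": ["sg-b"],
    "i-3": ["sg-b", "sg-c"],
    "i-4": ["sg-c"],
    "i-5": ["sg-d", "sg-e"],
}


def allows_ssh_from_anywhere(ingress_rules):
    """Rule 4.1 condition: an ingress rule from 0.0.0.0/0 whose port range covers 22.
    A range such as 20-25 or 0-65535 fails the rule just as an exact 22 does."""
    return any(
        rule["cidr"] == "0.0.0.0/0" and rule["from_port"] <= 22 <= rule["to_port"]
        for rule in ingress_rules
    )


def evaluate_rule_4_1(security_groups, instances):
    """Return the table values for one account: the checked entities are the
    security groups, the failed entities are those open to SSH from anywhere,
    and the affected devices are the instances attached to any failed group."""
    failed = {sg for sg, rules in security_groups.items() if allows_ssh_from_anywhere(rules)}
    affected = {inst for inst, sgs in instances.items() if failed.intersection(sgs)}
    return {
        "results": f"{len(failed)}/{len(security_groups)}",  # shown as Failed/Checked
        "failed_entities": sorted(failed),    # listed in the drawer's Results section
        "affected_devices": len(affected),    # Affected Devices column
        "affected_ids": sorted(affected),     # what Show Affected Devices opens
    }


if __name__ == "__main__":
    print(evaluate_rule_4_1(SECURITY_GROUPS, EC2_INSTANCES))
```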

Calculating a Different Benchmark Version

By default, a new system displays the most recent version of each benchmark. You can choose to work with a previous version.

Note:

If you are upgrading from a previous Axonius version, the older existing compliance version is displayed by default when you upgrade to a new Axonius system. You can choose to work with a newer compliance version. When you move versions, any comments or exclusions you may have configured are not moved to the new version.

To work with a different version:

  1. Select Actions.

  2. Select Configure Benchmark; the Configure Benchmark dialog opens.

  3. Choose the Benchmark version you want, for instance CIS AWS Foundations Benchmark v1.4. The system asks you to confirm your choice, because comments or exclusions configured for a specific benchmark version are not moved between benchmark versions and are saved only under the benchmark version where they were created.

  4. Select Change Benchmark Version to implement your choice.

Rule Details Drawer

Click a rule to open the Rule Details drawer, which displays more detailed information.

The Rule Details drawer contains all the information shown in the table (described above). In addition, it contains the following detailed information:

  • Description - Detailed description of the rule, what it means, and why it matters.
  • Remediation - Full remediation instructions, useful if this rule failed the compliance check.
  • Results (relevant only for rules with Failed status) - Detailed results on the failed entities. For example, for rule 1.2 "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password" (part of the CIS AWS Foundations Benchmark v1.2), the Results section presents the IAM Users which don't have MFA enabled.
  • Exclusions and Comments - Exclusions and Comments that were added to this rule for the relevant accounts, and the capability to add, edit and delete Exclusions and Comments.
  • Error (relevant only for rules with NoData status) - Detailed error message explaining why the rule was not checked.
  • CIS Controls - Matching CIS Controls for this benchmark rule.

Each of these sections can be expanded or collapsed.

Show Affected Assets

For certain failed rules, the Show Affected Assets button is visible.
Clicking this button redirects you to the Devices or Users page, which presents all the assets affected by this rule.

For example, for rule 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (part of the CIS AWS Foundations Benchmark v1.2), if the rule found that 2 Security Groups (AWS entities) failed, clicking the Show Affected Devices button displays in the Devices page all the EC2 machines (Assets) that are part of security groups which allow ingress from 0.0.0.0/0 to port 22.

  • For the CIS Amazon Web Services Foundations Benchmark v1.4:

    • The following rules (when failed) will contain Show Affected Users - 1.4, 1.5, 1.6, 1.7, 1.10, 1.12, 1.13, 1.14, 1.15
    • The following rules (when failed) will contain Show Affected Devices - 2.1.3, 2.1.5, 2.3.1, 3.3, 3.6, 3.10, 3.11, 5.2, 5.3

  • For the CIS Amazon Web Services Foundations Benchmark v1.3:

    • The following rules (when failed) will contain Show Affected Users - 1.4, 1.5, 1.6, 1.7, 1.10, 1.12, 1.13, 1.14, 1.15
    • The following rules (when failed) will contain Show Affected Devices - 1.20, 3.3, 3.6, 3.11, 5.2, 5.3

  • For the CIS Amazon Web Services Foundations Benchmark v1.2:

    • The following rules (when failed) will contain Show Affected Users - 1.1, 1.2, 1.3, 1.4, 1.12, 1.13, 1.14, 1.16, 1.22

    NOTE

    To show affected IAM Users, Fetch information about IAM Users must be enabled in the AWS Configuration in the Advanced Settings for the AWS adapter. See AWS Adapter Configuration for Cloud Asset Compliance.

    • The following rules (when failed) will contain Show Affected Devices - 2.3, 2.6, 4.1, 4.2, 4.3

    NOTE

    To show affected S3 Buckets, Fetch information about S3 must be enabled in the AWS Configuration in the Advanced Settings for the AWS adapter. See AWS Adapter Configuration for Cloud Asset Compliance.

  • For the CIS Google Cloud Platform Foundations Benchmark v1.1:

    • The following rules (when failed) will contain Show Affected Users - 1.1, 1.5, 1.6
    • The following rules (when failed) will contain Show Affected Devices - 3.1, 3.6, 3.7, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.9, 5.1, 5.2, 6.1.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.6, 6.2.7, 6.3.1, 6.3.2, 6.4, 6.5, 6.6, 6.7

  • For the CIS Microsoft Azure Foundations Benchmark v1.1:

    • The following rules (when failed) will contain Show Affected Users - 1.3
    • The following rules (when failed) will contain Show Affected Devices - 6.1, 6.2

  • For the CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0:

    • The following rules (when failed) will contain Show Affected Users - 1.11, 1.13
    • The following rules (when failed) will contain Show Affected Devices - 2.1, 2.2, 2.5

Noncompliant CIS AWS Foundations field

All affected assets (Devices/Users) contain a new complex field.

  • For assets affected by the CIS Amazon Web Services Foundations Benchmark, the field is named Noncompliant CIS AWS Foundations.
    This field contains all failed benchmark rules for the specified asset.

    This field can also be queried in the Query Wizard.

Noncompliant CIS Google Cloud Platform Foundations field

All affected assets (Devices/Users) contain a new complex field.

  • For assets affected by the CIS Google Cloud Platform Foundations Benchmark, the field is named Noncompliant CIS Google Cloud Platform Foundations.
    This field contains all failed benchmark rules for the specified asset.

    This field can also be queried in the Query Wizard.

Noncompliant CIS Azure Foundations field

All affected assets (Devices/Users) contain a new complex field.

  • For assets affected by the CIS Microsoft Azure Foundations Benchmark, the field is named Noncompliant CIS Azure Foundations.
    This field contains all failed benchmark rules for the specified asset.

    This field can also be queried in the Query Wizard.

Noncompliant CIS Oracle Cloud Foundations field

All affected assets (Devices/Users) contain a new complex field.

  • For assets affected by the CIS Oracle Cloud Infrastructure Foundations Benchmark, the field is named Noncompliant CIS Oracle Cloud Foundations.
    This field contains all failed benchmark rules for the specified asset.

    This field can also be queried in the Query Wizard.

Adding Comments and Excluding Rules

Use the Exclusions and Comments pane to add comments and exclude rules.

Excluding Rules

You can exclude rules from being included when cloud compliance runs. You can exclude a rule on a single account, or on all accounts. Excluded rules will not be calculated on the selected accounts as part of the benchmark score.
To exclude a rule:

  1. Click the rule. The rule drawer opens.

  2. In the Exclusion and Comments pane, select Exclusion.

  3. Specify a name or explanation for the exclusion.

  4. From the Select Account dropdown, select a specific account you want to exclude, or select All to exclude this rule from all accounts.

  5. Click Add. If prompted to confirm, click Yes. The exclusion is added to the Exclusion and Comments list in this section. Each row displays when it was last updated and by whom.

  • Editing an exclusion: Click the Edit icon to edit an existing exclusion. When done, click the Save icon to save the changes.
  • Deleting an exclusion: Click the Delete icon to delete an exclusion.

Adding Comments

Use the Comments section in the drawer to add comments on benchmark results so anybody looking at the results will be able to understand the full context. You can add a comment to a single account or to all accounts.

To add a comment:

  1. Click the rule. The rule pane opens.

  2. In the Exclusion and Comments section, select Comment.

  3. Enter a comment.

  4. From the Select Account dropdown, select the accounts you want to add the comment to. Select All to add the comment to all accounts, making it a general comment for this rule. Comments are visible only for the relevant filtered accounts.

  5. Click Add. The comment is added to the Exclusion and Comments list in this pane. The list shows who last updated this comment and when.

  • Editing a comment: Click the Edit icon to edit an existing comment. After making the required changes, click the Save icon to save the changes.
  • Deleting a comment: Click the Delete icon to delete a comment. If a Confirm prompt appears, click Yes.

CIS Benchmark Scoring

A benchmark score is displayed according to the results. The score can be for all connected cloud provider accounts, or for single/multiple accounts.


The CIS Benchmark score is calculated as the percentage of passed rules out of all checked rules. The score is calculated and aggregated on all accounts currently filtered. Other filters will not affect the CIS benchmark score.

The score component also has an option to exclude rules from the benchmark score. Click the menu button on the top right of the score component.
You can select or clear rules for the benchmark. Cleared rules are no longer shown in the table and are not taken into account when calculating the benchmark score.

The color of the score is defined as follows:

  • Score less than 50 - red
  • Score greater than 50 and less than 70 - orange
  • Score greater than 70 - green
  • No score - ‘Not Available’ in gray

Mouse over the clock icon to see when the score was last updated. The score is displayed once the fetching stage is complete and the data for all rules has been calculated, and it remains displayed until the next fetch cycle and calculation are complete.
When adapters are not connected, or the first fetch or calculation is in progress, the Benchmark score is shown as ‘Not Available’ in gray.
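The scoring rule and colour bands described above, as an added example rather than Axonius code. The per-account rule statuses are constructed; treating Error and Not Available rows as never checked, and placing exactly 50 and exactly 70 at the lower edge of the orange and green bands, are assumptions because the page does not state how those cases are handled.

```python
# Added example, not Axonius code: derives the CIS Benchmark score and its
# colour band from per-account rule statuses as shown in the compliance table.

# Constructed sample input: the status of each rule for two AWS accounts.
RULE_RESULTS = [
    {"rule": "1.1", "account": "acct-1", "status": "Passed"},
    {"rule": "1.2", "account": "acct-1", "status": "Failed"},
    {"rule": "2.1", "account": "acct-1", "status": "Passed"},
    {"rule": "3.1", "account": "acct-1", "status": "Passed"},
    {"rule": "4.1", "account": "acct-1", "status": "Error"},
    {"rule": "1.1", "account": "acct-2", "status": "Passed"},
    {"rule": "1.2", "account": "acct-2", "status": "Passed"},
    {"rule": "2.1", "account": "acct-2", "status": "Failed"},
    {"rule": "3.1", "account": "acct-2", "status": "Failed"},
    {"rule": "4.1", "account": "acct-2", "status": "Excluded"},
]


def benchmark_score(results, accounts=None, removed_rules=()):
    """Percentage of passed rules out of all checked rules, aggregated over the
    filtered accounts (None = all accounts). Rows with Excluded status and
    rules removed via the score component menu are not counted. Assumption:
    Error and Not Available rows were never checked, so they are skipped too.
    Returns None when nothing was checked (rendered as 'Not Available')."""
    checked = [
        r for r in results
        if (accounts is None or r["account"] in accounts)
        and r["rule"] not in removed_rules
        and r["status"] in ("Passed", "Failed")
    ]
    if not checked:
        return None
    passed = sum(1 for r in checked if r["status"] == "Passed")
    return 100.0 * passed / len(checked)


def score_color(score):
    """Colour bands from the page: below 50 red, between 50 and 70 orange,
    above 70 green, no score gray. Assumption: exactly 50 and exactly 70
    fall into the orange and green bands respectively."""
    if score is None:
        return "gray"
    if score < 50:
        return "red"
    if score < 70:
        return "orange"
    return "green"
```

Filtering to a single account changes the score the same way the Accounts filter does on the page, while other filters would leave benchmark_score untouched.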

Filtering

  • You can filter the values displayed in the table. All filters also apply to the CSV when exporting or when sending compliance results by Email.
  • The following filters are available:
    • Accounts - When you have multiple AWS, GCP, Azure or Oracle accounts, you can filter and select one or more accounts. All rules are displayed for each of the selected accounts.
    • Rule - Display only certain rules.
    • Category - Display only certain categories.
    • Status - Display rules by status: Excluded, Failed, Not Available or Passed.
    • Display by Date - Show the benchmark for a specific date.

Aggregated View

  • You can view all results in an aggregated view by enabling the Aggregated View switch.
  • When Aggregated View is enabled, results and affected assets are aggregated across all accounts currently filtered and displayed per rule.
  • When Aggregated View is disabled, results and affected assets are shown per account, per rule.

By default, 50 rules are displayed on each table page. You can change the number of rules per page to 20, 50 or 100 by clicking the appropriate icon on the bottom left side of the table.

Moving between pages is done with the pagination bar on the bottom right side of the table.

Exporting Benchmark Results to CSV

You can export the benchmark results table data to a CSV file.
To export the results to a CSV file:

  1. In the Cloud Asset Compliance page, click Export CSV on the right side of the page just above the table.
  2. The CSV file is automatically downloaded.
    • Name format: axonius-data_< date >T< time >UTC.csv
    • For example: axonius-data_2020-04-13T07-18-41UTC.csv

Enforce

The Enforce menu lets you take various actions on the benchmark results table data.
For more details on the various actions, see Cloud Asset Compliance - Enforcement Actions.

Note:

Axonius Security Policy Enforcement Center is required to enforce actions for cloud assets.


