Cloud Asset Compliance Page
- Updated on 01 Mar 2022
- 12 Minutes to read
Use the Cloud Asset Compliance page to compare cloud configuration and asset data against industry benchmarks and frameworks.
The following compliance benchmarks are supported:
- CIS Amazon Web Services Foundations Benchmark v1.4
- CIS Amazon Web Services Foundations Benchmark v1.3
- CIS Amazon Web Services Foundations Benchmark v1.2
- CIS Microsoft Azure Foundations Benchmark v1.1
- CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0
- CIS Google Cloud Platform Foundations Benchmark v1.1
Cloud Asset Compliance calculations are done as part of your discovery cycle using the existing relevant adapter configuration.
The following adapters may need configuration of additional permissions or APIs:
- Amazon Web Services
- Google Cloud Platform
To open the Cloud Asset Compliance page, click the icon on the left navigation panel.
Viewing Benchmark Results
To view benchmark results, first select the relevant benchmark from the Compliance drop-down. The following versions are available; you can switch to a different version, as relevant, from Configure Benchmarks.
You can select between:
- CIS Amazon Web Services Foundations Benchmark v1.4
- CIS Amazon Web Services Foundations Benchmark v1.3
- CIS Amazon Web Services Foundations Benchmark v1.2
- CIS Microsoft Azure Foundations Benchmark v1.1
- CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0
- CIS Google Cloud Platform Foundations Benchmark v1.1
The total number of recommendation rules for the benchmark is displayed on the top left side of the table:
All benchmark rules are displayed for each account.
The following columns are displayed for each rule:
- Status - contains the following values:
  - Passed - The account passed this benchmark rule.
  - Excluded - The account has an exclusion rule.
  - Failed - The account failed this benchmark rule.
  - No Data - Unable to check the benchmark rule, usually due to lack of permissions. Error details are displayed in the Rule Details Drawer under the Error section.
- Section - The number of the rule in the benchmark
- Comments or Exclusions - If you exclude rules or make comments, an icon is displayed in this column. Mouse over the icon to see the details about the exclusion or comment.
- Rule - The name of the rule in the benchmark
- Category - The category of the rule in the benchmark.
- Account - The account for which this rule was checked.
- Results (Failed/Checked) - The number of checked entities for this rule and the number of entities that failed this rule.
- For example, in rule 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (part of the CIS AWS Foundations Benchmark v1.2), the AWS entity that is checked is Security Groups. If there are five Security Groups and two of them allow ingress from 0.0.0.0/0 to port 22, this column displays 2/5.
- Affected Devices/Users - The number of affected assets (Devices/Users) that are part of the failed entities that were checked in this rule.
- For example, in rule 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (part of the CIS AWS Foundations Benchmark v1.2), if the rule found that 2 Security Groups (AWS entities) failed, the affected assets show how many EC2 machines (Assets) are part of these failed security groups. This column therefore displays how many EC2 machines are part of security groups which allow ingress from 0.0.0.0/0 to port 22.
- Last Updated - The time which the rule results were last updated. Note that the benchmark and all its rules are checked as part of the Discovery Cycle only.
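As an added illustration of how the Results (Failed/Checked) and Affected Devices columns relate for rule 4.1, the example below evaluates constructed security groups and EC2 instances; this is example code, not the product's implementation, and the record layout (from/to/cidr, instance-to-group mapping) is a simplification rather than the AWS API's.

```python
from ipaddress import ip_network

# Constructed sample data, not a real account: security groups keyed by id,
# each with a list of ingress permissions (port range plus source CIDR).
SECURITY_GROUPS = {
    "sg-a": {"ingress": [{"from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
    "sg-b": {"ingress": [{"from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
    # A wide port range that happens to include 22 also fails the rule.
    "sg-c": {"ingress": [{"from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]},
    # Port 22 open only to a private range passes the rule.
    "sg-d": {"ingress": [{"from": 22, "to": 22, "cidr": "10.0.0.0/8"}]},
    "sg-e": {"ingress": []},
}
# Constructed EC2 instances (the Assets) and the groups attached to each.
INSTANCES = {
    "i-1": ["sg-a"],
    "i-2": ["sg-b"],
    "i-3": ["sg-c", "sg-d"],
    "i-4": ["sg-d"],
}


def allows_world_ingress(sg: dict, port: int = 22) -> bool:
    """True if any ingress permission admits the whole internet (a /0 CIDR)
    to the given port, i.e. the condition rule 4.1 checks for port 22."""
    for perm in sg["ingress"]:
        in_range = perm["from"] <= port <= perm["to"]
        if in_range and ip_network(perm["cidr"]).prefixlen == 0:
            return True
    return False


def evaluate_rule_4_1(groups: dict, instances: dict, port: int = 22) -> dict:
    """Return the rule status, the Failed/Checked counts and the affected
    devices: instances attached to at least one failed security group."""
    failed = {gid for gid, sg in groups.items() if allows_world_ingress(sg, port)}
    affected = sorted(iid for iid, sgs in instances.items() if failed.intersection(sgs))
    return {
        "status": "Failed" if failed else "Passed",
        "results": f"{len(failed)}/{len(groups)}",
        "failed_groups": sorted(failed),
        "affected_devices": affected,
    }


if __name__ == "__main__":
    print(evaluate_rule_4_1(SECURITY_GROUPS, INSTANCES))
```

With the constructed data the Results column reads 2/5 (sg-a and sg-c fail) and Affected Devices counts i-1 and i-3; the port parameter lets the same check serve the other open-port rules of the benchmark.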
Calculating a Different Benchmark Version
By default, a new system displays the most recent version of the benchmark. You can choose to work with a previous version.
If you are upgrading from a previous Axonius version, the older existing compliance version is displayed by default when you upgrade to a new Axonius system. You can choose to work with a newer compliance version. When you move versions, any comments or exclusions you may have configured are not moved to the new version.
To work with a different version:
- Select Actions.
- Select Configure Benchmark; the Configure Benchmark dialog opens.
- Choose the Benchmark version you want, for instance CIS AWS Foundations Benchmark v1.4. The system asks you to confirm your choice, as comments or exclusions that you have configured for a specific benchmark version are not moved between benchmark versions and are only saved under the benchmark version where they were created.
- Select Change Benchmark Version to implement your choice.
Rule Details Drawer
Click on a rule to open the Rule Details drawer which displays more detailed information.
The Rule Details drawer contains all the information in the table (described above) and, in addition, the following detailed information:
- Description - Detailed description of the rule, what it means, and why it matters.
- Remediation - Full remediation instructions, which are useful if this rule has failed the compliance check.
- Results (Relevant only for rules with Failed status) - Detailed results on the failed entities. For example, in rule 1.2 "Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (part of the CIS AWS Foundations Benchmark v1.2)" - the Results section will present the IAM Users which don't have MFA enabled.
- Exclusions and Comments - Exclusions and Comments that were added to this rule for the relevant accounts, and the capability to add, edit and delete Exclusions and Comments.
- Error (Relevant only for rules with NoData status) - Detailed error message for why the rule was not checked.
- CIS Controls - Matching CIS Controls for this benchmark rule.
Each of these detailed information sections can be expanded or collapsed.
Show Affected Assets
For certain failed rules the Show Affected Assets button is visible.
Clicking this button redirects you to the Devices/Users page, which presents all the assets affected by this rule.
For example, in rule 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (part of the CIS AWS Foundations Benchmark v1.2), if the rule found that 2 Security Groups (AWS entities) failed, clicking the Show Affected Devices button displays in the Devices page all the EC2 machines (Assets) that are part of security groups which allow ingress from 0.0.0.0/0 to port 22.
For the CIS Amazon Web Services Foundations Benchmark v1.4:
- The following rules (when failed) will contain Show Affected Users - 1.4, 1.5, 1.6, 1.7, 1.10, 1.12, 1.13, 1.14, 1.15
- The following rules (when failed) will contain Show Affected Devices - 2.1.3, 2.1.5, 2.3.1, 3.3, 3.6, 3.10, 3.11, 5.2, 5.3
For the CIS Amazon Web Services Foundations Benchmark v1.3:
- The following rules (when failed) will contain Show Affected Users - 1.4, 1.5, 1.6, 1.7, 1.10, 1.12, 1.13, 1.14, 1.15
- The following rules (when failed) will contain Show Affected Devices - 1.20, 3.3, 3.6, 3.11, 5.2, 5.3
For the CIS Amazon Web Services Foundations Benchmark v1.2:
- The following rules (when failed) will contain Show Affected Users - 1.1, 1.2, 1.3, 1.4, 1.12, 1.13, 1.14, 1.16, 1.22
Note: In order to show affected IAM Users, Fetch information about IAM Users needs to be enabled in the AWS Configuration in the Advanced Settings for the AWS adapter. See AWS Adapter Configuration for Cloud Asset Compliance.
- The following rules (when failed) will contain Show Affected Devices - 2.3, 2.6, 4.1, 4.2, 4.3
Note: In order to show affected S3 Buckets, Fetch information about S3 needs to be enabled in the AWS Configuration in the Advanced Settings for the AWS adapter. See AWS Adapter Configuration for Cloud Asset Compliance.
For the CIS Google Cloud Platform Foundations Benchmark v1.1:
- The following rules (when failed) will contain Show Affected Users - 1.1, 1.5, 1.6
- The following rules (when failed) will contain Show Affected Devices - 3.1, 3.6, 3.7, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.9, 5.1, 5.2, 6.1.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.6, 6.2.7, 6.3.1, 6.3.2, 6.4, 6.5, 6.6, 6.7
For the CIS Microsoft Azure Foundations Benchmark v1.1:
- The following rules (when failed) will contain Show Affected Users - 1.3
- The following rules (when failed) will contain Show Affected Devices - 6.1, 6.2
For the CIS Oracle Cloud Infrastructure Foundations Benchmark v1.0:
- The following rules (when failed) will contain Show Affected Users - 1.11, 1.13
- The following rules (when failed) will contain Show Affected Devices - 2.1, 2.2, 2.5
Noncompliant CIS AWS Foundations field
All affected assets (Devices/Users) will contain a new complex field.
The field name for assets affected by the CIS Amazon Web Services Foundations Benchmark is Noncompliant CIS AWS Foundations.
This field will contain all failed benchmark rules for the specified asset.
This field can also be queried in the Query Wizard.
Noncompliant CIS Google Cloud Platform Foundations field
All affected assets (Devices/Users) will contain a new complex field.
The field name for assets affected by the CIS Google Cloud Platform Foundations Benchmark is Noncompliant CIS Google Cloud Platform Foundations.
This field will contain all failed benchmark rules for the specified asset.
This field can also be queried in the Query Wizard.
Noncompliant CIS Azure Foundations field
All affected assets (Devices/Users) will contain a new complex field.
The field name for assets affected by the CIS Microsoft Azure Foundations Benchmark is Noncompliant CIS Azure Foundations.
This field will contain all failed benchmark rules for the specified asset.
This field can also be queried in the Query Wizard.
Noncompliant CIS Oracle Cloud Foundations field
All affected assets (Devices/Users) will contain a new complex field.
The field name for assets affected by the CIS Oracle Cloud Infrastructure Foundations Benchmark is Noncompliant CIS Oracle Cloud Foundations.
This field will contain all failed benchmark rules for the specified asset.
This field can also be queried in the Query Wizard.
Adding Comments and Excluding Rules
Use the Exclusions and Comments pane to add comments and exclude rules.
Excluding Rules
You can exclude rules from being included when cloud compliance runs. You can exclude a rule on a single account, or on all accounts. Excluded rules will not be calculated on the selected accounts as part of the benchmark score.
To exclude a rule:
- Click on the rule; the rule drawer opens.
- In the Exclusion and Comments pane, select Exclusion.
- Type a name or explanation for the exclusion.
- From the Select Account drop-down list choose the accounts you wish to exclude. Click All to exclude this rule from all accounts.
- Click Add; the rule is now added to the Exclusion and Comments list in this pane. The list shows you who last updated this exclusion and when.
- Editing an exclusion - Click the edit icon to edit an existing exclusion. Once you perform your required changes, click the save icon to save the changes.
- Deleting an exclusion - Click the Delete icon to delete an exclusion.
Adding Comments
Use the comments section in the drawer to add comments on benchmark results so anybody looking at the results will be able to understand the full context. You can add a comment to a single account or to all accounts.
To add a comment:
- Click on the rule; the rule drawer opens.
- In the Exclusion and Comments pane, select Comment.
- Type the comment.
- From the Select Account drop-down list choose the accounts you wish to add the comment to. Click All to add the comment to all accounts, making it a general comment for this rule. Comments are visible only for the relevant filtered accounts.
- Click Add; the comment is now added to the Exclusion and Comments list in this pane. The list shows you who last updated this comment and when.
- Editing a comment - Click the edit icon to edit an existing comment. Once you perform your required changes, click the save icon to save the changes.
- Deleting a comment - Click the delete icon to delete a comment.
CIS Benchmark Scoring
A benchmark score is displayed according to the results. The score can be for all connected cloud provider accounts, or for single/multiple accounts.
The CIS Benchmark score is calculated as the percentage of passed rules out of all checked rules. The score is calculated and aggregated on all accounts currently filtered. Other filters will not affect the CIS benchmark score.
The score component also has an option to exclude rules from the benchmark score. Click on the menu button on the top right of the score component.
You can select/unselect rules for the benchmark. These rules will not be shown in the table and will not be taken into account when calculating the benchmark score.
The color of the score is defined as follows:
- A score less than 50 - red
- A score greater than 50 and less than 70 - orange
- A score greater than 70 - green
- No score - 'Not Available' in grey
Mouse over the clock icon to see the time last updated. This is displayed when the fetching stage is complete and all data from all the rules is calculated. This score is displayed until the next fetch cycle and calculation are complete.
When adapters are not connected, or the first fetch or calculation are in progress, the Benchmark score is shown as ‘Not Available’ in grey.
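An added example (not the product's own code) of the score calculation described above, run over constructed table rows: per-account Excluded rows and rules unselected in the score menu drop out of the denominator as the page states; treating No Data rows as "not checked", and mapping a score of exactly 50 to orange and exactly 70 to green, are assumptions the page does not spell out.

```python
# Constructed benchmark results for a filtered set of accounts, one row per
# (account, rule) with the Status values the page defines. Sample data only.
ROWS = [
    {"account": "111111111111", "rule": "1.2", "status": "Passed"},
    {"account": "111111111111", "rule": "4.1", "status": "Failed"},
    {"account": "111111111111", "rule": "2.3", "status": "No Data"},
    {"account": "222222222222", "rule": "1.2", "status": "Failed"},
    {"account": "222222222222", "rule": "4.1", "status": "Excluded"},
    {"account": "222222222222", "rule": "2.3", "status": "Passed"},
]


def benchmark_score(rows, accounts=None, excluded_rules=()):
    """Percentage of passed rules out of all checked rules, aggregated over the
    accounts currently filtered (all accounts when `accounts` is None).
    Rows with status Excluded, rules unselected in the score menu
    (`excluded_rules`) and No Data rows (assumed not checked) are skipped.
    Returns None when nothing was checked, i.e. no score."""
    checked = passed = 0
    for row in rows:
        if accounts is not None and row["account"] not in accounts:
            continue
        if row["rule"] in excluded_rules or row["status"] in ("Excluded", "No Data"):
            continue
        checked += 1
        passed += row["status"] == "Passed"
    return None if checked == 0 else round(100 * passed / checked, 1)


def score_color(score):
    """Colour bands as the page lists them; the exact 50 and 70 boundaries
    are an assumption (50 -> orange, 70 -> green)."""
    if score is None:
        return "grey"  # shown as 'Not Available'
    if score < 50:
        return "red"
    if score < 70:
        return "orange"
    return "green"


if __name__ == "__main__":
    for label, kwargs in [("all accounts", {}), ("rule 4.1 unselected", {"excluded_rules": ("4.1",)})]:
        s = benchmark_score(ROWS, **kwargs)
        print(f"{label}: {s} ({score_color(s)})")
```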
Filtering
- You can filter on the values to be displayed in the table. All filters apply to the CSV when exporting or when sending compliance results by Email.
- The following filters are available:
  - Accounts - When you have multiple AWS, GCP, Azure or Oracle accounts, you can filter and select one or more accounts. All rules will be displayed for each of the selected accounts.
  - Rule - Display only certain rules.
  - Category - Display only certain categories.
  - Failed rules only - Display only rules which have Failed status.
Aggregated View
- You can view all results in an aggregated view by enabling the Aggregated View switch.
- When Aggregated View is enabled, results and affected assets are aggregated across all accounts currently filtered and displayed per rule.
- When Aggregated View is disabled, results and affected assets are shown per account, per rule.
Navigating between Table Result Pages
By default, 50 rules are displayed in each table page. You can change the number of rules per page and choose between 20, 50 or 100 by clicking the appropriate icon on the bottom left side of the table.
Moving between pages is done with the pagination bar on the bottom right side of the table.
Exporting Benchmark Results to CSV
You can export the benchmark results table data to a CSV file.
To export the results to a CSV file:
- In the Cloud Asset Compliance page, click Export CSV on the right side of the page, just above the table.
- The CSV file is automatically downloaded.
- Name format: axonius-data_< date >T< time >UTC.csv
- For example: axonius-data_2020-04-13T07-18-41UTC.csv
Enforce
The Enforce menu lets you take various actions on the benchmark results table data.
For more details on the various actions, see Cloud Asset Compliance - Enforcement Actions.
Axonius Security Policy Enforcement Center is required to enforce actions for cloud assets.