Compliance
Compliance (Security/Governance)
Provides resource change history and compliance status based on recorded data from the AWS Config service.
1. Overview
Provides a query service for changes to cloud resources and their compliance status.
Among the three CSPs, only AWS is supported; resource change history and compliance status are built from the data recorded by the AWS Config service.
Please refer to the links below for how to set up AWS Config recording and how to integrate it with CloudXper.
AWS Config Recording Settings: https://docs.aws.amazon.com/ko_kr/config/latest/developerguide/gs-console.html
How to link CloudXper Config: AWS Config Integration Guide
CloudXper collects Config record data from the customer account in the following steps.
1) Change events are received through EventBridge, which supports event linkage between AWS accounts.
2) The recorded data in the Delivery Channel (S3 bucket) of the customer cloud account is read through the S3 API, using the access the customer has authenticated and authorized (read access to the delivery bucket is sufficient for this step).
Customer accounts already registered in CXP have been granted inventory collection authority, so step 2) can be skipped for an existing account.
3) To forward events from the recorder to the CloudXper account through the EventBridge service, you only need to set up rules for two event types: snapshot delivery events and history delivery events.
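The three steps above, as an added example (not CloudXper's or AWS's own code): a Python script that creates the EventBridge rule in the customer account for exactly the snapshot and history delivery events, targets the collector account's event bus, and then shows which Config events that rule passes on and which S3 objects the collector would read next. The rule name, the bus and role ARNs, and the `detail` field names (taken from the AWS Config delivery notification format) are assumptions; a fake client stands in for the boto3 EventBridge client so the block runs offline.

```python
"""Added example (not CloudXper's own code): set up the EventBridge rule that
forwards AWS Config delivery events from a customer account to a collector
account, and show which Config events that rule actually passes on.

Assumptions (hypothetical, not from the page): rule/target names, the
collector bus ARN, the role ARN, and the 'detail' field names, which follow
the AWS Config delivery notification format (s3Bucket / s3ObjectKey).
"""
import json

# EventBridge detail types AWS Config emits for delivery-channel output.
SNAPSHOT_DELIVERY = "Config Configuration Snapshot Delivery Status"
HISTORY_DELIVERY = "Config Configuration History Delivery Status"


def forwarding_pattern() -> dict:
    """Event pattern for exactly the two delivery events the collector needs."""
    return {"source": ["aws.config"],
            "detail-type": [SNAPSHOT_DELIVERY, HISTORY_DELIVERY]}


def matches(pattern: dict, event: dict) -> bool:
    """Subset of EventBridge matching: every pattern field must appear in the
    event with one of the listed values (all fields used here are top-level)."""
    return all(event.get(field) in allowed for field, allowed in pattern.items())


def create_forwarding_rule(events, rule_name, target_bus_arn, role_arn):
    """Create the rule in the customer account and target the collector's bus.
    A cross-account event-bus target needs a RoleArn allowed to events:PutEvents
    on that bus, and the collector bus's resource policy must permit this
    account; without both, the API calls succeed but delivery fails silently.
    `events` is a boto3 EventBridge client or anything with the same methods."""
    events.put_rule(Name=rule_name, State="ENABLED",
                    Description="Forward AWS Config snapshot/history delivery events",
                    EventPattern=json.dumps(forwarding_pattern()))
    resp = events.put_targets(Rule=rule_name, Targets=[
        {"Id": "collector-bus", "Arn": target_bus_arn, "RoleArn": role_arn}])
    return resp["FailedEntryCount"] == 0


def objects_to_fetch(events_seen):
    """(bucket, key) pairs the collector must read with the S3 API, taken only
    from events the rule would forward. Detail field names are assumed."""
    pattern = forwarding_pattern()
    return [(e["detail"]["s3Bucket"], e["detail"]["s3ObjectKey"])
            for e in events_seen if matches(pattern, e)]


class FakeEventsClient:
    """In-memory stand-in for the boto3 client so the example runs offline."""
    def __init__(self):
        self.rules, self.targets = {}, {}

    def put_rule(self, **kw):
        self.rules[kw["Name"]] = kw
        return {"RuleArn": "arn:aws:events:ap-northeast-2:111111111111:rule/" + kw["Name"]}

    def put_targets(self, **kw):
        self.targets[kw["Rule"]] = kw["Targets"]
        return {"FailedEntryCount": 0, "FailedEntries": []}


# Constructed sample events (not real account data).
SAMPLE_EVENTS = [
    {"source": "aws.config", "detail-type": SNAPSHOT_DELIVERY,
     "detail": {"messageType": "ConfigurationSnapshotDeliveryCompleted",
                "s3Bucket": "config-bucket-111111111111",
                "s3ObjectKey": "AWSLogs/111111111111/Config/ap-northeast-2/2024/5/1/ConfigSnapshot/snap.json.gz"}},
    {"source": "aws.config", "detail-type": HISTORY_DELIVERY,
     "detail": {"messageType": "ConfigurationHistoryDeliveryCompleted",
                "s3Bucket": "config-bucket-111111111111",
                "s3ObjectKey": "AWSLogs/111111111111/Config/ap-northeast-2/2024/5/1/ConfigHistory/hist.json.gz"}},
    # Per-resource change events are NOT forwarded by this rule; the collector
    # sees such changes only when the 6-hourly history file lands in S3.
    {"source": "aws.config", "detail-type": "Config Configuration Item Change",
     "detail": {"messageType": "ConfigurationItemChangeNotification"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]

if __name__ == "__main__":
    client = FakeEventsClient()
    ok = create_forwarding_rule(client, "cloudxper-config-delivery",
                                "arn:aws:events:ap-northeast-2:222222222222:event-bus/default",
                                "arn:aws:iam::111111111111:role/cloudxper-eventbridge-forward")
    print("rule created:", ok)
    for bucket, key in objects_to_fetch(SAMPLE_EVENTS):
        print("fetch s3://%s/%s" % (bucket, key))
```

With a real boto3 EventBridge client in place of FakeEventsClient, put_targets can return success even when the collector bus's resource policy does not allow this account, so verify the link with a test event rather than trusting the return value.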
Only AWS services/resources are searchable at present; for Managed Inventory resources, the collection method and improvements to the search screen are under review.
Delivery events occur in AWS when a snapshot is delivered (on a 1, 3, 6, 12 or 24 hour cycle, or manually).
For history, the accumulated change history is delivered at 6-hour intervals, so the history shown may lag the actual change by up to 6 hours.
2. Dashboard
It consists of a dashboard showing the overall resource and compliance status and a screen showing the status by CSP.
Status by CSP is currently only available for AWS.
The dashboard is divided into three main areas.
1) Daily and monthly compliance status trends
2) Config recording settings for each account
3) Number of resources and non-compliant resources by resource type and rule, and the status of non-compliant resources
2.1 Compliance Status Trends
Shows daily and monthly compliance rate and resource count trends. Hovering over the graph displays the compliant / non-compliant / not-yet-evaluated rates.
You can filter trend results by resource type by clicking the settings button on the right.
2.2 Config Registration Status
It shows, per account, whether Config recording (Recorder) is enabled and whether periodic snapshots are delivered, along with the number of compliant items by rule/resource.
Normal Registration: Records changed resources and periodic snapshots of all resources, allowing you to view resource/compliance status.
Snapshot not set: Only changed resources are recorded, so resource/compliance status may be missing or inconsistent.
Unregistered: The Config record is not set up, so the resource/compliance status cannot be viewed.
2.3 Compliance Status
The Compliance Status by Resource Type / Rule widget is sorted by the number of non-compliant resources and shows the total count against the compliant count, together with the compliance rate.
Read the compliant count and the compliance rate together: evaluations are triggered by resource changes, resource creation, and periodic schedules, so resources not yet evaluated are counted as neither compliant nor non-compliant.
A low compliance rate may simply reflect a rule that applies to a narrow range of resource types.
In general, you either want to see which rules apply to a resource type and their compliance status, or conversely which resources a configured rule applies to and their compliance status.
Compliance status by resource type and compliance status by rule are therefore linked and searchable together.
When you select a resource type in the Compliance status by resource type widget (left), the Compliance status by rule widget (right) shows the rules applied to that resource type and their non-compliance status.
Conversely, when you select a rule in Compliance status by rule, the Compliance status by resource type widget shows the resource types the selected rule applies to and their non-compliance status.
The bottom widget lists the non-compliant resources matching the current selection.
3. Config Resource
Resources is a screen for viewing changes to the resources being recorded in Config.
The initial view lists resources that changed between the previous day and the time of the query.
Search conditions include Resource Type, Compliance Condition, and a Date of change range applied to each resource's most recent change.
You can search by resource ID or Name, and the Deleted Resources condition is also supported.
Because compliance or non-compliance is determined only when a rule is evaluated, resources with no applicable rule, or not yet evaluated, are counted as neither compliant nor non-compliant;
the total number of resources can therefore be greater than the sum of the two.
AWS Config records each resource's related resources (relationships) and its properties/values (configuration), with a property schema that differs by resource type.
Extended Search lets you search by that relationship information and by the configuration properties/values defined in the schema for each resource type.
If you know a resource ID, you can query its related resources, and you can search on properties such as configuration.instanceType.
The screen below is an example of an extended search: the results where the resource type is "AWS::EC2::SecurityGroup" and the value of the Production tag is PRD.
Lookup deleted resources: the condition selects whether deleted resources are included, or restricts the result to deleted resources only.
Date of change: select a start date and an end date to search by the most recent change date.
Extended Search, Relationship Search: retrieves the resources related to a specific resource ID (the ConfigurationItems.relationships recorded in AWS Config).
Extended Search, Property Search: searches for the existence (exist) or value (is / isnot) of a specific resource property (the ConfigurationItems.configuration recorded in AWS Config).
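The two Extended Search modes above, as an added example (not CloudXper's own implementation): a Python reimplementation over constructed ConfigurationItems, covering relationship search by resource ID and exist / is / isnot property search on dotted paths such as configuration.instanceType or tags.Production, including the page's security-group / Production = PRD query. The items are invented and follow the field names of the AWS Config ConfigurationItem schema; treating `isnot` as matching when the property is absent is an assumption.

```python
"""Added example (not CloudXper's own code): the Extended Search semantics
described above, implemented over constructed ConfigurationItems so the
behaviour can be checked offline. Relationship search follows `relationships`;
property search evaluates exist / is / isnot on a dotted path into the item
(e.g. configuration.instanceType, tags.Production). Item field names follow
the AWS Config ConfigurationItem schema; the items themselves are invented.
Assumption: `isnot` also matches when the property is absent."""

# Constructed sample ConfigurationItems (not real account data).
ITEMS = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0abc",
     "resourceName": "web-1", "tags": {"Production": "PRD"},
     "configuration": {"instanceType": "t3.micro",
                       "securityGroups": [{"groupId": "sg-0111"}]},
     "relationships": [{"resourceType": "AWS::EC2::SecurityGroup",
                        "resourceId": "sg-0111",
                        "name": "Is associated with SecurityGroup"}]},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0111",
     "resourceName": "web-sg", "tags": {"Production": "PRD"},
     "configuration": {"groupId": "sg-0111",
                       "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22}]},
     "relationships": [{"resourceType": "AWS::EC2::Instance",
                        "resourceId": "i-0abc",
                        "name": "Is associated with Instance"}]},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0222",
     "resourceName": "dev-sg", "tags": {"Production": "DEV"},
     "configuration": {"groupId": "sg-0222", "ipPermissions": []},
     "relationships": []},
]

_MISSING = object()  # sentinel distinguishing "absent" from a None/empty value


def get_path(item, path):
    """Resolve 'a.b.0.c' through nested dicts and lists; _MISSING if absent."""
    cur = item
    for seg in path.split("."):
        if isinstance(cur, dict) and seg in cur:
            cur = cur[seg]
        elif isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        else:
            return _MISSING
    return cur


def property_match(item, path, op, value=None):
    """Property search operators: exist, is, isnot (string comparison)."""
    found = get_path(item, path)
    if op == "exist":
        return found is not _MISSING
    if op == "is":
        return found is not _MISSING and str(found) == str(value)
    if op == "isnot":
        return found is _MISSING or str(found) != str(value)
    raise ValueError("unknown operator: " + op)


def search(items, resource_type=None, conditions=()):
    """Filter by resource type and any number of (path, op, value) conditions."""
    return [i for i in items
            if (resource_type is None or i["resourceType"] == resource_type)
            and all(property_match(i, *c) for c in conditions)]


def related(items, resource_id):
    """Relationship search: the resources referenced in a resource's
    `relationships` list (only those present in the recorded set)."""
    by_id = {i["resourceId"]: i for i in items}
    src = by_id.get(resource_id)
    if src is None:
        return []
    return [by_id[r["resourceId"]] for r in src["relationships"]
            if r["resourceId"] in by_id]


if __name__ == "__main__":
    # The page's example: security groups whose Production tag is PRD.
    for sg in search(ITEMS, "AWS::EC2::SecurityGroup",
                     [("tags.Production", "is", "PRD")]):
        print(sg["resourceId"], sg["resourceName"])
    # Security groups whose first rule opens port 22, and the instances using them.
    for sg in search(ITEMS, "AWS::EC2::SecurityGroup",
                     [("configuration.ipPermissions.0.fromPort", "is", 22)]):
        print(sg["resourceId"], "->",
              [r["resourceId"] for r in related(ITEMS, sg["resourceId"])])
```

Paths index list elements by position, so a condition on configuration.ipPermissions.0.fromPort only inspects the first rule of each group; a complete port audit would iterate over every element, which is why relationship search from a resource ID is the more reliable way to pivot from a finding to the affected instances.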
Excluded from rule: shows only resources that have been excluded from rule statistics (see 3.1).
Note that CloudXper retains resource change history for one year from collection registration; the collection period starts at the time of account registration.
Separately, if you tell us the starting point from which you need history management, we can collect from there as long as a Config change record exists in your customer account.
Click on a resource in the list to view its configuration and compliance details.
3.1 Handling exceptions to regulations
AWS Config can only narrow the scope of a rule (by resource type, or by tag); it cannot exclude individual resources from evaluation.
If you want to exclude a specific resource from the non-compliance statistics of the compliance status, you can exclude it from the resource list screen as shown below. The exclusion affects only CloudXper's statistics; AWS Config itself continues to evaluate and report the resource.
When you select one or more resources to handle as exceptions, the more button on the right becomes active.
Click the more button and choose the exclude or include menu.
Excluded resources are listed, and the user action is recorded in the Audit Log as shown in the screen below.
Hovering over or clicking a User Action shows who set it and when.
3.2 Resource Details
The DETAILS tab shows the current details of the selected resource: basic information by type, tag information, and compliance information at the bottom, similar to the details screen of the AWS Config console.
3.3 Config Json
The CONFIG JSON tab displays, in an easy-to-read tree format, the original JSON recorded in the S3 bucket that serves as the Delivery Channel of the AWS Config service.
3.4 Timeline
The TIMELINE tab lists events for the selected resource, such as configuration changes and rule evaluations, in reverse chronological order starting with the most recent.
You can filter by Event Type (configuration change, rule evaluation, etc.) or by period.
When you enter an event period, the change dates are shown on the calendar and in a carousel at the bottom, so you can quickly see when changes occurred and narrow the search by condition.
Select an event to view its details.
Configuration change events show the changed settings or relationships compared before and after the change.
Click the FULL SCREEN button to the right of the event name to view the changed parts of the entire content (the pop-up window can be dragged). Compliance events show the result of evaluation against the rules that applied.
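The before/after comparison a configuration change event shows, as an added example (not CloudXper's own code): two constructed ConfigurationItems of one security group are flattened into dotted paths and diffed over the configuration and relationships sections, and a small security check of this example's own (not a page feature) flags ingress that became world-open in the change. AWS Config ships a comparable diff as `configurationItemDiff` in its change notifications; this block recomputes one from two recorded items.

```python
"""Added example (not CloudXper's own code): recompute the before/after
difference the Timeline tab shows for a configuration change event, over two
constructed ConfigurationItems of one security group. The world-open ingress
check is an addition of this example, not something the page describes."""

# Constructed before/after items for one security group (not real data).
BEFORE = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0111",
    "configuration": {"groupId": "sg-0111", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]},
    "relationships": [{"resourceType": "AWS::EC2::Instance", "resourceId": "i-0abc"}],
}
AFTER = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0111",
    "configuration": {"groupId": "sg-0111", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "0.0.0.0/0"}]}]},
    "relationships": [{"resourceType": "AWS::EC2::Instance", "resourceId": "i-0abc"},
                      {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0def"}],
}


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {dotted.path: leaf}; list elements are
    addressed by index, so a removed middle element shows up as shifted values."""
    if isinstance(obj, dict):
        out = {}
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
        return out
    if isinstance(obj, list):
        out = {}
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
        return out
    return {prefix.rstrip("."): obj}


def diff_items(before, after, sections=("configuration", "relationships")):
    """Compare the sections the Timeline tab shows (settings and relationships).
    Returns added/removed as {path: value} and changed as {path: (old, new)}."""
    old = {k: v for s in sections for k, v in flatten(before.get(s), s + ".").items()}
    new = {k: v for s in sections for k, v in flatten(after.get(s), s + ".").items()}
    return {
        "added": {p: new[p] for p in new.keys() - old.keys()},
        "removed": {p: old[p] for p in old.keys() - new.keys()},
        "changed": {p: (old[p], new[p]) for p in old.keys() & new.keys()
                    if old[p] != new[p]},
    }


WORLD = {"0.0.0.0/0", "::/0"}


def newly_world_open(diff):
    """Paths where a CIDR became world-open in this change (added or rewritten)."""
    hits = [p for p, v in diff["added"].items()
            if p.endswith((".cidrIp", ".cidrIpv6")) and v in WORLD]
    hits += [p for p, (_, v) in diff["changed"].items()
             if p.endswith((".cidrIp", ".cidrIpv6")) and v in WORLD]
    return sorted(hits)


if __name__ == "__main__":
    d = diff_items(BEFORE, AFTER)
    for kind in ("added", "removed", "changed"):
        for path, value in sorted(d[kind].items()):
            print(f"{kind:8} {path} = {value}")
    print("world-open:", newly_world_open(d))
```

Diffing the reverse direction (AFTER to BEFORE) reports the same CIDR under removed, so the check only fires when exposure increases, which is the event worth alerting on in a timeline.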
4. Config Rules
The list of configured rules is displayed with, for each rule, the number of non-compliant resources and the number of resources the rule applies to.
You can filter by Compliance Condition and search by rule ID and name.
4.1 Rule Detail
The DETAIL tab of the rule details page shows basic information such as the range of resource types the rule applies to, and its parameter settings.
4.2 Rule Application Resources
The RESOURCES tab lists the resources to which the rule applies.
Resource ID, resource type, resource status and compliance are displayed.
You can filter the resources by selecting Compliant / Non-Compliant under the compliance condition.
Resource Status Classification Table

| Status | Meaning |
|---|---|
| OK | Existing resource changed (configuration updated) |
| ResourceDiscovered | Newly discovered (created) resource |
| ResourceNotRecorded | Newly discovered resource whose type is not being recorded by the recorder |
| ResourceDeleted | Resource deleted |
| ResourceDeletedNotRecorded | Deleted resource whose type was not being recorded |