Compliance and Governance


    The Dome9 Compliance Engine tests your cloud environments for compliance against industry standards and best practices, or against your organization's own security policies, using policies and rules that you define or policies developed by Dome9 that are available out-of-the-box. Dome9 provides a comprehensive set of policies covering many of the common cloud security standards, such as PCI-DSS and HIPAA, which you can run immediately on your cloud accounts. In addition, you can build and test new rules and policies, or modify existing rules, using an intuitive graphical rule builder, to tailor policies to your organization's specific needs and compliance goals.

    The Compliance Engine works with all cloud providers, and can check compliance for an organization with a multi-cloud presence.

    You can also use the Compliance Engine to test your cloud accounts continuously, and receive notifications when issues are detected.

    You can see detailed results of tests, or view summary reports.

    The Compliance Engine accesses your cloud accounts directly, using cloud provider APIs and the Dome9 policies you set up on these accounts (see Onboard an AWS Account) to assess compliance. It works on all cloud providers, and you can test compliance even when your cloud presence is distributed over multiple cloud providers.


    Compliance & Governance

    The Dome9 Compliance Engine evaluates your cloud environment using compliance policies and rules.

    Policies & Rules

    The Compliance Engine uses a set of policies to test your cloud accounts. Policies contain rules, which are individual tests of a capability in your account. For example, a rule could test whether an account has a 'root' user, or whether a password policy is enforced.

    The Compliance Engine includes a set of predefined policies, developed by Dome9, which test for common cloud security standards and best practices. These also include recommendations for remediation. These policies cannot be changed, but you can clone them, to make a copy, and modify the copy.


    Dome9 GSL (Governance Specification Language)

    Rules used by the Compliance Engine are defined using the Dome9 Governance Specification Language (GSL). This is a user-readable, intuitive language that describes the test. For example, the rule

    S3Bucket should have logging.enabled=true

    checks that logging is enabled for AWS S3 buckets.

    See The Dome9 GSL Core Language for details and examples of the GSL syntax, and how to build rules.


    Built-in Policies

    The Compliance Engine comes with a set of predefined policies, developed by Dome9, that cover common cloud security standards such as PCI-DSS, HIPAA, and CIS for AWS Foundations.


    What you need to get started

    You must have the Compliance & Governance module as part of your Dome9 plan. Check the Account page of the user admin menu to see the modules included in your plan, and contact Dome9 if you need to add modules. See User admin menu.



    • At-a-glance dashboard view of organizational compliance across entire cloud presence, on all providers

    • Check compliance with cloud security standards

    • Clear reports indicate non-compliant issues

    • Easily build custom policies using graphical rule builder (GSL)

    • Predefined (built-in) policies built by Dome9 cover a wide range of standards and best practices


    • Enforce cloud accounts compliance with standards

    • Enforce compliance with organizational policies across the estate

    • Review the security and compliance posture across the entire estate using a unified dashboard

    • Evaluate compliance of a proposed cloud design (CloudFormation Template), before actual deployment

    • Customize the compliance engine dashboard according to your needs, allowing you to focus on the more sensitive and interesting environments

    • Review latest assessment results and apply remediation

    • Review assessments on specific environment from specific point in time

    • Create customized compliance or organizational policy rules



    The Compliance and Governance module has the following views.


    The Dashboard view is a summary view. It shows the following:

    • summary status of all policies, on all your cloud accounts, including results of the most recent assessment

    • click-to-run or re-run an assessment on an account, from the Dashboard

    • click-to-show detailed results or statistics for an assessment


    Assessment statistics

    Results for assessments are shown as the percentage of passed tests out of the total number of tests run. A test is the application of a policy rule to a cloud entity. For example, applying a rule to an EC2 instance or an S3 bucket is a test. The same rule applied to many entities results in many tests, each with its own result.

    So, for example, a result of 68% shows that 68% of the tests passed on the entities on which they were tested, while 32%, or 444 in total, failed.

    The result also shows that the bundle has 933 rules, of which 666 passed on all entities on which they were tested.
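    As an added illustration (not Dome9's engine and not the real GSL parser), the following Python evaluator handles only the simplest rule shape shown above, "<Entity> should have <path>=<value>", runs it over constructed bucket and instance records, and computes the bundle statistics described here: tests, failed tests, score, and the number of rules that passed on every entity. INVENTORY, POLICY and the function names are assumptions made for this example.

```python
import re
# Constructed sample inventory (not real account data), keyed by GSL entity type.
INVENTORY = {
    "S3Bucket": [
        {"name": "logs-archive", "logging": {"enabled": True}},
        {"name": "public-assets", "logging": {"enabled": False}},
        {"name": "backups", "logging": {}},  # attribute absent: must count as a failure
    ],
    "Instance": [{"name": "web-1", "monitoring": True},
                 {"name": "db-1", "monitoring": True}],
}

# Only the simplest GSL shape on this page: "<Entity> should have <path>=<value>".
RULE_RE = re.compile(r"^(\w+) should have ([\w.]+)=(\w+)$")

def parse_rule(gsl):
    """Split 'S3Bucket should have logging.enabled=true' into its three parts."""
    m = RULE_RE.match(gsl.strip())
    if not m:
        raise ValueError(f"unsupported rule shape: {gsl!r}")
    entity, path, value = m.groups()
    return entity, path.split("."), {"true": True, "false": False}.get(value.lower(), value)

def lookup(entity, path):
    """Walk a dotted attribute path; a missing attribute yields None, never a match."""
    for key in path:
        if not isinstance(entity, dict) or key not in entity:
            return None
        entity = entity[key]
    return entity

def evaluate(gsl, inventory):
    """One test per entity of the rule's type; report the failing entities by name."""
    entity_type, path, expected = parse_rule(gsl)
    results = [(e["name"], lookup(e, path) == expected) for e in inventory.get(entity_type, [])]
    failed = [name for name, ok in results if not ok]
    return {"tests": len(results), "failed": len(failed), "failed_entities": failed}

def assess(policy, inventory):
    """Bundle statistics as the page describes them: percentage of tests passed,
    failed-test count, and how many rules passed on every entity they were applied to."""
    per_rule = {rule: evaluate(rule, inventory) for rule in policy}
    tests = sum(r["tests"] for r in per_rule.values())
    failed = sum(r["failed"] for r in per_rule.values())
    rules_passed = sum(1 for r in per_rule.values() if r["failed"] == 0)
    return {"score": round(100 * (tests - failed) / tests) if tests else 0, "tests": tests,
            "failed": failed, "rules": len(policy), "rules_passed": rules_passed,
            "per_rule": per_rule}

POLICY = ["S3Bucket should have logging.enabled=true", "Instance should have monitoring=true"]
```

    Running assess(POLICY, INVENTORY) gives 5 tests, 2 failed (score 60), and 1 of 2 rules passing on all entities, because a bucket with no logging attribute at all fails the rule just as one with logging disabled does.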


    Compliance Engine

    This view shows your policies and rules, including predefined policies and custom ones that you define.

    • filter or search for specific rules in a policy

    • view details for each rule

    • show GSL details for a rule (toggle)

    • show/edit JSON format for rules




    This view lets you build and test rules, before including them in a policy.

    • test rules before applying them to a policy

    • build rules using a text or graphical editor input format


    Assessment History

    This view shows a list of the assessments that were run, with summary details for each.



    Add a Policy

    Add a new policy. Once you have a policy, you can add rules to it. These can then be applied to a VPC in one of your cloud accounts, or to a CloudFormation Template.

    1. Navigate to the Compliance Engine main page in the Compliance & Governance menu. The list of policies is shown on the left of the screen. The center of the screen shows the rules for the selected policy.

    2. Click +NEW BUNDLE to create a new policy. Enter a name for the policy and, optionally, a description, and select the cloud provider on which it will be applied. The center of the screen shows the rules for the new policy (initially there are none).


    Add Rules to a Policy

    Add rules to a policy. You can add rules to custom policies (new policies that you add), but not to predefined policies.

    1. Click +NEW RULE to add a rule to the policy. This opens the online GSL rule builder (see The Dome9 GSL Core Language).

    2. Enter a name for the rule and, optionally, a description, remediation (corrective steps), compliance sections that the rule covers, and a severity level (that is, the severity or impact of non-compliance with this rule).

    3. Enter the rule in the Rule GSL box, using the GSL syntax, then press SAVE. The rule appears in the list of rules for the policy. You can enter the rule as text, in the Text Editor mode, or graphically, in the Rule Builder mode.

    4. Add additional rules for the policy, as needed.


    Modify Rules

    You can modify existing rules in a custom policy. You can modify them using the graphical Rule Builder, in the same way that new rules are created. The Compliance Engine stores rules in JSON format, so you can also edit the rules for a policy by editing the JSON block.

    1. Navigate to the Compliance Engine.

    2. Select the policy from the list on the left. The rules for the policy are shown on the right.

    3. Click on the rule you wish to edit. This will open the Rule Builder. From there you can change the rule, either by changing the text, or using the graphical Rule Builder.

    4. Alternatively, press </>EDIT JSON. This will open the JSON Editor. Make changes to the rules directly in the JSON block.

    5. Modify the text of the rules, as necessary, and then click SAVE.


    Run an assessment

    Run a policy assessment on a selected cloud account.

    1. Navigate to the Compliance Engine main page.

    2. Click on the policy to be run (in the list on the left).

    3. Click .

    4. Select the Environment tab.

    5. Select the Cloud account, region, and VPC on which the policy will be run, and then click RUN. The assessment will take from a few seconds to a few minutes (depending on the complexity of the policy and the number of rules). When completed, the results will be displayed.

      Details for each rule are shown: the number of entities tested (Tests), the number that were included in the scope of the rule (Relevant), the number of entities that were excluded (if SHOW EXCLUSIONS is selected), and the number of failed tests (Failed tests).

      Click Expand to show more detail, including details for the rule, and a list of the failed entities.

    Note: you can also run an assessment from the Dashboard view. Click next to the results for a specific bundle and account, or CLICK TO RUN for an account and bundle without results, to run (or re-run) an assessment.


    View Assessment History

    You can view a summary of previous assessments, and then see details for a specific assessment.

    1. Navigate to the Compliance Engine.

    2. Select Assessment History from the menu. A list of previous assessments is shown. This list can be filtered and sorted.
      The list shows, for each assessment, the date the assessment was run, the bundle and account, the score, the number of failed tests, the number of excluded tests, and the event that triggered the assessment. The event could be Manual, for assessments run from the Compliance Dashboard, Continuous Compliance, for assessments run continuously, or System, for assessments defined on the Dome9 Dashboard (which are run hourly).

    3. Click next to an assessment to show details for it.


    Clone a Policy

    You can copy an existing policy. The copy will contain the same rules. This is useful if you wish to modify or extend the rules in a predefined policy (which cannot be edited).

    1. Navigate to the Compliance Engine page.

    2. Select the policy to be cloned, and click CLONE BUNDLE.

    3. Enter a name for the new policy, and select the cloud provider on which the policy will run.