Continuous Compliance

    Dome9 Continuous Compliance extends the capabilities of the Compliance Engine by evaluating your cloud environments continuously, and notifying you of any changes in the security posture of any of them. You can apply the same policies that you use with the Compliance Engine, with rules built using the GSL language. Receive notification of findings or of changes by email, on the Dome9 Console, or through AWS SNS.

    The Dome9 Compliance Engine applies the bundles you selected to the cloud environments you selected approximately every hour, and updates the compliance results shown in the Compliance Dashboard. Notifications are sent out according to the Notification Policy configured for each bundle/account.

    You set up Continuous Compliance by associating compliance rules bundles with your cloud accounts, and then associating them with Notification Policies, which indicate how the results are to be sent to you. This is a continuous compliance policy. You can easily associate several bundles with a single account, or associate a single bundle to a number of accounts, across different cloud platforms. Different Notification Policies can be associated with each cloud account or bundle, so you can direct specific findings to target audiences, at the time and in the way most effective for them.

    You can also perform bulk operations, to remove a number of policies in one step.


    Value to customers

    • automatic continuous evaluation of your cloud environments with policy bundles that you select

    • automatic notification of results or changes by email or SNS, or on Dome9 Console

    • granular notifications to relevant individuals or teams

    • evaluation across accounts and across cloud platforms


    • Security/Compliance managers receive a weekly high-level report.

    • Relevant security/compliance teams receive immediate email notification of any entity that failed a compliance test

    • Relevant security/compliance teams receive a daily aggregated email report of all entities that failed a compliance test

    • Relevant security/compliance teams receive a daily aggregated email report of all new entities that failed a compliance test since the last report

    • Receive an SNS notification of new entities that failed a compliance test. The notification can be consumed by any integrated system.



    Set up a Notification Policy

    Notification Policies indicate which compliance findings are sent out, when and how they are sent, and to whom. You can create any number of policies, and associate them with any bundle or cloud account, to customize the notification of compliance issues according to your needs.

    1. Navigate to the Continuous Compliance main page, in the Compliance & Governance menu.

    2. Click Manage notification, in the upper right. A list of your notification policies is shown on the left.

    3. Click Add new policy.


    4. Enter a name and description for the policy, and select the type of notifications from the list.

    5. For email notifications, enter a list of email addresses for the recipients, and select an email option. There are two email notification options:
      • Scheduled - these are sent at specific, scheduled times (regardless of whether there are changes in the findings)
      • Changes - sends an email of the changes found in the most recent assessment (no email is sent if there are no changes).
    6. For notification through AWS SNS, enter the ARN of the AWS SNS Topic, and select the format of the notification.

      Note: Click PUBLISH FINDINGS to send any unsent SNS notifications, for all accounts and bundles that are associated with this Notification Policy. Unsent notifications can occur, for example, if there were findings before the Notification Policy was set up, or if the connection to the SNS Topic was interrupted.

    7. Click Create. The new policy will appear in the list of policies.
    8. To add another policy, click +Add new policy. This will clear all the fields, after which you can enter details for a new policy.

    Switch between Cloud Account and Bundle views

    The Continuous Compliance page shows your Continuous Compliance Policies. There are two views of the policies: the Cloud Account view (the default), which shows policies organized by your cloud accounts, and the Bundle view, which shows policies organized by bundles.

    To select a view, click in the upper right, and then select one of the views.


    Set up a Continuous Compliance Policy

    A continuous compliance policy is a compliance bundle, associated with a cloud account and a notification policy. Dome9 continuously assesses the accounts in your compliance policies, with the bundles you have selected, and notifies you with the notification policy you have selected.

    You can set up a compliance policy in the Cloud Accounts tab or the Bundles tab. In the Cloud Accounts tab you can associate bundles with accounts, while in the Bundles tab you associate accounts to bundles. In both, you associate notification policies to create continuous compliance policies.

    1. Navigate to the Continuous Compliance main page, in the Compliance & Governance menu. The page opens by default in the Cloud Accounts view. This shows a list of your cloud accounts and, for each, the continuous compliance policies that have been defined for it.

    2. Click +Attach Compliance Bundles to the right of the account to which you wish to add a policy.

    3. Select the bundles you wish to attach to the policy from the Unattached Bundles box (upper left), and then click ATTACH. The bundles will appear in the Attached Bundles box (upper right). Bundles that are already attached to the account are not shown.

    4. Select the notification policies you wish to attach to the policy from the Unattached Notification Policies box (lower left), and click ATTACH. The policies appear in the Attached Notification Policies box (lower right).

    5. Click APPLY and then CLOSE. The new policy will appear in the list of policies for the selected account.

      Note: Click at the right of a policy to change the notification policies associated with it, or to delete it. Click on the name of the bundle (in the Cloud Account view) or account (in the Bundles view) to edit details for the item (in the corresponding page in the Dome9 console).

      Similarly, create policies in the Bundles view in the same way, but in this case, select a Bundle, and then associate accounts and notification policies with it. The same policies will appear in both the Cloud Accounts and the Bundles tabs (but organized according to accounts or bundles, respectively).


    Remove notification policies with bulk operations

    You can perform bulk operations on a group of policies, either in the Cloud Accounts or Bundles tabs. Currently, you can detach the policies with a bulk operation.


    Note: future versions of the Dome9 Console will have additional bulk operations.

    1. Check the boxes next to the bundles or accounts that you wish to delete (depending on the view), and then click in the pop-up box to delete them.

    2. Click Yes to confirm the deletion.