Governance
This guide describes how to use the Governance service.
Governance allows users to create and apply policies for their cloud services covering cost, operation, security, and monitoring. When it detects abnormal activity, it automatically performs the actions pre-determined in the policy.
Quick Start Guide
Step 1: Register Cloud Account
To use the Governance service, you must register your cloud account in Cloud Account from the Service Portal.
Step 2: Create Governance Policy
Create the necessary policies on the Policy Management page in Governance.
Step 3: Execute Compliance Assessment
From Compliance Assessment, you can execute a compliance assessment on the policies that were created.
Dashboard
The dashboard provides graphical displays of executed compliance tests: assessment status and status trend by product and category. It also shows a list of failed rules.
Summary
The Summary section displays, as percentages, the results of the policies on which compliance tests have been executed so far. The test results are labeled as critical, high, medium, and low, and the section shows the number of failed or passed rules. Two shortcut icons on the top-right jump to Compliance Assessment and Compliance Logs.
Assessment Status
This section displays assessment status by product and category. It also allows you to check assessment status by cloud vendor, and failed or passed rules by the products and categories set by the user.
Note: The score may exceed 100 because it is determined by dividing the number of passed or failed rules by the total number of rules by product or category. The number of passed or failed rules can be greater than the total number of rules because multiple products or categories can be set on a single rule.
Assessment Status by Region
This section allows users to check assessment status by region. If you move your mouse over a dot on the map, a pop-up window appears showing the number of failed or passed rules in that region. By clicking the toggle button, you can view the same data as a table.
Status Trend
This section displays the trend of assessed policies by product or category. You can set the period to 14 days, 1 month, or 1 year to see the trend. For example, if you set the period to 1 month on October 25, 2020, the trend will cover the data back to September 25, 2019.
Failed Rules
This section displays a list of failed rules after executing compliance tests. The list contains assessment status such as when the compliance test was conducted and whether failed rules were resolved or not. There is a shortcut icon on the top to jump to Compliance Assessment menu to check the details of the failed rule.
Compliance Assessment
Compliance Assessment allows you to conduct compliance tests against policies that were added to the compliance list. It also provides a filter to view policies by account, policy type, or search text.
Execute Compliance Assessment
You can select policies from the list and click the Assessment button to run the compliance test. Click the Remove from Assessment List button to delete a selected policy.
You can set the schedule and assessment scope by clicking the Option button at the far-right corner of the selected policy.
Click Set Assessment Scope to select and apply the accounts to be included in the compliance test.
Click Set Schedule to choose the testing cycle: every day, every week, or every month. It also allows you to set the time to run the test.
Assessment Result
Click a policy to jump to the detailed page of Compliance Assessment. On this page, you can view assessment scores and status from the Assessment Result menu. It also shows failed and passed rules by cloud vendor in graphical displays. To edit a selected policy, click Go to Policy Management at the top to jump to the Policy Management page.
Item | Description |
---|---|
Assessment Score | The score is converted to a 100-point scale from the number of passed rules against the total number of rules. Risk severity can be categorized as high, medium, and low. |
Assessment Status | The status shows the number of passed or failed rules against the total number of rules by product or category. - The score may exceed 100 because it is determined by dividing the number of passed or failed rules by the total number of rules by product or category. - The number of passed or failed rules can be greater than the total number of rules because multiple products or categories can be set on a single rule. |
Last Assessed on | It indicates the date and time when the test was most recently conducted. |
Assessment Scope | It contains a list of accounts that were included in the latest compliance test. |
Go to Policy Management | Jump to Policy Management page to modify the policy. |
Note: If you modify policies from Policy Management page, you need to add the modified policy to Compliance Assessment to run the test.
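The following added example (not the product's own code) works through the note on scores above 100, which appears both in the Dashboard's Assessment Status section and in the Assessment Status row of the table above. The rule names, field names, and the exact formulas are assumptions made for illustration; the sample rules are constructed.

```python
from collections import Counter

# Constructed sample: every rule has one result but may carry several categories.
RULES = [
    {"name": "rule-1", "categories": ["Security", "Cost"], "passed": True},
    {"name": "rule-2", "categories": ["Security", "Operation", "Monitoring"], "passed": True},
    {"name": "rule-3", "categories": ["Cost"], "passed": False},
    {"name": "rule-4", "categories": ["Security", "Monitoring"], "passed": True},
]


def status_by_category(rules):
    """Count passed and failed rules per category.

    A rule is counted once for EACH category it carries, which is what
    lets the per-category counts add up to more than the number of rules.
    """
    passed, failed = Counter(), Counter()
    for rule in rules:
        bucket = passed if rule["passed"] else failed
        for category in rule["categories"]:
            bucket[category] += 1
    return passed, failed


def summed_category_score(rules):
    """Assumed formula: per-category passed counts summed, divided by the
    number of distinct rules, on a 100-point scale. Can exceed 100."""
    passed, _ = status_by_category(rules)
    return 100 * sum(passed.values()) / len(rules)


def distinct_rule_score(rules):
    """Each rule counted once regardless of categories. Never exceeds 100."""
    return 100 * sum(1 for r in rules if r["passed"]) / len(rules)


def multiply_counted(rules):
    """Rules that inflate the per-category totals, for de-duplicated reporting."""
    return [r["name"] for r in rules if len(r["categories"]) > 1]


if __name__ == "__main__":
    passed, failed = status_by_category(RULES)
    print("passed by category:", dict(passed))
    print("failed by category:", dict(failed))
    print("summed category score:", summed_category_score(RULES))
    print("distinct rule score:", distinct_rule_score(RULES))
    print("counted more than once:", multiply_counted(RULES))
```

When the per-category figures feed an audit report, de-duplicate by rule first so the pass rate is not overstated.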
Applied Rules
This section shows a list of applied rules for the selected policy, along with the status and severity of each rule. Click the Next Action button to perform pre-defined actions if it fails to comply with the rule.
Item | Description |
---|---|
Category | Filter applied rules by category. |
Product | Filter applied rules by product. |
Input Field | Allow users to find rules by entering search text. |
Assessment Status | Display the assessment status as Fail (Unsolved), Fail (Solved), Pass, Examining, Error, and Unexamined. |
Rule Name | Display user-defined name and category of rules. |
Severity | Display severity of rules as critical, high, medium, and low. |
Next Action | If it fails to comply with the rule, clicking the Next Action button performs pre-defined actions. |
- When you click a rule in the list, a new screen appears showing the status of the rule, the accounts included in the rule, and detailed conditions. If it fails the compliance assessment, click Details from the menu to view the reasons for failure.
Assessment Settings
The Assessment Settings feature contains basic information about the rule and allows users to set whether to conduct the compliance test manually or automatically. You can also add and delete accounts that need to be tested from Assessment Scope.
Note: Click the + Add to Whitelist button to add items that need to be excluded from the compliance test to the whitelist. The whitelist is a list of specified resources that are excluded from compliance assessment.
Section | Item | Description |
---|---|---|
Basic Information | Applied on | Date when a policy was added to the compliance test list. |
Basic Information | Last Assessed on | Date when a policy was tested. |
Basic Information | Automatic Assessment | Choose to conduct compliance test automatically or manually by clicking toggle button. |
Basic Information | Assessment Scope | Show accounts that are included in the compliance assessment. |
Whitelist | Remove from List | Remove specified resources from the Whitelist. |
Whitelist | Add to Whitelist | Add specified resources to the Whitelist. |
Whitelist | Details | Show accounts, products, regions, resource names, and resource IDs that are included in the Whitelist. |
Assessment Logs
Assessment Logs allows you to view all logs that are generated in the Governance service. The logs contain history of conducted compliance tests and changes of assessment scope. You can check more details of the log in the Compliance Logs.
Item | Description |
---|---|
Select Duration | Choose a duration and view compliance logs for that duration |
Status | Display status of logs as System, User, and Error |
DateTime | Date and time when log was created |
Details | Detailed information about logs generated in the policy |
Note: Currently, Governance does not support two AWS regions: Hong Kong and Bahrain. If you need help with these regions, please contact Support team.
Policy Management
Governance provides various Best Practice policies so that you can select one of the policies to use immediately. You can create a new policy by copying one of the Best Practice policies from Policy Management.
Add Policy to Assessment List
You can add the policies that are required for your IT environment. To perform a compliance assessment, you need to add policies to the assessment list first.
Add Best Practice Policy
To add Best Practice policies, click a Best Practice to move to the details page. In the details page, click Add Item button to add the policy to Compliance Assessment list for compliance test.
Item | Description |
---|---|
Assessment Status | Display assessment status as pass, fail and error |
Assessment Results | Move to Compliance Assessment by clicking Assessment Results |
Created | Display a date and time when a policy was created |
Last Updated | Display a date and time when a policy was updated |
Applied Rules | Display a list of rules that are included in the policy |
Input Field | Allow you to filter rules by category and product |
Delete Rule | Delete unwanted rules from Assessment List |
- Click Add Item on the top-right corner of the page. Then, in the popup window, choose whether to conduct the compliance test or set a schedule to run it.
Copy Policy to Assessment List
It allows you to copy a Best Practice policy and modify it for your IT environment.
Copy Best Practice
Governance provides multiple Best Practice policies for user convenience. You can copy one of the Best Practice policies, create a new policy based on the copy, and run the compliance test against the new policy.
Move to Copy Policy page by clicking Copy from Options menu.
In Copy Policy page, you can modify applied rules.
Item | Description |
---|---|
Edit | Modify basic information and detailed conditions of the rule |
Copy | Create a new rule by copying and editing an existing rule |
- You can create a new policy by clicking OK button after editing a policy for your environment.
Create Policy
It allows you to create user-defined policies.
Click Create Policy button on the top-right corner of the page to create a new policy.
A popup window of Create Policy appears. You can enter name and a brief description of the policy and then click OK to complete.
Go to the detailed page by selecting the created policy. In Policy Management page, add a rule by clicking + Add Rule button.
Enter basic items and preferences of a rule in Add Rule popup window.
Click Next button to set the details.
Available actions of Select Task
- Run Lambda Function
- Start Instance
- Stop Instance
- Reboot Instance
- Terminate Instance
- Delete Snapshots
- Delete Volumes
- Release Elastic IPs
Governance currently provides the actions listed above and plans to add more actions in the future.
- In the created policy page, add a rule and click Add Item button to add it to the assessment list.
Compliance Logs
On the Compliance Logs page, you can view all compliance logs that have been generated so far. You can also search for specific logs by selecting log type and duration, and entering search text.
Click the Details button to view detailed information about the log, such as rule name, applied rule, automatic assessment, assessment scope, and whitelist.
Types of Compliance Logs: Policy, Rule, Whitelist, Account, Assessment scope, Assessed policy
Settings
On the Settings page, you can create both whitelists and categories.
Whitelist
Governance provides Whitelist Template to exclude specified resources from the assessment list. Click Create Template to create the list. In Create Whitelist Template page, you can add resources that you want to exclude from the assessment list.
Click Add Resource button to choose cloud vendor, product, tag, and tag for resources.
Click Filter button on the image below to select resources by cloud service, account, region, and product.
Category
You can assign a category to rule(s), and manage rules by category afterward.