Note: Compliance reports are a feature of Premium Plan accounts. Please ensure you are on this plan before following the steps below.

Custom Compliance Program

As of August, 2019, CloudSploit supports the creation of custom compliance programs. Many of our users have asked for the ability to map internal corporate controls to CloudSploit's existing library of plugins in order to produce reports in a format familiar to their developers. This new feature enables this capability by allowing you to create a custom compliance program with custom controls and custom plugin mappings.

Key Terms

Before getting started, it's important to understand the terminology CloudSploit uses when referencing the various pieces of its compliance programs:

  • Program - The top-level categorization used for compliance reports. A "program" could refer to a public program such as HIPAA or PCI, or an internal program such as "Acme's Custom Controls."

  • Control - A requirement mandated by the compliance program. For example, PCI has a "control" called "Requirement 1 - Firewalls". Each control has a description providing more details about the requirement, such as "Install and maintain a firewall configuration to protect cardholder data.".

  • Plugin Mapping - Each control has a series of plugins associated to it. These "mappings" allow CloudSploit to associate a subset of its plugins with the control. For example, the "Firewall" control could have a mapping to the "Default Security Group" plugin because this plugin helps satisfy the requirement to maintain a secure firewall.

Default Compliance Reports

By default, CloudSploit provides compliance reports for popular compliance programs such as PCI and HIPAA with more programs coming soon. These reports are available in the scan report "Compliance" tab and cannot be modified. CloudSploit routinely updates the controls and plugin mappings associated with these programs.

Creating Custom Compliance Programs

To create a custom program, follow these steps:

  1. Log into the CloudSploit console as an account administrator (only account admins can create custom programs at this time because the reports will be made available across all your cloud connections).
  2. Navigate to "Tools & Reports" > "Compliance".
  3. Click the "+ Create Compliance Program" button.
  4. In the popup, provide a program name and description and then save.
  5. Click the "Details" button to go to the program details and begin adding new controls.
  6. Click the "+ Add Compliance Control" button at the top right.
  7. Provide a name and description for the control and click "Save".
  8. Click the "View Plugins" button to begin creating plugin mapping associations.
  9. Search for the plugins you'd like to include and click the checkbox next to each.
  10. Continue creating controls and plugin mappings until all controls have been covered.

Accessing Custom Compliance Reports

Once you've created a custom report, it can be viewed from the Scan Results page for each account:

  1. Click "Scans" > "Scan Results"
  2. Select an account from the list and click "View Report".
  3. Click the "Compliance" tab.
  4. Click your new program to view the report.