Governance
This guide describes how to use the Governance service.
Governance allows users to create and apply policies for their cloud services in terms of cost, operation, security, and monitoring. When it detects abnormal activities, it performs automatic remediations according to pre-determined policies.
Quick Start Guide
📑 Step 1: Register Cloud Account
Register your cloud account in Cloud Account from the Service Portal to use Governance.
📑 Step 2: Create Governance Policy
Create necessary policies for your IT needs in Policy Management of Governance.
📑 Step 3: Execute Compliance Scan
From Compliance Scan, execute a compliance scan on the policies that were created.
Dashboard
Governance > Dashboard
The dashboard shows key values and trending indicators such as compliance scan results, scan scores, scan status, and status trend. The charts and graphs on the dashboard help you view compliant and non-compliant rules at a glance.
Summary
The Summary shows the compliance scan results as a percentage. The scan results are labeled as critical, high, medium, and low, and the Summary shows the number of failed or passed rules. There are two shortcut icons on the top-right to jump to Compliance Scan and Compliance Logs.
Scan Status
This section displays scan status by product and category. It also allows you to check scan status by cloud vendor, and compliant or non-compliant rules by the products and categories set by the user.
Note: The score may exceed 100 as it can be determined by dividing the number of compliant or non-compliant rules by the total number of rules by product or category. The number of compliant or non-compliant rules can be greater than the number of entire rules as multiple products or categories can be set to a single rule.
Scan Status by Region
This section allows users to check scan status by region. If you move your mouse over a dot on the map, a pop-up window appears showing the number of compliant or non-compliant rules in that region. By clicking the toggle button, you can view the same data in a table.
Status Trend
This section displays trends of scanned policies by product or category. You can set the period to 14 days, 1 month, or 1 year to see the trend. For example, if you set the period to 1 month on October 25, 2020, the trend will cover the data back to September 25, 2020.
Non-Compliant Rules
This section displays a list of non-compliant rules after executing compliance tests. The list shows when compliance tests were conducted and whether non-compliant rules were resolved or not. To check the details of the non-compliant rules, click Compliance Scan on the top.
Compliance Scan
Governance > Compliance Scan
Compliance Scan allows you to conduct compliance tests against policies that were added to the scan list. It also provides filters to view policies by account, policy type, or search text.
Execute Compliance Scan
You can select policies from the list and click the [Scan] button to run the compliance test. Click the [Remove from Scan List] button to delete the selected policy.
You can set a schedule and scan scope by clicking [Option] at the far-right corner of the selected policy.
Click [Set Scan Scope] to select and apply accounts to be included in the compliance test.
Click [Set Schedule] to choose a testing cycle of every day, every week, or every month. It also allows you to set the time to run the test.
Scan Result
Click a policy to jump to the detailed page of Compliance Scan. On this page, you can view scan scores and status in Scan Result. It also shows compliant and non-compliant rules by cloud service provider in graphical displays. To edit a selected policy, click [Go to Policy Management] on the top.
Item | Description |
---|---|
Scan Score | The score is converted into a 100 point scale for the number of compliant rules against the number of entire rules. Risk severity can be categorized as high, medium, and low. |
Scan Status | The status shows a number of compliant or non-compliant rules against entire rules by product or category. - The score may exceed 100 as it can be determined by dividing the number of compliant or non-compliant rules by the total number of rules by product or category. - The number of compliant or non-compliant rules can be greater than the number of entire rules as multiple products or categories can be set to a single rule. |
Last Scan | It indicates the date and time when the test was most recently conducted. |
Scan Scope | It contains a list of accounts that were included in the latest compliance test. |
Go to Policy Management | Jump to the Policy Management to modify the policy. |
Note: If you modify policies from the Policy Management page, you need to add the modified policy to the Compliance Scan to run the test.
Applied Rules
This section shows a list of applied rules for the selected policy, along with the status and severity of each rule. Click the [Next Action] button to perform predefined actions when a rule is not complied with.
Item | Description |
---|---|
Category | Filter applied rules by category. |
Product | Filter applied rules by product. |
Input Field | Allow users to find rules by entering search texts. |
Scan Status | Display the scan status as Non-Compliant (Unsolved), Non-Compliant (Solved), Compliant, Scanning, Error, and Unscanned. |
Rule Name | Display user-defined name and category of rules. |
Severity | Display severity of rules as critical, high, medium, and low. |
Next Action | Click the [Next Action] button to perform predefined actions when the rule is not complied with. |
- When you click a rule from the list, a new screen appears showing the status of the rule, the accounts included in the rule, and detailed conditions. For non-compliant rules, click [Details] from the menu to view the reasons for compliance failure.
Scan Settings
Scan Settings shows basic information about the rule, and allows users to set whether to conduct compliance tests manually or automatically. You can also add and delete accounts that need to be tested from Scan Scope.
Note: Click the [+ Add to Exception List] button to add items to the exception list that need to be excluded from the compliance scan. The Exception List is a list of specified resources that are excluded from compliance scan.
Category | Item | Description |
---|---|---|
Basic Information | Applied on | Date when a policy was added to the compliance test list. |
Basic Information | Last Scanned Date | Date when a policy was tested. |
Basic Information | Automatic Scan | Choose to conduct compliance tests automatically or manually by clicking the toggle button. |
Basic Information | Scan Scope | Show accounts that are included in the compliance scan. |
Exception List | Remove from List | Remove specified resources from the Exception List. |
Exception List | Add to Exception List | Add specified resources to the Exception List. |
Exception List | Details | Show accounts, products, regions, resource names, and resource IDs that are included in the Exception List. |
Scan Logs
Scan Logs allows you to view all logs that are generated in the Governance service. The logs contain the history of conducted compliance tests and changes to scan scope. You can find more details about the logs in Compliance Logs.
Item | Description |
---|---|
Select Duration | Choose a duration and view compliance logs for that duration |
Status | Display status of logs as System, User, and Error |
DateTime | Date and time when log was created |
Details | Detailed information about logs generated in the policy |
Policy Management
Governance > Policy Management
Governance provides various Best Practice policies, and users can select one of them to use immediately. Users can also create a new policy by copying one of the Best Practice policies from Policy Management.
Add Policy to Scan List
You can add policies that are required for your IT and business environments. To perform a compliance scan, you need to add policies to the scan list first.
Add Best Practice Policy
① To add a Best Practice policy, click the Best Practice to move to its details page. On the details page, click the [Add Item] button to add the policy to the Compliance Scan list for compliance testing.
Item | Description |
---|---|
Scan Status | Display scan status as compliant, non-compliant and error |
Scan Results | Move to Compliance Scan by clicking [Scan Results] |
Created | Display a date and time when a policy was created |
Last Updated | Display a date and time when a policy was updated |
Applied Rules | Display a list of rules that are included in the policy |
Input Field | Allow you to filter rules by category and product |
Delete Rule | Delete unwanted rules from Scan List |
② Click [Add Item] on the top-right corner of the page. Then, in the popup window, choose whether to conduct compliance tests or set a schedule to run them.
Copy Policy to Scan List
It allows users to copy a Best Practice policy and modify it for their IT environment.
Copy Best Practice
① Governance provides multiple Best Practice policies for user convenience. Users create a new policy based on the copied policy, and run the compliance test against the new policy.
② Move to the [Copy Policy] page by clicking [Copy] from the Options menu.
③ On the [Copy Policy] page, users can modify applied rules.
Item | Description |
---|---|
Edit | Modify basic information and detailed conditions of the rule |
Copy | Create a new rule by copying and editing an existing rule |
④ After editing the policy for their environment, users can create the new policy by clicking the [OK] button.
Create Policy
It allows users to create user-defined policies.
Click the [Create Policy] button on the top-right corner of the page to create a new policy.
The Create Policy popup window appears. Enter a name and a brief description of the policy, and then click [OK] to complete.
Go to the detailed page by selecting the created policy. On the Policy Management page, add a rule by clicking the [+ Add Rule] button.
Enter basic items and preferences of a rule in the Add Rule popup window.
Click the [Next] button to set the details.
Available actions of [Select Task]
Governance currently provides the actions listed below and plans to add more actions in the future.
- Run Lambda Function
- Start Instance
- Stop Instance
- Reboot Instance
- Terminate Instance
- Delete Snapshots
- Delete Volumes
- Release Elastic IPs
On the created policy page, add a rule and click the [Add Item] button to add it to the scan list.
Compliance Logs
Governance > Compliance Logs
- On the Compliance Logs page, you can view all compliance logs that have been generated so far. You can also search for specific logs by selecting a log type and duration, and entering search text.
- Click [Details] to view detailed information about the log, such as rule name, applied rule, automatic scan, scan scope, and exception list.
- The types of Compliance Logs are policy, rule, exception list, account, scan scope, and scanned policy.
Settings
Governance > Settings
On the Settings page, you can create an Exception List to exclude resources from the compliance scan, a Category to set and manage rules by category, and a Region setting to exclude or include regions when running compliance scans.
Exception List
① Governance provides the Exception List to exclude specific resources from the scan list. Click [Create Template] to create a list, and add the resources that you want to exclude from the scan list on the [Create Exception List Template] page.
② Click [Add Resource] to choose resources that need to be excluded from the compliance test. Users can check detailed information such as cloud service, account name (alias), product, region, and resource ID.
③ Click the [Filter] button to choose the resources you want to view by cloud service, account, region, and product.
④ You can check the applied resources by selecting the details button located on the right side of the exception list. The detailed resource information includes cloud service, account name (alias), product, tag, region, and resource ID. If you want to remove a resource from the exception list, select the checkbox of that resource and click the [Remove resource] button.
Category
① You can assign a category to rule(s) and manage rules by category. When you create a cost or resource category and assign it to rule(s), it can be used as a tag.
Region
① You can choose regions to be excluded from the compliance scan. Choose a region from All Regions and click the enabled arrow in the middle to move the selected region to the list of regions excluded from the compliance scan.