Feature Friday: What's in a Kion Compliance Check?

Matt Duda

Last updated on September 20th, 2023 at 10:25am

What Is a Compliance Check?

A compliance check analyzes a cloud resource to see if it matches an undesirable configuration. Compliance checks allow you to monitor your cloud environment for vulnerabilities continually and return findings to the compliance dashboard. These findings can be triaged by severity and aggregated into a compliance score that enables you to prioritize the findings that present the most risk or adversely affect your security and compliance posture. Kion offers over 8,000 compliance checks out of the box and allows you to write custom checks to ensure you can have holistic coverage and visibility into the security of your cloud environment.

Types of Compliance Checks

  • Cloud Custodian Checks
  • Native Azure Policy Checks
  • External Checks

Cloud Custodian Checks

Kion includes the open-source Cloud Custodian rules engine that allows you to easily write and run YAML policies against your AWS, Azure, and Google Cloud resources.

Native Azure Policy Checks

Native Azure policy checks can be added to Kion with JSON policy code specifically configured to check for compliance in your Azure resources.

External Checks

Kion can support ingesting data from external tools via external checks. These compliance checks can also serve as metadata for those external tools.

Cloud Custodian checks make up the majority of Kion’s out-of-the-box checks and also comprise the bulk of the checks in our compliance jumpstarts.

A Cloud Custodian policy has at least four unique elements:

  1. Unique name
  2. Type of resource
  3. Filters
  4. Actions

Unique Name

This is the label of the check. The taxonomy of the name can be used to arrange or categorize the checks. For example, when a check is used in a compliance jumpstart, the specific compliance standard it pertains to (NIST 800-53, HIPAA, etc.) is found in the name.

Type of Resource

This is the type of cloud resource the policy is applied to: S3, EC2, etc.


Filters

Filters further narrow the resources that the check targets and can include things like tag, key, type, value, and more, including “AND,” “OR,” and “NOT” logic operators.


Actions

The actions include the one that posts the finding(s) in Kion via webhook, as well as actions to remediate the findings automatically if desired.

Uncommenting a single line of code can initiate automatic remediation of compliance findings
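
The four elements put together in one Cloud Custodian policy, as an added example that is not one of Kion's own checks. The policy name, the `Exempt` and `Environment` tags, the webhook URL (a placeholder, since the page does not give Kion's endpoint) and the body fields are assumptions chosen for illustration.

```yaml
policies:
    # 1. Unique name: the compliance standard is carried in the name
    #    (this naming scheme is an assumption, not Kion's taxonomy).
  - name: nist-800-53-s3-public-access-block-missing
    description: S3 buckets where any public access block setting is off.

    # 2. Type of resource the policy is applied to.
    resource: aws.s3

    # 3. Filters: entries at the top level are ANDed together;
    #    "and" / "or" / "not" blocks can be nested to narrow the match.
    filters:
      # With no parameters, matches buckets where any of the four
      # public access block settings is unset or false.
      - type: check-public-block
      # Skip buckets that carry either of these (hypothetical) tags.
      - not:
          - or:
              - "tag:Exempt": "true"
              - "tag:Environment": sandbox

    # 4. Actions: report the finding, optionally remediate it.
    actions:
      # Post every matched bucket in one request. "body" is a JMESPath
      # expression evaluated over the policy and the matched resources.
      - type: webhook
        url: https://kion.example.com/placeholder-findings-endpoint
        method: POST
        batch: true
        body: '{policy: policy.name, buckets: resources[].Name}'

      # Automatic remediation, disabled by default. Uncommenting the
      # line below turns on all four public access block settings for
      # each matched bucket.
      # - type: set-public-block
```

Running the policy with `custodian run --dryrun` evaluates the filters and records the matching resources without executing any action, which is a safe way to confirm the match set before enabling remediation.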

Compliance checks are only one facet of our continuous compliance features that help shift security and compliance to the left in your cloud platform development.

Kion is the best way to establish and scale a well-governed, multi-cloud environment and can assist you with much more than compliance. As a cloud enablement platform, we want to help you go farther, faster in the cloud by helping you to accomplish meaningful work across every facet of developing and managing your cloud platforms.

Automation & Orchestration tools make configuring financial, security, and compliance guardrails across multiple accounts easy and reduce what usually takes weeks of manual configuration to hours.

Financial Management features help you visualize your spend across cloud providers and understand where and why money is being spent. Also, you can receive recommendations for rightsizing resources and identifying zombie instances to stop wasting your cloud spend.

If you would like to see the best single platform for establishing and scaling a well-governed, multi-cloud environment or understand how Kion would work for your specific use case, you can request a demo by registering here.

About the Author

Matt Duda

Matt is the brand experience manager at Kion.
