New FinOps Capabilities Kion Strengthens Multicloud Capabilities with New Support for FOCUS and Oracle Cloud Infrastructure Read the press release

Blog Continuous Compliance Financial Management Release News

New in Release 3.2: In-Depth Compliance and Early Access to New Features

Emily Wayman

6 min read

Last updated on February 1st, 2023 at 3:01pm

When it comes to security, being proactive is essential. The only thing better than a quickly resolved incident is not having an incident at all. In this Kion release, we’ve added new features to help prevent incidents before they happen. We help you build guardrails around your essential policies, identify compliance risks, and achieve compliance out of the box.

We do realize that sometimes even the best laid plans can be compromised, however, so we’ve also included resources for rapid incident recovery and faster time to resolution. Our goal is to help you avoid incidents, but we’ve also got your back when they do happen.

Compliance with Confidence

Protect Your Most Powerful Policies

Set AWS IAM policies, Azure role definitions, and Google Cloud IAM roles as restricted to limit their use to select users. Since cloud access roles carry cloud rules and policies with them, they can be used to control access in a very powerful way. If someone can create cloud access roles, they can manipulate roles to apply permissions in unintended ways. By restricting your most sensitive policies, you can create safeguards, so only specific users can add them to cloud access roles.

For more information, see our articles Add an AWS IAM Policy, Add an Azure Role Definition, and Create a Google Cloud IAM Role.

Always Be Up to Date with Pending Compliance Checks

Compliance checks in Kion are used to find resources that are improperly configured within your environment. As a simple example, you could have a check for whether an AWS S3 bucket is configured as publicly accessible. Kion keeps an eye on your resources for you, so that you can address risky situations before they become an issue. If a non-compliant resource is found, Kion lets you know so you can quickly federate into the account and take remediation actions.

Compliance check states have been added to give you more insight into when checks run and how recent your findings are. Maybe a check was compliant the last time you scanned it, but what if that scan was over a week ago? How do you know if a compliant check is showing results from yesterday’s or today’s scan? The pending compliance check badge shows you when checks are waiting to run, and pending check filters help you find out-of-date findings. You can always be sure that when a check says it’s compliant, it is.

For more information, see our article Compliance Overview.

Rapid Incident Recovery with CMMC 2.0

Kion comes with many pre-created compliance checks and cloud rules for common security standards in the form of compliance jumpstarts. These curated collections of checks and policies make it easy to ensure compliance right out of the box.

Our newest compliance jumpstart for the Cybersecurity Maturity Model Certification (CMMC) adds an Incident Response cloud rule for AWS and Azure. This cloud rule is meant to be applied when an incident has, or is suspected to have, happened.

When this cloud rule is applied, the account is locked down. All internal and external traffic is immediately blocked, permissions are removed from all principals, snapshots are taken of all EBS volumes and RDS instances, and a resource lock is put in place. This gives you time to investigate the incident and take recovery measures without risk of the incident escalating. When you are ready to bring the account back online, all you have to do is remove the cloud rule and all connectivity and unedited permissions are restored.

For more information, customers and partners can check out our new compliance jumpstart for CMMC 2.0.

Have a Voice in Kion Development

Feature Previews

We love to build features that continue to make using the cloud easier, and the best way to do that is to build features that are relevant to you! In this release, we are including two feature previews: event driven architecture and an AWS ECS Fargate deployment method. Now is your chance to try out these upcoming features and give us your feedback. Let us know what you think and what you want to see!

Streamlined IAM Sync with Event Driven Architecture

Enabling event driven architecture can increase performance by reducing the number of queries Kion makes and reducing the time to resolution when changes are made.

Event driven architecture is an alternative to polling architecture that is much better suited for environments at scale. With event driven architecture, service providers report events to us as they happen. Reported events indicate specific accounts that have had changes, so we can update only those specific resources instead of each and every resource. This also means that instead of checking for changes every five minutes, changes are reported right away.

In this release, we implemented event driven architecture for AWS IAM sync, one of the most heavily used microservices. Every time you add an account or role, you increase the number of checks that have to occur with each sync. Listening for changes instead of periodically checking every resource provides a large performance increase and a decrease in resource utilization, allowing IAM sync to scale extremely well.

For more information, see our article Event Driven Architecture. To share your thoughts on the feature, email us at support[at] or join our Slack community and provide your input in the #feature-preview-feedback channel. Let us know where you would like to see event driven architecture implemented next!

Serverless AWS Deployments

We are developing a new deployment method using AWS ECS Fargate to deploy Kion to multiple AWS partitions, including C2S and SC2S environments.

This deployment method offers the benefits that come with containerized deployments, like freeing your infrastructure team from having to manage more server software updates. Isolated workloads, dedicated runtime environments, and built-in monitoring integrations bring security front and center. AWS ECS Fargate is architected to meet many compliance standards, including PCI DSS, ISO, SOC, and HIPAA. This is a great deployment option to choose if you are looking to streamline future security audits.

We recommend only using this method for non-production workloads, while we gather feedback for a GA release.

For more information about the deployment, customers and partners can check out our ECS Deployment Guide. To share your thoughts on the feature, email us at support[at] or join our Slack community and provide your input in the #feature-preview-feedback channel.

That’s Not All! 

These are just the highlights! For details on all of our new features, changes, and bug fixes, visit our Support Center. 

If you're new to Kion, welcome! You can schedule a free demo to learn more about our comprehensive cloud enablement software. You can also follow us on Twitter  and LinkedIn for more cloud enablement news.

About the Author

Emily Wayman

Emily is the technical writer at Kion.

Start your cloud operations journey.

Request a demo today,