# Compliance
Cloud Custodian policy enforcement and compliance standard scanning across all connected clouds.
## Overview
RosettaHub integrates Cloud Custodian -- the open-source cloud security rules engine -- to enforce compliance policies and standards across AWS, Azure, GCP, Alibaba Cloud, OVH, and OpenStack. Policies detect non-compliant resources and can automatically remediate by taking corrective actions on cloud accounts.
Compliance operates at two levels:
- Policies -- individual Cloud Custodian rules targeting specific resource misconfigurations
- Standards -- portfolios of policies grouped under a compliance framework (CIS, HIPAA, ISO 27001, etc.)
Both levels support dry-run mode to preview what would be flagged or changed before applying.
## Cloud Custodian Policies
A Cloud Custodian policy is a YAML-defined rule that targets a cloud resource type, applies filters to detect non-compliance, and optionally takes remediation actions.
### Example Policy
```yaml
policies:
  - name: unencrypted-s3-buckets
    resource: s3
    filters:
      - type: value
        key: "ServerSideEncryptionConfiguration"
        value: absent
    actions:
      - type: notify
        subject: "Unencrypted S3 bucket detected"
        # A runnable Cloud Custodian notify action also requires `to` and
        # `transport` (the delivery queue or topic); they are omitted here.
```
### Policy Attributes
| Attribute | Description |
|---|---|
| Label | Human-readable name |
| Resource | Cloud resource type the policy targets (ec2, s3, rds, etc.) |
| Cloud | Which cloud provider the policy applies to |
| Policy Type | Classification of the policy |
| Compliance Standards | Which standards this policy maps to |
| Original Policy | The raw YAML policy definition |
| RH Policy | The RosettaHub-enriched policy with platform integration |
### Policy Actions
| Action | Description |
|---|---|
| Create Cloud Custodian Policy | Define a new policy from YAML |
| Update Cloud Custodian Policy | Modify an existing policy's YAML definition |
| Clone Cloud Custodian Policy | Create a copy of a policy to customize |
| Execute on Users | Run the policy against specific users' cloud accounts |
| Share | Share the policy with users, groups, or organizations |
| Publish | List the policy on the Marketplace |
| Add to Portfolio | Add the policy to a compliance standard portfolio |
| Customize | Update label and metadata |
| Delete | Remove the policy |
## Compliance Standards
A compliance standard is a portfolio of Cloud Custodian policies grouped under a recognized framework. Executing a standard runs all its constituent policies against the selected cloud accounts.
### Supported Frameworks
| Framework | Description |
|---|---|
| CIS Benchmarks | Cloud infrastructure hardening standards (AWS, Azure, GCP) |
| HIPAA | Safeguards for protected health information |
| ISO 27001 | Information security management system controls |
| NIST SP 800-53 | Security and privacy controls for federal systems |
| SOC 2 | Service organization controls for trust service criteria |
RosettaHub ships 207 Cloud Custodian policies that map to these frameworks.
## Executing Policies and Standards
### On Cloud Accounts
Right-click a cloud account and select from the Compliance menu:
- Execute Cloud Custodian Policy -- select one or more policies, choose target regions, and run
- Execute Compliance Standard -- select one or more standards, choose target regions, and run
Both actions support:
| Option | Description |
|---|---|
| Multi-select policies/standards | Run multiple policies or standards in one execution |
| Region selection | Choose specific regions or select all |
| Dry run | Preview results without making changes (enabled by default) |
### On Users
Policies can also be executed against users, scanning all cloud accounts belonging to the selected users. This is available via the Execute on Users action on a policy.
### Via Roles
Assigning compliance roles to users triggers automatic policy execution on their cloud accounts. This is the preferred approach for continuous enforcement -- when a compliance role is assigned, the associated policies run automatically.
## Execution Output
Every policy execution produces an execution output record with:
| Attribute | Description |
|---|---|
| Cloud Account | Which account was scanned |
| Cloud | Which cloud provider |
| Regions | Which regions were scanned |
| Resources | Non-compliant resources detected |
| Run Log | Detailed execution log |
| Metadata | Execution context and timing |
Use the Cloud Custodian Policy Execution Output view to browse, filter, and drill into results.
## Remediation
Policies can be configured with remediation actions that automatically correct non-compliant resources:
| Remediation Type | Description |
|---|---|
| Notify | Alert administrators about non-compliant resources |
| Tag | Mark non-compliant resources for tracking |
| Stop | Stop running instances that violate policy |
| Modify | Change resource configuration to achieve compliance |
**Dry Run First:** Always test policies in dry-run mode before enabling remediation actions. Remediation can modify or stop cloud resources.
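The following is an added example, not RosettaHub or Cloud Custodian code. It models the `value` filter from the example policy above and the notify, tag and stop remediation types from the table, and shows the dry-run-first workflow: the same policy is run once in dry-run mode (actions only logged) and once enforcing (resources mutated). Real Cloud Custodian resolves `resource: s3` to live API calls and evaluates keys as JMESPath; here the inventories are constructed in-line, dotted key paths stand in for JMESPath, and the `stop-untagged-instances` policy, the `compliance` tag and all resource names are made up for the demonstration.

```python
"""Minimal Cloud Custodian-style policy evaluator with dry-run and remediation.

Added example (not RosettaHub or Cloud Custodian code): the c7n `value`
filter plus notify / tag / stop actions over a constructed inventory.
"""
import copy
import operator
from typing import Any, Callable

_OPS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": operator.eq, "ne": operator.ne, "gt": operator.gt, "gte": operator.ge,
    "lt": operator.lt, "lte": operator.le,
    "in": lambda a, b: a in b, "not-in": lambda a, b: a not in b,
}
_MISSING = object()  # sentinel: the key path did not resolve on the resource

# Constructed: the page's YAML policy as loaded, plus a tag action so an
# enforcing run leaves a visible mark. A real notify also needs to/transport.
UNENCRYPTED_S3 = {
    "name": "unencrypted-s3-buckets",
    "resource": "s3",
    "filters": [{"type": "value", "key": "ServerSideEncryptionConfiguration", "value": "absent"}],
    "actions": [
        {"type": "notify", "subject": "Unencrypted S3 bucket detected"},
        {"type": "tag", "key": "compliance", "value": "unencrypted"},
    ],
}
# Constructed (hypothetical) policy: stop running instances with no owner tag.
# Filters are ANDed, as in Cloud Custodian.
UNTAGGED_EC2_STOP = {
    "name": "stop-untagged-instances",
    "resource": "ec2",
    "filters": [
        {"type": "value", "key": "State.Name", "value": "running"},
        {"type": "value", "key": "Tags.owner", "value": "absent"},
    ],
    "actions": [{"type": "stop"}],
}
# Constructed sample inventories (names are made up).
SAMPLE_BUCKETS = [
    {"Name": "logs-prod", "ServerSideEncryptionConfiguration": {"Rules": [{"SSEAlgorithm": "AES256"}]}},
    {"Name": "scratch-dev"},
    {"Name": "exports-legacy", "Tags": {"owner": "data"}},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "Tags": {"owner": "alice"}},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc", "State": {"Name": "stopped"}},
]

def lookup(resource: dict, key: str) -> Any:
    """Resolve a dotted key path such as 'State.Name'; _MISSING if any segment is absent."""
    cur: Any = resource
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur

def value_filter(flt: dict, resource: dict) -> bool:
    """absent/present checks first, otherwise an op comparison (default eq)."""
    if flt.get("type", "value") != "value":
        raise NotImplementedError(f"filter type {flt['type']!r} not modelled here")
    actual, expected = lookup(resource, flt["key"]), flt.get("value")
    if expected == "absent":
        return actual is _MISSING
    if expected == "present":
        return actual is not _MISSING
    return actual is not _MISSING and _OPS[flt.get("op", "eq")](actual, expected)

def _ident(resource: dict) -> str:
    return resource.get("Name") or resource.get("InstanceId") or "?"

def apply_action(action: dict, resource: dict, dry_run: bool, log: list[str]) -> None:
    """Dry run only records what would happen; otherwise the resource is changed in place."""
    kind, name = action["type"], _ident(resource)
    prefix = "DRY-RUN would " if dry_run else ""
    if kind == "notify":
        log.append(f"{prefix}notify: {action.get('subject', '')} ({name})")
    elif kind == "tag":
        log.append(f"{prefix}tag {name} {action['key']}={action['value']}")
        if not dry_run:
            resource.setdefault("Tags", {})[action["key"]] = action["value"]
    elif kind == "stop":
        log.append(f"{prefix}stop {name}")
        if not dry_run:
            resource["State"] = {"Name": "stopped"}
    else:
        log.append(f"skip: action {kind!r} not modelled ({name})")

def execute(policy: dict, resources: list[dict], dry_run: bool = True) -> dict:
    """Run one policy; returns a record shaped like the execution output described above."""
    log = [f"policy={policy['name']} resource={policy['resource']} dry_run={dry_run}"]
    flagged = [r for r in resources if all(value_filter(f, r) for f in policy.get("filters", []))]
    for r in flagged:
        for action in policy.get("actions", []):
            apply_action(action, r, dry_run, log)
    return {"policy": policy["name"], "dry_run": dry_run,
            "resources": [_ident(r) for r in flagged], "run_log": log}

def run_demo() -> dict:
    """Dry run first, then enforce, on deep copies of the constructed inventories."""
    buckets, instances = copy.deepcopy(SAMPLE_BUCKETS), copy.deepcopy(SAMPLE_INSTANCES)
    preview = execute(UNENCRYPTED_S3, buckets, dry_run=True)
    untouched = "Tags" not in buckets[1]  # the dry run must not have tagged anything
    enforced = execute(UNENCRYPTED_S3, buckets, dry_run=False)
    stopped = execute(UNTAGGED_EC2_STOP, instances, dry_run=False)
    return {"preview": preview, "untouched": untouched, "enforced": enforced,
            "stopped": stopped, "buckets": buckets, "instances": instances}

if __name__ == "__main__":
    for line in run_demo()["preview"]["run_log"]:
        print(line)
```

The preview run lists `scratch-dev` and `exports-legacy` as non-compliant and logs `DRY-RUN would tag ...` without touching either bucket; only the enforcing run adds the tag, and only the running instance without an owner tag is stopped. Keeping the evaluation and the mutation in separate code paths is what makes the dry-run result a faithful preview of the enforcing run.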
## Compliance Posture Dashboard
*Coming 2026*
A dashboard-driven view of compliance posture is in development, extending the existing policy enforcement with:
- Per-framework scores -- percentage of controls passing for each compliance standard
- Trend tracking -- compliance score changes over time
- Drill-down -- from aggregate score to individual failing controls to specific resources
- Organization-wide view -- compliance across sub-organizations and projects
- Scheduled scans -- configure scan frequency (hourly, daily, weekly)
- Exemption management -- document and track accepted risks
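The following is an added example, not RosettaHub code, showing how per-framework scores, drill-down, trend tracking and exemptions from the list above can be derived from execution-output records shaped like the Execution Output table (cloud account, regions, non-compliant resources) together with a policy-to-standard mapping like the Compliance Standards attribute. The framework names are the page's; the policy names, accounts, resources, timestamps and the exemption are constructed. A control is taken to pass for a cloud account when the latest execution output of that policy for that account lists no non-compliant resource that is not a documented exemption; that scoring rule is an assumption of this example, not a description of the planned dashboard.

```python
"""Per-framework compliance scores from policy execution outputs.

Added example (not RosettaHub code). Scoring rule assumed here: a
(policy, account) pair passes when its latest run has no open findings.
"""
from collections import defaultdict
from typing import Optional

FRAMEWORKS = ["CIS Benchmarks", "HIPAA", "ISO 27001", "NIST SP 800-53", "SOC 2"]

# Constructed policy -> standards mapping (the "Compliance Standards" attribute).
POLICY_STANDARDS = {
    "unencrypted-s3-buckets": ["CIS Benchmarks", "HIPAA"],
    "rds-public-access": ["CIS Benchmarks", "HIPAA", "SOC 2"],
    "cloudtrail-enabled": ["CIS Benchmarks", "SOC 2"],
    "mfa-root-account": ["CIS Benchmarks"],
}

def _rec(policy: str, account: str, resources: list[str], finished: str) -> dict:
    """Build a constructed execution-output record."""
    return {"policy": policy, "cloud_account": account, "cloud": "aws",
            "regions": ["us-east-1"], "resources": resources, "finished": finished}

# Constructed records. rds-public-access on acct-prod failed on 06-01 and passed
# on 06-02, so only the later run counts for the current score.
EXECUTION_OUTPUTS = [
    _rec("unencrypted-s3-buckets", "acct-prod", ["scratch-dev"], "2025-06-02T09:00:00Z"),
    _rec("rds-public-access", "acct-prod", ["db-reporting"], "2025-06-01T09:00:00Z"),
    _rec("rds-public-access", "acct-prod", [], "2025-06-02T09:00:00Z"),
    _rec("cloudtrail-enabled", "acct-prod", [], "2025-06-02T09:00:00Z"),
    _rec("mfa-root-account", "acct-prod", ["root"], "2025-06-02T09:00:00Z"),
    _rec("unencrypted-s3-buckets", "acct-dev", [], "2025-06-02T09:00:00Z"),
    _rec("rds-public-access", "acct-dev", ["db-analytics"], "2025-06-02T09:00:00Z"),
]

# Constructed accepted risk (exemption management): (policy, resource) -> reason.
EXEMPTIONS = {("mfa-root-account", "root"): "break-glass account, hardware token held offline"}

def latest_outputs(outputs: list[dict], as_of: Optional[str] = None) -> list[dict]:
    """Most recent record per (policy, account), optionally as of a point in time.
    ISO-8601 UTC timestamps compare correctly as strings."""
    latest: dict[tuple[str, str], dict] = {}
    for rec in outputs:
        if as_of is not None and rec["finished"] > as_of:
            continue
        key = (rec["policy"], rec["cloud_account"])
        if key not in latest or rec["finished"] > latest[key]["finished"]:
            latest[key] = rec
    return list(latest.values())

def open_findings(rec: dict, exemptions: dict) -> list[str]:
    """Non-compliant resources from one record minus documented exemptions."""
    return [r for r in rec["resources"] if (rec["policy"], r) not in exemptions]

def compliance_scores(outputs: list[dict], mapping: dict, exemptions: Optional[dict] = None,
                      as_of: Optional[str] = None) -> dict:
    """Per-framework percentage of (policy, account) controls passing.
    Frameworks with no mapped policy get total 0 and score None, not 100."""
    exemptions = exemptions or {}
    tally = {fw: {"passing": 0, "total": 0, "score": None} for fw in FRAMEWORKS}
    for rec in latest_outputs(outputs, as_of):
        passed = not open_findings(rec, exemptions)
        for fw in mapping.get(rec["policy"], []):
            tally[fw]["total"] += 1
            tally[fw]["passing"] += int(passed)
    for t in tally.values():
        if t["total"]:
            t["score"] = round(100 * t["passing"] / t["total"], 1)
    return tally

def drill_down(outputs: list[dict], mapping: dict, framework: str,
               exemptions: Optional[dict] = None) -> dict:
    """framework -> failing policy -> account -> open non-compliant resources."""
    exemptions = exemptions or {}
    failing: dict[str, dict[str, list[str]]] = defaultdict(dict)
    for rec in latest_outputs(outputs):
        if framework not in mapping.get(rec["policy"], []):
            continue
        found = open_findings(rec, exemptions)
        if found:
            failing[rec["policy"]][rec["cloud_account"]] = found
    return dict(failing)

def trend(outputs: list[dict], mapping: dict, framework: str, checkpoints: list[str],
          exemptions: Optional[dict] = None) -> list:
    """Score of one framework at each checkpoint, for trend tracking."""
    return [compliance_scores(outputs, mapping, exemptions, as_of=t)[framework]["score"]
            for t in checkpoints]

if __name__ == "__main__":
    for fw, t in compliance_scores(EXECUTION_OUTPUTS, POLICY_STANDARDS, EXEMPTIONS).items():
        print(f"{fw}: {t['score']} ({t['passing']}/{t['total']})")
    print(drill_down(EXECUTION_OUTPUTS, POLICY_STANDARDS, "CIS Benchmarks", EXEMPTIONS))
```

With the constructed data, CIS Benchmarks scores 66.7% (4 of 6 controls) once the exempted root-account finding is discounted and 50.0% without the exemption, while ISO 27001 and NIST SP 800-53 report no score because no policy maps to them; reporting `None` rather than 100% for an unmeasured framework avoids a misleadingly green dashboard.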
## Related Topics
- Cloud Operations Overview -- The governance layer of the Supercloud
- The Portal — Compliance Roles -- Assign compliance policies via roles
- Portfolios -- Standards are portfolios of policies
- Sharing -- Share policies and standards across organizations