Misconfigurations (formerly Compliance Scorecard)
Copy link

The Misconfigurations page helps you quickly identify resources that are most at risk, have a security impact, or affect your compliance goals. You can also create Exceptions and view remediation details directly from the interface to streamline misconfiguration management.

ℹ️

New experience available

Clicking the Switch to Modern UI button in the top right corner replaces the Compliance Scorecard with the Misconfigurations page. The Compliance Scorecard (Legacy UI) is on by default and you can toggle between the interfaces at anytime. The Misconfigurations page is designed to make compliance workflows faster, more consistent, and easier to use without losing any of your current functionality, including exports. With Misconfigurations, you can:

  • Diagnose misconfigurations more efficiently in the context of the standards that matter most.
  • Visualize Exception status to streamline reviews and remediation.
  • Gain increased performance for quicker risk analysis and compliance posture checks.
  • Manage cloud infrastructure more effectively with improved tag visibility.

Prerequisites
Copy link

Before using the Misconfigurations page, make sure at least one cloud account is connected to InsightCloudSec. While not required, it’s helpful to understand Insights and Compliance Packs.

Explore misconfigurations
Copy link

In InsightCloudSec, a misconfiguration is a resource with security configuration that results in an Insight finding. There’s a large variety of Insights for all resource and cloud account types. Insights also provide criteria for Compliance Packs, which can be used to audit your environment.

To view your misconfigurations:

  1. Log in to InsightCloudSec.
  2. Go to Security > Misconfigurations.

You can filter the displayed resources using:

  • Filters: Select an item or status and click Apply.
  • Scopes: Select a scope, including cloud accounts, badges, or compliance packs and click Apply Scope.

The filter options change based on the current display:

  • By Resource (default): Resources are shown. Expand a resource to see its Insight findings.
  • By Insight: Insights are shown, but scopes are unavailable. Expand an Insight to view affected resources.

Share and take action on misconfigurations
Copy link

The Misconfigurations page provides many options for sharing and remediating misconfigurations, reducing the time it takes to assess and take ownership of remediation activities.

View resource details

Click a resource name or switch to Display By: Resource and click Action (…) > View Resource Details. To learn more about resources and their properties, see Resources.

Share misconfigurations

To download the Misconfiguration Report:

  1. Go to Security > Misconfigurations.
  2. Filter or scope the view if needed. If you do not filter or scope the page, InsightCloudSec generates the scorecard against all cloud accounts and resource types.
  3. Click Share > Download (Excel).
  4. Select one or more Compliance Packs. If you select more than one, InsightCloudSec generates a scorecard for each Compliance Pack.
  5. Optionally, include tags or badges, which adds respective columns to the sheet.
  6. Click Download. Your browser downloads the files.

The Misconfiguration Report is a large downloadable file that compiles Insight performance data for the resources in a selected group of cloud accounts. The report includes:

  • Overview: A summary of the scorecard and its contents, including what Compliance Pack was used, the number of findings, and the severity of the findings.
  • Clouds | Clusters Scorecard: A heatmap of how well the selected cloud accounts are configured for the selected Compliance Pack.
  • Impacted Resources: A list of resources that are misconfigured for the selected Compliance Pack.
  • Exempt Resources: A list of resources that are exempt from one or more of the Insights in the selected Compliance Pack. See Exempt resources from misconfigurations for more information on Exceptions.
  • Insight Notes: Detailed notes and remediation details for the Insights in the selected Compliance Pack.
  • Cloud Results: A list of cloud accounts assessed for the Misconfiguration Report as well as their overall performance.

To generate a shareable link:

  1. Go to Security > Misconfigurations.
  2. Filter or scope the page if needed.
  3. Click Share > Generate Share Link.
  4. Select a Compliance Pack if needed.
  5. Enter a name for the link.
  6. Click Generate, then View or copy the link.
⚠️

Link requirements

Opening the link requires InsightCloudSec access and Domain Admin or Organization Admin permissions in your ICS Organization.

To download a list of misconfigured resources:

  1. Go to Security > Misconfigurations.
  2. Filter or scope the page if needed.
  3. Switch to Display By: Insight.
  4. Click Action (…) > Download All. Your browser downloads the file. The file contains a list of resources that are misconfigured for the selected Insight.

Subscribe to misconfigurations

ℹ️

Need to manage existing subscriptions?

After you create a subscription, you can reconfigure it, delete it, or run it on demand from the Manage Subscriptions page. Cloud storage subscriptions also have the option to validate settings and to be toggled on or off. From the Misconfigurations page, click Share > Manage Subscriptions.

To create an email subscription:

  1. Go to Security > Misconfigurations.
  2. Filter or scope the page if needed.
  3. Click Share > Create Email Subscription.
  4. Select a Compliance Pack. If you scoped to a Compliance Pack, it will automatically be selected.
  5. Enter a Subscription Name.
  6. Select Recipient Email Addresses. The email subscription can only go to an existing user in InsightCloudSec.
  7. Configure the Email Frequency as needed.
  8. Optionally, include tags or badges, which adds respective columns to the sheet.
  9. Click OK.

To create a cloud storage subscription:

  1. Go to Security > Misconfigurations.
  2. Filter or scope the page if needed.
  3. Click Share > Create Cloud Storage Subscription.
  4. Select a Compliance Pack. If you scoped to a Compliance Pack, it will automatically be selected.
  5. Enter an Export Name.
  6. Select a Storage Container Resource. The cloud storage container must be already harvested by InsightCloudSec, which means it appears in the Resources Inventory.
  7. Optionally, enter a Storage Container Prefix to change the path for subscription delivery. By default, the subscription is sent to the root level of the container.
  8. Optionally, include tags or badges, which adds respective columns to the sheet.
  9. Optionally, select to export the subscription as an .xlsx file (the default is a .zip file).
  10. Click OK. The Misconfiguration Report is delivered at 3:00 (UTC) every day.

Take action on misconfigurations

To manage tags:

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Resource.
  3. Filter or scope the page if needed.
  4. Next to a resource, click Action (…) > Manage Tag(s). The resource properties panel opens to the Tags tab.
  5. Add or remove tags as needed.

To assign ownership:

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Resource.
  3. Filter or scope the page if needed.
  4. Next to a resource, click Action (…) > Assign Owner.
  5. Select an InsightCloudSec user to associate as an owner.
  6. Click OK.

To view contextual cloud account-based actions:

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Resource.
  3. Filter or scope the page if needed.
  4. Next to a resource, click Action (…) > View Resource Actions.

Actions relevant to the selected resource appear. The cloud account associated with the resource needs special permissions (referred to as an Automation Full Access policy or role) to perform any of these actions.

To create a Bot for an Insight:

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Insight.
  3. Filter or scope the page if needed.
  4. Next to a resource, click Action (…) > Create Bot. The Create Bot page opens with some information already provided.

See Creating a Bot for more instructions.

To view remediation details:

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Insight.
  3. Filter or scope the page if needed.
  4. Next to a resource, click Action (…) > View Remediation Details. The Insight Information panel opens.

Exempt resources from misconfigurations
Copy link

Exceptions exclude a resource from being assessed by a specific Insight. Use Exceptions for compliant resources that do not require further evaluation. You can view all existing Exceptions and manage them from the Exceptions page.

Exempt a resource (Display By: Resource)

To create an Exception (select an Insight):

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Resource.
  3. Optionally, filter or scope the page as necessary.
  4. Next to a resource, click Action > Create Exception.
  5. Select an Insight.
  6. Select a Start Date.
  7. Optionally, select an Expiration Date.
  8. Enter an Approver Email.
  9. Optionally, enter Notes.
  10. Click Create. The Exception is created.

To create an Exception for a resource:

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Resource.
  3. Optionally, filter or scope the page as necessary.
  4. Expand a resource.
  5. Next to an Insight, click Action > Create Exception.
  6. Select a Start Date.
  7. Optionally, select an Expiration Date.
  8. Enter an Approver Email.
  9. Optionally, enter Notes.
  10. Click Create. The Exception is created.

To create multiple Exceptions for a resource:

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Resource.
  3. Optionally, filter or scope the page as necessary.
  4. Expand a resource.
  5. Select as many Insights as desired.
  6. Click Create Exception.
  7. Select a Start Date.
  8. Optionally, select an Expiration Date.
  9. Enter an Approver Email.
  10. Optionally, enter Notes.
  11. Click Create. The Exceptions are created.

Exempt a resource (Display By: Insight)

To create an Exception for an Insight:

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Insight.
  3. Optionally, filter or scope the page as necessary.
  4. Expand an Insight.
  5. Next to a resource, click Action > Create Exception.
  6. Select a Start Date.
  7. Optionally, select an Expiration Date.
  8. Enter an Approver Email.
  9. Optionally, enter Notes.
  10. Click Create. The Exception is created.

To create multiple Exceptions for an Insight:

  1. Go to Security > Misconfigurations.
  2. Switch to Display By: Insight.
  3. Optionally, filter or scope the page as necessary.
  4. Expand an Insight.
  5. Select as many resources as desired.
  6. Click Create Exception.
  7. Select a Start Date.
  8. Optionally, select an Expiration Date.
  9. Enter an Approver Email.
  10. Optionally, enter Notes.
  11. Click Create. The Exceptions are created.

Use the Compliance Scorecard (legacy UI)
Copy link

Legacy UI details

The Cloud Security (InsightCloudSec) Compliance Scorecard audits compliance and identifies risks in your cloud environment in a simple, transparent way. It can assist teams of all types (auditors, operations, security teams, and managers) in identifying areas with possible compliance issues and provide guidance for acting appropriately on the right resources to mitigate those issues. Using a heatmap visual, summaries, and non-compliance history details, you can see where resources are failing these compliance checks.

Prerequisites
Copy link

Before you get started with the Compliance Scorecard, you need at least one cloud account connected to Cloud Security (InsightCloudSec). While not required, having some custom badges or custom Insight packs already created can be helpful when filtering for the Compliance Scorecard. It’s also helpful to have a basic understanding of Insights and Compliance Packs in Cloud Security (InsightCloudSec).

Generate a scorecard
Copy link

The Compliance Scorecard is generated dynamically based on the filters selected. The only required filter is an Insight Pack (also known as a Compliance Pack).

To generate the scorecard:

  1. Log into Cloud Security (InsightCloudSec).
  2. Go to Security > Compliance Scorecard.
  3. Select an Insight Pack in the Insight Filters section.
  4. Optionally, add severities, resource types, and Insights to filter the results.
  5. Optionally, add a Resource Filter. You can only add one type of Resource Filter.
  6. Click Apply. The Compliance Heatmap loads.
⚠️

Scorecards do not persist

If you leave this page, the scorecard is removed, so when you return, you’ll have to regenerate the scorecard. If you’d like to easily return to the scorecard, you should export it.

Understand a scorecard
Copy link

The Compliance Scorecard consists of a few different views that are all accessed from the Compliance Heatmap. The Compliance Heatmap lists your scoped cloud accounts (or cloud filters) on the y-axis (vertical) and your Insights (as determined by the selected Insight Pack and any additional filtering) along the x-axis (horizontal). Where each cloud account intersects with an Insight, you’ll find a square with a color that expresses the cloud account’s Insight compliance as a percentage. The following is a list of important features to note when interacting with the heatmap:

  • Point your mouse cursor to a square to display a summary of the impacted resources in the cloud account.
  • Click a square to open a report card for the intersection of a particular cloud account and Insight, which includes a list of noncompliant resources for the particular cloud account, an overview of the Insight, and remediation details.
  • Click a cloud account name to open a list of report cards for the cloud account. Click an Insight to open the report card for that Insight.
  • Click an Insight name to open a report card for the Insight, which includes a list of noncompliant resources across all cloud accounts, an overview of the Insight, and remediation details.
ℹ️

Noncompliant resource actions

From the list of noncompliant resources, you can download the data, create a Bot to fix the noncompliance, or create an Exception.

Export a scorecard
Copy link

After generating your scorecard, you can export the data in a few different ways from the Options menu:

ℹ️

Need to manage an existing subscription?

After you create a subscription, you can reconfigure or delete it or you can send it on demand from the Manage Subscriptions page. Cloud storage subscriptions also have the option to validate settings and to be toggled on or off. From the Compliance Scorecard page, click Options > Manage Subscriptions.

Microsoft Excel download

You can download the currently configured scorecard as an Microsoft Excel file from the main filtering menu and from the Report Card view for impacted resources. All Insights for the selected pack will be downloaded and are not limited to selected severities, badges, or resource types. This download option has data size limitations: if your report is too large, you will not be able to download the file.

ℹ️

Percentage of Compliance

In the interface, the scorecard is displayed as Insights (along the x-axis) vs. Cloud accounts (along the y-axis). In the Compliance Export, however, the reverse is true: Cloud accounts are on the X-axis and Insights along the Y-Axis.

The calculation of percent compliance, though, is the same in both cases. This percentage is calculated as 1 minus the ratio of noncompliant resources to total resources checked against that insight, and the ratio is then multiplied by 100 to obtain a percentage. For example, if a field has 50 impacted (noncompliant) resources out of a total of 1000 assessed resources for an Insight, the compliance for the assessed resources is therefore (1 - [50/1000])*100, or 95%. This field would be color-coded yellow, indicating a compliance level of between 95% and 99%.

To download a Microsoft Excel file:

  1. From the Compliance Scorecard page, generate a scorecard.
  2. Click Options > Download (Excel). A file downloads asynchronously.

Email subscription

You can send the currently configured scorecard as an email on a regular basis. When the email is sent, it has a short message along with an attached Microsoft Excel file.

To create an email subscription:

  1. From the Compliance Scorecard page, generate a scorecard.
  2. Click Options > Create Email Subscription.
  3. Provide a Subscription Name.
  4. Optionally, provide a Description.
  5. Add Recipient Email Addresses to send the email to.
  6. Select an Email Frequency.
  7. Optionally, include tags or badges. These are represented as columns in the Excel file included with the email.
  8. Click Subscribe.

Cloud storage subscription

You can send the currently configured scorecard to a cloud storage container (for example: AWS S3 bucket, GCP Cloud Storage) on a regular basis. By default, the scorecard is sent as a Microsoft Excel file in a .zip archive. The cloud storage container must be already harvested by Cloud Security (InsightCloudSec), which means it appears in the Resources Inventory.

To create a cloud storage subscription:

  1. From the Compliance Scorecard page, generate a scorecard.
  2. Click Options > Create Cloud Storage Subscription.
  3. Provide an Export Name.
  4. Select a cloud storage container Resource to send the scorecard to.
  5. Optionally, provide a Prefix to store the scorecard in. If no prefix is provided, the scorecard will be stored at the root level of the container.
  6. Optionally, include tags or badges. These are represented as columns in the Excel file.
  7. Optionally, select Export to storage container as .xlsx file to not send the file in a .zip archive.
  8. Click Create. The export runs every day at 03:00 UTC.