Audit your environment with Compliance Manager

Compliance Manager lets you run audits against frameworks so that you can understand the state of compliance of your Google Cloud environment. Auditing your environment lets you complete the following:

  • Automate compliance assessments to evaluate how well your Google Cloud workloads align with your compliance obligations.
  • Collect evidence for compliance audits.
  • Identify gaps to help remediate violations.

Compliance Manager can provide assessments for any Google Cloud folder or project.

The auditing process creates the following artifacts that Compliance Manager stores in Cloud Storage buckets:

  • An audit summary report that provides the following:
    • An overview of how well your folder or project aligns with the cloud controls in a framework.
    • A responsibilities matrix to help you understand your shared responsibilities with Google.
  • A control overview report that describes the results of the evaluation for a specific cloud control. This report provides assessment details for each compliance check, including observations and expected values.
  • The evidence used to create the report, which includes all the resources evaluated for each cloud control, including a raw dump of asset data.

Before you begin

Enroll resources

Before you can audit your environment, you must enroll the organization, folders, or projects that you want to audit and specify a Cloud Storage bucket. Compliance Manager stores the audit data in the Cloud Storage bucket.

  1. In the console, go to the Compliance page.

    Go to Compliance

  2. Select your organization.

  3. In the Audit (Preview) tab, click Audit settings.

  4. Find the projects or folders that you want to audit.

  5. Click Enroll. Inheritance works as follows:

    • If you enroll an organization, you can audit all folders and projects.
    • If you enroll a folder, you can audit the folders and projects within that folder.
  6. Select the Cloud Storage bucket that you want to use to store audit data, or create a new bucket.

  7. Click Enroll.

Update your resource enrollment

You can change the Cloud Storage bucket after you enroll a resource.

  1. In the console, go to the Compliance page.

    Go to Compliance

  2. Select your organization.

  3. In the Audit (Preview) tab, click Audit settings.

  4. Find the project or folder that you want to change.

  5. Click Update.

  6. Modify the bucket information.

  7. Click Enroll.

Audit your environment

Complete the following steps to start an audit of a folder or project.

  1. In the console, go to the Compliance page.

    Go to Compliance

  2. Select your organization.

  3. In the Audit (Preview) tab, click Run audit.

  4. Select the resource that you want to audit. You can select only one folder or project for each audit.

  5. Select an applied framework.

  6. Select the location where the audit assessment must be processed. For the list of supported locations, see Audit locations for Compliance Manager. If you don't see the location that you're looking for, select global. Click Next.

  7. Review the assessment plan. This plan provides information about the audit scope based on the framework that you selected. To download the OpenDocument Spreadsheet (ODS) file, click the link.

  8. Click Next.

  9. Select the Cloud Storage bucket that you want to store your audit reports in. Click Done.

  10. Click Run Audit. The audit might take some time to complete. Refresh the main Audit page to view progress.

To watch for changes to the Cloud Storage bucket, you can set up notifications using an event-driven function or Pub/Sub.

View audit information

When an audit is completed, Compliance Manager creates and stores the artifacts in the destination storage buckets for you to view.

  1. In the console, go to the Compliance page.

    Go to Compliance

  2. Select your organization.

  3. In the Audit (Preview) tab, to view the audit summary, click the link in the Status column.

    The Basic information page displays information about the compliance controls in scope and the status of the automated compliance checks:

    • Compliant: Shows the configurations that meet all the requirements.
    • Violations: Shows the misconfigurations that are detected against a given control.
    • Manual review needed: Shows the configurations that you must validate manually to determine whether they are compliant. These configurations require user input to prove compliance and process control.
    • Skipped: Shows the configurations that Compliance Manager skipped for a given control.
  4. Depending on the type of audit information you want to view, follow the instructions in the corresponding tab.

    Audit summary report

    1. To see the details of a status, click View.
    2. To export the audit summary report, click Export.

      The audit summary report is exported in the ODS format.

    Control overview report

    You can view the control overview report based on a control or status.

    To view the control overview page based on a control, do the following:

    1. In the filtered list, expand the required control.

    2. Click the corresponding hyperlink. The control page shows the responsibility, findings, and requirements.

    To view the control overview report based on a status, do the following:

    1. For the required status, click View.

    2. From the list of controls, click the required hyperlink. The control overview page shows the responsibility, findings, and requirements.

    To export the control overview report, click Export. The control overview report is exported in the ODS format.

    Evidence

    You can view the evidence based on control or status.

    To view the evidence based on a control, do the following:

    1. Expand the required control.

    2. To view the detailed compliance assessment against each rule, click the corresponding hyperlink.

    The controls page shows the responsibility, findings, and requirements.

    To view the evidence based on a status, do the following:

    1. For the required status, click View.

    2. From the list of controls, click the required hyperlink.

    The controls page shows the responsibility, findings, and requirements.

    To view the evidence for a finding, in the filtered list, click Click here to open the evidence. The Object details page with the evidence details opens in a separate tab.

    To download the evidence, click Download. The evidence is downloaded in JSON format.

Alternatively, you can download the required report and evidence directly from the destination storage bucket. For more information, see Download an object from a bucket.

Audit summary report

The audit summary report is a comprehensive report that provides an overview of all compliance controls and a responsibilities matrix to help you understand the compliance of the Google Cloud folder or project. The audit summary report is available in OpenDocument Spreadsheet (ODS) format.

In the destination storage bucket, the audit summary report uses the following naming convention:

audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/overall_report.ods

The values are the following:

  • FRAMEWORK_NAME: the name of the framework.
  • TIMESTAMP: a timestamp that indicates when the report was generated.
  • UNIQUE_ID: a unique ID for the report.

For each applicable control type, the following fields are populated in the audit summary report:

  • Control Info: A description and requirement for the control.
  • Google Responsibility: Google Cloud responsibility and implementation details.
  • Customer Responsibility: Your responsibility and implementation details.
  • Assessment Status: Status of compliance for the control. Status can be one of the following types:
    • Non-Compliant: Compliance drift detected.
    • Compliant: System is compliant.
    • Manual Review Needed: Artifacts are produced but user input is required to finalize the status of compliance.
    • Skipped: Compliance Manager can't evaluate the cloud control.
  • Control Report Link: A link to the control overview report.

Control overview report

A control overview report contains a detailed description of the compliance evaluation for a single control. The report provides assessment details for each compliance check with observations and expected values.

In the destination storage bucket, the control overview report uses the following naming convention:

audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/CONTROL_ID.ods

The values are the following:

  • FRAMEWORK_NAME: the name of the framework.
  • TIMESTAMP: a timestamp that indicates when the report was generated.
  • UNIQUE_ID: a unique ID for the report.
  • CONTROL_ID: the ID for the control.

Within the report, dates use the MM/DD/YYYY format.

A control overview report looks similar to the following example:

Control ID: COMPLIANT

The report has the following columns:

  • Service name: Total services in scope for this control.
  • # of resources: Total resources in audit scope.
  • Status: Compliance status.
  • Resource Evaluation Details, which contains the following columns:
    • Resource ID: Resource identifier.
    • Measured Field: Configuration to be measured for audit.
    • Current Value: Observed values.
    • Expected Value: Compliant values.
    • Status: Individual compliance status.
    • Evidence Resource URI
    • Evidence Timestamp: Timestamp when evidence was collected.
    • Evidence for Project/Folder
    • Evidence Link

Service name            | # of resources | Status    | Resource ID    | Measured Field | Current Value | Expected Value | Status    | Evidence Resource URI | Evidence Timestamp  | Evidence for Project/Folder | Evidence Link
product1.googleapis.com | 2              | COMPLIANT | folder_123456  | abc            | 10            | >=10           | COMPLIANT | Resource 1            | 01/01/2025 12:55:16 | Project 1                   | Link 1
                        |                |           |                | def            | 15            | =15            | COMPLIANT | Resource 4            | 12/05/2024 13:55:16 | Project 1                   | Link 4
                        |                |           | project_123456 | xyz            | 20            | =20            | COMPLIANT | Resource 2            | 12/05/2024 14:55:16 | Project 1                   | Link 2
product2.googleapis.com | 1              | COMPLIANT | project_123456 | def            | 5             | >=5            | COMPLIANT | Resource 3            | 12/05/2024 15:55:16 | Project 1                   | Link 3

Evidence

Evidence includes all the resources evaluated for each control, including a raw dump of asset data along with the command that was run to produce the output.

In the destination storage bucket, evidence is in JSON format and uses the following naming convention:

audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/evidences/evidenceEVIDENCE_ID.json

The values are the following:

  • FRAMEWORK_NAME: the name of the framework.
  • TIMESTAMP: a timestamp when the report was generated.
  • UNIQUE_ID: a unique ID for the report.
  • EVIDENCE_ID: a unique ID for the evidence.
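The three object-naming conventions above (audit summary report, control overview report, and evidence) together with the Pub/Sub notification option mentioned in the audit procedure can be handled by one small subscriber. The following Python is an added example, not Compliance Manager's or Google's own code. It assumes the notification arrives as a Cloud Storage Pub/Sub message whose attributes include eventType, bucketId, and objectId, and it assumes that TIMESTAMP contains no underscore, so the framework name ends at the last underscore of the directory name; the page does not state either detail. The sample notifications at the bottom are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Object-name layout described on this page:
#   audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/overall_report.ods
#   audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/CONTROL_ID.ods
#   audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/evidences/evidenceEVIDENCE_ID.json
# Assumption (not stated on the page): TIMESTAMP has no underscore, so the framework
# name is everything between "audit_" and the last underscore of the directory name.
_RUN_DIR = re.compile(
    r"^audit-reports/audit_(?P<framework>[^/]+)_(?P<timestamp>[^_/]+)/"
    r"(?P<unique_id>[^/]+)/(?P<leaf>.+)$"
)
_EVIDENCE_LEAF = re.compile(r"^evidences/evidence(?P<evidence_id>[^/]+)\.json$")
_CONTROL_LEAF = re.compile(r"^(?P<control_id>[^/]+)\.ods$")


@dataclass(frozen=True)
class AuditArtifact:
    kind: str  # "summary", "control", or "evidence"
    framework: str
    timestamp: str
    unique_id: str
    control_id: Optional[str] = None
    evidence_id: Optional[str] = None


def parse_audit_object(object_name: str) -> Optional[AuditArtifact]:
    """Classify a bucket object name by the audit-report naming conventions."""
    m = _RUN_DIR.match(object_name)
    if not m:
        return None
    base = dict(framework=m["framework"], timestamp=m["timestamp"], unique_id=m["unique_id"])
    leaf = m["leaf"]
    if leaf == "overall_report.ods":  # checked first so it is never read as a control ID
        return AuditArtifact(kind="summary", **base)
    e = _EVIDENCE_LEAF.match(leaf)
    if e:
        return AuditArtifact(kind="evidence", evidence_id=e["evidence_id"], **base)
    c = _CONTROL_LEAF.match(leaf)
    if c:
        return AuditArtifact(kind="control", control_id=c["control_id"], **base)
    return None  # something else landed in the bucket; not an audit artifact


def handle_notification(attributes: Dict[str, str], audit_bucket: str) -> Optional[AuditArtifact]:
    """Filter one Cloud Storage Pub/Sub notification down to audit artifacts.

    `attributes` is the Pub/Sub message attribute map; Cloud Storage sets
    eventType, bucketId and objectId on every notification it publishes.
    """
    if attributes.get("eventType") != "OBJECT_FINALIZE":
        return None  # ignore deletes, archives and metadata updates
    if attributes.get("bucketId") != audit_bucket:
        return None  # a topic can receive notifications from several buckets
    return parse_audit_object(attributes.get("objectId", ""))


def group_by_run(artifacts: Iterable[AuditArtifact]) -> Dict[str, List[AuditArtifact]]:
    """Collect the artifacts of each audit run, keyed by its UNIQUE_ID."""
    runs: Dict[str, List[AuditArtifact]] = {}
    for artifact in artifacts:
        runs.setdefault(artifact.unique_id, []).append(artifact)
    return runs


# Constructed sample notifications (attribute maps only; hypothetical bucket and names).
SAMPLE_BUCKET = "example-audit-bucket"
SAMPLE_NOTIFICATIONS = [
    {"eventType": "OBJECT_FINALIZE", "bucketId": SAMPLE_BUCKET,
     "objectId": "audit-reports/audit_EXAMPLE_FW_20250101T125516/run-001/overall_report.ods"},
    {"eventType": "OBJECT_FINALIZE", "bucketId": SAMPLE_BUCKET,
     "objectId": "audit-reports/audit_EXAMPLE_FW_20250101T125516/run-001/CTRL-42.ods"},
    {"eventType": "OBJECT_FINALIZE", "bucketId": SAMPLE_BUCKET,
     "objectId": "audit-reports/audit_EXAMPLE_FW_20250101T125516/run-001/evidences/evidence7f3a.json"},
    {"eventType": "OBJECT_DELETE", "bucketId": SAMPLE_BUCKET,
     "objectId": "audit-reports/audit_EXAMPLE_FW_20250101T125516/run-001/overall_report.ods"},
    {"eventType": "OBJECT_FINALIZE", "bucketId": "some-other-bucket",
     "objectId": "audit-reports/audit_EXAMPLE_FW_20250101T125516/run-001/overall_report.ods"},
]


def process_samples() -> Dict[str, List[AuditArtifact]]:
    """Run the constructed notifications through the handler and group them by run."""
    found = [a for n in SAMPLE_NOTIFICATIONS if (a := handle_notification(n, SAMPLE_BUCKET))]
    return group_by_run(found)


if __name__ == "__main__":
    for run_id, artifacts in process_samples().items():
        print(run_id, [(a.kind, a.control_id or a.evidence_id) for a in artifacts])
```

In a deployment the attribute map comes from the Pub/Sub message that a bucket notification publishes (for example one created with `gcloud storage buckets notifications create` using `--topic` and `--event-types=OBJECT_FINALIZE`); filtering on OBJECT_FINALIZE and on the enrolled bucket keeps unrelated traffic on the topic from being mistaken for a completed audit, and grouping by UNIQUE_ID lets a consumer wait for the summary, control reports and evidence of one run before acting on it.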

What's next