Compliance
The Compliance module runs your cloud account against industry-standard security benchmarks and produces a structured pass/fail report for every control. Powered by the Calabi Compliance Engine, it continuously evaluates your cloud configuration against CIS, NIST, and AWS-published frameworks — giving security and compliance teams a single pane of glass for audit readiness.
Supported Benchmarks
| Benchmark | Standard | Controls | Update cadence |
|---|---|---|---|
| CIS AWS Foundations Benchmark v3.0 | CIS | 58 | Quarterly |
| CIS AWS Foundations Benchmark v1.4 | CIS | 53 | Quarterly |
| NIST 800-53 Revision 5 | NIST | 447 | Annual |
| Cloud Foundational Security Best Practices v1.0 | AWS | 210 | Monthly |
| PCI DSS v3.2.1 | PCI | 165 | Annual |
| SOC 2 Type II | AICPA | 98 | Annual |
| HIPAA Security Rule | HHS | 71 | Annual |
When a benchmark publishes a new version, Calabi releases an updated module within 30 days. Historical scan results are retained so you can compare your posture across benchmark versions.
How Benchmark Dashboards Work
The Calabi Compliance Engine evaluates each control by querying live AWS resource data and applying the control's logic. No agents are installed in your account — all evaluation is performed through read-only API calls via the Calabi Cloud Operations IAM role.
Running a Compliance Scan
- Navigate to Cloud Operations > Compliance.
- Select a benchmark from the list (e.g., CIS AWS Foundations Benchmark v3.0).
- Click Run Now to start an immediate scan.
- Scans typically complete in 2–5 minutes depending on the number of resources in your account.
- Results appear inline as controls complete — you do not need to wait for the full scan.
To set up automatic recurring scans, see Scheduling Compliance Scans below.
Reading a Compliance Report
Summary panel
The top of each benchmark report shows:
| Field | Description |
|---|---|
| Overall score | Percentage of controls that passed (PASS / total evaluated) |
| Critical controls failed | Count of controls marked Critical that failed |
| High controls failed | Count of controls marked High that failed |
| Last scan | Timestamp of the most recent completed scan |
| Trend | Score change vs. the previous scan |
Control table
Below the summary panel, each control is listed in a table with the following columns:
| Column | Description |
|---|---|
| ID | Benchmark control ID (e.g., 1.4, CIS.1.4) |
| Title | Human-readable control name |
| Severity | Critical / High / Medium / Low |
| Status | PASS / FAIL / SKIP / ERROR |
| Affected resources | Count of resources that failed this control |
| Remediation | Link to the remediation guide |
Expanding a control
Click any control row to expand it and see:
- The full control description and rationale
- A list of every affected resource (with ARN, region, and relevant attributes)
- Step-by-step remediation guidance
- A direct link to the relevant AWS documentation
Example: CIS 1.4 — Ensure no root account access key exists
Control: CIS AWS Foundations 1.4
Severity: Critical
Status: FAIL
Affected: 1 resource
Resource: arn:aws:iam::123456789012:root
Issue: Root account has an active access key (AKIA...)
Remediation:
1. Sign in as root.
2. Navigate to IAM > Security credentials.
3. Under "Access keys", delete all root access keys.
4. Verify that programmatic access is delegated to IAM users or roles.
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Scheduling Compliance Scans
Automated scans ensure your compliance posture is always current without manual intervention.
- Open Cloud Operations > Compliance.
- Select a benchmark.
- Click Schedule.
- Choose a frequency: Daily, Weekly, or Monthly.
- Set the time and time zone.
- Optionally enable Alert on score drop: if the overall score drops by more than N percentage points between scans, an alert is sent to your configured notification channels.
- Click Save Schedule.
Scheduled scan results are stored and accessible in the Scan History tab for the last 90 days.
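As an added example (not Calabi's own engine code), the following shows how a control such as CIS 1.4 can be evaluated from read-only IAM data and rolled up into the summary-panel fields and the alert-on-score-drop check described above. It assumes the SummaryMap of the IAM GetAccountSummary call, treats SKIP and ERROR controls as not evaluated when computing the score (an assumption, since the page does not say), and uses a constructed scan for the other control results.

```python
from dataclasses import dataclass, field

@dataclass
class ControlResult:
    control_id: str
    title: str
    severity: str            # Critical / High / Medium / Low
    status: str              # PASS / FAIL / SKIP / ERROR
    affected: list = field(default_factory=list)   # ARNs that failed

def check_cis_1_4(summary_map, account_id):
    """CIS 1.4: ensure no root account access key exists.
    summary_map is the SummaryMap dict returned by the read-only IAM
    GetAccountSummary call; AccountAccessKeysPresent is 1 if root has a key."""
    title = "Ensure no root account access key exists"
    try:
        present = int(summary_map["AccountAccessKeysPresent"])
    except (KeyError, TypeError, ValueError):
        # Missing or malformed data is reported as ERROR, never as PASS
        return ControlResult("1.4", title, "Critical", "ERROR")
    if present:
        root_arn = f"arn:aws:iam::{account_id}:root"
        return ControlResult("1.4", title, "Critical", "FAIL", [root_arn])
    return ControlResult("1.4", title, "Critical", "PASS")

def summarize(results, previous_score=None):
    """Summary panel: overall score = PASS / total evaluated.
    Assumption: SKIP and ERROR controls do not count as evaluated."""
    evaluated = [r for r in results if r.status in ("PASS", "FAIL")]
    passed = sum(r.status == "PASS" for r in evaluated)
    score = round(100.0 * passed / len(evaluated), 1) if evaluated else 0.0
    failed = [r for r in results if r.status == "FAIL"]
    return {
        "overall_score": score,
        "critical_failed": sum(r.severity == "Critical" for r in failed),
        "high_failed": sum(r.severity == "High" for r in failed),
        "trend": None if previous_score is None else round(score - previous_score, 1),
    }

def score_drop_alert(summary, threshold_points):
    """Alert on score drop: fire when the score fell by more than N points."""
    trend = summary["trend"]
    return trend is not None and -trend > threshold_points

def sample_scan():
    """Constructed scan: one live check plus three hand-made control results."""
    summary_map = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 1}  # constructed
    return [
        check_cis_1_4(summary_map, "123456789012"),
        ControlResult("1.5", "Root user MFA enabled (constructed)", "Critical", "PASS"),
        ControlResult("2.1.1", "S3 policy denies HTTP (constructed)", "High", "FAIL",
                      ["arn:aws:s3:::example-bucket"]),
        ControlResult("3.1", "CloudTrail in all regions (constructed)", "Medium", "SKIP"),
    ]
```

Running `summarize(sample_scan(), previous_score=80.0)` yields a score of 33.3 with one Critical and one High failure, and `score_drop_alert(..., 5)` fires because the score fell by 46.7 points.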
Exporting Compliance Reports
Reports can be exported for auditors and compliance reviews:
| Format | Contents | How to export |
|---|---|---|
| PDF | Formatted report with benchmark summary, control table, and resource details | Click Export PDF on the benchmark results page |
| CSV | Raw control-level data: control ID, title, severity, status, affected resource ARNs | Click Export CSV on the benchmark results page |
PDF exports include your organization name, the scan timestamp, and a Calabi-generated report ID that can be used as an audit reference.
Benchmark Details
CIS AWS Foundations Benchmark
The CIS AWS Foundations Benchmark is the most widely adopted prescriptive set of AWS security configuration guidelines. It is organized into five sections:
| Section | Focus area | Control count (v3.0) |
|---|---|---|
| 1 | Identity and Access Management | 21 |
| 2 | Storage | 7 |
| 3 | Logging | 9 |
| 4 | Monitoring | 15 |
| 5 | Networking | 6 |
Level 1 controls are recommended as minimum baseline configurations. Level 2 controls are more restrictive and suited to environments that require a higher security posture.
NIST 800-53 Revision 5
NIST SP 800-53 Rev. 5 defines security and privacy controls for federal information systems and organizations. It is commonly used as the basis for FedRAMP, StateRAMP, and DoD compliance programmes. Calabi maps each NIST control to the corresponding AWS resource check where automation is possible; controls that require organizational policy evidence are flagged as manual.
Cloud Foundational Security Best Practices
AWS FSBP is an AWS-curated set of controls that covers services not addressed by CIS, including ECS, EKS, Kinesis, managed search services, and Secrets Manager. It is updated more frequently than CIS and reflects AWS's current recommended defaults.
Related Pages
- Security Posture — Continuous security checks outside the benchmark scan cycle
- Configure — Connect a cloud account and set up alert channels
- Query Resources — Write ad-hoc SQL for custom compliance checks