CloudGuard Dome9 User Guide

Compliance and Governance


The CloudGuard Dome9 Compliance Engine tests your cloud environments for compliance against industry standards and best practices, or your organization's own security policies, using rules that you define, or using sets of rules (rulesets) developed by Dome9 that are available out-of-the-box. Dome9 provides a comprehensive set of rulesets covering many of the common cloud security standards, such as PCI-DSS and HIPAA, which you can run immediately on your cloud accounts. In addition, you can build and test new rules, or modify existing rules, using an intuitive graphical rule builder, to tailor policies to your organization's specific needs and compliance goals.

The Compliance Engine works with all cloud providers, and can check compliance for an organization with a multi-cloud presence.

You can also use the Compliance Engine to test your cloud accounts continuously, and receive notifications when issues are detected.

You can see detailed results of tests, or view summary reports.

The Compliance Engine accesses your cloud accounts directly, using cloud provider APIs and the Dome9 policies you set up on these accounts (see Onboard an AWS Account) to assess compliance. It works on all cloud providers, and you can test compliance even when your cloud presence is distributed over multiple cloud providers.

Compliance & Governance

The Dome9 Compliance Engine evaluates your cloud environment using compliance rulesets and rules.

Rulesets & Rules

The Compliance Engine uses a set of rulesets to test your cloud accounts. Rulesets contain rules, which are individual tests of a capability in your account. For example, a rule could test whether an account has a 'root' user, or whether a password policy is enforced.

The Compliance Engine includes a set of predefined rulesets, developed by Dome9, which test for common cloud security standards and best practices. These include remediation steps which you can apply to your account. These rulesets cannot be changed, but you can clone them, to make a copy, and modify the copy.

Note: once remediation steps are applied to an account, and Dome9 is updated (time may vary, based on backend sync intervals), re-run the assessment to verify the remedy.

Dome9 GSL (Governance Specification Language)

Rules used by the Compliance Engine are defined using the Dome9 Governance Specification Language (GSL). This is a user-readable, intuitive language that describes the test. For example, the rule

S3Bucket should have logging.enabled=true

checks that logging is enabled for AWS S3Buckets.

See The CloudGuard Dome9 GSL Language for details and examples of the GSL syntax, and how to build rules.

Built-in Rulesets

The Compliance Engine comes with a set of predefined rulesets, developed by Dome9, that cover common cloud security standards such as PCI-DSS, HIPAA, and CIS Foundations, for AWS, Azure, and GCP.


  • At-a-glance dashboard view of organizational compliance across entire cloud presence, on all providers

  • Check compliance with cloud security standards

  • Clear reports indicate non-compliant issues

  • Easily build custom rules using graphical rule builder (GSL)

  • Predefined (built-in) rulesets developed by Dome9 cover a wide range of standards and best practices


  • Enforce cloud accounts compliance with standards

  • Enforce compliance with organizational policies across the estate

  • Review the security and compliance posture across the entire estate using a unified dashboard

  • Evaluate compliance of a proposed cloud design (CloudFormation Template), before actual deployment

  • Customize the compliance engine dashboard according to your needs, allowing you to focus on the more sensitive and interesting environments

  • Review latest assessment results and apply remediation

  • Review assessments on specific environment from specific point in time

  • Create customized compliance or organizational policy rules


The Compliance and Governance module has the following views.


Dashboard

The Dashboard view is a summary view. It shows the following:

  • summary status of all rulesets, on all your cloud accounts, including results of the most recent assessment

  • organized by Organizational Units

  • click-to-run, or re-run, an assessment on an account, from the Dashboard

  • click-to-show detailed results or statistics for an assessment

  • configurable result thresholds

Assessment statistics

Results for assessments are shown as the percentage of passed tests from the total number of tests run. A test is the application of a policy rule on a cloud entity. For example, applying a rule on an EC2 instance or S3 bucket is a test. The same rule applied to many entities results in many tests, each with its own result.

So, for example, a result might show that 68% of the tests passed on the entities on which they were tested, while 32%, or 444 in total, failed.

The same result also shows that the bundle has 933 rules, of which 666 passed on all entities on which they were tested.
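To make the distinction between rule-level and test-level results concrete, the following added example (not Dome9 code) evaluates GSL-style rules of the one form shown above, `<Entity> should have <path>=<value>`, against a constructed inventory and aggregates the results the way the statistics described here do: one test per rule and entity, a pass percentage over all tests, and a count of rules that passed on every entity. The rule subset, inventory shape, and entity attribute names are assumptions for the example; real GSL is richer than this.

```python
import re

# Constructed inventory standing in for what the Compliance Engine fetches via
# the cloud provider APIs (attribute names and values are made up).
INVENTORY = {
    "S3Bucket": [
        {"name": "logs-archive", "logging": {"enabled": True}, "versioning": {"enabled": True}},
        {"name": "public-site", "logging": {"enabled": False}},
        {"name": "backups", "logging": {"enabled": True}, "versioning": {"enabled": True}},
    ],
    "IamUser": [
        {"name": "alice", "mfa_enabled": True},
        {"name": "bob", "mfa_enabled": True},
    ],
}

# A small custom ruleset in the "<Entity> should have <path>=<value>" form.
RULES = [
    "S3Bucket should have logging.enabled=true",
    "S3Bucket should have versioning.enabled=true",
    "IamUser should have mfa_enabled=true",
]

RULE_RE = re.compile(r"^(\w+)\s+should\s+have\s+([\w.]+)\s*=\s*(\S+)$")

def parse_rule(gsl):
    """Return (entity_type, attribute path, expected value) for a supported rule."""
    m = RULE_RE.match(gsl.strip())
    if not m:
        raise ValueError(f"unsupported rule form: {gsl!r}")
    entity_type, path, raw = m.groups()
    expected = {"true": True, "false": False}.get(raw.lower(), raw)
    return entity_type, path.split("."), expected

def lookup(entity, path):
    """Walk a dotted path; a missing attribute yields None (and so fails the test)."""
    cur = entity
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def run_rule(gsl, inventory):
    """One test per entity of the rule's type: (rule, entity name, passed)."""
    entity_type, path, expected = parse_rule(gsl)
    return [(gsl, e["name"], lookup(e, path) == expected) for e in inventory.get(entity_type, [])]

def assess(rules, inventory):
    """Aggregate per-test results into the test-level and rule-level statistics."""
    tests = [t for r in rules for t in run_rule(r, inventory)]
    failed = sum(1 for _, _, ok in tests if not ok)
    passed_pct = round(100 * (len(tests) - failed) / len(tests)) if tests else 0
    rules_passed = sum(1 for r in rules if all(ok for _, _, ok in run_rule(r, inventory)))
    return {"tests": len(tests), "failed": failed, "passed_pct": passed_pct,
            "rules": len(rules), "rules_passed": rules_passed}
```

Note that a rule counts as passed only when every entity it was applied to passed, so a ruleset can score well on tests while most of its rules still report failures.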


Rulesets

This view shows your rulesets and rules, including predefined rulesets and custom ones that you define.

  • filter or search for specific rules

  • view details for each rule

  • show GSL details for a rule (toggle)

  • show/edit JSON format for rules


Rule Builder

This view lets you build and test rules.

  • test rules before running them in an assessment

  • build rules using a text or graphical editor input format

Assessment History

This view shows a list of the assessments that were run, with summary details for each. You can filter the view by account, rulesets, and time, to show specific assessments of interest.


Add a Ruleset

Add a new ruleset. Once you have a ruleset, you can add rules to it. These can then be applied to a VPC in one of your cloud accounts, or to a CloudFormation Template.

  1. Navigate to the Rulesets main page in the Compliance & Governance menu.

  2. Click ADD RULESET to create a new ruleset. Enter a name for the ruleset and, optionally, a description, and select the cloud provider on which it will be applied.

Add Rules to a Ruleset

Add rules to a ruleset. You can add rules to custom rulesets (new policies that you add), but not to predefined rulesets.

  1. Select the Rulesets tab, and select the ruleset.
  2. Click +NEW RULE to add a rule to the policy. This opens the online GSL rule builder (see The CloudGuard Dome9 GSL Language).

  3. Enter a name for the rule and, optionally, a description, remediation (corrective steps), compliance sections that the rule covers, and a severity level (that is, the severity or impact of non-compliance with this rule).

  4. Enter the rule in the Rule GSL box, using the GSL syntax, then press SAVE. The rule appears in the list of rules for the policy. You can enter the rule as text, in the Text Editor mode, or graphically, in the Rule Builder mode.

  5. Optionally, add Autoremediation of Compliance issues using Dome9 CloudBots tags in the Compliance Section of the rule. These tags are used only if the rule is used in a Continuous Compliance policy. They indicate a remedial Dome9 CloudBot to be run if the rule fails in an assessment. The tag has the form:
     AUTO: ec2_stop_instance
    The prefix 'AUTO' indicates this is an autoremediation tag. The expression following the tag is the name of a remediation bot (for example, 'ec2_stop_instance') followed, optionally, by parameters. You can add more than one tag for a rule, in which case all the remediation actions will be performed if the rule fails.
  6. Add additional rules, as needed.

Modify Rules

You can modify existing rules in a custom ruleset. You can modify them using the graphical Rule Builder, in the same way that new rules are created. The Compliance Engine stores rules in JSON format, so you can also edit rules for a policy by editing the JSON block.

  1. Navigate to the Rulesets.

  2. Select the ruleset. The rules are shown on the right.

  3. Click on the rule you wish to edit. This will open the Rule Builder. From there you can change the rule, either by changing the text, or using the graphical Rule Builder.

  4. Modify the text of the rules, as necessary, and then click Save.

Run an assessment

Run a ruleset on a selected cloud account.

  1. Navigate to the Rulesets tab in the Compliance & Governance menu.

  2. Select the ruleset to be run.
  3. Click  in the upper right.

  4. Select the Environment tab.
  5. Select the Cloud account, region, and VPC on which the policy will be run, and then click RUN. The assessment will take from a few seconds to a few minutes (depending on the complexity of the ruleset and the number of rules). When completed, the results will be displayed.

    Details for each rule are shown. This shows the number of entities tested (Tests), the number that were included in the scope of the rule (Relevant), the number of entities that were excluded (if is selected), and the number of failed tests (Failed tests).

  6. Click Expand to show more detail, including details for the rule, and a list of the failed entities.

Note: you can also run an assessment from the Dashboard view. Click  next to the results for a specific bundle and account, or CLICK TO RUN for an account and bundle without results, to run (or re-run) an assessment.

View Assessment History

You can view a summary of previous assessments, and then see details for a specific assessment.

  1. Navigate to the Compliance Engine.

  2. Select Assessment History from the menu. A list of previous assessments is shown. This list can be filtered and sorted.
    The list shows, for each assessment, the date the assessment was run, the ruleset and account, the score, the number of failed tests, the number of excluded tests, and the event that triggered the assessment. The event could be Manual, for assessments run from the Compliance Dashboard, Continuous Compliance, for assessments run continuously, or System, for assessments defined on the Dome9 Dashboard (which are run hourly).

  3. Click next to an assessment to show details for it.

Clone a Ruleset

You can copy an existing ruleset. The copy will contain the same rules. This is useful if you wish to modify or extend rules in a built-in ruleset (which cannot be edited).

  1. Navigate to the Rulesets tab.

  2. Select the ruleset to be cloned, and then click CLONE.

  3. Enter a name for the new ruleset, and select the cloud provider on which it will run.

See also

The CloudGuard Dome9 GSL Language

CFT Assessment

Policy Reports