title: CloudSlash - Compliance Reference description: SOC 2, CIS, HIPAA. CloudSlash generates evidence from the live graph: not from a stale snapshot someone uploaded months ago. Create ~/.cloudslash/policies/so...
Compliance¶
SOC 2, CIS, HIPAA. CloudSlash generates evidence from the live graph: not from a stale snapshot someone uploaded months ago.
Prerequisites¶
- CloudSlash installed and running
- At least one provider plugin installed and scanning
- Policies written for your compliance framework (examples below)
Compliance Policies¶
Create ~/.cloudslash/policies/soc2/rules.yaml:
rules:
- id: soc2-no-public-s3
condition: "kind == 's3:bucket' && resource.public_access == true"
action: block
message: "SOC2 CC6.1: Public S3 bucket violates data protection controls"
enforcement_mode: shadow
priority: 100
- id: soc2-require-env-tag
condition: "!('env' in tags)"
action: warn
message: "SOC2 CC6.3: Missing environment tag prevents asset classification"
enforcement_mode: shadow
priority: 90
- id: soc2-no-public-rds
condition: "kind == 'rds:instance' && resource.PubliclyAccessible == true"
action: block
message: "SOC2 CC6.1: Publicly accessible RDS endpoint violates isolation controls"
enforcement_mode: shadow
priority: 100
- id: cis-no-wide-open-sg
condition: "kind == 'ec2:security_group' && resource.allows_all_ingress == true"
action: block
message: "CIS 5.4: Security group allows unrestricted inbound access (0.0.0.0/0)"
enforcement_mode: shadow
- id: require-owner-tag
condition: "!('owner' in tags)"
action: warn
message: "Internal policy: all resources must have an owner for cost attribution"
enforcement_mode: shadow
Validate Your Policies¶
cs policy validate ~/.cloudslash/policies/soc2/rules.yaml
cs policy test ~/.cloudslash/policies/soc2/rules.yaml
The test command runs every rule against the last scan snapshot and shows violation counts. It has zero impact on your live infrastructure.
Run in Shadow Mode First¶
Start with all rules in shadow mode. This logs every violation without blocking any remediations:
Shadow mode lets you measure the scope of violations before committing to enforcement. Watch the PolicyMesh tab in the Web Dashboard. Trigger counts update in real time as the engine processes resources.
Review the s.a.u Audit Ledger¶
Every engine decision is recorded in the audit ledger. This is an append-only event log that survives daemon restarts.
# View all audit events from the last 30 days
cs history --since 30d
# Filter to policy violations only
cs history --type POLICY_CHANGE
# Full timeline for a specific resource
cs history --crn crn:devi:aws:us-east-1:s3:bucket:123456789012:my-bucket
Via the REST API (for integration with SIEM systems):
curl "http://localhost:8080/api/v1/history?type=s.a.u_ACTION&since=30d" \
| jq '.events[] | {ts, crn, status, message}'
Audit Report¶
# HTML report for auditors
cs report --format=html --output=soc2-evidence-$(date +%Y-%m-%d).html
# JSON for programmatic processing
cs report --format=json --output=compliance-data.json
The report includes:
Remediations¶
- Policy violation counts by rule and provider
- Remediation actions taken (with timestamps and actors)
- Resources exempt via
cloudslash:ignoretag (with justification) - Cost savings from remediated waste
Promote Rules to Enforcing¶
Once you verify each rule captures the right resources, promote to enforcing:
# Toggle a specific rule via API
curl -X POST http://localhost:8080/api/v1/policies/toggle \
-d '{"rule_id": "soc2-no-public-s3"}'
In enforcing mode, the s.a.u engine will block any attempted remediation of a matching resource until the violation is resolved. This creates a hard governance gate.
Break Glass Protocol¶
For emergencies where a blocked resource must be acted on immediately, set the sau:override label on the resource (or add it as a GitHub label to the auto-generated dry-run PR). This invokes the Break Glass Protocol and bypasses the CEL block with a logged justification.
Audit Trail Schema¶
Every event in cs history includes:
| Field | Description |
|---|---|
id |
Unique event ID |
ts |
ISO 8601 timestamp |
type |
SCAN_COMPLETED, s.a.u_ACTION, APPROVAL, POLICY_CHANGE, etc. |
crn |
Resource Cloud Resource Name |
status |
OK, APPROVED, REJECTED, QUARANTINED, BLOCKED |
message |
Human-readable description |
actor |
daemon, user, or username |
meta.savings_usd |
Cost savings if applicable |
What's Next¶
- Writing CEL Policies: Full policy authoring guide
- s.a.u Audit Ledger Reference: Complete schema and query options
- API Endpoints: Integrate audit data into your SIEM