Skip to content

title: CloudSlash - Compliance Reference description: SOC 2, CIS, HIPAA. CloudSlash generates evidence from the live graph: not from a stale snapshot someone uploaded months ago. Create ~/.cloudslash/policies/so...


Compliance

SOC 2, CIS, HIPAA. CloudSlash generates evidence from the live graph: not from a stale snapshot someone uploaded months ago.


Prerequisites

  • CloudSlash installed and running
  • At least one provider plugin installed and scanning
  • Policies written for your compliance framework (examples below)

Compliance Policies

Create ~/.cloudslash/policies/soc2/rules.yaml:

rules:
  - id: soc2-no-public-s3
    condition: "kind == 's3:bucket' && resource.public_access == true"
    action: block
    message: "SOC2 CC6.1: Public S3 bucket violates data protection controls"
    enforcement_mode: shadow
    priority: 100

  - id: soc2-require-env-tag
    condition: "!('env' in tags)"
    action: warn
    message: "SOC2 CC6.3: Missing environment tag prevents asset classification"
    enforcement_mode: shadow
    priority: 90

  - id: soc2-no-public-rds
    condition: "kind == 'rds:instance' && resource.PubliclyAccessible == true"
    action: block
    message: "SOC2 CC6.1: Publicly accessible RDS endpoint violates isolation controls"
    enforcement_mode: shadow
    priority: 100

  - id: cis-no-wide-open-sg
    condition: "kind == 'ec2:security_group' && resource.allows_all_ingress == true"
    action: block
    message: "CIS 5.4: Security group allows unrestricted inbound access (0.0.0.0/0)"
    enforcement_mode: shadow

  - id: require-owner-tag
    condition: "!('owner' in tags)"
    action: warn
    message: "Internal policy: all resources must have an owner for cost attribution"
    enforcement_mode: shadow

Validate Your Policies

cs policy validate ~/.cloudslash/policies/soc2/rules.yaml
cs policy test ~/.cloudslash/policies/soc2/rules.yaml

The test command runs every rule against the last scan snapshot and shows violation counts. It has zero impact on your live infrastructure.

Run in Shadow Mode First

Start with all rules in shadow mode. This logs every violation without blocking any remediations:

cs daemon --rules ~/.cloudslash/policies/soc2/rules.yaml

Shadow mode lets you measure the scope of violations before committing to enforcement. Watch the PolicyMesh tab in the Web Dashboard. Trigger counts update in real time as the engine processes resources.

Review the s.a.u Audit Ledger

Every engine decision is recorded in the audit ledger. This is an append-only event log that survives daemon restarts.

# View all audit events from the last 30 days
cs history --since 30d

# Filter to policy violations only
cs history --type POLICY_CHANGE

# Full timeline for a specific resource
cs history --crn crn:devi:aws:us-east-1:s3:bucket:123456789012:my-bucket

Via the REST API (for integration with SIEM systems):

curl "http://localhost:8080/api/v1/history?type=s.a.u_ACTION&since=30d" \
  | jq '.events[] | {ts, crn, status, message}'

Audit Report

# HTML report for auditors
cs report --format=html --output=soc2-evidence-$(date +%Y-%m-%d).html

# JSON for programmatic processing
cs report --format=json --output=compliance-data.json

The report includes:

Remediations

  • Policy violation counts by rule and provider
  • Remediation actions taken (with timestamps and actors)
  • Resources exempt via cloudslash:ignore tag (with justification)
  • Cost savings from remediated waste

Promote Rules to Enforcing

Once you verify each rule captures the right resources, promote to enforcing:

# Toggle a specific rule via API
curl -X POST http://localhost:8080/api/v1/policies/toggle \
  -d '{"rule_id": "soc2-no-public-s3"}'

In enforcing mode, the s.a.u engine will block any attempted remediation of a matching resource until the violation is resolved. This creates a hard governance gate.

Break Glass Protocol

For emergencies where a blocked resource must be acted on immediately, set the sau:override label on the resource (or add it as a GitHub label to the auto-generated dry-run PR). This invokes the Break Glass Protocol and bypasses the CEL block with a logged justification.


Audit Trail Schema

Every event in cs history includes:

Field Description
id Unique event ID
ts ISO 8601 timestamp
type SCAN_COMPLETED, s.a.u_ACTION, APPROVAL, POLICY_CHANGE, etc.
crn Resource Cloud Resource Name
status OK, APPROVED, REJECTED, QUARANTINED, BLOCKED
message Human-readable description
actor daemon, user, or username
meta.savings_usd Cost savings if applicable

What's Next