Apply a predefined Tanzu Hub governance benchmark

As an application owner or SRE, you must ensure that your resource configurations meet a predefined industry standard or government benchmark such as CIS, PCI DSS, ISO, or others. The following steps show you how to create, edit, or clone a compliance framework and publish it. You can then filter findings by that compliance framework and prioritize them for resolution.

Before you begin

Create, edit, or clone a compliance framework

You can create, edit, or clone a compliance framework. You can also associate policies with the compliance framework, and create a control group and a control.

To create a compliance framework:

  1. In Tanzu Hub, click Guardrails > Policies.
  2. On the Posture Policies card, click View Compliance Frameworks, then click Add New.
  3. Provide the information for the new framework, and click Save.
  4. Open the new compliance framework and associate policies with it.
    1. Click Associate Policies.
    2. Select the policies to add, and click Associate.
    3. To edit a policy in the compliance framework, click the policy link and click Edit.
    4. Change the severity, policy category, or resources. Then, click Save.
  5. Create a control group that organizes the policies in the compliance framework.

    For example, control groups can include control plane components, control plane configuration, worker nodes, policies, and managed services. Each control group includes a number of controls that you can select.

    1. In Compliance Frameworks, locate a framework that is published.
    2. Click the link to the framework. For example, CIS AWS Foundations Benchmark version 2.0.0.

      The policies in the compliance framework appear.

    3. Click Control Group / Control.

    4. Select a control group and its controls. For example, to select all the controls in the control group Identity and Access Management, select the check box next to the control group.
    5. Expand the control group and deselect any controls that do not apply to your environment. Only the controls that remain selected are in scope for the framework.
  6. Publish the new compliance framework. See Publish a compliance framework.

To edit a compliance framework:

  1. Click the link to the compliance framework.

    For example, locate the most recent version of CIS AWS Foundations Benchmark, such as version 2.0.0.

  2. Add or remove policies, and click Associate.

    Your updated version appears in the list of compliance frameworks.

To clone a compliance framework:

  1. Select the check box next to a compliance framework, and click Clone.

    For example, locate the most recent version of CIS AWS Foundations Benchmark, such as version 2.0.0.

  2. Update the version, resource URL, or resource display name, and click Clone.

    Your cloned version appears in the list of compliance frameworks.

Publish a compliance framework

To activate a compliance framework that corresponds to a governance benchmark that you must apply to your accounts, follow these steps.

  1. In Tanzu Hub, click Guardrails > Policies.
  2. On the Posture Policies card, click View Compliance Frameworks.
  3. Locate the compliance framework that you must publish.

    For example, locate the most recent version of CIS AWS Foundations Benchmark, such as version 2.0.0.

  4. Select the check box next to the compliance framework, and click Publish.

    When you publish the compliance framework, it becomes available as an option in filters, reports, and dashboards. Until a framework is published, its findings cannot be filtered or reported on.

If you’ve set up projects in VMware Tanzu Hub, you can publish and view compliance frameworks for a specific project by selecting it from the context switcher in the top menu for VMware Tanzu Hub.

Apply a filter for findings related to a compliance framework

After you publish a compliance framework, you can create a filter for the associated findings and prioritize them for resolution to ensure that your accounts comply with the selected benchmark.

  1. In Tanzu Hub, click Guardrails > Findings.
  2. In the Filter section, click Applied Policies > Frameworks.
  3. Select the compliance framework that you created, or one of interest, and click Apply.

    For example, locate the most recent version of CIS AWS Foundations Benchmark, such as version 2.0.0.

    The findings for the compliance framework that you selected appear in priority order based on the attention score.
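The page does not show how a framework, its control groups and controls, and the associated policies determine which findings the filter returns, or how deselecting a control or leaving a framework unpublished changes the result. The following is an added example written for this page, not Tanzu Hub's own code or API: it models that relationship with plain Python data classes. The data model, all IDs, policy names, resource names, and attention scores are assumptions constructed for the illustration.

```python
"""Added illustration of how a compliance framework scopes and orders findings.

Example code written for this page, not Tanzu Hub's own code or API.
The model (framework -> control groups -> controls -> policies; findings
tagged with a policy ID and an attention score) and every identifier,
name and score below are assumptions constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Control:
    control_id: str        # assumed ID, not a real benchmark control number
    policy_ids: set[str]   # posture policies associated with this control
    selected: bool = True  # a deselected control drops its policies from scope


@dataclass
class ControlGroup:
    name: str
    controls: list[Control]


@dataclass
class Framework:
    name: str
    version: str
    groups: list[ControlGroup]
    published: bool = False

    def policies_in_scope(self) -> set[str]:
        """Policies of every selected control in every control group."""
        return {
            pid
            for group in self.groups
            for control in group.controls
            if control.selected
            for pid in control.policy_ids
        }

    def clone(self, new_version: str) -> "Framework":
        """Clone keeps controls and selections, bumps the version, starts unpublished."""
        groups = [
            ControlGroup(
                g.name,
                [Control(c.control_id, set(c.policy_ids), c.selected) for c in g.controls],
            )
            for g in self.groups
        ]
        return Framework(self.name, new_version, groups, published=False)


@dataclass
class Finding:
    finding_id: str
    policy_id: str
    resource: str
    attention_score: int


def filter_findings(findings: list[Finding], framework: Framework) -> list[Finding]:
    """Findings whose policy is in scope for a published framework,
    ordered by attention score, highest first."""
    if not framework.published:
        raise ValueError(f"{framework.name} {framework.version} is not published")
    in_scope = framework.policies_in_scope()
    return sorted(
        (f for f in findings if f.policy_id in in_scope),
        key=lambda f: f.attention_score,
        reverse=True,
    )


# Constructed sample: two control groups, three controls, four policies.
IAM = ControlGroup("Identity and Access Management", [
    Control("iam-root-mfa", {"POL-MFA-ROOT"}),
    Control("iam-key-rotation", {"POL-KEY-ROTATION"}),
])
LOGGING = ControlGroup("Logging", [
    Control("log-trail-enabled", {"POL-TRAIL-ALL-REGIONS", "POL-TRAIL-VALIDATION"}),
])
CIS_AWS = Framework("CIS AWS Foundations Benchmark", "2.0.0", [IAM, LOGGING], published=True)

# Constructed findings; F-4 belongs to a policy outside this framework.
SAMPLE_FINDINGS = [
    Finding("F-1", "POL-KEY-ROTATION", "iam/user/deploy", 40),
    Finding("F-2", "POL-MFA-ROOT", "iam/root", 95),
    Finding("F-3", "POL-TRAIL-VALIDATION", "cloudtrail/main", 70),
    Finding("F-4", "POL-S3-PUBLIC", "s3/bucket/assets", 99),
]


def prioritized_ids(framework: Framework = CIS_AWS, findings=SAMPLE_FINDINGS) -> list[str]:
    """Finding IDs in the order the filter would present them."""
    return [f.finding_id for f in filter_findings(findings, framework)]


def clone_without_key_rotation() -> Framework:
    """Clone the benchmark, deselect one control, publish the clone."""
    clone = CIS_AWS.clone("2.0.1")
    for control in clone.groups[0].controls:
        if control.control_id == "iam-key-rotation":
            control.selected = False
    clone.published = True
    return clone


if __name__ == "__main__":
    print(prioritized_ids())                             # F-2, F-3, F-1; F-4 out of scope
    print(prioritized_ids(clone_without_key_rotation()))  # F-2, F-3; F-1 dropped with its control
```

Two points the model makes visible: a finding with the highest attention score (F-4) is still excluded when no policy in the framework covers it, so the framework filter is a scoping tool rather than a severity ranking; and deselecting a control silently removes its findings from the filtered view, so review the selected controls before treating a clean result as compliance.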

View overall compliance for your connected accounts

You can view the compliance dashboard from the Guardrails Overview page to get a general overview of adherence to published compliance frameworks across all connected accounts.

  1. In Tanzu Hub, click Guardrails > Overview.

  2. Click the drop-down icon next to the “Guardrails Overview” text and select Compliance.

What to do next

Resolve the filtered findings according to your organization’s security prioritizations to ensure that your accounts comply with your chosen governance benchmark. For more information, see Investigate VMware Tanzu Guardrails findings.

Parent topic: Define and apply governance policies in VMware Tanzu Hub
