The Cloud Report is a security scan of your cloud environment that shows misconfigurations and potential security risks. These tests are surfaced in the UI through the Tests page but are not available there in a summarized view, which is why this report exists. You will notice a difference between the count in a Cloud Report and the count in the Asset Inventory. There are two reasons for this.
First, the report only includes resources that are marked in audit scope.
Second, a Cloud Resource can have anywhere from zero to many test results reported. When a resource has no test results, no entry is created in the Cloud Report. The report includes the status of each test result as pass/fail.
This report can also be accessed from the Data Room, Export Data, along with a complete report of Cloud Resources called “Cloud Resource Inventory”.
Which actions should I take with the report?
- Your engineering team should thoroughly review the report, determine what is applicable to your organization, and document and approve the process of resolving the potential risks.
- Respond to or remediate, as appropriate, any potential risks or misconfigurations identified in accordance with the Vulnerability and Patch Management Policy that can be found under the Policies section.
- Note: Our Cloud Report's scope consists of your entire cloud environment. With that in mind, it is up to you to determine which risks can be ignored (e.g., security controls relating to dev/non-prod environments can be ignored because they are out of audit scope, as can a finding for an S3 bucket that is intentionally public).
- If a pull request is required to solve the risk, the pull request and associated change ticket must capture the risk and resolution and document all of the steps in accordance with your change management policy.
- After changes have been made to your environment, you can export an updated Cloud Report to track any remaining vulnerabilities.