Audit your environment with Compliance Manager

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Compliance Manager lets you run audits against frameworks so that you can understand the compliance state of your Google Cloud environment. Auditing your environment lets you do the following:

  • Automate compliance assessments to evaluate how well your Google Cloud workloads align with your compliance obligations.
  • Collect evidence for compliance audits.
  • Identify gaps to help remediate violations.

Compliance Manager can provide assessments for any Google Cloud folder or project.

The auditing process creates the following artifacts that Compliance Manager stores in Cloud Storage buckets:

  • An audit summary report that provides the following:
    • An overview of how well your folder or project aligns with the cloud controls in a framework.
    • A responsibilities matrix to help you understand your shared responsibilities with Google.
  • A control overview report that describes the results of the evaluation for a specific cloud control. This report provides assessment details for each compliance check, including observations and expected values.
  • The evidence used to create the report, which includes all the resources evaluated for each cloud control, including a raw dump of asset data.

Before you begin

Enroll resources

Before you can audit your environment, you must enroll the organization, folders, or projects that you want to audit and specify a Cloud Storage bucket. Compliance Manager stores the audit data in the Cloud Storage bucket.

  1. In the console, go to the Compliance page.

    Go to Compliance

  2. Select your organization.

  3. In the Audit (Preview) tab, click Audit settings.

  4. Find the projects or folders that you want to audit.

  5. Click Enroll. Inheritance works as follows:

    • If you enroll an organization, you can audit all folders and projects.
    • If you enroll a folder, you can audit the folders and projects within that folder.
  6. Select the Cloud Storage bucket that you want to use to store audit data, or create a new bucket.

  7. Click Enroll.

Update your resource enrollment

You can change the Cloud Storage bucket after you enroll a resource.

  1. In the console, go to the Compliance page.

    Go to Compliance

  2. Select your organization.

  3. In the Audit (Preview) tab, click Audit settings.

  4. Find the project or folder that you want to change.

  5. Click Update.

  6. Modify the bucket information.

  7. Click Enroll.

Audit your environment

Complete the following task to start an audit of a folder or project.

  1. In the console, go to the Compliance page.

    Go to Compliance

  2. Select your organization.

  3. In the Audit (Preview) tab, click Run audit.

  4. Select the resource that you want to audit. You can select only one folder or project for each audit.

  5. Select an applied framework.

  6. Select the location where the audit assessment must be processed. For the list of supported locations, see Audit locations for Compliance Manager. If you don't see the location that you're looking for, select global. Click Next.

  7. Review the assessment plan. This plan provides information about the audit scope based on the framework that you selected. To download the OpenDocument Spreadsheet (ODS) file, click the link.

  8. Click Next.

  9. Select the Cloud Storage bucket that you want to store your audit reports in. Click Done.

  10. Click Run Audit. The audit might take some time to complete. Refresh the main Audit page to view progress.

To watch for changes to the Cloud Storage bucket, you can set up notifications using an event-driven function or Pub/Sub.

View audit information

When an audit is completed, Compliance Manager creates and stores the artifacts in the destination storage buckets for you to view.

  1. In the console, go to the Compliance page.

    Go to Compliance

  2. Select your organization.

  3. In the Audit (Preview) tab, to view the audit summary, click the link in the Status column.

    The Basic information page displays the compliance controls in scope and the status of the automated compliance checks:

    • Compliant: Shows the configurations that meet all the requirements.
    • Violations: Shows the misconfigurations that are detected against a given control.
    • Manual review needed: Shows the configurations that you must validate manually to determine whether they are compliant; user input is needed to prove compliance and process control.
    • Skipped: Shows the configurations that Compliance Manager skipped for a given control.
  4. Depending on the type of audit information you want to view, follow the instructions in the corresponding tab.

    Audit summary report

    1. To see the details of a status, click View.
    2. To export the audit summary report, click Export.

      The audit summary report is exported in the ODS format.

    Control overview report

    You can view the control overview report based on a control or status.

    To view the control overview page based on a control, do the following:

    1. In the filtered list, expand the required control.

    2. Click the corresponding hyperlink. The control page shows the responsibility, findings, and requirements.

    To view the control overview report based on a status, do the following:

    1. For the required status, click View.

    2. From the list of controls, click the required hyperlink. The control overview page shows the responsibility, findings, and requirements.

    To export the control overview report, click Export. The control overview report is exported in the ODS format.

    Evidence

    You can view the evidence based on control or status.

    To view the evidence based on a control, do the following:

    1. Expand the required control.

    2. To view the detailed compliance assessment against each rule, click the corresponding hyperlink.

    The controls page shows the responsibility, findings, and requirements.

    To view the evidence based on a status, do the following:

    1. For the required status, click View.

    2. From the list of controls, click the required hyperlink.

    The controls page shows the responsibility, findings, and requirements.

    To view the evidence for a finding, in the filtered list, click Click here to open the evidence. The Object details page with the evidence details opens in a separate tab.

    To download the evidence, click Download. The evidence is downloaded in JSON format.

Alternatively, you can download the required report and evidence directly from the destination storage bucket. For more information, see Download an object from a bucket.

Audit summary report

The audit summary report is a comprehensive report that provides an overview of all compliance controls and a responsibilities matrix to help you understand the compliance of the Google Cloud folder or project. The audit summary report is available in OpenDocument Spreadsheet (ODS) format.

In the destination storage bucket, the audit summary report uses the following naming convention:

audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/overall_report.ods

The values are the following:

  • FRAMEWORK_NAME : the name of the framework.
  • TIMESTAMP : a timestamp that indicates when the report was generated.
  • UNIQUE_ID : a unique ID for the report.

For each applicable control type, the following fields are populated in the audit summary report:

  • Control Info: a description and requirement for the control.
  • Google Responsibility: Google Cloud responsibility and implementation details.
  • Customer Responsibility: your responsibility and implementation details.
  • Assessment Status: status of compliance for the control. Status can be one of the following types:
    • Non-Compliant: compliance drift detected.
    • Compliant: the system is compliant.
    • Manual Review Needed: artifacts are produced, but user input is required to finalize the compliance status.
    • Skipped: Compliance Manager can't evaluate the cloud control.
  • Control Report Link: a link to the control overview report.

Control overview report

A control overview report contains a detailed description of the compliance evaluation for a single control. The report provides assessment details for each compliance check with observations and expected values.

In the destination storage bucket, the control overview report uses the following naming convention:

audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/CONTROL_ID.ods

The values are the following:

  • FRAMEWORK_NAME : the name of the framework.
  • TIMESTAMP : a timestamp when the report was generated.
  • UNIQUE_ID : a unique ID for the report.
  • CONTROL_ID : the ID for the control.

Within the report, dates use the MM/DD/YYYY format.

A control overview report looks similar to the following example. The report header names the control and its overall status; the column descriptions are listed first, followed by the sample rows.

Control ID : COMPLIANT

  • Service name: total services in scope for this control.
  • # of resources: total resources in audit scope.
  • Status: compliance status.
  • Resource Evaluation Details:
    • Resource ID: resource identifier.
    • Measured Field: configuration to be measured for audit.
    • Current Value: observed values.
    • Expected Value: compliant values.
    • Status: individual compliance status.
    • Evidence Resource URI
    • Evidence Timestamp: timestamp when evidence was collected.
    • Evidence for Project/Folder
    • Evidence Link

Service name | # of resources | Status | Resource ID | Measured Field | Current Value | Expected Value | Status | Evidence Resource URI | Evidence Timestamp | Evidence for Project/Folder | Evidence Link
product1.googleapis.com | 2 | COMPLIANT | folder_123456 | abc | 10 | >=10 | COMPLIANT | Resource 1 | 01/01/2025 12:55:16 | Project 1 | Link 1
 | | | folder_123456 | def | 15 | =15 | COMPLIANT | Resource 4 | 12/05/2024 13:55:16 | Project 1 | Link 4
 | | | project_123456 | xyz | 20 | =20 | COMPLIANT | Resource 2 | 12/05/2024 14:55:16 | Project 1 | Link 2
product2.googleapis.com | 1 | COMPLIANT | project_123456 | def | 5 | >=5 | COMPLIANT | Resource 3 | 12/05/2024 15:55:16 | Project 1 | Link 3
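As an added example (not code from the page or from Compliance Manager), the following Python reproduces the per-check Status column and the per-service "# of resources" / Status roll-up from rows like the ones in the sample report. The operator set accepted in Expected Value and the severity order used for the roll-up are assumptions; the page itself only shows ">=" and "=".

```python
import re
from collections import defaultdict

# Constructed rows mirroring the sample report above; not Compliance Manager output.
SAMPLE_ROWS = [
    {"service": "product1.googleapis.com", "resource": "folder_123456",
     "field": "abc", "current": "10", "expected": ">=10"},
    {"service": "product1.googleapis.com", "resource": "folder_123456",
     "field": "def", "current": "15", "expected": "=15"},
    {"service": "product1.googleapis.com", "resource": "project_123456",
     "field": "xyz", "current": "20", "expected": "=20"},
    {"service": "product2.googleapis.com", "resource": "project_123456",
     "field": "def", "current": "5", "expected": ">=5"},
]

# Expected values in the report read as an operator plus a value (">=10", "=15").
# The full operator set below is an assumption; the page only shows ">=" and "=".
_EXPECTED_RE = re.compile(r"^\s*(>=|<=|!=|=|>|<)\s*(.+?)\s*$")
_RANK = {"COMPLIANT": 0, "MANUAL_REVIEW_NEEDED": 1, "NON_COMPLIANT": 2}

def _coerce(value):
    """Use numeric comparison when the value parses as a number, else compare text."""
    try:
        return float(value)
    except ValueError:
        return str(value).strip()

def evaluate_check(current, expected):
    """Status for one Current Value / Expected Value pair of a single resource."""
    m = _EXPECTED_RE.match(expected)
    cur, target = _coerce(current), _coerce(m.group(2)) if m else None
    if m is None or type(cur) is not type(target):
        return "MANUAL_REVIEW_NEEDED"  # unparseable expectation or mismatched types
    op = m.group(1)
    passed = {">=": cur >= target, "<=": cur <= target, "!=": cur != target,
              "=": cur == target, ">": cur > target, "<": cur < target}[op]
    return "COMPLIANT" if passed else "NON_COMPLIANT"

def summarize_control(rows):
    """Roll rows up to per-service (# of resources, Status) and the control-level status."""
    status, resources = {}, defaultdict(set)
    for row in rows:
        svc = row["service"]
        resources[svc].add(row["resource"])
        check = evaluate_check(row["current"], row["expected"])
        status[svc] = max(status.get(svc, "COMPLIANT"), check, key=_RANK.get)
    summary = {svc: {"resources": len(resources[svc]), "status": st} for svc, st in status.items()}
    overall = max(status.values(), default="COMPLIANT", key=_RANK.get)
    return overall, summary
```

Running `summarize_control(SAMPLE_ROWS)` yields the same counts and statuses as the sample report: two resources for product1, one for product2, all COMPLIANT.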

Evidence

Evidence includes all the resources evaluated for each control, including a raw dump of asset data along with the command that was run to produce the output.

In the destination storage bucket, evidence is in JSON format and uses the following naming convention:

audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/evidences/evidenceEVIDENCE_ID.json

The values are the following:

  • FRAMEWORK_NAME : the name of the framework.
  • TIMESTAMP : a timestamp when the report was generated.
  • UNIQUE_ID : a unique ID for the report.
  • EVIDENCE_ID : a unique ID for the evidence.
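An added Python example (not Google's code) that parses object names in the three naming conventions above, so that a bucket notification handler (the event-driven function or Pub/Sub subscriber mentioned earlier) can tell which artifact has landed and when an audit's summary report is available. Assumptions: the notification is reduced to a dict with `bucket` and `name` fields, a framework name may itself contain underscores, and an optional underscore is tolerated between `evidence` and EVIDENCE_ID.

```python
import re

# Regex for the three naming conventions above. Assumed: the framework name may
# contain "_" (so the timestamp is the last "_" segment of the audit directory)
# and an optional "_" may sit between "evidence" and EVIDENCE_ID.
_ARTIFACT_RE = re.compile(
    r"^audit-reports/audit_(?P<framework>[^/]+)_(?P<timestamp>[^_/]+)/(?P<unique_id>[^/]+)/"
    r"(?:(?P<overall>overall_report\.ods)|evidences/evidence_?(?P<evidence_id>[^/]+)\.json"
    r"|(?P<control_id>[^/]+)\.ods)$")

def parse_artifact_name(name):
    """Classify one object name; None when it is not an audit artifact."""
    m = _ARTIFACT_RE.match(name)
    if not m:
        return None
    info = {"framework": m["framework"], "timestamp": m["timestamp"],
            "unique_id": m["unique_id"]}
    if m["overall"]:
        info["kind"] = "audit_summary"
    elif m["evidence_id"]:
        info["kind"], info["evidence_id"] = "evidence", m["evidence_id"]
    else:
        info["kind"], info["control_id"] = "control_report", m["control_id"]
    return info

def on_object_finalized(event):
    """Route one object-finalized notification; `event` carries 'bucket' and 'name'."""
    info = parse_artifact_name(event.get("name", ""))
    if info is None:
        return "ignore"
    if info["kind"] == "audit_summary":  # the summary is the report to fetch first
        return f"audit {info['unique_id']} ready: gs://{event['bucket']}/{event['name']}"
    return f"{info['kind']} for audit {info['unique_id']}"

def group_by_audit(names):
    """Per UNIQUE_ID: framework, whether the summary exists, control and evidence counts."""
    audits = {}
    for info in filter(None, map(parse_artifact_name, names)):
        a = audits.setdefault(info["unique_id"], {"framework": info["framework"],
                              "summary": False, "controls": 0, "evidence": 0})
        if info["kind"] == "audit_summary":
            a["summary"] = True
        else:
            a["controls" if info["kind"] == "control_report" else "evidence"] += 1
    return audits

# Constructed object names (not real Compliance Manager output) for a quick check.
SAMPLE_NAMES = [
    "audit-reports/audit_my_framework_20250101T125516/abc123/overall_report.ods",
    "audit-reports/audit_my_framework_20250101T125516/abc123/ctrl-01.ods",
    "audit-reports/audit_my_framework_20250101T125516/abc123/evidences/evidence_e1.json",
    "logs/unrelated.txt",
]
```

`group_by_audit` over a bucket listing tells you which audits have a summary report yet and how many control reports and evidence files each produced, which is what you need before downloading directly from the bucket.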

What's next
