Skip to main content

Bulk Policy Update

BETA FEATURE

This article describes functionality that is currently in beta.

The Lacework API enables you to create, delete, and update Lacework policies programmatically. You can update policies individually, using the Update Policies endpoint, or multiple policies at once, using the Bulk Update Policies (beta) endpoint described here.

Bulk Update Guidelines

The Bulk Update Policy API lets you change the status (enabled or disabled) or severity of multiple policies at a time.

The API reference documentation provides overview and usage information for the API. However, there are additional guidelines applicable to the use of the Bulk Update Policy API, as follows.

General Guidelines

General guidelines for using the Bulk Update Policy API include:

  1. Bulk operations to enable/disable policies apply only to LPP/LQL-based policies.
  2. If you are using Terraform to automate policy management, you cannot use the Bulk Update Policy APIs to enable/disable policies.
  3. Bulk operations are not compatible with config-analyzer (legacy) policies. They work only with LQL-based policies.

Enable/Disable Update Guidelines for Policies

In addition to the general guidelines, the following guidelines apply to the policies permitted in a single bulk update operation:

  1. To update policy status (enabled/disabled), all policies in a single bulk operation must have the same policy type, either compliance or violation. That is, all policies in a single batch must be either compliance policies or all must be violation policies.
  2. Manual policies cannot be bulk enabled/disabled.
  3. For compliance or violation policies, bulk enable or disable works only if the policies all have the same combination of metadata tag values; that is, a policy with these tags can only be updated with other policies with the same tag values:
    tags:
    - security:compliance
    - domain:AWS
  4. For violation policies, bulk enabling or disabling policies is only allowed if the policy sources are the same, CloudTrailRawEvents, Azure, or GCP. That is, the source of violation policies in a batch cannot be different cloud provider types.

Severity Update Guidelines for Policies

The enable/disable update guidelines also apply to operations to update severity, but with these additional guidelines:

  1. For compliance policies, all policies must also have the same original severity and metadata fields and tags, such as:
    Severity= medium 
    And:
    tags:
    - security:compliance
    - domain:AWS
    - subdomain: configuration
  2. For violation policies, all policies must have the same source and original severity value.

Bulk Update Example

The Bulk Update API enables you to change the severity or status (enabled/disabled) of multiple policies at a time. To use the Bulk Update API, send a list of policies with new field values to the Bulk API endpoint:

PATCH https://YourLacework.lacework.net/api/v2/Policies

A sample request body is as follows:

[
{
"policyId": "LW_Custom_UnrestrictedIngressToTCP445",
"enabled": true,
"severity": "high"
},
{
"policyId": "LW_Custom_UnrestrictedIngressToTCP139",
"enabled": true
}
]

This example updates the LW_Custom_UnrestrictedIngressToTCP445 policy with a new status and severity setting, along with a second policy, LW_Custom_UnrestrictedIngressToTCP139, with a new status value.

A successful response returns the full policy definition of each updated policy with new values. See Bulk Update Policies (beta) for more information about the API. Also note the following guidelines on the types of policies that can be submitted in a single batch.