Skip to main content

Add Compliance Policy Exceptions in the Lacework Console

Add exceptions to a Compliance policy through the Lacework Console.

note

Manual Policies cannot have exceptions applied to them.

Once an exception is added and appears in the Console, it will not take effect until the next compliance assessment run is complete.

Add an Exception to a Compliance Policy

  1. Log in to the Lacework Console and go to Policies.

  2. Click on a specific compliance policy to view the policy details.

  3. Click the Exceptions tab.

  4. Click Add exception to add an exception to this policy.

    Policy exceptions tab

  5. In the New Exception window, add your criteria for the exception.

    New Exceptions tab

  6. (Optional) Enter a Comment for the exception.

  7. Click Add Exception / Save to add your exception to the policy.

    The new exception appears in the Exceptions tab list of the compliance policy.

Add Exception Criteria

The exception criteria varies from policy to policy.

As a general rule, the first variable always applies to the cloud account. The rest of the criteria depends on the affected resource.

AWS Exceptions

Do not use the ARN format when providing the resource name value for policy exceptions.

For example, using arn:aws:s3:::mys3bucket is not accepted, as only mys3bucket should be provided.

GCP Exceptions

The Resource Name field value must be in the full resource name format unless you are using wildcards.

For example, use //storage.googleapis.com/myBucketName instead of just myBucketName.

Additionally, the organizations and projects fields should be in ID format.

Wildcard Usage

info

All field values except Resource Tags, Resource Label, and Resource Labels accept wildcards.

You can use wildcards to match and exclude singular or multiple resources. Lacework allows RLIKE (Regex pattern matching) when using wildcards.

For example, if you wanted to exclude the AWS resource mySecurityGroup_sg, you can exclude it using wildcards with one of the following examples:

  • Group Id/Name = *_sg
  • Group Id/Name = *SecurityGroup*
  • Group Id/Name = mySecurityGroup*

For GCP, if you wanted to exclude the resource //storage.googleapis.com/myBucketName, the following example will work:

  • Resource Name = *myBucketName

Example Criteria

The following example shows how to add exception criteria to the lacework-global-54 policy.

note

The exception criteria that you can add depends on the type of resource that is affected by the policy. This example is specific to an Amazon S3 bucket.

  1. Locate the lacework-global-54 policy on the Policies page. Click it to open the Policy Drawer and click the Exceptions tab. Click Add exception.

  2. Select an account from the Account Ids dropdown list to associate with this exception. Choose either a specific account identifier or All Accounts.

    You can also search for accounts in the Account Ids field.

  3. Click + Add Criteria to add exception parameters for this policy.

    New Exceptions tab

  4. Select Bucket Name or Resource Tags to add exceptions to the policy based on your needs.

  5. Select or enter one or more values in the Bucket Name or Resource Tags field(s) for this exception.

  6. Select one or more resource tags in the Resource Tags field for this exception.

    Example new exception for resource tag owner:dev

    If the key:value for this resource tag is not valid, the Lacework Console shows an error message.

    Please enter the tag with the format of key:value

  7. (Optional) Enter a Comment for the exception.

  8. Click Save to save your new exception to the policy. Your new exception appears in the list for the compliance policy.

    You successfully created exception message

Add Compliance Exceptions in the Cloud Compliance Dashboard

Compliance Policy Exceptions can also be added in the Cloud Compliance dashboard.

  1. Go to Compliance > Cloud in the Lacework Console.

  2. Click Group by Policy to view individual policy assessments.

  3. Under filters, select the Report that you want to view (for example: Azure CIS Benchmark). Policies that apply to the selected report are shown.

  4. Click a policy to view more details in the Policy Drawer.

  5. Add exceptions using either of these methods:

    • Click View exceptions to see details of any exception defined for this policy. Click Add exception and provide the exception criteria. Click Save once complete.

    • If you want to add an exception for a resource listed in the Policy Drawer table, click the additional options button Additional Options for the resource.

      Add an exception from the policy drawer

      Click Add exception to enter the Exceptions tab for the policy. The Key Id/Alias is filled with the resource you selected.

Add Compliance Exceptions in the Kubernetes Compliance Dashboard

Kubernetes Compliance Policy Exceptions can also be added in the Kubernetes Compliance Dashboard.

  1. Go to Compliance > Kubernetes in the Lacework Console.
  2. Click Group by Policy to view individual policy assessments.
  3. (Optional) Use filters and/or the search function to find specific policies.
  4. Click a policy to view more details in the Policy Drawer.
  5. Click View exceptions to see details of any exception defined for this policy.
  6. Click Add exception and provide the exception criteria.
  7. Click Save once complete.