Create a Custom Policy

This topic describes how to create a policy with the Lacework CLI.

If you are new to the Lacework CLI, see Get Started to learn about installing and configuring the CLI.

This walkthrough shows you how to create a custom policy that checks for unrestricted ingress to TCP port 445.

note

For additional documentation about creating policies, see Policies.

Create a Policy

  1. Open your text editor, create a new file, and add the following content:

    ---
    title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
    enabled: false
    policyType: Violation
    alertEnabled: false
    alertProfile: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation
    evalFrequency: Daily
    queryId: LW_Custom_UnrestrictedIngressToTCP445
    severity: high
    description: Security groups should not allow unrestricted ingress to TCP port 445
    remediation: Policy remediation

    The fields in the policy definition are:

    • title: Customize the event title.
    • enabled: Enable or disable the policy (true|false).
    • policyType: Enter Violation as the policyType.
    • alertEnabled: Enable or disable alerts (true|false).
    • alertProfile: Provide the alertProfile and alert template name within the alert profile. It follows the format alertProfileId.alert_template_name.
    • evalFrequency: Optional. Set the evalFrequency (Hourly|Daily).
    • queryId: Provide the queryId. It must match the ID of the query you want to use.
    • severity: Set the desired severity (critical|high|medium|low|info).
    • description: Customize the description to display.
    • remediation: Customize the remediation message to display.
      info

      See the note following these steps for information on the optional policyId field.

  2. Save the file as YAML with the filename UnrestrictedIngressToTCP445.yaml. Note the file's location.

  3. In the Lacework CLI, run this command:

    lacework policy create -f <path_to>/UnrestrictedIngressToTCP445.yaml
    Response
    The policy <policy_name> was created.
  4. You can view the policy you created using the show command. For example, given a policyId of dev8-unrestrictedtcp-1234, enter:

    lacework policy show dev8-unrestrictedtcp-1234
    Response
           POLICY ID           SEVERITY               TITLE                 STATE     ALERT STATE   FREQUENCY                 QUERY ID                           TAGS
    ----------------------------+----------+--------------------------------+----------+-------------+-----------+---------------------------------------+--------------------------
    dev8-unrestrictedtcp-1234 high Security Groups Should Not disabled disabled Daily LW_Custom_UnrestrictedIngressToTCP445 domain:AWS
    Allow Unrestricted Ingress to subdomain:Configuration
    TCP Port 445 SH

    POLICY DETAILS
    ----------------------------------------------------------------------------------------------------
    DESCRIPTION Security groups should not allow unrestricted ingress to TCP port 445
    REMEDIATION Policy remediation
    POLICY TYPE Violation
    LIMIT 1000
    ALERT PROFILE LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation
    TAGS domain:AWS
    subdomain:Configuration
    OWNER username@email.net
    UPDATED AT 2023-01-11T00:39:22.000Z
    UPDATED BY username@email.net
    EVALUATION FREQUENCY Daily

note

If you do not specify a policyId when creating a policy, Lacework automatically generates one for you. This is the recommended workflow. However, you can define your own policyId in this format: all lowercase letters optionally followed by a hyphen (-) and numbers, for example, abcd-1234.

If you specify your own policyId, Lacework prepends it with the account name. The final policyId would then be something like lwaccountname-abcd-1234. Be sure to use that policyId when referring to your custom policy using the CLI or API.
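Before running lacework policy create, it helps to check a policy file against the field rules listed above (and the policyId format from this note). The following is an added example, not part of the Lacework CLI or this page's original content; it uses a minimal flat key: value parser in place of a YAML library so it runs offline, and the sample input is the policy definition from this page embedded as a string.

```python
import re

# Constructed sample input: the policy definition shown above, as a file's contents.
SAMPLE_POLICY = """---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation
"""
REQUIRED = ("title", "enabled", "policyType", "alertEnabled", "alertProfile",
            "queryId", "severity", "description", "remediation")
SEVERITIES = {"critical", "high", "medium", "low", "info"}

def parse_flat_yaml(text):
    """Parse the flat 'key: value' layout of a policy file (no nesting, no lists)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "---" or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields

def validate_policy(fields):
    """Return the problems found; an empty list means the file follows the rules above."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in fields]
    for k in ("enabled", "alertEnabled"):
        if fields.get(k, "false") not in ("true", "false"):
            problems.append(f"{k} must be true|false, got {fields[k]!r}")
    if fields.get("policyType", "Violation") != "Violation":
        problems.append("policyType must be Violation")
    # alertProfile is alertProfileId.alert_template_name: exactly one dot between them.
    if "alertProfile" in fields and not re.fullmatch(r"[^.\s]+\.[^.\s]+", fields["alertProfile"]):
        problems.append("alertProfile must be alertProfileId.alert_template_name")
    if fields.get("evalFrequency", "Daily") not in ("Hourly", "Daily"):  # optional field
        problems.append("evalFrequency must be Hourly|Daily")
    if fields.get("severity", "info") not in SEVERITIES:
        problems.append("severity must be critical|high|medium|low|info")
    # Optional policyId: lowercase letters, optionally followed by a hyphen and digits.
    if "policyId" in fields and not re.fullmatch(r"[a-z]+(-[0-9]+)?", fields["policyId"]):
        problems.append("policyId must be lowercase letters optionally followed by -digits")
    return problems
```

Run validate_policy(parse_flat_yaml(open("UnrestrictedIngressToTCP445.yaml").read())) and fix anything it reports before creating the policy.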

Update a Policy

To update the policy you just created:

  1. Run the following command:
    lacework policy update <policy_name>
  2. At the following prompt, confirm that you want to launch a text editor by pressing enter:
    Use the editor to update your policy [Enter to launch editor]
  3. Update the policy definition in the editor.
  4. Save the policy.
    Response
    The policy <policy_name> was updated.