Create a Custom Policy
This topic describes how to create a policy with the Lacework CLI.
If you are new to the Lacework CLI, see Get Started to learn about installing and configuring the CLI.
This walkthrough shows you how to create a custom policy that checks for unrestricted ingress to TCP port 445.
Note: For additional documentation about creating policies, see Policies.
Create a Policy
Open your text editor, create a new file, and add the following content:
---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation

The fields in the policy definition are:

title: Customize the event title.
enabled: Enable or disable the policy (true|false).
policyType: Enter Violation as the policyType.
alertEnabled: Enable or disable alerts (true|false).
alertProfile: Provide the alertProfile and alert template name within the alert profile. It follows the format alertProfileId.alert_template_name.
evalFrequency: Optional. Set the evalFrequency (Hourly|Daily).
queryId: Provide the queryId. It must match the ID of the query you want to use.
severity: Set the desired severity (critical|high|medium|low|info).
description: Customize the description to display.
remediation: Customize the remediation message to display.

Info: See the note following these steps for information on the optional policyId field.
Save the file as YAML with the filename UnrestrictedIngressToTCP445.yaml. Note the file's location.
In the Lacework CLI, run this command:
lacework policy create -f <path_to>/UnrestrictedIngressToTCP445.yaml
Response:
The policy <policy_name> was created.
You can view the policy you created using the show command. For example, given a policyId of dev8-unrestrictedtcp-1234, enter:
lacework policy show dev8-unrestrictedtcp-1234
Response:
POLICY ID SEVERITY TITLE STATE ALERT STATE FREQUENCY QUERY ID TAGS
----------------------------+----------+--------------------------------+----------+-------------+-----------+---------------------------------------+--------------------------
dev8-unrestrictedtcp-1234 high Security Groups Should Not disabled disabled Daily LW_Custom_UnrestrictedIngressToTCP445 domain:AWS
Allow Unrestricted Ingress to subdomain:Configuration
TCP Port 445 SH
POLICY DETAILS
----------------------------------------------------------------------------------------------------
DESCRIPTION Security groups should not allow unrestricted ingress to TCP port 445
REMEDIATION Policy remediation
POLICY TYPE Violation
LIMIT 1000
ALERT PROFILE LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation
TAGS domain:AWS
subdomain:Configuration
OWNER username@email.net
UPDATED AT 2023-01-11T00:39:22.000Z
UPDATED BY username@email.net
EVALUATION FREQUENCY Daily
Note: If you do not specify a policyId when creating a policy, Lacework automatically generates one for you. This is the recommended workflow. However, you can define your own policyId in this format: all lowercase letters optionally followed by a hyphen (-) and numbers, for example, abcd-1234.

If you specify your own policyId, Lacework prepends it with the account name. The final policyId would then be something like lwaccountname-abcd-1234. Be sure to use that policyId when referring to your custom policy using the CLI or API.
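Before running lacework policy create, it is useful to lint the YAML file against the field rules listed above and the custom policyId format from this note, so that a typo in severity or a malformed policyId is caught locally rather than by the API. The following is an added example, not part of the Lacework CLI or its documentation; it parses the flat key: value file without PyYAML, and the policyId regex is this example's reading of the page's wording.

```python
import re
# Allowed values and required fields as listed on this page.
ALLOWED = {"enabled": {"true", "false"}, "alertEnabled": {"true", "false"},
           "policyType": {"Violation"}, "evalFrequency": {"Hourly", "Daily"},
           "severity": {"critical", "high", "medium", "low", "info"}}
REQUIRED = ("title", "enabled", "policyType", "alertEnabled", "alertProfile",
            "queryId", "severity", "description", "remediation")
ALERT_PROFILE_RE = re.compile(r"^[A-Za-z0-9_]+\.[A-Za-z0-9_]+$")  # alertProfileId.alert_template_name
# Custom policyId: lowercase letters, optionally a hyphen and digits (example's reading of the page).
POLICY_ID_RE = re.compile(r"^[a-z]+(-[0-9]+)?$")


def parse_policy(text):
    """Minimal parser for the flat 'key: value' policy file; avoids a PyYAML dependency."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "---" or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        policy[key.strip()] = value.strip()
    return policy


def lint_policy(policy):
    """Return problems found; an empty list means the file is ready for 'lacework policy create'."""
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in policy]
    for field, allowed in ALLOWED.items():
        if field in policy and policy[field] not in allowed:
            problems.append(f"{field}={policy[field]!r} not one of {sorted(allowed)}")
    if "alertProfile" in policy and not ALERT_PROFILE_RE.match(policy["alertProfile"]):
        problems.append("alertProfile must look like alertProfileId.alert_template_name")
    if "policyId" in policy and not POLICY_ID_RE.match(policy["policyId"]):
        problems.append("policyId must be lowercase letters optionally followed by -digits")
    return problems


# Constructed sample: the policy from this page with a custom policyId added.
SAMPLE = """---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation
policyId: abcd-1234
"""
```

Run lint_policy(parse_policy(SAMPLE)) and fix anything it reports before saving the file and calling the CLI; remember that Lacework will prefix a custom policyId with your account name.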
Update a Policy
To update the policy you just created, use this command:
- Run the following command:
lacework policy update <policy_name>
- At the following prompt, confirm that you want to launch a text editor by pressing enter:
Use the editor to update your policy [Enter to launch editor]
- Update the policy definition in the editor.
- Save the policy.
Response:
The policy <policy_name> was updated.