Custom Policy Types
There are several types of Lacework policies: violation, compliance, and manual.
You can create custom policies using the CLI or API. When creating a custom policy, you pass a policy definition as a JSON file. The policy types with example definitions appear below.
Lacework supports custom violation and compliance policies.
Violation
Violation policies check for activity violations, for example, as indicated in CloudTrail or Kubernetes audit logs. Violation policies generate one alert for each violation.
Violation policies contain an alertProfile field. This field controls the information presented for an alert as the "5 Ws" (why, when, who, what, and where) in the console's Alert Details panel, seen, for example, under Resources > Cloud > AWS CloudTrail.
{
  "policyId": "lacework-global-1",
  "title": "VPC Change",
  "enabled": true,
  "policyType": "Violation",
  "alertEnabled": true,
  "alertProfile": "LW_CloudTrail_Alerts.VPCChange_AwsResource",
  "evalFrequency": "Hourly",
  "queryId": "LW_Global_AWS_CTA_VPCChange",
  "severity": "medium",
  "description": "A VPC was created, deleted or changed",
  "remediation": "Check that the VPC change was expected.\nEnsure only specified users can modify VPCs."
}
Compliance
Compliance policies check for configuration compliance, such as whether AWS resources are properly configured. Every resource that violates a policy can have multiple reasons for non-compliance. Unlike violation policies, compliance policies generate one alert per policy. For example, if three S3 buckets violate a policy, Lacework generates only one alert, which lists the non-compliant resources.
{
  "policyId": "lacework-global-75",
  "title": "Ensure CloudTrail log file validation is enabled",
  "enabled": false,
  "policyType": "Compliance",
  "alertEnabled": false,
  "severity": "low",
  "description": "CloudTrail log file validation creates a digitally signed digest\nfile containing a hash of each log that CloudTrail writes to S3. These digest\nfiles can be used to determine whether a log file was changed, deleted, or unchanged\nafter CloudTrail delivered the log. It is recommended that file validation be\nenabled on all CloudTrails.",
  "remediation": "Perform the following to enable log file validation on a given trail:\nFrom Console:\n1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)\n2. Click on Trails on the left navigation pane\n3. Click on target trail\n4. Within the S3 section click on the edit icon (pencil)\n5. Click Advanced\n6. Click on the Yes radio button in section Enable log file validation\n7. Click Save\nFrom Command Line:\naws cloudtrail update-trail --name <trail_name> --enable-log-file-validation\nNote that periodic validation of logs using these digests can be performed by running the following command:\naws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>",
  "references": [
    "CCE-78914-9",
    "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html"
  ],
  "infoLink": "https://docs.lacework.com/catalog/policies/lacework-global-75",
  "queryId": "LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled",
  "tags": [
    "security:compliance",
    "framework:cis-aws-1-4-0",
    "control:3.2",
    "identifier:CCE-78914-9",
    "domain:AWS",
    "subdomain:Configuration"
  ]
}
Manual
Note: Custom manual policies are not supported.
Manual policies represent recommendations that cannot be automated but still provide useful information, and they are included in compliance reports. However, manual policies do not result in an automated assessment.
{
  "policyId": "lacework-global-32",
  "title": "Ensure security contact information is registered",
  "policyType": "Manual",
  "severity": "low",
  "description": "AWS provides customers with the option of specifying the contact\ninformation for account's security team. It is recommended that this information\nbe provided.",
  "remediation": "Perform the following to establish security contact information:\nFrom Console:\n1. Click on your account name at the top right corner of the console.\n2. From the drop-down menu Click My Account\n3. Scroll down to the Alternate Contacts section\n4. Enter contact information in the Security section\nNote: Consider specifying an internal email distribution list to ensure emails\nare regularly monitored by more than one individual.",
  "references": [
    "CCE-79200-2"
  ],
  "infoLink": "https://docs.lacework.com/catalog/policies/lacework-global-32",
  "tags": [
    "security:compliance",
    "framework:cis-aws-1-4-0",
    "control:1.2",
    "identifier:CCE-79200-2",
    "domain:AWS",
    "subdomain:Configuration"
  ]
}
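As an added example (not part of the Lacework docs, CLI or API), the preflight check below validates a custom policy definition JSON before it is submitted: it rejects the Manual type, checks the per-type fields shown in the example definitions above, and checks the `<profile>.<alert>` shape of alertProfile. The required-field sets and the severity list are assumptions inferred from this page's examples, not Lacework's published schema.

```python
import json

# Fields present in every custom policy definition shown on this page.
COMMON_REQUIRED = {"title", "enabled", "policyType", "severity", "description", "remediation"}
# Type-specific fields, inferred from the page's example definitions
# (an assumption for this preflight check, not Lacework's published schema).
TYPE_REQUIRED = {
    "Violation": {"alertEnabled", "alertProfile", "evalFrequency", "queryId"},
    "Compliance": {"alertEnabled", "queryId"},
}
SEVERITIES = {"critical", "high", "medium", "low", "info"}  # assumed severity levels


def validate_policy(policy: dict) -> list[str]:
    """Return a list of problems; an empty list means the definition passes."""
    problems = []
    ptype = policy.get("policyType")
    if ptype == "Manual":
        # Manual policies are Lacework-provided only; custom ones are not supported.
        return ["policyType Manual is not supported for custom policies"]
    if ptype not in TYPE_REQUIRED:
        return [f"unknown policyType {ptype!r}; expected Violation or Compliance"]
    required = COMMON_REQUIRED | TYPE_REQUIRED[ptype]
    for field in sorted(required - policy.keys()):
        problems.append(f"missing field {field!r} for a {ptype} policy")
    if str(policy.get("severity", "")).lower() not in SEVERITIES:
        problems.append(f"unexpected severity {policy.get('severity')!r}")
    # The example uses "<alert profile>.<alert name>", so require the dot.
    if "alertProfile" in policy and "." not in str(policy["alertProfile"]):
        problems.append("alertProfile should be '<alert profile>.<alert name>'")
    return problems


def validate_policy_json(text: str) -> list[str]:
    """Parse a JSON policy definition (as passed to the CLI/API) and validate it."""
    try:
        return validate_policy(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]


# Constructed samples: a Violation definition shaped like the page's example,
# the same definition with alertProfile dropped, and the same one retyped as Manual.
GOOD = {
    "title": "VPC Change", "enabled": True, "policyType": "Violation",
    "alertEnabled": True, "alertProfile": "LW_CloudTrail_Alerts.VPCChange_AwsResource",
    "evalFrequency": "Hourly", "queryId": "LW_Global_AWS_CTA_VPCChange",
    "severity": "medium", "description": "A VPC was created, deleted or changed",
    "remediation": "Check that the VPC change was expected.",
}
NO_PROFILE = {k: v for k, v in GOOD.items() if k != "alertProfile"}
MANUAL = {**GOOD, "policyType": "Manual"}
```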