Lacework AWS Security Addendum 1.0
Lacework AWS Security Addendum 1.0 policies supplement the CIS AWS benchmark with rules for AWS S3, IAM, Lambda, networking, analytics, database, and general security.
For a mapping between legacy Lacework rules and the Lacework AWS Security Addendum 1.0 policies, see CIS AWS 1.4.0 - Legacy Lacework AWS Rule Mapping.
Prerequisites
Before using Lacework AWS Security Addendum 1.0 policies, you need to integrate your AWS environment with the Lacework Compliance platform.
The following articles describe how to integrate your AWS environment with the Lacework Compliance platform, depending on your specific environment:
- Integrate Lacework with AWS - Terraform
- Choose one of the configuration options to enable AWS configuration compliance. These articles provide guidance on multiple deployment scenarios.
- Integrate Lacework with AWS - AWS CloudFormation
- Choose one of the configuration options to enable AWS configuration compliance.
- If you have SSE-KMS enabled on your CloudTrail bucket, configure additional permissions.
- Integrate Lacework with AWS - AWS GovCloud (US)
- This guide is for AWS GovCloud (US) users specifically.
Enable the Lacework AWS Security Addendum Policies
All policies in the Lacework AWS Security Addendum are enabled by default. You can disable or enable them as follows.
Enable or Disable Policies through the Lacework Console
On the Policies page, use the framework:aws-lacework-security-1-0 tag to filter for Lacework AWS Security Addendum policies only.
Enable or disable a policy using its status toggle: 
Alternatively, you can modify multiple policies at once, as described on Batch Update Policies.
Bulk Enable or Disable Policies through the Lacework CLI
Enable or disable all the Lacework AWS Security Addendum policies by using the following commands in the Lacework CLI:
Enable all policies
lacework policy enable --tag framework:aws-lacework-security-1-0
Disable all policies
lacework policy disable --tag framework:aws-lacework-security-1-0
tip
If you have not used the CLI before, see the Lacework CLI guide to get started.
Lacework AWS Security Addendum Policies
1: Identity and Access Management
| Policy ID | Policy Name | Severity |
|---|---|---|
| lacework‑global‑115 | Ensure access keys are rotated every 30 days or less | Medium |
| lacework-global-116 | Ensure access keys are rotated every 45 days or less | Medium |
| lacework-global-117 | Ensure public ssh keys are rotated every 30 days or less | Medium |
| lacework-global-118 | Ensure public ssh keys are rotated every 45 days or less | Medium |
| lacework-global-119 | Ensure public ssh keys are rotated every 90 days or less | High |
| lacework-global-120 | Ensure active access keys are used every 90 days or less | High |
| lacework-global-121 | IAM user should not be inactive for more than 30 days | Medium |
| lacework-global-181 | Ensure non-root user exists in the account | Medium |
| lacework-global-142 | Ensure access keys are rotated every 350 days or less | Medium |
| lacework-global-141 | Ensure access keys are rotated every 180 days or less | Critical |
| lacework-global-105 | No IAM users with password-based console access should exist | Medium |
2: Storage
| Policy ID | Policy Name | Severity |
|---|---|---|
| lacework‑global‑130 | Ensure the bucket ACL does not grant 'Everyone' READ permission (list S3 objects) | Critical |
| lacework-global-131 | Ensure the bucket ACL does not grant 'Everyone' WRITE permission (create, overwrite, and delete S3 objects) | Critical |
| lacework-global-132 | Ensure the bucket ACL does not grant 'Everyone' READ_ACP permission (read bucket ACL) | Critical |
| lacework-global-133 | Ensure the bucket ACL does not grant 'Everyone' WRITE_ACP permission (modify bucket ACL) | Critical |
| lacework-global-134 | Ensure the bucket ACL does not grant 'Everyone' FULL_CONTROL (READ, WRITE, READ_ACP, WRITE_ACP) | Critical |
| lacework-global-135 | Ensure the bucket ACL does not grant AWS users READ permission (list S3 objects) | Critical |
| lacework-global-136 | Ensure the bucket ACL does not grant AWS users WRITE permission (create, overwrite, and delete S3 objects) | Critical |
| lacework-global-137 | Ensure the bucket ACL does not grant AWS users READ_ACP permission (read bucket ACL) | Critical |
| lacework-global-138 | Ensure the bucket ACL does not grant AWS users WRITE_ACP permission (modify bucket ACL) | Critical |
| lacework-global-139 | Ensure the bucket ACL does not grant AWS users FULL_CONTROL (READ, WRITE, READ_ACP, WRITE_ACP) | Critical |
| lacework-global-140 | Ensure the attached S3 bucket policy does not grant 'Allow' permission to everyone | Critical |
| lacework-global-94 | Ensure the S3 bucket requires MFA to delete objects | Medium |
| lacework-global-217 | Ensure the S3 bucket has default server-side encryption enabled | High |
| lacework-global-96 | Ensure all data is transported from the S3 bucket securely | High |
| lacework-global-97 | Ensure the S3 bucket has versioning enabled | High |
| lacework-global-98 | Ensure the attached S3 bucket policy does not grant global 'Get' permission | Critical |
| lacework-global-99 | Ensure the attached S3 bucket policy does not grant global 'Delete' permission | Critical |
| lacework-global-100 | Ensure the attached S3 bucket policy does not grant global 'List' permission | Critical |
| lacework-global-101 | Ensure the attached S3 bucket policy does not grant global 'Put' permission | Critical |
3: Logging
| Policy ID | Policy Name | Severity |
|---|---|---|
| lacework‑global‑95 | Ensure the S3 bucket has access logging enabled | Low |
4: Networking
| Policy ID | Policy Name | Severity |
|---|---|---|
| lacework‑global‑227 | Security groups are not attached to an in-use network interface | Low |
| lacework-global-145 | Network ACLs do not allow unrestricted inbound traffic | Critical |
| lacework-global-146 | Network ACLs do not allow unrestricted outbound traffic | Medium |
| lacework-global-147 | AWS VPC endpoints should not be exposed | Medium |
| lacework-global-148 | Security group inbound traffic should not allow inbound traffic from all | Critical |
| lacework-global-149 | Security group inbound traffic should not allow traffic except port 80 and 443 | High |
| lacework-global-228 | Security group attached to EC2 instance should not allow inbound traffic from all ports | Critical |
| lacework-global-229 | Security group attached to RDS DB instance should not allow inbound traffic from all ports | Critical |
| lacework-global-230 | Security group attached to Network Interface should not allow inbound traffic from all ports | Critical |
| lacework-global-231 | Security group attached to Elastic Load Balancer should not allow inbound traffic from all ports | Critical |
| lacework-global-199 | Security group attached to Application Load Balancer should not allow inbound traffic from all | Critical |
| lacework-global-150 | Security Group should not allow inbound traffic from all to TCP port 9200 or 9300 (Opensearch/Elasticsearch) | High |
| lacework-global-151 | Security Group should not allow inbound traffic from all to TCP port 5601 (Kibana) | High |
| lacework-global-152 | Security Group should not allow inbound traffic from all to TCP port 6379 (Redis) | High |
| lacework-global-153 | Security Group should not allow inbound traffic from all to TCP port 2379 (etcd) | High |
| lacework-global-225 | ELB SSL Certificate expires in 5 Days | High |
| lacework-global-226 | ELB SSL Certificate expires in 45 Days | High |
| lacework-global-154 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 23 (Telnet) | High |
| lacework-global-155 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows RPC) | High |
| lacework-global-156 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows SMB) | High |
| lacework-global-104 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 3306 (MySQL) | High |
| lacework-global-106 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5432 (PostgreSQL) | High |
| lacework-global-107 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 1433 (SQLServer) | High |
| lacework-global-108 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 1434 (SQLServer) | High |
| lacework-global-109 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (MSQL) | High |
| lacework-global-110 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (VNC Listener) | High |
| lacework-global-111 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (VNC Server) | High |
| lacework-global-112 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 137 (NetBIOS) | High |
| lacework-global-113 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 138 (NetBIOS) | High |
| lacework-global-114 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 445 (CIFS) | High |
| lacework-global-218 | EC2 instance should not allow inbound traffic from all to TCP port 21 | High |
| lacework-global-219 | EC2 instance should not allow inbound traffic from all to TCP port 20 | High |
| lacework-global-220 | EC2 instance should not allow inbound traffic from all to TCP port 25 | High |
| lacework-global-221 | EC2 instance should not allow inbound traffic from all to TCP port 53 | High |
| lacework-global-222 | EC2 instance should not allow inbound traffic from all to UDP port 53 | High |
| lacework-global-102 | Redshift Cluster should not be Publicly Accessible | High |
| lacework-global-223 | ELB Security Group should have Outbound Rules attached to it | High |
| lacework-global-184 | ELB should not use insecure Cipher(s) | High |
| lacework-global-103 | EC2 instance should be deployed in EC2-VPC platform | High |
| lacework-global-125 | CloudFront Origin Protocol Policy should use https-only | High |
| lacework-global-126 | CloudFront Origin SSL Protocols should not use insecure Cipher(s) | High |
| lacework-global-127 | Security group should not allow inbound traffic from all to all ICMP | High |
| lacework-global-482 | Classic LBs should have a valid and secure security group | High |
| lacework-global-157 | No Default VPC should be present in an AWS account | Medium |
| lacework-global-128 | EC2 instances should not have a Public IP address attached | Medium |
| lacework-global-159 | Load Balancers should have Access Logs enabled | Medium |
| lacework-global-129 | CloudFront Viewer Protocol Policy should use https-only | High |
| lacework‑global‑483 | ELBs should have a valid and secure security group | High |
| lacework-global-93 | RDS should not have a Public Interface | Medium |
| lacework-global-196 | EC2 instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB) | High |
| lacework-global-197 | Elastic Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB) | High |
| lacework-global-198 | Application Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB) | High |
| lacework-global-122 | OpenSearch Domain should not be exposed | High |
| lacework-global-123 | OpenSearch Domain should be in Virtual Private Cloud (VPC) | High |
5: Lambda
| Policy ID | Policy Name | Severity |
|---|---|---|
| lacework‑global‑179 | Lambda Function should not have Admin Privileges | Critical |
| lacework-global-180 | Lambda Function should not have Cross Account Access | Critical |
| lacework-global-143 | Lambda Function should have tracing enabled | High |
| lacework-global-144 | Lambda Function should not have VPC access | Low |
6: General Security
| Policy ID | Policy Name | Severity |
|---|---|---|
| lacework‑global‑89 | EC2 instance does not have any tags | High |
| lacework-global-90 | Ensure EBS Volumes are Encrypted | Medium |
| lacework-global-160 | Ensure No Public EBS Snapshots | Critical |
| lacework-global-171 | Ensure RDS database is encrypted with customer managed KMS key | Critical |
| lacework-global-91 | Ensure Redshift Cluster is encrypted | Critical |
| lacework-global-92 | Ensure no server certificate has been uploaded before Heartbleed vulnerability | Critical |
| lacework-global-182 | Ensure ELB has latest Secure Cipher policies Configured for Session Encryption | Critical |
| lacework-global-224 | Ensure ELBv2 has latest Secure Cipher policies Configured for Session Encryption | Critical |
| lacework-global-183 | Ensure ELB is not affected by POODLE Vulnerability (CVE-2014-3566) | Critical |
| lacework-global-124 | OpenSearch Domain should have Encryption At Rest enabled | High |
| lacework-global-161 | OpenSearch Domain should have Encryption with KMS (Customer Managed Keys) | High |