
Legacy Lacework AWS Rule Mapping

This section shows how legacy Lacework rules map to the latest Lacework policies. Legacy Lacework rules consist of CIS AWS 1.1.0 rules and supplemental rules for AWS S3, IAM, Lambda, networking, analytics, database, and general security. For the latest rules, see CIS AWS 1.4.0 Benchmark Report and Lacework AWS Security Addendum v1.0 rules.

Note that changes between legacy rules and the latest policies may include a change in severity. When Lacework first assigned severities to the CIS AWS 1.4.0 policies, it used two guides: the severity Lacework had assigned to the corresponding CIS AWS 1.1.0 rule, and the severity AWS Security Hub assigns to the CIS control. These two sources differed significantly, so some rules ended up rated critical even though they were unlikely to represent a critical risk. In the latest policies, Lacework has assigned more suitable severity rankings.

The tables below list these severity differences and any other behavioral differences between rule versions.

S3 Rules

| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| LW_S3_1 | Critical | lacework-global-130 | Critical | None |
| LW_S3_2 | Critical | lacework-global-131 | Critical | None |
| LW_S3_3 | Critical | lacework-global-132 | Critical | None |
| LW_S3_4 | Critical | lacework-global-133 | Critical | None |
| LW_S3_5 | Critical | lacework-global-134 | Critical | None |
| LW_S3_6 | Critical | lacework-global-135 | Critical | None |
| LW_S3_7 | Critical | lacework-global-136 | Critical | None |
| LW_S3_8 | Critical | lacework-global-137 | Critical | None |
| LW_S3_9 | Critical | lacework-global-138 | Critical | None |
| LW_S3_10 | Critical | lacework-global-139 | Critical | None |
| LW_S3_11 | Critical | lacework-global-140 | Critical | None |
| LW_S3_12 | Medium | lacework-global-94 | Medium | None |
| LW_S3_13 | Low | lacework-global-95 | Low | None |
| LW_S3_14 | High | lacework-global-217 | Medium | Severity changed to medium. CIS AWS 1.1.0: may not find all S3 buckets violating encryption at rest (known bug). Impact: the CIS AWS 1.4.0 policy provides more accurate assessments. |
| LW_S3_15 | High | lacework-global-96 | High | None |
| LW_S3_16 | High | lacework-global-97 | High | None |
| LW_S3_17 | High | N/A | N/A | N/A |
| LW_S3_18 | Critical | lacework-global-98 | Critical | None |
| LW_S3_19 | Critical | lacework-global-99 | Critical | None |
| LW_S3_20 | Critical | lacework-global-100 | Critical | None |
| LW_S3_21 | Critical | lacework-global-101 | Critical | None |

Identity and Access Management Rules

| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| AWS_CIS_1_1 | Critical | lacework-global-36 | Low | Severity changed to low |
| AWS_CIS_1_2 | Critical | lacework-global-39 | High | Severity changed to high |
| AWS_CIS_1_3 | High | lacework-global-41 | Medium | Severity changed to medium. CIS AWS 1.1.0: evaluates enabled credentials that have been unused for 90 days or more. CIS AWS 1.4.0: evaluates enabled credentials that have been unused for 45 days or more. |
| AWS_CIS_1_4 | Critical | lacework-global-43 | Medium | Severity changed to medium |
| AWS_CIS_1_9 | Medium | lacework-global-37 | Medium | None |
| AWS_CIS_1_10 | High | lacework-global-38 | Low | Severity changed to low |
| AWS_CIS_1_12 | Critical | lacework-global-34 | Critical | None |
| AWS_CIS_1_13 | Critical | lacework-global-35 | Critical | None |
| AWS_CIS_1_14 | High | lacework-global-69 | Critical | Severity changed to critical. CIS AWS 1.1.0: evaluates whether MFANotEnabled is True. CIS AWS 1.4.0: evaluates whether MFANotEnabled is True, and additionally evaluates for root-account-mfa-device, since its presence indicates that the root account's MFA device is virtual rather than hardware. Impact: any virtual MFA devices that are configured appear as additional non-compliant evaluations in CIS AWS 1.4.0. |
| AWS_CIS_1_15 | Medium | lacework-global-33 | Low | Severity changed to low |
| AWS_CIS_1_16 | Critical | lacework-global-44 | Low | Severity changed to low. CIS AWS 1.1.0: ensures IAM policies are attached to users only through a group or role. CIS AWS 1.4.0: ensures IAM policies are attached to users only through a group. |
| AWS_CIS_1_19 | Medium | lacework-global-31 | Low | Severity changed to low |
| AWS_CIS_1_20 | Low | lacework-global-32 | Low | None |
| AWS_CIS_1_21 | High | lacework-global-70 | Medium | Severity changed to medium |
| AWS_CIS_1_22 | Info | lacework-global-46 | Low | Severity changed to low |
| AWS_CIS_1_23 | High | lacework-global-40 | Medium | Severity changed to medium. CIS AWS 1.1.0: does not check that IAM access key rotation is enabled, and excludes the AWS root user from evaluation. CIS AWS 1.4.0: includes the AWS root user in evaluation, and checks when each IAM access key was last rotated. Impact: the CIS AWS 1.4.0 report has at least one extra assessed resource (the root user), plus any IAM users whose access keys have not been rotated or enabled for rotation. |
| AWS_CIS_1_24 | Critical | lacework-global-45, lacework-global-485, lacework-global-486 | High | Severity changed to high. CIS AWS 1.1.0: assessments are done at the IAM policy level and check for the existence of any admin policy attachment (see Adjusted Rules for more policy mapping information). CIS AWS 1.4.0: checks are done at the IAM group, role, and user level, and report whether any user, group, or role has an admin policy attached. Impact: the total assessed count will likely be lower than under the AWS 1.1.0 benchmark, because resources (users, groups, and roles) are counted rather than policies. |
| LW_AWS_IAM_1 | Medium | lacework-global-115 | Medium | None |
| LW_AWS_IAM_2 | Medium | lacework-global-116 | Medium | None |
| LW_AWS_IAM_3 | Medium | lacework-global-117 | Medium | None |
| LW_AWS_IAM_4 | Medium | lacework-global-118 | Medium | None |
| LW_AWS_IAM_5 | High | lacework-global-119 | High | None |
| LW_AWS_IAM_6 | High | lacework-global-120 | High | None |
| LW_AWS_IAM_7 | Medium | lacework-global-121 | Medium | None |
| LW_AWS_IAM_8 | Medium | N/A | N/A | N/A |
| LW_AWS_IAM_9 | Medium | N/A | N/A | N/A |
| LW_AWS_IAM_10 | Medium | N/A | N/A | N/A |
| LW_AWS_IAM_11 | Medium | lacework-global-181 | Medium | None |
| LW_AWS_IAM_12 | Medium | lacework-global-142 | Medium | None |
| LW_AWS_IAM_13 | Critical | lacework-global-141 | Critical | None |
| LW_AWS_IAM_14 | Medium | lacework-global-105 | Medium | None |

Logging Rules

| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| AWS_CIS_2_1 | Critical | lacework-global-53 | Medium | Severity changed to medium |
| AWS_CIS_2_2 | High | lacework-global-75 | Low | Severity changed to low. CIS AWS 1.1.0: assessments include any shadowed CloudTrails. CIS AWS 1.4.0: assessments exclude shadowed CloudTrails. Impact: the CIS AWS 1.4.0 report may show fewer assessed CloudTrails, depending on the number of shadowed CloudTrails in the account. |
| AWS_CIS_2_3 | High | lacework-global-54 | High | None |
| AWS_CIS_2_4 | Low | lacework-global-55 | Low | CIS AWS 1.1.0: assessments include any shadowed CloudTrails. CIS AWS 1.4.0: assessments exclude shadowed CloudTrails. Impact: the CIS AWS 1.4.0 report may show fewer assessed resources, depending on the number of shadowed CloudTrails in the account. |
| AWS_CIS_2_5 | High | lacework-global-76 | High | None |
| AWS_CIS_2_6 | High | lacework-global-56 | High | None |
| AWS_CIS_2_7 | Medium | lacework-global-77 | High | CIS AWS 1.1.0: assessments include any shadowed CloudTrails. CIS AWS 1.4.0: assessments exclude shadowed CloudTrails. Impact: the CIS AWS 1.4.0 report may show fewer assessed resources, depending on the number of shadowed CloudTrails in the account. |
| AWS_CIS_2_8 | Critical | lacework-global-78 | High | Severity changed to high. CIS AWS 1.1.0: KMS keys in the 'Disabled' or 'PendingDeletion' key state are included in the violations if non-compliant. CIS AWS 1.4.0: KMS keys that are not enabled are NOT included in the violations, even if non-compliant. Impact: the CIS AWS 1.4.0 benchmark reports fewer violations if there are KMS keys in the 'Disabled' or 'PendingDeletion' key state. |
| AWS_CIS_2_9 | High | lacework-global-79 | Medium | Severity changed to medium |

Monitoring Rules

| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| AWS_CIS_3_1 | Critical | lacework-global-57 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_2 | Critical | lacework-global-58 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_3 | Critical | lacework-global-59 | Low | Severity changed to low. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_4 | High | lacework-global-60 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_5 | Medium | lacework-global-61 | Low | Severity changed to low. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_6 | High | lacework-global-82 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_7 | Critical | lacework-global-83 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_8 | High | lacework-global-62 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_9 | Medium | lacework-global-84 | Medium | CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_10 | Medium | lacework-global-85 | Medium | CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_11 | High | lacework-global-86 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_12 | High | lacework-global-63 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_13 | High | lacework-global-64 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |
| AWS_CIS_3_14 | High | lacework-global-65 | Medium | Severity changed to medium. CIS AWS 1.1.0: manual policy. CIS AWS 1.4.0: automated policy. |

Networking Rules

| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| AWS_CIS_4_1 | Critical | lacework-global-68 | High | Severity changed to high. CIS AWS 1.1.0: evaluates rules whose port range spans port 22 (from port <= 22 and to port >= 22) and that allow ingress from 0.0.0.0/0. CIS AWS 1.4.0: evaluates rules whose port range spans port 22 (<= 22 and >= 22) and allow ingress from 0.0.0.0/0, and also rules whose port range spans port 3389 (<= 3389 and >= 3389) and allow ingress from 0.0.0.0/0. Impact: the CIS AWS 1.4.0 benchmark covers more port range combinations, so violation counts may differ. |
| AWS_CIS_4_2 | Critical | lacework-global-68 | High | Severity changed to high. CIS AWS 1.1.0: evaluates rules whose port range spans port 3389 (from port <= 3389 and to port >= 3389) and that allow ingress from 0.0.0.0/0. CIS AWS 1.4.0: evaluates rules whose port range spans port 22 (<= 22 and >= 22) and allow ingress from 0.0.0.0/0, and also rules whose port range spans port 3389 (<= 3389 and >= 3389) and allow ingress from 0.0.0.0/0. Impact: the CIS AWS 1.4.0 benchmark covers more port range combinations, so violation counts may differ. |
| AWS_CIS_4_3 | - | lacework-global-79 | Medium | None |
| AWS_CIS_4_4 | High | lacework-global-87 | High | CIS AWS 1.1.0: the assessed count is based on default security groups only. CIS AWS 1.4.0: the assessed count is based on all security groups, both default and non-default. Impact: the CIS AWS 1.4.0 report has a higher assessed count because it includes non-default security groups. |
| AWS_CIS_4_5 | Medium | lacework-global-88 (Manual) | High | Severity changed to high. CIS AWS 1.4.0: manual policy. Impact: the CIS AWS 1.4.0 report will not include this manual policy. |
| LW_AWS_NETWORKING_1 | Low | lacework-global-227 | Low | None |
| LW_AWS_NETWORKING_2 | Critical | lacework-global-145 | Critical | None |
| LW_AWS_NETWORKING_3 | Medium | lacework-global-146 | Medium | None |
| LW_AWS_NETWORKING_4 | Medium | lacework-global-147 | Medium | None |
| LW_AWS_NETWORKING_5 | Critical | lacework-global-148 | Critical | None |
| LW_AWS_NETWORKING_6 | High | lacework-global-149 | High | None |
| LW_AWS_NETWORKING_7 | Critical | lacework-global-228 | Critical | None |
| LW_AWS_NETWORKING_8 | Critical | lacework-global-229 | Critical | None |
| LW_AWS_NETWORKING_9 | Critical | lacework-global-230 | Critical | None |
| LW_AWS_NETWORKING_10 | Critical | lacework-global-231 | Critical | None |
| LW_AWS_NETWORKING_11 | Critical | lacework-global-199 | Critical | None |
| LW_AWS_NETWORKING_12 | High | lacework-global-150 | High | None |
| LW_AWS_NETWORKING_13 | High | lacework-global-151 | High | None |
| LW_AWS_NETWORKING_14 | High | lacework-global-152 | High | None |
| LW_AWS_NETWORKING_15 | High | lacework-global-153 | High | None |
| LW_AWS_NETWORKING_16 | High | lacework-global-225 | High | None |
| LW_AWS_NETWORKING_17 | High | lacework-global-226 | High | None |
| LW_AWS_NETWORKING_18 | High | lacework-global-154 | High | None |
| LW_AWS_NETWORKING_19 | High | lacework-global-155 | High | None |
| LW_AWS_NETWORKING_20 | High | lacework-global-156 | High | None |
| LW_AWS_NETWORKING_21 | High | lacework-global-104 | High | None |
| LW_AWS_NETWORKING_22 | High | lacework-global-106 | High | None |
| LW_AWS_NETWORKING_23 | High | lacework-global-107 | High | None |
| LW_AWS_NETWORKING_24 | High | lacework-global-108 | High | None |
| LW_AWS_NETWORKING_25 | High | lacework-global-109 | High | None |
| LW_AWS_NETWORKING_26 | High | lacework-global-110 | High | None |
| LW_AWS_NETWORKING_27 | High | lacework-global-111 | High | None |
| LW_AWS_NETWORKING_28 | High | lacework-global-112 | High | None |
| LW_AWS_NETWORKING_29 | High | lacework-global-113 | High | None |
| LW_AWS_NETWORKING_30 | High | lacework-global-114 | High | None |
| LW_AWS_NETWORKING_31 | High | lacework-global-218 | High | None |
| LW_AWS_NETWORKING_32 | High | lacework-global-219 | High | None |
| LW_AWS_NETWORKING_33 | High | lacework-global-220 | High | None |
| LW_AWS_NETWORKING_34 | High | lacework-global-221 | High | None |
| LW_AWS_NETWORKING_35 | High | lacework-global-222 | High | None |
| LW_AWS_NETWORKING_36 | High | lacework-global-148 | Critical | Severity changed to critical |
| LW_AWS_NETWORKING_37 | High | lacework-global-102 | High | None |
| LW_AWS_NETWORKING_38 | High | lacework-global-223 | High | None |
| LW_AWS_NETWORKING_39 | High | lacework-global-184 | High | None |
| LW_AWS_NETWORKING_40 | High | lacework-global-103 | High | None |
| LW_AWS_NETWORKING_41 | High | lacework-global-125 | High | None |
| LW_AWS_NETWORKING_42 | High | lacework-global-126 | High | None |
| LW_AWS_NETWORKING_43 | High | lacework-global-127 | High | None |
| LW_AWS_NETWORKING_44 | High | lacework-global-231 | Critical | Severity changed to critical |
| LW_AWS_NETWORKING_45 | High | lacework-global-482 | High | None |
| LW_AWS_NETWORKING_46 | High | lacework-global-157 | Medium | Severity changed to medium |
| LW_AWS_NETWORKING_47 | High | lacework-global-128 | Medium | Severity changed to medium |
| LW_AWS_NETWORKING_48 | High | N/A | N/A | N/A |
| LW_AWS_NETWORKING_49 | Low | lacework-global-159 | Medium | Severity changed to medium |
| LW_AWS_NETWORKING_50 | High | lacework-global-129 | High | None |
| LW_AWS_NETWORKING_51 | High | lacework-global-483 | High | CIS AWS 1.1.0: only supports "redirect" listeners. CIS AWS 1.4.0: supports all listener types. |
| LW_AWS_MONGODB_1 | High | lacework-global-196 | High | None |
| LW_AWS_MONGODB_2 | High | lacework-global-196 | High | None |
| LW_AWS_MONGODB_3 | High | lacework-global-197 | High | None |
| LW_AWS_MONGODB_4 | High | lacework-global-197 | High | None |
| LW_AWS_MONGODB_5 | High | lacework-global-198 | High | None |
| LW_AWS_MONGODB_6 | High | lacework-global-198 | High | None |
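The AWS_CIS_4_1 and AWS_CIS_4_2 rows above describe the same "port range spans 22 (or 3389) and ingress from 0.0.0.0/0" test, evaluated separately under CIS AWS 1.1.0 and jointly under CIS AWS 1.4.0. The following added example (not Lacework's policy code) models that evaluation over a constructed set of security groups shaped like EC2 DescribeSecurityGroups output, so the difference in violation counts between the two benchmark versions can be seen directly.

```python
"""Models the CIS AWS 4.1/4.2 open-ingress evaluation (added illustration, not
Lacework's code). Group names and rules below are constructed sample data."""

OPEN_WORLD = "0.0.0.0/0"

# Constructed sample groups; each rule carries a subset of the IpPermissions fields.
SECURITY_GROUPS = [
    {"GroupName": "default", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": OPEN_WORLD}]}]},
    {"GroupName": "rdp-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": OPEN_WORLD}]}]},
    {"GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": OPEN_WORLD}]}]},  # all protocols/ports
    {"GroupName": "internal-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443, "IpRanges": [{"CidrIp": OPEN_WORLD}]}]},
    {"GroupName": "ops-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [{"CidrIp": OPEN_WORLD}]}]},
]


def rule_exposes_port(rule, port):
    """True when the rule admits 0.0.0.0/0 and its range spans `port`, i.e.
    FromPort <= port <= ToPort. IpProtocol '-1' has no ports and covers all."""
    if not any(r.get("CidrIp") == OPEN_WORLD for r in rule.get("IpRanges", [])):
        return False
    if rule.get("IpProtocol") == "-1":
        return True
    return rule["FromPort"] <= port <= rule["ToPort"]


def violating_groups(groups, ports):
    """Sorted names of groups with any ingress rule open to the world on one of `ports`."""
    return sorted(
        g["GroupName"] for g in groups
        if any(rule_exposes_port(r, p) for r in g["IpPermissions"] for p in ports)
    )


def compare_benchmarks(groups):
    """Violation sets under the per-port 1.1.0 rules and the combined 1.4.0 policy."""
    return {
        "cis_1_1_0_rule_4_1": violating_groups(groups, [22]),
        "cis_1_1_0_rule_4_2": violating_groups(groups, [3389]),
        "cis_1_4_0_combined": violating_groups(groups, [22, 3389]),
    }


if __name__ == "__main__":
    for name, hits in compare_benchmarks(SECURITY_GROUPS).items():
        print(f"{name}: {len(hits)} violating group(s) -> {hits}")
```

Note that a range rule such as 20-25 is flagged for port 22 even though 22 is never written explicitly, which is why the "<= 22 and >= 22" wording in the table matters.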

LW General Security Rules

| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| LW_AWS_GENERAL_SECURITY_1 | High | lacework-global-89 | High | CIS AWS 1.1.0: assesses EBS volumes at a per-volume configuration level. CIS AWS 1.4.0: assesses at the EBS region configuration level (i.e., 17 regions). |
| LW_AWS_GENERAL_SECURITY_2 | Medium | lacework-global-90 | Medium | None |
| LW_AWS_GENERAL_SECURITY_3 | Critical | lacework-global-160 | Critical | None |
| LW_AWS_GENERAL_SECURITY_4 | Critical | lacework-global-171 | Critical | None |
| LW_AWS_GENERAL_SECURITY_5 | Critical | lacework-global-91 | Critical | None |
| LW_AWS_GENERAL_SECURITY_6 | Critical | lacework-global-92 | Critical | None |
| LW_AWS_GENERAL_SECURITY_7 | Critical | lacework-global-182, lacework-global-224 | Critical | None |
| LW_AWS_GENERAL_SECURITY_8 | Critical | lacework-global-183 | Critical | None |
| LW_AWS_SERVERLESS_1 | Critical | lacework-global-179 | Critical | None |
| LW_AWS_SERVERLESS_2 | High | lacework-global-180 | Critical | Severity changed to critical |
| LW_AWS_SERVERLESS_3 | High | N/A | N/A | N/A |
| LW_AWS_SERVERLESS_4 | High | lacework-global-143 | High | None |
| LW_AWS_SERVERLESS_5 | High | lacework-global-144 | Low | Severity changed to low |
| LW_AWS_RDS_1 | Medium | lacework-global-93 | Medium | None |

LW Elastic Search Rules

| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| LW_AWS_ELASTICSEARCH_1 | High | lacework-global-122 | High | None |
| LW_AWS_ELASTICSEARCH_2 | High | lacework-global-123 | High | None |
| LW_AWS_ELASTICSEARCH_3 | High | lacework-global-124 | High | None |
| LW_AWS_ELASTICSEARCH_4 | High | lacework-global-161 | High | None |