Legacy Lacework AWS Rule Mapping
This section shows how legacy Lacework rules map to the latest Lacework policies. Legacy Lacework rules consist of CIS AWS 1.1.0 rules and supplemental rules for AWS S3, IAM, Lambda, networking, analytics, database, and general security. For the latest rules, see CIS AWS 1.4.0 Benchmark Report and Lacework AWS Security Addendum v1.0 rules.
Notice that changes between legacy rules and latest policies may include a change to severity. When determining the severity of CIS AWS 1.4.0 policies, Lacework originally used the severity assigned by Lacework for CIS AWS 1.1.0 and the severity assigned by AWS Security Hub for CIS controls as guides. These differed significantly, resulting in rules that were assigned critical severity that were unlikely to be a critical risk. In the latest policies, Lacework has assigned more suitable severity rankings.
The tables below list these severity differences and any other behavioral differences between rule versions.
S3 Rules
| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| LW_S3_1 | Critical | lacework‑global‑130 | Critical | None |
| LW_S3_2 | Critical | lacework-global-131 | Critical | None |
| LW_S3_3 | Critical | lacework-global-132 | Critical | None |
| LW_S3_4 | Critical | lacework-global-133 | Critical | None |
| LW_S3_5 | Critical | lacework-global-134 | Critical | None |
| LW_S3_6 | Critical | lacework-global-135 | Critical | None |
| LW_S3_7 | Critical | lacework-global-136 | Critical | None |
| LW_S3_8 | Critical | lacework-global-137 | Critical | None |
| LW_S3_9 | Critical | lacework-global-138 | Critical | None |
| LW_S3_10 | Critical | lacework-global-139 | Critical | None |
| LW_S3_11 | Critical | lacework-global-140 | Critical | None |
| LW_S3_12 | Medium | lacework-global-94 | Medium | None |
| LW_S3_13 | Low | lacework-global-95 | Low | None |
| LW_S3_14 | High | lacework-global-217 | Medium | Severity changed to medium CIS AWS 1.1.0: • May not find all S3 buckets violating encryption at rest (known bug) Impact: • CIS AWS 1.4.0 policy provides more accurate assessments |
| LW_S3_15 | High | lacework-global-96 | High | None |
| LW_S3_16 | High | lacework-global-97 | High | None |
| LW_S3_17 | High | N/A | N/A | N/A |
| LW_S3_18 | Critical | lacework-global-98 | Critical | None |
| LW_S3_19 | Critical | lacework-global-99 | Critical | None |
| LW_S3_20 | Critical | lacework-global-100 | Critical | None |
| LW_S3_21 | Critical | lacework-global-101 | Critical | None |
Identity and Access Management Rules
| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| AWS_CIS_1_1 | Critical | lacework‑global‑36 | Low | Severity changed to low |
| AWS_CIS_1_2 | Critical | lacework-global-39 | High | Severity changed to high |
| AWS_CIS_1_3 | High | lacework-global-41 | Medium | Severity changed to medium CIS AWS 1.1.0: • Evaluates for enabled credentials that are unused for 90 days or more CIS AWS 1.4.0: • Evaluates for enabled credentials that are unused for 45 days or more |
| AWS_CIS_1_4 | Critical | lacework-global-43 | Medium | Severity changed to medium |
| AWS_CIS_1_9 | Medium | lacework-global-37 | Medium | None |
| AWS_CIS_1_10 | High | lacework-global-38 | Low | Severity changed to low |
| AWS_CIS_1_12 | Critical | lacework-global-34 | Critical | None |
| AWS_CIS_1_13 | Critical | lacework-global-35 | Critical | None |
| AWS_CIS_1_14 | High | lacework-global-69 | Critical | Severity changed to critical CIS AWS 1.1.0: • Evaluates if MFANotEnabled is True CIS AWS 1.4.0: • Evaluates if MFANotEnabled is True • Evaluates for root-account-mfa-device as this is an indicator that the MFA device for the root account is virtual, not hardware Impact: • If there are any virtual MFA configured, these will be extra appearances in non-compliant evaluations for CIS AWS 1.4.0 |
| AWS_CIS_1_15 | Medium | lacework-global-33 | Low | Severity changed to low |
| AWS_CIS_1_16 | Critical | lacework-global-44 | Low | Severity changed to low CIS AWS 1.1.0: • Ensure IAM policies are associated to users only by group or role CIS AWS 1.4.0: • Ensure IAM policies are associated to users only by group |
| AWS_CIS_1_19 | Medium | lacework-global-31 | Low | Severity changed to low |
| AWS_CIS_1_20 | Low | lacework-global-32 | Low | None |
| AWS_CIS_1_21 | High | lacework-global-70 | Medium | Severity changed to medium |
| AWS_CIS_1_22 | Info | lacework-global-46 | Low | Severity changed to low |
| AWS_CIS_1_23 | High | lacework-global-40 | Medium | Severity changed to medium CIS AWS 1.1.0: • Doesn't check that IAM access key rotation is enabled • Excludes AWS root user in evaluation CIS AWS 1.4.0: • Includes AWS root user in evaluation • Includes check on last time IAM access key was rotated Impact: • CIS AWS 1.4.0 report will have at least 1 extra assessed count due to the root user being included in the evaluation, as well as any IAM users that have IAM access keys that haven't been rotated or enabled for rotation |
| AWS_CIS_1_24 | Critical | lacework-global-45, lacework-global-485, lacework-global-486 | High | Severity changed to high AWS 1.1.0: • Assessments done at IAM policy level; checks for the existence of any admin policy attachment. See Adjusted Rules for more policy mapping information. AWS 1.4.0 • Checks done at IAM policy group, policy role, and IAM user level; checks whether any user, group or role has an admin policy attached Impact: • The total assessed count will likely be less than the count seen previously for the AWS 1.1.0 benchmark, because it counts the resources, such as user, group or role, rather than policies |
| LW_AWS_IAM_1 | Medium | lacework-global-115 | Medium | None |
| LW_AWS_IAM_2 | Medium | lacework-global-116 | Medium | None |
| LW_AWS_IAM_3 | Medium | lacework-global-117 | Medium | None |
| LW_AWS_IAM_4 | Medium | lacework-global-118 | Medium | None |
| LW_AWS_IAM_5 | High | lacework-global-119 | High | None |
| LW_AWS_IAM_6 | High | lacework-global-120 | High | None |
| LW_AWS_IAM_7 | Medium | lacework-global-121 | Medium | None |
| LW_AWS_IAM_8 | Medium | N/A | N/A | N/A |
| LW_AWS_IAM_9 | Medium | N/A | N/A | N/A |
| LW_AWS_IAM_10 | Medium | N/A | N/A | N/A |
| LW_AWS_IAM_11 | Medium | lacework-global-181 | Medium | None |
| LW_AWS_IAM_12 | Medium | lacework-global-142 | Medium | None |
| LW_AWS_IAM_13 | Critical | lacework-global-141 | Critical | None |
| LW_AWS_IAM_14 | Medium | lacework-global-105 | Medium | None |
Logging Rules
| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| AWS_CIS_2_1 | Critical | lacework‑global‑53 | Medium | Severity changed to medium |
| AWS_CIS_2_2 | High | lacework-global-75 | Low | Severity changed to low CIS AWS 1.1.0: • Assessments include any shadowed CloudTrails CIS AWS 1.4.0: • Assessments exclude shadowed CloudTrails Impact: • CIS AWS 1.4.0 report could result in reporting fewer assessed CloudTrails based on the number of shadowed CloudTrails in the account |
| AWS_CIS_2_3 | High | lacework-global-54 | High | None |
| AWS_CIS_2_4 | Low | lacework-global-55 | Low | CIS AWS 1.1.0: • Assessments include any shadowed CloudTrails CIS AWS 1.4.0: • Assessments exclude shadowed CloudTrails Impact: • CIS AWS 1.4.0 report could result in reporting fewer assessed resources based on the number of shadowed CloudTrails in the account |
| AWS_CIS_2_5 | High | lacework-global-76 | High | None |
| AWS_CIS_2_6 | High | lacework-global-56 | High | None |
| AWS_CIS_2_7 | Medium | lacework-global-77 | High | CIS AWS 1.1.0: • Assessments include any shadowed CloudTrails CIS AWS 1.4.0: • Assessments exclude shadowed CloudTrails Impact: • CIS AWS 1.4.0 report could result in reporting fewer assessed resources based on the number of shadowed CloudTrails in the account |
| AWS_CIS_2_8 | Critical | lacework-global-78 | High | Severity changed to high CIS AWS 1.1.0: • KMS keys that have a 'Disabled' or 'PendingDeletion' key state are included in the violations if non-compliant CIS AWS 1.4.0: • KMS keys that are not enabled are NOT included in violations if non-compliant Impact: • CIS AWS 1.4.0 benchmark reports fewer violations if there are KMS keys in the 'Disabled' or 'PendingDeletion' key state |
| AWS_CIS_2_9 | High | lacework-global-79 | Medium | Severity changed to medium |
Monitoring Rules
| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| AWS_CIS_3_1 | Critical | lacework‑global‑57 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_2 | Critical | lacework-global-58 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_3 | Critical | lacework-global-59 | Low | Severity changed to low CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_4 | High | lacework-global-60 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_5 | Medium | lacework-global-61 | Low | Severity changed to low CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_6 | High | lacework-global-82 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_7 | Critical | lacework-global-83 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_8 | High | lacework-global-62 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_9 | Medium | lacework-global-84 | Medium | CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_10 | Medium | lacework-global-85 | Medium | CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_11 | High | lacework-global-86 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_12 | High | lacework-global-63 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_13 | High | lacework-global-64 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
| AWS_CIS_3_14 | High | lacework-global-65 | Medium | Severity changed to medium CIS AWS 1.1.0: • Manual policy CIS AWS 1.4.0: • Automated policy |
Networking Rules
| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| AWS_CIS_4_1 | Critical | lacework‑global‑68 | High | Severity changed to high CIS AWS 1.1.0: • Evaluates ports <= 22 and >= 22 that allows ingress from 0.0.0.0/0 CIS AWS 1.4.0: • Evaluates ports <= 22 and >= 22 that allows ingress from 0.0.0.0/0 • Evaluates ports <= 3389 and >= 3389 that allows ingress from 0.0.0.0/0 Impact: • CIS AWS 1.4.0 benchmark covers more port range combinations; violation counts may differ |
| AWS_CIS_4_2 | Critical | lacework-global-68 | High | Severity changed to high CIS AWS 1.1.0: • Evaluates ports <= 3389 and >= 3389 that allows ingress from 0.0.0.0/0 CIS AWS 1.4.0: • Evaluates ports <= 22 and >= 22 that allows ingress from 0.0.0.0/0 • Evaluates ports <= 3389 and >= 3389 that allows ingress from 0.0.0.0/0 Impact: • CIS AWS 1.4.0 benchmark covers more port range combinations; violation counts may differ |
| AWS_CIS_4_3 | - | lacework-global-79 | Medium | None |
| AWS_CIS_4_4 | High | lacework-global-87 | High | CIS AWS 1.1.0: • Assessed count is based on default security groups only CIS AWS 1.4.0: • Assessed count is based on all security groups, both default and non-default Impact: • CIS AWS 1.4.0 report has a higher assessed count because it includes non-default security groups |
| AWS_CIS_4_5 | Medium | lacework-global-88 (Manual) | High | Severity changed to high CIS AWS 1.4.0: • Manual policy Impact: • CIS AWS 1.4.0 report will not include this manual policy |
| LW_AWS_NETWORKING_1 | Low | lacework-global-227 | Low | None |
| LW_AWS_NETWORKING_2 | Critical | lacework-global-145 | Critical | None |
| LW_AWS_NETWORKING_3 | Medium | lacework-global-146 | Medium | None |
| LW_AWS_NETWORKING_4 | Medium | lacework-global-147 | Medium | None |
| LW_AWS_NETWORKING_5 | Critical | lacework-global-148 | Critical | None |
| LW_AWS_NETWORKING_6 | High | lacework-global-149 | High | None |
| LW_AWS_NETWORKING_7 | Critical | lacework-global-228 | Critical | None |
| LW_AWS_NETWORKING_8 | Critical | lacework-global-229 | Critical | None |
| LW_AWS_NETWORKING_9 | Critical | lacework-global-230 | Critical | None |
| LW_AWS_NETWORKING_10 | Critical | lacework-global-231 | Critical | None |
| LW_AWS_NETWORKING_11 | Critical | lacework-global-199 | Critical | None |
| LW_AWS_NETWORKING_12 | High | lacework-global-150 | High | None |
| LW_AWS_NETWORKING_13 | High | lacework-global-151 | High | None |
| LW_AWS_NETWORKING_14 | High | lacework-global-152 | High | None |
| LW_AWS_NETWORKING_15 | High | lacework-global-153 | High | None |
| LW_AWS_NETWORKING_16 | High | lacework-global-225 | High | None |
| LW_AWS_NETWORKING_17 | High | lacework-global-226 | High | None |
| LW_AWS_NETWORKING_18 | High | lacework-global-154 | High | None |
| LW_AWS_NETWORKING_19 | High | lacework-global-155 | High | None |
| LW_AWS_NETWORKING_20 | High | lacework-global-156 | High | None |
| LW_AWS_NETWORKING_21 | High | lacework-global-104 | High | None |
| LW_AWS_NETWORKING_22 | High | lacework-global-106 | High | None |
| LW_AWS_NETWORKING_23 | High | lacework-global-107 | High | None |
| LW_AWS_NETWORKING_24 | High | lacework-global-108 | High | None |
| LW_AWS_NETWORKING_25 | High | lacework-global-109 | High | None |
| LW_AWS_NETWORKING_26 | High | lacework-global-110 | High | None |
| LW_AWS_NETWORKING_27 | High | lacework-global-111 | High | None |
| LW_AWS_NETWORKING_28 | High | lacework-global-112 | High | None |
| LW_AWS_NETWORKING_29 | High | lacework-global-113 | High | None |
| LW_AWS_NETWORKING_30 | High | lacework-global-114 | High | None |
| LW_AWS_NETWORKING_31 | High | lacework-global-218 | High | None |
| LW_AWS_NETWORKING_32 | High | lacework-global-219 | High | None |
| LW_AWS_NETWORKING_33 | High | lacework-global-220 | High | None |
| LW_AWS_NETWORKING_34 | High | lacework-global-221 | High | None |
| LW_AWS_NETWORKING_35 | High | lacework-global-222 | High | None |
| LW_AWS_NETWORKING_36 | High | lacework-global-148 | Critical | Severity changed to critical |
| LW_AWS_NETWORKING_37 | High | lacework-global-102 | High | None |
| LW_AWS_NETWORKING_38 | High | lacework-global-223 | High | None |
| LW_AWS_NETWORKING_39 | High | lacework-global-184 | High | None |
| LW_AWS_NETWORKING_40 | High | lacework-global-103 | High | None |
| LW_AWS_NETWORKING_41 | High | lacework-global-125 | High | None |
| LW_AWS_NETWORKING_42 | High | lacework-global-126 | High | None |
| LW_AWS_NETWORKING_43 | High | lacework-global-127 | High | None |
| LW_AWS_NETWORKING_44 | High | lacework-global-231 | Critical | Severity changed to critical |
| LW_AWS_NETWORKING_45 | High | lacework-global-482 | High | None |
| LW_AWS_NETWORKING_46 | High | lacework-global-157 | Medium | Severity changed to medium |
| LW_AWS_NETWORKING_47 | High | lacework-global-128 | Medium | Severity changed to medium |
| LW_AWS_NETWORKING_48 | High | N/A | N/A | N/A |
| LW_AWS_NETWORKING_49 | Low | lacework-global-159 | Medium | Severity changed to medium |
| LW_AWS_NETWORKING_50 | High | lacework-global-129 | High | None |
| LW_AWS_NETWORKING_51 | High | lacework-global-483 | High | CIS AWS 1.1.0: • Only supports "redirect" listeners CIS AWS 1.4.0: • Supports all listener types |
| LW_AWS_MONGODB_1 | High | lacework-global-196 | High | None |
| LW_AWS_MONGODB_2 | High | lacework-global-196 | High | None |
| LW_AWS_MONGODB_3 | High | lacework-global-197 | High | None |
| LW_AWS_MONGODB_4 | High | lacework-global-197 | High | None |
| LW_AWS_MONGODB_5 | High | lacework-global-198 | High | None |
| LW_AWS_MONGODB_6 | High | lacework-global-198 | High | None |
LW General Security Rules
| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| LW_AWS_GENERAL_ SECURITY_1 | High | lacework‑global‑89 | High | CIS AWS 1.1.0: • Assesses EBS volumes at a per volume configuration level CIS AWS 1.4.0: • Assesses at EBS region configuration level (i.e., 17 regions) |
| LW_AWS_GENERAL_ SECURITY_2 | Medium | lacework-global-90 | Medium | None |
| LW_AWS_GENERAL_ SECURITY_3 | Critical | lacework-global-160 | Critical | None |
| LW_AWS_GENERAL_ SECURITY_4 | Critical | lacework-global-171 | Critical | None |
| LW_AWS_GENERAL_ SECURITY_5 | Critical | lacework-global-91 | Critical | None |
| LW_AWS_GENERAL_ SECURITY_6 | Critical | lacework-global-92 | Critical | None |
| LW_AWS_GENERAL_ SECURITY_7 | Critical | lacework-global-182, lacework-global-224 | Critical | None |
| LW_AWS_GENERAL_ SECURITY_8 | Critical | lacework-global-183 | Critical | None |
| LW_AWS_SERVERLESS_1 | Critical | lacework-global-179 | Critical | None |
| LW_AWS_SERVERLESS_2 | High | lacework-global-180 | Critical | Severity changed to critical |
| LW_AWS_SERVERLESS_3 | High | N/A | N/A | N/A |
| LW_AWS_SERVERLESS_4 | High | lacework-global-143 | High | None |
| LW_AWS_SERVERLESS_5 | High | lacework-global-144 | Low | Severity changed to low |
| LW_AWS_RDS_1 | Medium | lacework-global-93 | Medium | None |
LW Elastic Search Rules
| Legacy Rule ID | Legacy Rule Severity | Lacework Policy ID | Current Severity | Behavioral Difference |
|---|---|---|---|---|
| LW_AWS_ELASTICSEARCH_1 | High | lacework‑global‑122 | High | None |
| LW_AWS_ELASTICSEARCH_2 | High | lacework-global-123 | High | None |
| LW_AWS_ELASTICSEARCH_3 | High | lacework-global-124 | High | None |
| LW_AWS_ELASTICSEARCH_4 | High | lacework-global-161 | High | None |