Working with Lacework Compliance Reports
Lacework AWS Compliance Reports help customers adhere to industry leading best practices and proactively monitor AWS infrastructure changes that may impact enterprise security. Although the reports are automated and provide an excellent snapshot, we encourage users to define exceptions to maximize feature value.
To spare the user a constant stream of 'non-compliant' reminders, Lacework only generates an event when a recommendation changes from 'compliant' to 'non-compliant'. What does this mean? It means that we are not going to alert you to changes that increase 'non-compliance' in an already 'non-compliant' category. However, if you write exceptions and make a category 'compliant', we will alert you if something changes.
Let's use S3 buckets as a first example as buckets are sometimes intentionally publicly readable for hosting static websites or public datasets.
If we write exceptions for such intentionally open buckets, we will then be alerted if someone creates a GetObject policy on an existing bucket. Depending on the desired result, Lacework provides different methods for writing exceptions. For certain S3 recommendations, users can incorporate tags, which require less maintenance because the exception list need not be edited each time a bucket is created and destroyed. For example, all publicly readable buckets (ListBucket public access ACL) can be tagged as public_read. Lacework will then automatically add all such buckets, including newly created or changed ones, to the exception list.
As a second example, consider AWS_CIS_1_24: Ensure IAM policies that allow full '*:*' administrative privileges are not created. Because the AWS-managed AdministratorAccess policy cannot be deleted, this recommendation will always be flagged as a violation. To ensure you are alerted if an IAM user creates an additional '*:*' policy, you must add the AWS AdministratorAccess policy as an exception.
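To make the AWS_CIS_1_24 example concrete, here is an added model of the alerting rule described above: the check for a '*:*' policy, an exception list, and an event only on the compliant-to-non-compliant transition. This is a constructed illustration written for this post, not Lacework's own code or API; the policy documents, ARNs and account ID are sample input, and the only assumption is the standard IAM policy JSON shape.

```python
# Constructed model of "alert only on compliant -> non-compliant", not Lacework code.

def is_full_admin(policy_doc):
    """AWS_CIS_1_24 check: any Allow statement granting Action '*' on Resource '*'."""
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # IAM allows a single string or a list for both fields; normalise to lists.
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False

def violations(policies, exceptions=()):
    """ARNs of policies failing the check, minus those on the exception list."""
    excepted = set(exceptions)
    return {arn for arn, doc in policies.items()
            if is_full_admin(doc) and arn not in excepted}

def emits_event(previous, current):
    """An event is raised only when the recommendation was compliant (no
    violations) before and is non-compliant (some violations) now."""
    return not previous and bool(current)

# Sample data (constructed): the built-in AWS-managed policy and a fake account.
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
FULL_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}

def scenario(exceptions=()):
    """Day 1: only AdministratorAccess and a read-only policy exist.
    Day 2: a user adds a second '*:*' policy. Returns whether day 2 raises an event."""
    day1 = {ADMIN_ARN: FULL_ADMIN,
            "arn:aws:iam::123456789012:policy/ReadOnly": READ_ONLY}
    day2 = {**day1, "arn:aws:iam::123456789012:policy/NewAdmin": FULL_ADMIN}
    return emits_event(violations(day1, exceptions), violations(day2, exceptions))

if __name__ == "__main__":
    print("without exception:", scenario())          # False: already non-compliant
    print("with exception:", scenario([ADMIN_ARN]))  # True: compliant -> non-compliant
```

Without the exception the new '*:*' policy is silently absorbed into an already non-compliant category; with AdministratorAccess excepted, the same change raises an event.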
It's good practice to review all the categories, especially the critical ones, and write exceptions to ensure Lacework works on your behalf. It will take some upfront effort, and in the modern enterprise, time is certainly at a premium. If we can help with the effort, please contact us.