To maximize the value of Lacework AWS compliance reports, we recommend using suppression. In addition to the report itself, Lacework creates an alert for every violation when the report is first run. Subsequently, Lacework will create an alert when a compliant recommendation changes to non-compliant or if an additional resource associated with a non-compliant recommendation produces a violation. Automated reports are run once a day and additional reports can be run on demand.
Use suppression to help create a structured view of your AWS resources. In addition, it allows you to focus on those assets that are most important to you.
To use suppression and write exceptions, navigate to AWS > Compliance Report. Select a recommendation with a violation and expand to view the non-compliant resources with the option to suppress. If you determine that a non-compliant resource is expected, you can mark it as an exception, which means that it will no longer be evaluated.
If you want to mark all shown resources as exceptions, you can click in the Actions column and select Suppress these violations only, which is helpful if you have a long list and want to select all the resources.
You can reactivate resources by either unchecking them individually or by clicking the Actions column and selecting Restore these violations only.
When expanding the Actions column, you can also select Advanced Suppression, which provides additional options. To disable the recommendation entirely, click Off in the Status column. Turning a recommendation OFF means that it will no longer be evaluated as part of the compliance report.
To create a new custom exception rule, click +New Exception. The available fields are dependent on the type of recommendation. Less complex recommendations typically have fewer options.
To add an exception using a Group Id/Name, you must provide this in the security group (resource) ID format. Using the ARN format does not suppress the resource.
Because AWS_CIS_4_2 supports exceptions by tag, you can use tags with your security groups to automatically suppress security_groups that are in violation by design. For example, you could create an AWS tag named 'ssh_access' with values of 'open' and 'limited'. You could then add the 'open' tag to any security groups, which you intend to be reachable from 0.0.0.0/0. As long as you included the tag upon creation, the new security group exceptions are automatically created.
After adding your tags, click Add Tag, Add Exception and Save to save your custom suppression rule. For AWS_CIS_4_2, you also have options to customize suppression by account, region and GroupID/Name.
Lacework compliance suppression is very flexible and powerful. Take the time to write exceptions so you can focus on your most important assets.