To populate the AWS data viewed in this page, you must configure an integration with at least one AWS account. For more information, see Lacework for AWS.
While the Compliance Dashboard provides a great overview of your accounts and resources, the Compliance Reports page is where data is presented to help you take action. The Compliance Reports page provides you with the ability to drill-down into details about your security posture such as rule recommendations and the associated non-compliance resources that are in violation.
To navigate to the AWS Compliance Reports page, select AWS > Compliance Reports in the Lacework Console. The following drop-downs control the output displayed in the compliance report page:
- Report Type
- Report Date
The Report Type drop-down controls the type of report or benchmark to report on. The following are available:
- CIS Benchmark and S3 Report
- HIPAA Report
- ISO 27001:2013 Report
- NIST 800-171 Report
- NIST 800-53 Report
- PCI DSS Report
- SOC 2 Report
The Account drop-down and text field controls the account to report on. You can use the Account drop-down to select a specific account or you can enter text in this field to start immediately searching by account number or account alias.
The Report Date drop-down and text field controls what compliance report run to report on. By default, the latest report is selected and displayed. You can use the Report Date drop-down to select a specific report run or you can enter text in this field to start immediately searching for a report run, such as entering 2/ to find all the reports in February. These reports can be useful to review specified points in time that correlate to your security posture at the provided date/time.
After you specify a Report Type, Account, and Report Date, the reports page displays corresponding compliance assessment data. A graph outlines the number of non-compliant recommendations by severity. A count of non-compliant recommendations with the correlated number of assessed and suppressed is also reported. In addition, a count of non-compliant resources with the correlated number of assessed and suppressed is reported. This data helps to identify if you are assessing by recommendation or resource.
Below the visual graph and compliance report calculations is a Recommendation Status drop-down filter that can be used to limit the output of the compliance report page by compliance status, for example, selecting Non-Compliant limits the result to only those recommendations that are determined to be not compliant when the selected compliance assessment run occurred. Each compliance assessment run is a snapshot in time, for example, the LW_S3_16 - Ensure the S3 bucket has versioning enabled recommendation could be non-compliant in the first assessment run but in the next assessment run, the status is compliant because someone turned on versioning for the S3 bucket between the two runs. By default, the Recommendation Status drop-down is set to view All, however, you can select one of the following recommendation status filter options: Non-Compliant, Compliant, Suppressed, Manual, or Could Not Assess. For a description of these status states, see below.
To the right of the Recommendation Status drop-down, are Recommendation Severity checkboxes. When selected, these checkboxes filter limits the recommendations reported on the page by severity, for example, if only the Critical checkbox is selected, only the critical recommendations are listed.
Click the Download Report icon to initiate a download of the currently open compliance report in PDF format.
Click the Download CSV Report icon to initiate a download report data about the currently open compliance report in the CSV (comma-separated value) format. The CSV file can be used to import the report data into other tools such as spreadsheets or databases.
Both these options are useful for providing reports to others in your organization that are responsible for remediating the non-compliant resources in violation.
Lacework runs a complete compliance assessment run for all accounts on a regular schedule, typically once a day. To immediately initiate a compliance assessment run for a single account, which occurs outside the regular schedule, click the Run a new report icon. Pending displays next to the icon. The assessment may take a few minutes to run. After the assessment completes, Pending stops displaying.
You can also verify that an assessment run for a single account is complete by looking at the drop-down options available under Report Date. The newest drop-down assessment run is the top Report Date drop-down item and is labeled with (Latest).
NOTE: Due to underlying AWS behavior, AWS compliance report content for Identity and Access Management can be updated only every four hours. This means IAM assessments retain the same status if a new report is generated within four hours of the latest report. For additional information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html.
The recommendation data presented in the Compliance Report is structured in category tables. For example, if viewing the CIS Benchmark and S3 Report, the following category tables are displayed: S3, Identify and Access Management, Logging, Monitoring, Networking, and Lacework (LW) General Security. In each of these category tables, the data points about recommendations are displayed as the following columns:
|ID||Displays the unique identifier for the recommendation, for example: AWS_CIS_1_1 is the ID for the AWS CIS Benchmark 1.1 recommendation. LW_S3_16 is the ID for the Lacework recommendation that S3 buckets should have versioning enabled.|
|Recommendation||Displays the description of the recommendation.|
|Status||Displays the status of the recommendation at the selected report date: 1) Non-Compliant—During the assessment that occurred during the selected report run, this recommendation was not in compliance. It was in violation of the recommendation. 2) Compliant—During the assessment that occurred during the selected report run, this recommendation was in compliance. 3) Suppressed—During the assessment that occurred during the selected report run, this recommendation was completely suppressed. For more information, see Advanced Suppression in AWS Compliance Reports - Using Suppression. 4) Manual—There is no way to determine if the recommendation is in compliance because the configuration status cannot be retrieved. You may want to manually check compliance directly in AWS. For more information, see the remediation provided in Additional Info of the Actions column as described below. 5) Could Not Assess—Lacework encountered a problem while attempting to assess this recommendation, for example, the correct privileges have not been granted. During compliance assessment, Lacework queries the AWS IAM credentials report and if it cannot be generated or assessed, potentially due to API behavior/backfire or rate, this status may result.|
|Severity||Displays the severity of the recommendation: Critical, High, Medium, Low or Info.|
|Affected||Displays the total number of resources assessed as non-compliant (in violation) for this recommendation.|
|Assessed||Displays the total number of resources assessed for this recommendation.|
|Actions||Click the (more) icon, to reveal the following additional functionality: Additional Info provides additional information/documentation on the recommendation such as a description, rationale, audit, and remediation. Advanced Suppression optionally configures suppression of this recommendation. For additional information, see AWS Compliance Reports - Using Suppression.|
You can expand a recommendation that has a violation to view any non-compliant resources. Click a resource name to open that resource's details within Lacework Resource Management.
To sort by a column, click the column header, for example, if you want to sort the recommendations of a table by severity, click Severity in the column header.
A note about the Affected and Assessed counts for multiple AWS accounts that are managed by a single AWS organization with a single CloudTrail. Lacework correctly accesses the compliance status when you configure multiple AWS accounts to use a single CloudTrail associated with a single AWS organization, however, the Affected and Assessed counts may be reported as 0. For example, under Logging, the AWS_CIS_2_1 - Ensure CloudTrail is enabled in all regions recommendation may be reported as compliant but Affected and Assessed counts reported as 0.
AWS CIS Compliance Benchmarks - Monitoring Sections
CIS Benchmarks are consensus-based configuration guidelines developed by experts in the US government, business, industry, and academia to help organizations assess and improve the security of AWS deployments. They are generally accepted as best practices for security with no specific bearing to regulatory compliance like PCI or HIPAA.
AWS CIS benchmarks for the 3.2-3.14 sections recommend monitoring for critical changes within AWS environments such as disabling or deleting CMKs. The CIS standard further goes to suggest the method for meeting these requirements through the use of an AWS CloudTrail logs, Amazon CloudWatch alarms, and CloudWatch Events rules in combination within your AWS account to detect and alert on critical changes. This requires a specific filter for each of the events described in the table below and a matching filter for the detection action, across all monitored AWS accounts.
While this was a feasible approach with smaller environments, it adds overhead and does not align well with large environment workflows where Operations and Security teams may be distributed. Also, with newer paradigms like centralized CloudTrail logging, teams can monitor for these changes effectively from single aggregation source vs. distributed implementation. The intent of the monitoring section continues to be valid as a best practice for monitoring critical infrastructure changes, however, the methods suggested may be improved with newer efficiencies.
As an alternative, Lacework continuously monitors for critical infrastructure changes via AWS CloudTrail logs for one or all accounts that have been configured for monitoring, whether this is aggregated to a single CloudTrail account or distributed. Lacework by default implements a series of AWS CloudTrail policy rules that specifically maps to CIS Monitoring to provide similar coverage at an aggregated level, rather than account-by-account, alleviating the need to implement a filter for each AWS account. As this monitoring capability within Lacework’s CloudTrail rules is enabled on a continuous basis, Lacework recommends a manual review of CloudWatch alarms or enable suppressions to the CIS Monitoring section of the AWS CIS compliance report.
The following table maps CIS Compliance benchmark recommendations to Lacework CloudTrail policies.
|CIS Compliance Benchmark Recommendations||Lacework CloudTrail Policies|
|AWS_CIS_3_2 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA||LW_CT_IAM_26 - Successful Console Login Without MFA|
|AWS_CIS_3_3 - Ensure a log metric filter and alarm exist for usage of "root" account||LW_CT_IAM_28 - Usage of Root Account|
|AWS_CIS_3_4 - Ensure a log metric filter and alarm exist for IAM policy changes||LW_CT_IAM_14 - IAM Policy Changed|
|AWS_CIS_3_5 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes||LW_CT_CloudTrail_18 - CloudTrail Changed LW_CT_CloudTrail_19 - CloudTrail Stopped LW_CT_CloudTrail_20 - CloudTrail Deleted|
|AWS_CIS_3_6 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures||LW_CT_IAM_27 - Failed Console Login|
|AWS_CIS_3_7 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs||LW_CT_KMS_23 - Customer Master Key Disabled LW_CT_KMS_25 - Customer Master Key Scheduled For deletion|
|AWS_CIS_3_8 - Ensure a log metric filter and alarm exist for S3 bucket policy changes||LW_CT_S3_12 - S3 Bucket Policy Changed|
|AWS_CIS_3_9 - Ensure a log metric filter and alarm exist for AWS Config configuration changes||LW_CT_AWSConfig_30 - Config Service Change|
|AWS_CIS_3_10 - Ensure a log metric filter and alarm exist for security group changes||LW_CT_VPC_4 - Security Group Change|
|AWS_CIS_3_11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)||LW_CT_VPC_5 - NACL Change|
|AWS_CIS_3_12 - Ensure a log metric filter and alarm exist for changes to network gateways||LW_CT_VPC_7 - Network Gateway Change|
|AWS_CIS_3_13 - Ensure a log metric filter and alarm exist for route table changes||LW_CT_VPC_9 - Route Table Change|
|AWS_CIS_3_14 - Ensure a log metric filter and alarm exist for VPC changes||LW_CT_VPC_8 - VPN Gateway Change|