To populate the AWS data viewed in this page, you must configure an integration with at least one AWS account. For more information, see Integrate Lacework with AWS.
While the Compliance Dashboard provides a great overview of your accounts and resources, the Compliance Reports page is where data is presented to help you take action. The Compliance Reports page provides you with the ability to drill-down into details about your security posture such as policy recommendations and the associated non-compliance resources that are in violation.
Note: You can run a compliance report for a maximum of 100 times a day.
Select Compliance > AWS > Reports in the Lacework Console to display the AWS Compliance Reports page. The following drop-downs control the output displayed in the compliance report page:
- Report Type
- Report Date
Use the Report Type drop-down to select one of following types of report or benchmarks to report on:
- AWS CIS Benchmark and S3 Report
- AWS HIPAA Report
- AWS ISO 27001:2013 Report
- AWS NIST 800-171 Report
- AWS NIST 800-53 Report
- AWS PCI DSS Report
- AWS SOC 2 Report
- AWS SOC 2 Report Rev2
Use the Account drop-down and text field to specify the account to report on. You can select a specific account or you can enter text in this field to immediately start searching by account number or account alias.
Use the Report Date drop-down and text field to specify the compliance report run to report on enter text in this field to immediately start searching for a report run. For example, enter 2/ to find all the reports in February. By default, the latest report is selected and displayed. These reports can be useful to review specified points in time that correlate to your security posture at the provided date/time.
After you specify a Report Type, Account, and Report Date, the reports page displays corresponding compliance assessment data. A graph outlines the number of non-compliant recommendations by severity. The report displays a count of non-compliant recommendations with the correlated number of assessed and suppressed. It also displays a count of non-compliant resources with the correlated number of assessed and suppressed is reported. This data helps to identify if you are assessing by recommendation or resource.
Use the Recommendation Status drop-down filter below the visual graph and compliance report calculations to limit the output of the compliance report page by compliance status. For example, select Non-Compliant to limit the result to only those recommendations that are determined to be not compliant when the selected compliance assessment run occurred. Each compliance assessment run is a snapshot in time, for example, the LW_S3_16 - Ensure the S3 bucket has versioning enabled recommendation could be non-compliant in the first assessment run but in the next assessment run, the status is compliant because someone turned on versioning for the S3 bucket between the two runs. By default, the Recommendation Status drop-down is set to view All, however, you can select one of the following recommendation status filter options: Non-Compliant, Compliant, Suppressed, Manual, or Could Not Assess. For a description of these status states, see below.
Select the Recommendation Severity checkboxes to the right of the Recommendation Status drop-down to filter limit the recommendations reported on the page by severity. For example, select just the Critical checkbox to list only critical recommendations.
Click the Download Report icon to initiate a download of the currently open compliance report in PDF format. Like the Lacework Console, the PDF displays one recommendation per row and its status, compliant/non-compliant/suppressed/manual.
Click the Download CSV Report icon to initiate a download of report data about the currently open compliance report in the CSV (comma-separated value) format. You can use the CSV file to import the report data into other tools such as spreadsheets or databases. The CSV data differs from the PDF data in following ways:
- The CSV contains non-compliant resources and suppressed resources.
- Each CSV row represents one resource, so there could be multiple rows for the same resource. Each row in the PDF represents one recommendation.
- The PDF groups resources together by recommendation. The CSV flattens the resources. For example:
Row 1: RecId_1, Non-Compliant
Row1: RecId_1, Resource_1, Non-Compliant
Row2: RecId_1, Resource_2, Non-Compliant
Row3: RecId_1, Resource_3, Non-Compliant
Both download options are useful for providing reports to others in your organization that are responsible for remediating the non-compliant resources in violation.
Lacework runs a complete compliance assessment run for all accounts on a regular schedule, typically once a day. To immediately initiate a compliance assessment run for a single account, which occurs outside the regular schedule, click the Run a new report icon. Pending displays next to the icon. The assessment may take a few minutes to run. After the assessment completes, Pending stops displaying.
You can also verify that an assessment run for a single account is complete by looking at the drop-down options available under Report Date. The newest drop-down assessment run is the top Report Date drop-down item and is labeled with (Latest).
NOTE: Due to underlying AWS behavior, AWS compliance report content for Identity and Access Management can be updated only every four hours. This means IAM assessments retain the same status if a new report is generated within four hours of the latest report. For additional information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html.
The recommendation data presented in the Compliance Report is structured in category tables. For example, if viewing the CIS Benchmark and S3 Report, the following category tables are displayed: S3, Identify and Access Management, Logging, Monitoring, Networking, and Lacework (LW) General Security. In each of these category tables, the data points about recommendations are displayed as the following columns:
|ID||Displays the unique identifier for the recommendation, for example: AWS_CIS_1_1 is the ID for the AWS CIS Benchmark 1.1 recommendation. LW_S3_16 is the ID for the Lacework recommendation that S3 buckets should have versioning enabled.|
|Recommendation||Displays the description of the recommendation.|
|Status||Displays the status of the recommendation at the selected report date: 1) Non-Compliant—During the assessment that occurred during the selected report run, this recommendation was not in compliance. It was in violation of the recommendation. 2) Compliant—During the assessment that occurred during the selected report run, this recommendation was in compliance. 3) Suppressed—During the assessment that occurred during the selected report run, this recommendation was completely suppressed. For more information, see Advanced Suppression in AWS Compliance Reports - Using Suppression. 4) Manual—There is no way to determine if the recommendation is in compliance because the configuration status cannot be retrieved. You may want to manually check compliance directly in AWS. For more information, see the remediation provided in Additional Info of the Actions column as described below. 5) Could Not Assess—Lacework encountered a problem while attempting to assess this recommendation, for example, the correct privileges have not been granted. During compliance assessment, Lacework queries the AWS IAM credentials report and if it cannot be generated or assessed, potentially due to API behavior/backfire or rate, this status may result.|
|Severity||Displays the severity of the recommendation: Critical, High, Medium, Low or Info.|
|Affected||Displays the total number of resources assessed as non-compliant (in violation) for this recommendation.|
|Assessed||Displays the total number of resources assessed for this recommendation.|
|Actions||Click the (more) icon, to reveal the following additional functionality: Additional Info provides additional information/documentation on the recommendation such as a description, rationale, audit, and remediation. Advanced Suppression optionally configures suppression of this recommendation. For additional information, see AWS Compliance Reports - Using Suppression.|
You can expand a recommendation that has a violation to view any non-compliant resources. Click a resource name to open that resource's details within Lacework Resource Inventory.
To sort by a column, click the column header, for example, if you want to sort the recommendations of a table by severity, click Severity in the column header.
A note about the Affected and Assessed counts for multiple AWS accounts that are managed by a single AWS organization with a single CloudTrail. Lacework correctly accesses the compliance status when you configure multiple AWS accounts to use a single CloudTrail associated with a single AWS organization, however, the Affected and Assessed counts may be reported as 0. For example, under Logging, the AWS_CIS_2_1 - Ensure CloudTrail is enabled in all regions recommendation may be reported as compliant but Affected and Assessed counts reported as 0.
AWS CIS Compliance Benchmarks - Monitoring Sections
CIS Benchmarks are consensus-based configuration guidelines developed by experts in the US government, business, industry, and academia to help organizations assess and improve the security of AWS deployments. They are generally accepted as best practices for security with no specific bearing to regulatory compliance like PCI or HIPAA.
AWS CIS benchmarks for the 3.2-3.14 sections recommend monitoring for critical changes within AWS environments such as disabling or deleting CMKs. The CIS standard further goes to suggest the method for meeting these requirements through the use of AWS CloudTrail logs, Amazon CloudWatch alarms, and CloudWatch Events rules in combination within your AWS account to detect and alert on critical changes. This requires a specific filter for each of the events described in the table below and a matching filter for the detection action, across all monitored AWS accounts.
While this was a feasible approach with smaller environments, it adds overhead and does not align well with large environment workflows where Operations and Security teams may be distributed. Also, with newer paradigms like centralized CloudTrail logging, teams can monitor for these changes effectively from single aggregation source vs. distributed implementation. The intent of the monitoring section continues to be valid as a best practice for monitoring critical infrastructure changes, however, the methods suggested may be improved with newer efficiencies.
As an alternative, Lacework continuously monitors for critical infrastructure changes via AWS CloudTrail logs for one or all accounts that have been configured for monitoring, whether this is aggregated to a single CloudTrail account or distributed. Lacework by default implements a series of AWS CloudTrail policies that specifically maps to CIS Monitoring to provide similar coverage at an aggregated level, rather than account-by-account, alleviating the need to implement a filter for each AWS account. As this monitoring capability within Lacework’s CloudTrail policies is enabled on a continuous basis, Lacework recommends a manual review of CloudWatch alarms or enable suppressions to the CIS Monitoring section of the AWS CIS compliance report.
The following table maps CIS Compliance benchmark recommendations to Lacework CloudTrail policies.
|CIS Compliance Benchmark Recommendations||Lacework CloudTrail Policies|
|AWS_CIS_3_2 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA||LW_CT_IAM_26 - Successful Console Login Without MFA|
|AWS_CIS_3_3 - Ensure a log metric filter and alarm exist for usage of "root" account||LW_CT_IAM_28 - Usage of Root Account|
|AWS_CIS_3_4 - Ensure a log metric filter and alarm exist for IAM policy changes||LW_CT_IAM_14 - IAM Policy Changed|
|AWS_CIS_3_5 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes||LW_CT_CloudTrail_18 - CloudTrail Changed LW_CT_CloudTrail_19 - CloudTrail Stopped LW_CT_CloudTrail_20 - CloudTrail Deleted|
|AWS_CIS_3_6 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures||LW_CT_IAM_27 - Failed Console Login|
|AWS_CIS_3_7 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs||LW_CT_KMS_23 - Customer Master Key Disabled LW_CT_KMS_25 - Customer Master Key Scheduled For deletion|
|AWS_CIS_3_8 - Ensure a log metric filter and alarm exist for S3 bucket policy changes||LW_CT_S3_12 - S3 Bucket Policy Changed|
|AWS_CIS_3_9 - Ensure a log metric filter and alarm exist for AWS Config configuration changes||LW_CT_AWSConfig_30 - Config Service Change|
|AWS_CIS_3_10 - Ensure a log metric filter and alarm exist for security group changes||LW_CT_VPC_4 - Security Group Change|
|AWS_CIS_3_11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)||LW_CT_VPC_5 - NACL Change|
|AWS_CIS_3_12 - Ensure a log metric filter and alarm exist for changes to network gateways||LW_CT_VPC_7 - Network Gateway Change|
|AWS_CIS_3_13 - Ensure a log metric filter and alarm exist for route table changes||LW_CT_VPC_9 - Route Table Change|
|AWS_CIS_3_14 - Ensure a log metric filter and alarm exist for VPC changes||LW_CT_VPC_8 - VPN Gateway Change|