
Governance

Central to Lacework's cloud visibility and security approach is the data that Lacework collects from your cloud environments. Lacework uses this data to help you understand and protect your environment.

Lacework policies, for example, check configuration information or log activity in that data and generate alerts or reports when the policy conditions are met. Most policies use a query, written in Lacework Query Language (LQL), to define the tested condition. In the same way, you can create your own queries and use them in custom policies or for your own ad hoc investigations.

You can view, create, and manage policies and frameworks from the Policies and Frameworks manager pages, which are accessible from the Governance section of the left navigation tree. The Governance section includes these catalogs:

  • Policies
  • Frameworks

How Queries, Policies, and Frameworks Work Together

Lacework includes many built-in policies. A policy consists of a query plus additional information that describes the policy, including the policy name, description, severity, remediation steps, and more.

At the core of a policy is its query. The query defines the condition that, when met, results in a positive detection. This detection appears in the console and may also generate an alert. By adding the policy to a framework, you can have that policy's assessment results appear in compliance reports. In short, frameworks contain policies, and policies contain queries, as shown:

Figure: Queries, policies, and frameworks

While a policy has a single query (except in rare cases), a query can appear in one or many policies. A query may also appear in no policy at all and instead serve as an information-gathering tool for ad hoc investigations. You can even use queries in your own scripts, outside of the Lacework Console.
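As an added illustration of the relationship just described (this is not content from this page or from Lacework's own policy catalog), the pair below shows one custom LQL query and one custom policy that references it by its queryId. The query looks for successful IAM user creation in CloudTrail; the datasource and field names, the YAML keys, the identifiers, and the alert profile name are written as I understand Lacework's query and policy formats and should be treated as assumptions rather than values taken from this page.

```yaml
# --- Query (LQL): defines the tested condition --------------------------
# Constructed example. queryId is an invented name; the CloudTrailRawEvents
# datasource and its EVENT_SOURCE / EVENT_NAME / ERROR_CODE fields are assumed.
queryId: Custom_AWS_IAM_UserCreated
queryText: |-
  {
      source {
          CloudTrailRawEvents
      }
      filter {
          EVENT_SOURCE = 'iam.amazonaws.com'
          and EVENT_NAME = 'CreateUser'
          and ERROR_CODE is null
      }
      return distinct {
          INSERT_ID,
          INSERT_TIME,
          EVENT_TIME,
          EVENT
      }
  }
---
# --- Policy: the query plus the descriptive metadata the page lists -------
# Policy keys follow the Lacework CLI policy YAML as I recall it (assumption).
policyId: custom-aws-iam-user-created        # invented identifier
title: IAM user created
enabled: true
policyType: Violation
queryId: Custom_AWS_IAM_UserCreated           # one policy -> one query
evalFrequency: Hourly
limit: 1000
severity: medium
alertEnabled: true
alertProfile: LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource   # assumed name
description: >-
  Detects successful iam:CreateUser calls. New IAM users are a common
  persistence path and should be reconciled against change records.
remediation: >-
  Confirm who created the user and which change request authorized it;
  if the creation is unexpected, disable the user's credentials and
  investigate the calling identity.
```

A second policy could reference the same queryId with a different severity or alert profile; that is the one-to-many relationship the paragraph describes, and the policy catalog would list both policies under the query so you can see what a change to the query would affect.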

Frameworks can be used for two different use cases:

  1. Managing overall posture across your cloud infrastructure. Frameworks track compliant and non-compliant resources, and allow you to monitor and maintain posture from the Cloud Compliance and Kubernetes Compliance pages within the console.

  2. Automated report generation of a given framework. Reports contain the assessment results of a collection of policies. You can define your own frameworks that collect a set of policies that you want to group and present together.

The policy and framework catalogs show you the relationships between these components: which frameworks use a given policy, for example, or which policies use a given query. This lets you assess the impact of a change to a query, policy, or framework before you make it.

Working with the Catalogs

You can build your own queries, policies, and frameworks. Before starting, familiarize yourself with the built-in policies and frameworks and identify which customizations your specific requirements call for. You should also consider how your users will consume the assessment results from your policy, typically as alerts or reports.

After assessing your requirements, start with the Lacework-defined policies and frameworks. If the existing policies do not cover all of your requirements, you can create custom policies with custom queries and use those policies within a custom framework.

To work with frameworks and reports programmatically, see the Frameworks (Beta) API and Report Configurations (Beta) preview documentation.