Policies Overview

Policies provide visibility into the security and integrity of your integrated cloud environments, enabling you to understand and act based on that visibility. Lacework policies generate events based on data collected by Lacework from your integrated cloud environments.

Lacework provides numerous built-in policies that provide actionable information out-of-the-box. An important step in implementing and maintaining Lacework for your environment is evaluating and fine-tuning the behavior of built-in policies. In doing so, you can change their default configuration, enable or disable them, or create brand new policies specific to your environments and your requirements.

Reactive and Proactive Policies

At a high level, Lacework policy types fall into one of two classes, according to how they support organizational security processes:

  • Risk detection policies help you understand and mitigate security risk. Proactive policy types include:
    • Cloud compliance
    • Kubernetes compliance
    • IaC
    • Host Vulnerability
    • Container Vulnerability
  • Threat detection policies allow you to react to threat events. Reactive policy types include:
    • Host user and entity behavior analytics
    • Host rules
    • Cloud activity user and entity behavior analytics (machine learning aided)
    • Cloud activity rules
    • Kubernetes activity user and entity behavior analytics
    • Kubernetes activity rules

The two types differ most in how you consume the information they provide. Threat detection events typically trigger an alert, such as an email notification. Risk detection policies are typically consumed as a report, which aggregates the assessments of multiple policies.

Default Policies

Lacework includes numerous built-in policies. You can view the policies from the policy manager page in the Lacework Console. The following list links to pages where many of the default policies are listed and described.

Working with Policies

The steps for creating custom policies vary by policy type. For example, for violation and compliance policies, you can clone default policies or create new ones. For other types, only cloning is permitted, or cloning may not be permitted at all.

In general, policies that are associated with industry benchmarks and included in benchmark assessments are not intended to be modified. Lacework may occasionally update policies to adhere to changes to the source industry benchmark. For this reason, changing the policy is not permitted. However, you can usually modify the effects of the policy by configuring suppressions or exceptions.

For details on policy management by type, see the topics in this section that pertain to the specific policy type.