Manage Policies

View Policies

To open the policy catalog, click Policies in the Governance section of the left navigation panel. To open the legacy policy view instead, click the View legacy policy page button.

Policies in the catalog are organized by policy type, which include:

  • Compliance – These policies detect configuration risk, generate alerts, and can be included in compliance frameworks.
  • Threats – These policies detect activity that could represent a security threat.
  • Vulnerabilities – These policies check for known vulnerabilities in operating system software packages on hosts and in Docker container images.
  • Anomalies – These policies trigger alerts when they detect behavior that is unusual for the environment or that matches known-bad data.

Click the tab for each type to view its policies, using the search field and filters to narrow down the policies to those of interest.

Lacework-Managed versus Custom Policies

One of the filtering options for policies is the Managed by filter, which has two values: Custom and Lacework.

Lacework-managed policies are built into Lacework. Lacework may modify them, for example in response to changes in industry benchmark rules, so they are read-only. To get different behavior from a Lacework-managed policy, create your own policy, for example by cloning the existing one and editing the clone.

Lacework does not modify policies that you create, and changes to a Lacework-managed policy that was used as a clone source do not affect the policies cloned from it.

You can view both types of policies from the policy catalog page by clicking the Lacework Managed tab or the Managed by you tab.

About Compliance Policies

Compliance policies assess the configuration of Cloud and Kubernetes infrastructure. Kubernetes configuration compliance support includes Amazon EKS and Google Kubernetes Engine (GKE) configuration support.

A resource can violate a policy for more than one reason. Compliance policies generate one alert per policy rather than one per resource: if three S3 buckets violate a policy, Lacework generates a single alert that lists all three non-compliant resources. The query behind a compliance policy must return a reason for each compliance violation.

To create or edit policies, as described in the following sections, you need policy write permissions in the Lacework Console.

Severity

Policy severity levels measure the business impact of a violation or detection triggered by the policy. Severities contribute to the metrics used to assess system health and security, and serve as a filtering and grouping category in dashboards, reports, and views.

Alert severity usually matches the severity of the policy that generated the alert, but not always: Lacework can adjust alert severity based on frequency or other factors. See Alert Severity for more information.

Create a Custom Policy

This section takes you through the steps to create a custom policy, either by cloning an existing policy or by starting from scratch. Cloning a policy creates a new, independent policy; changing the original does not affect the clone, and vice versa.

If an existing policy closely matches the policy you want, the easiest route is to clone it and modify the clone to fit your needs. Otherwise, create a new policy from scratch. Both procedures are described below.

Create a Policy by Cloning

To create a policy by cloning and modifying an existing policy, follow these steps:

  1. As a user with write permissions for policies, click Policy Manager > Policies from the left navigation menu.
  2. Find and click the policy in the list that you want to clone.
  3. Click the Clone button.
  4. Edit the Policy title and Policy description, and modify any other general settings as needed.
  5. Click Next.
  6. Modify the query as desired, or choose another query as the basis for this cloned policy.
  7. Click Save.

Create a Policy Manually

To create a custom policy from scratch, follow these steps:

  1. As a user with write permissions for policies, click Policy Manager > Policies from the left navigation menu.
  2. Click Add policy.
  3. Configure the general policy settings:
    • Policy title: A title for the policy. The title appears in the policy list, so it should distinguish this policy from others.
    • Policy description: A description of the policy.
    • Policy type: For a compliance policy, choose Compliance. Compliance policies can generate alerts and appear in reports, while violation policies only generate alerts.
    • Severity: The severity associated with a failure in compliance with this policy.
    • Recommendations for remediation: Describe how to address the issue when the policy conditions are met. This appears in the alert text.
  4. Click Next.
  5. Enter the query text, or start from an existing query as a template. For example, the following query is suitable for a compliance policy. It flags security groups with an inbound rule that opens TCP port 3349 to 0.0.0.0/0 and returns the reason string that the alert will carry:
     {
       source {
         LW_CFG_AWS_EC2_SECURITY_GROUPS securityGroup,
         array_to_rows(securityGroup.RESOURCE_CONFIG:IpPermissions) as ip_permissions,
         array_to_rows(ip_permissions:IpRanges) as ip_ranges
       }
       filter {
         ip_permissions:IpProtocol = 'tcp'
         and ip_permissions:FromPort = 3349
         and ip_permissions:ToPort = 3349
         and ip_ranges:CidrIp = '0.0.0.0/0'
       }
       return distinct {
         'This is the compliance reason' as COMPLIANCE_FAILURE_REASON
       }
     }
     A query suitable for a violation policy returns the identifying fields of each matching resource rather than a reason string. This one flags security groups that open TCP port 445 (SMB) to 0.0.0.0/0:
     {
       source {
         LW_CFG_AWS_EC2_SECURITY_GROUPS a,
         array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
         array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
       }
       filter {
         ip_permissions:IpProtocol = 'tcp'
         and ip_permissions:FromPort = 445
         and ip_permissions:ToPort = 445
         and ip_ranges:CidrIp = '0.0.0.0/0'
       }
       return distinct {
         ACCOUNT_ALIAS,
         ACCOUNT_ID,
         ARN as RESOURCE_KEY,
         RESOURCE_REGION,
         RESOURCE_TYPE,
         SERVICE
       }
     }
     The console detects syntax errors in your query, and you can proceed only once the query is valid. To learn more about the datasources and fields you can query, see Datasource Information.
  6. Click Save.

The policy list appears. You should now be able to find your custom policy in the list.

If you created a compliance policy, you can now add it to a custom framework. For more information, see Manage Policy Frameworks
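Before saving a policy it is worth checking what its filter will and will not catch. The script below is an added example, not Lacework code and not part of the original page: it does not call the Lacework API or run LQL, but replays the filter logic of the two queries in step 5 over plain Python dicts. It assumes that RESOURCE_CONFIG for LW_CFG_AWS_EC2_SECURITY_GROUPS has the shape of the AWS describe-security-groups JSON (IpPermissions[].IpRanges[].CidrIp and IpPermissions[].Ipv6Ranges[].CidrIpv6), which is the shape the queries themselves reference. The sample security groups and their IDs are constructed. exact_match is the page's filter as written; range_match goes further and also catches a 0-65535 port range, an all-traffic (-1) rule, and an IPv6 ::/0 source, none of which the exact FromPort = ToPort = 445 on IpRanges matches, and returns one reason per resource, as a compliance policy requires.

```python
"""Replay the page's security-group checks against constructed sample data.

Example code added to this page; it is not Lacework code, does not call the
Lacework API, and does not run LQL. It mirrors the filter logic of the two
queries in step 5 over plain Python dicts.
"""
import ipaddress

# Constructed sample data. The shape is assumed to match RESOURCE_CONFIG of
# LW_CFG_AWS_EC2_SECURITY_GROUPS, i.e. the AWS describe-security-groups JSON.
# Group IDs and names are made up for the example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "smb-exact",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "all-tcp-ports",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "all-traffic-ipv6",
     "IpPermissions": [{"IpProtocol": "-1",  # all protocols: AWS omits port fields
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "smb-internal-only",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


def flatten(groups):
    """Mimic the two nested array_to_rows calls: one row per
    (group, permission, CIDR). A permission with no ranges yields no rows,
    just as an empty array produces no rows in the query."""
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                yield group, perm, rng["CidrIp"]
            for rng in perm.get("Ipv6Ranges", []):
                yield group, perm, rng["CidrIpv6"]


def exact_match(groups, port):
    """The page's filter as written: tcp, FromPort = ToPort = port,
    CidrIp = '0.0.0.0/0'. Returns matching group IDs, the role RESOURCE_KEY
    plays in the violation query."""
    return sorted({
        group["GroupId"]
        for group, perm, cidr in flatten(groups)
        if perm.get("IpProtocol") == "tcp"
        and perm.get("FromPort") == port
        and perm.get("ToPort") == port
        and cidr == "0.0.0.0/0"
    })


def rule_covers_port(perm, port):
    """True if the rule admits TCP traffic to `port`, including through a
    port range or an all-traffic (-1) rule that carries no port fields."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open(cidr):
    """0.0.0.0/0 and ::/0 both have prefix length 0."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def range_match(groups, port):
    """Broader check. Returns {GroupId: reason}, one reason per resource,
    the shape a compliance policy's COMPLIANCE_FAILURE_REASON needs."""
    findings = {}
    for group, perm, cidr in flatten(groups):
        if world_open(cidr) and rule_covers_port(perm, port):
            reason = (f"{group['GroupName']} allows {cidr} to tcp/{port} via rule "
                      f"{perm.get('IpProtocol')} "
                      f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}")
            findings.setdefault(group["GroupId"], reason)
    return findings


if __name__ == "__main__":
    print("exact match (page's filter):", exact_match(SAMPLE_GROUPS, 445))
    for gid, reason in range_match(SAMPLE_GROUPS, 445).items():
        print(gid, "->", reason)
```

Run against the constructed data, exact_match reports only sg-0a1b2c3d4e5f60001, while range_match also reports the all-ports and IPv6 all-traffic groups and skips the group that only admits 10.0.0.0/8. If your environment has rules of those shapes, tighten the LQL filter accordingly before relying on the policy.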