Reports
This article describes enhanced report features that are currently in preview.
Overview
Reports let you communicate compliance and security information from Lacework to your teams in an automated way. With reports, users can receive compliance and posture security report assessments delivered as PDF files to their inboxes.
By default, Lacework does not generate reports. To have Lacework start generating and delivering reports, you need to create a report configuration. A report configuration is based on a compliance framework. Frameworks determine which policy assessments appear in a report, and are often organized by security benchmarks or areas of common concern. Using report configurations, you can create and customize report contents and properties.
Reports versus Alerts
Alerts and reports contain the same information about issues detected by Lacework. Alerts are typically meant to be consumed soon after they occur, and may require immediate action. Alerts can be delivered through all channel types.
Reports are typically meant to be generated and delivered at regular intervals, such as once per day. They include a predefined information set, such as SOC 2 or NIST assessment results. Reports are delivered through email channels only.
Alerts facilitate a reactive workflow among security teams and service owners, allowing them to act in response to an event. Reports, on the other hand, facilitate a proactive workflow, allowing teams to discover and address compliance risk before those risks result in an event.
View Report Configurations
As a user with permissions to read reports, you can view report configurations and generated reports by clicking Reports in the left navigation.
Report configurations appear in the list. For each report configuration, the list presents a few details, including the resource group and delivery frequency, and information on when the configuration was last modified.
You can use the following methods to refine the list of report configurations displayed:
Use filters to display a subset of specific reports. Click the filter groups along the top of the page to display the list of filters associated with the selected filter group, then select the filters that you want to apply.
Use the search function at the top of the page to find a subset of specific reports.
Use the time filter to display a subset of specific reports based on their report time, that is, when they were generated. When you select a certain time frame, the Last run date changes to reflect the last run of this report configuration within the selected time frame. So, for example, if you select the previous week for the time frame, the Last run date shows the last day on which the report was generated.
The ability to view reports are subject to Lacework access controls, in particular, access permissions for the resource groups in the report configuration. You can only view reports that cover resources to which you have permissions.
View Reports
To see an individual report, click on a report configuration. By default, the latest report appears. You can view previous instances of the report by choosing an earlier date. When you choose an earlier date, that latest version of the report up to that date and time appears.
You can view previous instances of the report by clicking Report history. Lacework retains generated reports for 90 days. If your report retention requirements exceed 90 days, you should download and archive the reports.
Report history is only available for reports that reflect a single account. For cross-account reports, the report history is disabled.
You can also preview and download reports directly from the details view of a framework in the Cloud Compliance Dashboard. To view a report by framework there, click the framework and then click Preview Report.
It may take a minute or two for the report preview to appear. Note that the report preview displays a subset of the policy assessments that make up the entire report, from only two accounts by default. You can download the report in PDF or CSV format to see the entire report.
About Report Configurations
By default, Lacework does not generate or deliver reports. To enable Lacework reports, you need to create a report configuration.
A report configuration specifies a set of policies and a user group and email notification channel on which to distribute the report. Before following these steps, make sure that the email notification channels, resource groups, and user groups are already configured.
You should also choose the framework on which to base the reports. You can view available frameworks from the Cloud Compliance dashboard, where you can also modify or create assessments or preview reports, as described in View Reports.
A report can include policy assessment results from multiple AWS accounts, GCP projects, Azure tenants, or OCI compartments. However, reports are limited to 300 accounts, projects, tenants, or compartments. Attempting to exceed this limit results in a report generation error. Individual policy assessments within a report appear in alphabetical order by account.
Creating Report Configurations
You create report configurations from frameworks. To create a custom report configuration:
- As a Lacework Console user with reports write permission, go to the Reports page.
- Click the Configure report button.
- Select the framework on which you want to base the report. Any framework that appears in the Cloud Compliance Dashboard is available for use as a report template.
- Enter a name for the custom report configuration.
- Specify what resource assessment results will appear in reports using the content filter settings, as follows:
- Data scope: Click the Data scope field and use the dialog to choose what resource assessment results appear in the report by resource group or cloud account. The resource groups available for selection are constricted by the type of template you chose. That is, if you choose an AWS-based template, resource groups for other cloud providers are not available. You can choose a user group to narrow the resource group selection to those groups that the selected user group has permissions for.
- Severity: Choose the severity-level of the policies to be included in the report. If you remove medium severity, for example, the evaluation results of policies with medium severity are excluded from the generated reports.
- Status: refers to the evaluation result of each policy. By default, all statuses are included in the report. Exclude results by status by removing the status from the field. For more information, see Status definitions.
- Configure the delivery settings for the reports generated from this configuration:
- Email channel: Choose one or more email channel on which to distribute the report. Email channels can be any email address or distribution list, and is not limited to those associated with a Lacework user account. Be sure to consider the sensitivity of the content generated by the report when choosing recipients.
- Delivery frequency: Select the frequency with which report are delivered. Note that the time of report assessment is controlled by the compliance report schedule time, which is daily at 12 PM GMT, by default.
- Click Create.
The report now appears in the reports list. It will be evaluated and distributed at the next report evaluation cycle. You can modify the default evaluation time in the General Settings page.
You can preview a report by clicking on the report configuration. It may take a minute or two for the report to appear. The report preview displays a subset of the policy assessments that make up the entire report, from only two accounts by default. You can download the report in PDF format to see the entire report.
You can modify the report configuration settings at any point, or disable the report. Disabling a report retains the configuration and historical reports (up to 90 days old), but prevents new reports from being generated.
Status Definitions
A report is made up of a collection of policy assessment results. Each assessment includes the following details:
| Column | Description |
|---|---|
| ID | The Lacework identifier for the policy associated with each compliance assessment. You can see the mapping of Lacework IDs to benchmark-defined IDs under Compliance Frameworks. For example, for the CIS AWS 1.4.0 Benchmark report, the Lacework policy ID that corresponds to each CIS AWS 1.4.0 rule is listed on CIS AWS 1.4.0 Benchmark. |
| Policy | A description of the policy. |
| Status | The result of each policy assessment for this report:  - For the assessment in the selected report, this policy was not in compliance.  - For the assessment in the selected report, this policy was in compliance.  - For the assessment in the selected report, this policy was omitted as an exception. Manual - There is no way to determine if the policy is in compliance because the configuration status cannot be retrieved. You may want to manually check compliance directly in your cloud account. Could Not Assess - Lacework encountered a problem while attempting to assess this policy. This status can result from insufficient privileges for the Lacework role while conducting a compliance assessment. If this status appears intermittently, it may be related to API availability or rate limiting affecting Lacework's ability to query the AWS IAM credentials report. |
| Severity | The severity of the policy: Critical, High, Medium, Low or Info. |
| Affected | The total number of resources assessed as non-compliant (failed) for this policy. |
| Assessed | The total number of resources assessed for this policy. |
If you configure multiple AWS accounts to use a single CloudTrail associated with a single AWS organization, Lacework correctly accesses the compliance status across the accounts. However, the Affected and Assessed counts may be reported as 0.
For example, under Logging, the AWS_CIS_2_1 - Ensure CloudTrail is enabled in all regions policy may be reported as compliant but Affected and Assessed counts report as 0.