Skip to main content

Manage Alerts with CLI Commands

Use the commands listed in this page to effectively manage and resolve compliance alerts within your AWS infrastructure.

Discover Fixable Alerts

Get all fixable alerts by running the below command:

lacework alert list --fixable

Below is what you will see on the CLI:

❯ lacework alert list --fixable
222172 | ComplianceChanged | Compliance changed | Medium | 2023-01-30T08:00:00.000Z | 2023-01-30T09:00:00.000Z | Open

Use 'lacework alert show <alert_id>' to see details for a specific alert.
Use 'lacework remediate alert <alert_id>' to fix a specific alert.

Fix an Alert

The remediation of an alert consists of several steps (initialization, resource selection, plan, apply, etc.). These steps are represented as flags for the lacework remediate alert command.

  • Initialization:
    When issuing this command without any flags, Lacework will initialize (persist to disk) the remediation package. This prepares the remediation package without executing any automation (making changes).

    lacework remediate alert 12345
  • Planning:
    Use --plan to generate an execution plan. This shows Lacework's actions to apply the remediation (without making changes).

    lacework remediate alert 12345 --plan
  • Resource Selection:

    Use --resources to select and deselect resources.

    lacework remediate alert 12345 --resources
  • Application:
    Use --apply to apply the remediation.

    lacework remediate alert 12345 --apply
  • Rollback:

    Use --rollback to roll back the remediation (if supported).

    lacework remediate alert 12345 --rollback

Passing Credentials

The remediate component leverages the AWS CLI. When invoking the CLI, environment variables from the current environment are passed through to the component and the aws commands.

A specific profile from your AWS credential file can be specified using the --aws-profile flag. Below is an example command:

lacework remediate alert 12345 --apply --aws-profile security-engineering-admin

You can also use AWS Vault, a tool to securely store and access AWS credentials in a development environment. Below is an example command:

aws-vault exec security-engineering-admin -- lacework remediate alert 12345 --apply

Passing User Data

Use --userdata to specify user-defined variables inline.

lacework remediate alert 12345 --userdata user=someuser --userdata other=someother

Starting Over

Use --clean to start over (delete the local remediation package).

lacework remediate alert 12345 --clean

Setting a dedicated AWS IAM role

By default, AWS Remediations are set to assume the IAM role lacework-remediation before executing any actions. This ensures that all actions performed by the Lacework CLI tool can be traced back to the role. If you want to bypass the role assumption step, use the --no-assume-role flag.

lacework remediate alert 12345 --no-assume-role

You can also define the name of the role to assume with the --aws-role-name flag:

lacework remediate alert 12345 --aws-role-name my-iam-role

Least Privilege

You can access least privilege IAM policies through the show-policy subcommand. These policies include only the essential permissions required to carry out the activities specified in the comprehensive set of remediation templates.

Below is an example:

lacework remediate show-policy aws-iam


The Lacework remediate component offers persistence mechanisms for frequently used flags, such as aws-profile and aws-role-name. These mechanisms ensure that these flags are retained and readily available when needed.

For more information about these mechanisms, run the following command:

lacework remediate configure -h