Skip to main content

Remediation Templates

The templates in the following table are available for you to leverage:

lwcustom-11Remove World Writeable Policy for %{bucket}This remediation template effectively eliminates S3 world-writable access by deleting the bucket policy.
lacework-global-37Ensure IAM password policy requires minimum length of 14 or greaterTo enhance account security and protect against brute force login attempts, ensure that the IAM password policy enforces a minimum length of 14 characters or more.
Implementing a password complexity policy further strengthens the account's resilience.
lacework-global-38Ensure IAM password policy prevents password reuseIAM password policies can effectively prevent users from reusing the same password.
It is strongly recommended to enforce a password policy that prohibits password reuse.
lacework-global-40Delete non-compliant IAM access key for userThis policy deletes an IAM access key for a given user.
lacework-global-41Ensure credentials unused for 45 days or greater are disabledAWS IAM users have various types of credentials, including passwords and access keys, to access AWS resources.
It is advisable to deactivate or remove any credentials that have remained unused for 45 days or more.
lacework-global-46Create a support role to manage incidents with AWS SupportAWS offers a support center to provide technical assistance and incident response. This remediation action involves creating a least-privilege role specifically designed for managing incidents with AWS Support.
lacework-global-48Create IAM Access AnalyzerThis remediation template enables IAM Access analyzer for all regions.
lacework-global-49Ensure MFA Delete is enabled on S3 bucketsEnabling MFA Delete on your sensitive and classified S3 bucket ensures that users are required to authenticate using two forms of authentication.

Note: Enabling MFA Delete will also activate versioning for the bucket. Once versioning is enabled, it cannot be disabled, although you can choose to suspend versioning on the bucket.
lacework-global-51Enable EBS EncryptionThis remediation template ensures the default enablement of EBS encryption across all regions.
lacework-global-66Ensure a log metric filter and alarm exists for AWS Organization changesThis remediation template adds a metric filter alarm, SNS topic, and subscription for monitoring AWS Organization changes performed in the master AWS Account.
lacework-global-73Deny HTTP requests to S3 bucketsThis remediation template updates the S3 bucket policies to explicitly deny HTTP requests directed towards the respective S3 buckets.
lacework-global-76Ensures AWS Config is enabled in all regionsThis remediation template ensures AWS Config is enabled for all regions.
In addition to the config recorder and config delivery channel, the config service requires an S3 bucket, SNS topic, and IAM role.
lacework-global-78Enable Customer Managed KMS key rotationThis remediation template enables key rotation for Customer Managed KMS keys that do not have it already enabled.