Lacework Compliance Policy Catalog
Lacework offers a range of out-of-the-box compliance policies for Cloud Providers and Kubernetes.
These compliance policies form our built-in Compliance Frameworks.
You can view individual policy information in this section (grouped by framework).
This catalog will continue to grow as new frameworks and policies are added.
Upcoming Changes
No upcoming changes.
Latest Changes
View the Compliance Policy Changelog for a history of all changes.
7th October 2024
Changed
A query fix has been applied to lacework-global-306: non-running compute instances were improperly being marked as non-compliant for having public access.
18th September 2024
Changed
Resolved an issue where AWS root accounts were incorrectly flagged as non-compliant due to changes in the AWS IAM get-credential-report API. Query logic has been updated in the following policies:
15th July 2024
Changed
The following policy's title and description have been updated to clarify that a violation occurs when an AWS Elastic Load Balancer is associated with a security group that allows unrestricted egress or ingress:
4th July 2024
Changed
A query improvement has been made for the following policy, fixing an issue where AWS accounts with CloudTrail trails configured to use advanced event selectors were being flagged as non-compliant:
3rd July 2024
Updated
The severity of the following policies has decreased from high to medium, to align with internal standards:
30th May 2024
Updated
The AWS Foundational Security Best Practices (FSBP) Standard compliance benchmark has been updated with new policies that are of high severity.
The following policies are newly added and are automated:
- lacework-global-371
- lacework-global-372
- lacework-global-382
- lacework-global-383
- lacework-global-384
- lacework-global-385
- lacework-global-386
- lacework-global-387
- lacework-global-388
- lacework-global-389
- lacework-global-390
- lacework-global-391
- lacework-global-392
- lacework-global-393
- lacework-global-394
- lacework-global-804
- lacework-global-805
- lacework-global-806
- lacework-global-810
- lacework-global-811
- lacework-global-821
- lacework-global-822
- lacework-global-827
The following policies are newly added but are manual:
The following policies already exist and have been updated as part of this release:
- lacework-global-50 - new reference added and severity increased from medium to high
- lacework-global-52 - new reference added
- lacework-global-53 - new reference added and severity increased from medium to high
- lacework-global-87 - new reference added
- lacework-global-128 - new reference added
- lacework-global-128 - new reference added and severity reduced from critical to high
21st May 2024
Updated
A query improvement has been made for the following policies, which simplifies the logic and also updates the severity:
The severity for lacework-global-52 has been increased from medium to high, and for lacework-global-171 it has been decreased from critical to medium, to reflect recent reviews of some Lacework policies.
16th May 2024
Updated
The CIS Google Kubernetes Engine (GKE) 1.4.0 Benchmark compliance benchmark has been updated with newly automated policies.
The following policies that were manual have now been automated:
- lacework-global-729
- lacework-global-730
- lacework-global-731
- lacework-global-732
- lacework-global-736
- lacework-global-739
- lacework-global-744
- lacework-global-745
- lacework-global-746
  - Note: This policy was split into 2 policies, with the other associated policy being lacework-global-823.
- lacework-global-747
  - Note: This policy was split into 2 policies, with the other associated policy being lacework-global-824.
- lacework-global-748
  - Note: This policy was split into 2 policies, with the other associated policy being lacework-global-825.
- lacework-global-749
  - Note: This policy was split into 2 policies, with the other associated policy being lacework-global-826.
- lacework-global-750
- lacework-global-751
- lacework-global-752
- lacework-global-753
- lacework-global-754
- lacework-global-755
- lacework-global-762
- lacework-global-767
- lacework-global-768
- lacework-global-773
- lacework-global-778
- lacework-global-783
- lacework-global-792
- lacework-global-802
13th May 2024
Changed
Some changes have been made to the following policies to fix an issue whereby the region was being incorrectly reported, causing unexpected non-compliant assessment results.
The queries that support these policies now correctly report the primary region, rather than the paired region.
1st May 2024
Added
The CIS Google Cloud 2.0.0 Benchmark compliance framework is now available.
The following policies are newly added as part of this update:
The remaining policies in the benchmark are re-used from the CIS Google Cloud 1.3.0 Benchmark.
23rd April 2024
Added
The AWS Foundational Security Best Practices (FSBP) standard compliance framework is now available.
This framework contains only the critical severity policies in this initial release. Additional policies will be added in the future.
The following policies are newly added as part of this update:
- lacework-global-215
- lacework-global-216
- lacework-global-367
- lacework-global-368
- lacework-global-369
- lacework-global-370
- lacework-global-378
- lacework-global-379
- lacework-global-380
- lacework-global-381
- lacework-global-807
- lacework-global-808
- lacework-global-809
Updated
As part of the AWS Foundational Security Best Practices (FSBP) Standard release, a number of existing policies have been updated:
- lacework-global-34
- lacework-global-69
- lacework-global-93
- lacework-global-102
- lacework-global-123
- lacework-global-160
This includes increasing the severity of lacework-global-102 and lacework-global-123 from high to critical.
15th April 2024
Changed
There have been content improvements made to 469 compliance policies. Of these, there have been 271 title improvements.
The compliance policies with old and new titles are listed below:
Policy ID | Old Title | New Title |
---|---|---|
lacework-global-32 | Ensure security contact information is registered | Register security contact information |
lacework-global-33 | Ensure security questions are registered in the AWS account | Register security questions in the AWS account |
lacework-global-35 | Ensure MFA is enabled for the 'root' user account | Enable Multi-Factor Authentication (MFA) for the 'root' user account |
lacework-global-37 | Ensure IAM password policy requires minimum length of 14 or greater | Ensure Identity and Access Management (IAM) password policy requires minimum length of 14 or greater |
lacework-global-38 | Ensure IAM password policy prevents password reuse | Ensure Identity and Access Management (IAM) password policy prevents password reuse |
lacework-global-39 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Enable Multi-Factor Authentication (MFA) for all Identity and Access Management (IAM) users that have a console password |
lacework-global-40 | Do not setup access keys during initial user setup for all IAM users that have a console password | Do not setup access keys during initial user setup for all Identity and Access Management (IAM) users that have a console password |
lacework-global-41 | Ensure credentials unused for 45 days or greater are disabled | Disable credentials unused for 45 days or greater |
lacework-global-42 | Ensure there is only one active access key available for any single IAM user | Ensure there is only one active access key available for any single Identity and Access Management (IAM) user |
lacework-global-43 | Ensure access keys are rotated every 90 days or less | Rotate access keys every 90 days or less |
lacework-global-45 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to users | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to users |
lacework-global-46 | Ensure a support role has been created to manage incidents with AWS Support | Create a support role to manage incidents with AWS Support |
lacework-global-47 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Remove all the expired SSL/Transport Layer Security (TLS) certificates stored in AWS Identity and Access Management (IAM) |
lacework-global-48 | Ensure that IAM Access analyzer is enabled for all regions | Enable Identity and Access Management (IAM) Access analyzer for all regions |
lacework-global-50 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | Configure S3 Buckets with 'Block public access (bucket settings)' |
lacework-global-51 | Ensure EBS volume encryption is enabled | Enable volume encryption for Elastic Block Store (EBS) |
lacework-global-52 | Ensure that encryption is enabled for RDS Instances | Enable encryption for Relational Database Service (RDS) Instances |
lacework-global-53 | Ensure CloudTrail is enabled in all regions | Enable CloudTrail in all regions |
lacework-global-56 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | Enable S3 bucket access logging on the CloudTrail S3 bucket |
lacework-global-58 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Ensure a log metric filter and alarm exist for Management Console sign-in without Multi-Factor Authentication (MFA) |
lacework-global-60 | Ensure a log metric filter and alarm exist for IAM policy changes | Ensure a log metric filter and alarm exist for Identity and Access Management (IAM) policy changes |
lacework-global-65 | Ensure a log metric filter and alarm exist for VPC changes | Ensure a log metric filter and alarm exist for Virtual Private Cloud (VPC) changes |
lacework-global-67 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | Ensure no Network Access Control Lists (ACL) allow ingress from 0.0.0.0/0 to remote server administration ports |
lacework-global-69 | Ensure hardware MFA is enabled for the 'root' user account | Enable hardware Multi-Factor Authentication (MFA) for the 'root' user account |
lacework-global-70 | Ensure IAM instance roles are used for AWS resource access from instances | Use Identity and Access Management (IAM) instance roles for AWS resource access from instances |
lacework-global-71 | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | Manage Identity and Access Management (IAM) users centrally via identity federation or AWS Organizations for multi-account environments |
lacework-global-73 | Ensure S3 Bucket Policy is set to deny HTTP requests | Deny HTTP requests in S3 Bucket Policies |
lacework-global-74 | Ensure all data in Amazon S3 has been discovered, classified and secured when required | Discover, classify, and secure all data in Amazon S3 when required |
lacework-global-75 | Ensure CloudTrail log file validation is enabled | Enable CloudTrail log file validation |
lacework-global-76 | Ensure AWS Config is enabled in all regions | Enable AWS Config in all regions |
lacework-global-77 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Encrypt CloudTrail logs at rest using Customer-Managed Key Management Service (KMS) Keys |
lacework-global-78 | Ensure rotation for customer created CMKs is enabled | Enable rotation for Key Management Service (KMS) Keys |
lacework-global-79 | Ensure VPC flow logging is enabled in all VPCs | Enable Virtual Private Cloud (VPC) flow logging in all VPCs |
lacework-global-80 | Ensure that Object-level logging for write events is enabled for S3 bucket | Enable Object-level logging for write events on S3 buckets |
lacework-global-81 | Ensure that Object-level logging for read events is enabled for S3 bucket | Enable Object-level logging for read events on S3 buckets |
lacework-global-83 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of Key Management Service (KMS) Keys |
lacework-global-88 | Ensure routing tables for VPC peering are "least access" | Ensure routing tables for Virtual Private Cloud (VPC) peering are "least access" |
lacework-global-91 | Ensure Redshift Cluster is encrypted | Encrypt Redshift Clusters |
lacework-global-92 | Ensure no server certificate has been uploaded before Heartbleed vulnerability | Do not use server certificates uploaded before Heartbleed vulnerability |
lacework-global-93 | RDS should not have a Public Interface | Relational Database Service (RDS) should not have a Public Interface |
lacework-global-94 | Ensure the S3 bucket requires MFA to delete objects | Ensure the S3 bucket requires Multi-Factor Authentication (MFA) to delete objects |
lacework-global-103 | EC2 instance should be deployed in EC2-VPC platform | Deploy EC2 instances in EC2-VPC platform |
lacework-global-105 | No IAM users with password-based console access should exist | No Identity and Access Management (IAM) users with password-based console access should exist |
lacework-global-108 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 1434 (SQLServer) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 1434 (SQLServer) |
lacework-global-109 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (MSQL) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (Mini SQL (mSQL)) |
lacework-global-110 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (VNC Listener) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (Virtual Network Computing (VNC) Listener) |
lacework-global-111 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (VNC Server) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (Virtual Network Computing (VNC) Server) |
lacework-global-112 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 137 (NetBIOS) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 137 (NetBIOS) |
lacework-global-113 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 138 (NetBIOS) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 138 (NetBIOS) |
lacework-global-114 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 445 (CIFS) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 445 (Common Internet File System (CIFS)) |
lacework-global-115 | Ensure access keys are rotated every 30 days or less | Rotate access keys every 30 days or less |
lacework-global-116 | Ensure access keys are rotated every 45 days or less | Rotate access keys every 45 days or less |
lacework-global-117 | Ensure public ssh keys are rotated every 30 days or less | Rotate public ssh keys every 30 days or less |
lacework-global-118 | Ensure public ssh keys are rotated every 45 days or less | Rotate public ssh keys every 45 days or less |
lacework-global-119 | Ensure public ssh keys are rotated every 90 days or less | Rotate public ssh keys every 90 days or less |
lacework-global-120 | Ensure active access keys are used every 90 days or less | Deactivate access keys not used in 90 days |
lacework-global-121 | IAM user should not be inactive for more than 30 days | Identity and Access Management (IAM) user should not be inactive for more than 30 days |
lacework-global-122 | OpenSearch Domain should not be exposed | Exposed OpenSearch Domain |
lacework-global-127 | Security group should not allow inbound traffic from all to all ICMP | Security group should not allow inbound traffic from all to all Internet Control Message Protocol (ICMP) |
lacework-global-130 | Ensure the bucket ACL does not grant 'Everyone' READ permission [list S3 objects] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ permission [list S3 objects] |
lacework-global-131 | Ensure the bucket ACL does not grant 'Everyone' WRITE permission [create, overwrite, and delete S3 objects] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' write permission [create, overwrite, and delete S3 objects] |
lacework-global-132 | Ensure the bucket ACL does not grant 'Everyone' READ_ACP permission [read bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ_ACP permission [read bucket ACL] |
lacework-global-133 | Ensure the bucket ACL does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL] |
lacework-global-134 | Ensure the bucket ACL does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] |
lacework-global-135 | Ensure the bucket ACL does not grant AWS users READ permission [list S3 objects] | Ensure the bucket Access Control List (ACL) does not grant AWS users READ permission [list S3 objects] |
lacework-global-136 | Ensure the bucket ACL does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects] | Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects] |
lacework-global-137 | Ensure the bucket ACL does not grant AWS users READ_ACP permission [read bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant AWS users READ_ACP permission [read bucket ACL] |
lacework-global-138 | Ensure the bucket ACL does not grant AWS users WRITE_ACP permission [modify bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE_ACP permission [modify bucket ACL] |
lacework-global-139 | Ensure the bucket ACL does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | Ensure the bucket Access Control List (ACL) does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] |
lacework-global-141 | Ensure access keys are rotated every 180 days or less | Rotate access keys every 180 days or less |
lacework-global-142 | Ensure access keys are rotated every 350 days or less | Rotate access keys every 350 days or less |
lacework-global-144 | Lambda Function should not have VPC access | Lambda Function should not have Virtual Private Cloud (VPC) access |
lacework-global-145 | Network ACLs do not allow unrestricted inbound traffic | Network Access Control Lists (ACL) do not allow unrestricted inbound traffic |
lacework-global-146 | Network ACLs do not allow unrestricted outbound traffic | Network Access Control Lists (ACL) do not allow unrestricted outbound traffic |
lacework-global-147 | AWS VPC endpoints should not be exposed | Exposed AWS Virtual Private Cloud (VPC) endpoints |
lacework-global-155 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows RPC) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows Remote Procedure Call (RPC)) |
lacework-global-156 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows SMB) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows Server Message Block (SMB)) |
lacework-global-157 | No Default VPC should be present in an AWS account | No Default Virtual Private Cloud (VPC) should be present in an AWS account |
lacework-global-160 | Ensure No Public EBS Snapshots | Ensure No Public Elastic Block Store (EBS) Snapshots |
lacework-global-161 | OpenSearch Domain should have Encryption with KMS (Customer Managed Keys) | OpenSearch Domain should have Encryption with Customer-Managed Key Management Service (KMS) Keys |
lacework-global-171 | Ensure RDS database is encrypted with customer managed KMS key | Encrypt Relational Database Service (RDS) database with customer managed Key Management Service (KMS) key |
lacework-global-182 | Ensure ELB has latest Secure Cipher policies Configured for Session Encryption | Ensure Elastic Load Balancer (ELB) has latest Secure Cipher policies Configured for Session Encryption |
lacework-global-183 | Ensure ELB is not affected by POODLE Vulnerability (CVE-2014-3566) | Ensure Elastic Load Balancer (ELB) is not affected by POODLE Vulnerability (CVE-2014-3566) |
lacework-global-184 | ELB should not use insecure Ciphers | Elastic Load Balancer (ELB) should not use insecure Ciphers |
lacework-global-207 | VCN has Internet Gateway attached | Virtual Cloud Network (VCN) has Internet Gateway attached |
lacework-global-211 | IAM group has too few members | Identity and Access Management (IAM) group has too few members |
lacework-global-212 | IAM group has too many members | Identity and Access Management (IAM) group has too many members |
lacework-global-222 | EC2 instance should not allow inbound traffic from all to UDP port 53 | EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 53 |
lacework-global-223 | ELB Security Group should have Outbound Rules attached to it | Elastic Load Balancer (ELB) Security Group should have Outbound Rules attached to it |
lacework-global-224 | Ensure ELBv2 has latest Secure Cipher policies Configured for Session Encryption | Ensure Elastic Load Balancer V2 (ELBV2) has latest Secure Cipher policies Configured for Session Encryption |
lacework-global-225 | ELB SSL Certificate expires in 5 Days | Elastic Load Balancer (ELB) SSL Certificate expires in 5 Days |
lacework-global-226 | ELB SSL Certificate expires in 45 Days | Elastic Load Balancer (ELB) SSL Certificate expires in 45 Days |
lacework-global-229 | Security group attached to RDS DB instance should not allow inbound traffic from all ports | Security group attached to Relational Database Service (RDS) DB instance should not allow inbound traffic from all ports |
lacework-global-232 | Ensure that Corporate Login Credentials are Used | Use Corporate Login Credentials |
lacework-global-236 | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | Ensure That Identity and Access Management (IAM) Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level |
lacework-global-237 | Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | Rotate User-Managed/External Keys for Service Accounts Every 90 Days or Fewer |
lacework-global-238 | Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | Ensure That Cloud Key Management Service (KMS) Cryptokeys Are Not Anonymously or Publicly Accessible |
lacework-global-239 | Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | Rotate Key Management Service (KMS) Encryption Keys Within a Period of 90 Days |
lacework-global-241 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | Restrict API Keys to Only APIs That Application Needs Access |
lacework-global-242 | Ensure API Keys Are Rotated Every 90 Days | Rotate API Keys Every 90 Days |
lacework-global-243 | Ensure Essential Contacts is Configured for Organization | Configure Essential Contacts for Organization |
lacework-global-245 | Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project | Configure Cloud Audit Logging Properly Across All Services and All Users From a Project |
lacework-global-246 | Ensure That Sinks Are Configured for All Log Entries | Configure Sinks for All Log Entries |
lacework-global-250 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Firewall Rule Changes |
lacework-global-252 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes | Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Changes |
lacework-global-253 | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage Identity and Access Management (IAM) Permission Changes |
lacework-global-255 | Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | Enable Cloud Domain Name System (DNS) Logging for All Virtual Private Cloud (VPC) Networks |
lacework-global-259 | Ensure That DNSSEC Is Enabled for Cloud DNS | Enable DNSSEC for Cloud Domain Name System (DNS) |
lacework-global-260 | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | Ensure That RSASHA1 Is Not Used for the Key-Signing Key (KSK) in Cloud Domain Name System (DNS) DNSSEC |
lacework-global-261 | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key (ZSK) in Cloud Domain Name System (DNS) DNSSEC |
lacework-global-262 | Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | Enable Virtual Private Cloud (VPC) Flow Logs for Every Subnet in a VPC Network |
lacework-global-266 | Ensure Block Project-Wide SSH Keys Is Enabled for VM Instances | Enable Block Project-Wide SSH Keys for VM Instances |
lacework-global-267 | Ensure Oslogin Is Enabled for a Project | Enable Oslogin for a Project |
lacework-global-273 | Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | Configure Cloud SQL Database Instances With Automated Backups |
lacework-global-275 | Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' | Set 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance to 'On' |
lacework-global-276 | Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' | Set the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance to 'Off' |
lacework-global-278 | Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Set the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance to 'On' |
lacework-global-279 | Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | Set 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Appropriately |
lacework-global-280 | Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on' | Set 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance to 'on' |
lacework-global-281 | Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning' | Set the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance to at least 'Warning' |
lacework-global-282 | Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter | Set 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance to 'Error' or Stricter |
lacework-global-283 | Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) | Set the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance to '-1' (Disabled) |
lacework-global-284 | Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging | Set 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance to 'on' For Centralized Logging |
lacework-global-286 | Ensure that the 'cross db ownership chaining' database flag for Cloud SQL on SQL Server instance is set to 'off' | Set the 'cross db ownership chaining' database flag for Cloud SQL on SQL Server instance to 'off' |
lacework-global-287 | Ensure 'user Connections' Database Flag for Cloud SQL on SQL Server Instance Is Set to a Non-limiting Value | Set 'user Connections' Database Flag for Cloud SQL on SQL Server Instance to a Non-limiting Value |
lacework-global-288 | Ensure 'user options' database flag for Cloud SQL on SQL Server instance is not configured | Do not configure 'user options' database flag for Cloud SQL on SQL Server instance |
lacework-global-289 | Ensure 'remote access' database flag for Cloud SQL on SQL Server instance is set to 'off' | Set 'remote access' database flag for Cloud SQL on SQL Server instance to 'off' |
lacework-global-290 | Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'off' | Set '3625 (trace flag)' database flag for all Cloud SQL Server instances to 'off' |
lacework-global-291 | Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' | Set the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance to 'off' |
lacework-global-293 | Ensure that Security Key Enforcement is Enabled for All Admin Accounts | Enable Security Key Enforcement for All Admin Accounts |
lacework-global-294 | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | Enforce Separation of Duties While Assigning Service Account Related Roles to Users |
lacework-global-295 | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | Enforce Separation of Duties While Assigning Key Management Service (KMS) Related Roles to Users |
lacework-global-297 | Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | Encrypt Dataproc Cluster using Customer-Managed Encryption Key (CMEK) |
lacework-global-298 | Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | Configure Retention Policies on Cloud Storage Buckets Used for Exporting Logs Using Bucket Lock |
lacework-global-301 | Ensure That SSH Access Is Restricted From the Internet | Restrict SSH Access From the Internet |
lacework-global-302 | Ensure That RDP Access Is Restricted From the Internet | Restrict Remote Desktop Protocol (RDP) Access From the Internet |
lacework-global-304 | Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | Encrypt VM Disks for Critical VMs With Customer-Supplied Encryption Keys (CSEK) |
lacework-global-305 | Ensure Compute Instances Are Launched With Shielded VM Enabled | Launch Compute Instances With Shielded VM Enabled |
lacework-global-309 | Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | Install the Latest Operating System Updates On Your Virtual Machines in All Projects |
lacework-global-312 | Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | Set 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance to 'DEFAULT' or Stricter |
lacework-global-314 | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | Specify a Default Customer-Managed Encryption Key (CMEK) for All BigQuery Data Sets |
lacework-global-316 | Ensure that the kubeconfig file permissions are set to 644 or more restrictive | Set the kubeconfig file permissions to 644 or more restrictive |
lacework-global-317 | Ensure that the kubelet kubeconfig file ownership is set to root:root | Set the kubelet kubeconfig file ownership to root:root |
lacework-global-319 | Ensure that the kubelet configuration file ownership is set to root:root | Set the kubelet configuration file ownership to root:root |
lacework-global-320 | Ensure that the --anonymous-auth argument is set to false | Set the --anonymous-auth argument to false |
lacework-global-322 | Ensure that the --client-ca-file argument is set as appropriate | Set the --client-ca-file argument as appropriate |
lacework-global-323 | Ensure that the --read-only-port is secured | Secure the --read-only-port |
lacework-global-325 | Ensure that the --protect-kernel-defaults argument is set to true | Set the --protect-kernel-defaults argument to true |
lacework-global-326 | Ensure that the --make-iptables-util-chains argument is set to true | Set the --make-iptables-util-chains argument to true |
lacework-global-328 | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | Set the --eventRecordQPS argument to 0 or a level which ensures appropriate event capture |
lacework-global-330 | Ensure that the RotateKubeletServerCertificate argument is set to true | Set the RotateKubeletServerCertificate argument to true |
lacework-global-346 | Ensure latest CNI version is used | Use latest Container Network Interface (CNI) version |
lacework-global-352 | The default namespace should not be used | Do not use default namespace |
lacework-global-353 | Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider | Ensure Image Vulnerability Scanning using Amazon Elastic Container Registry (ECR) image scanning or a third party provider |
lacework-global-354 | Minimize user access to Amazon ECR | Minimize user access to Amazon Elastic Container Registry (ECR) |
lacework-global-355 | Minimize cluster access to read-only for Amazon ECR | Minimize cluster access to read-only for Amazon Elastic Container Registry (ECR) |
lacework-global-361 | Ensure clusters are created with Private Nodes | Create clusters with Private Nodes |
lacework-global-362 | Ensure Network Policy is Enabled and set as appropriate | Enable Network Policy and set as appropriate |
lacework-global-363 | Encrypt traffic to HTTPS load balancers with TLS certificates | Encrypt traffic to HTTPS load balancers with Transport Layer Security (TLS) certificates |
lacework-global-364 | Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes | Manage Kubernetes Role-Based Access Control (RBAC) users with AWS Identity and Access Management (IAM) Authenticator for Kubernetes |
lacework-global-483 | ELBs should have a secure security group | Elastic Load Balancers (ELB) should have a secure security group |
lacework-global-485 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to groups | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to groups |
lacework-global-486 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to roles | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to roles |
lacework-global-487 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From a Folder | Configure Cloud Audit Logging Properly Across All Users From a Folder |
lacework-global-488 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From an Organization | Configure Cloud Audit Logging Properly Across All Users From an Organization |
lacework-global-499 | Ensure Guest Users Are Reviewed on a Regular Basis | Review Guest Users on a Regular Basis |
lacework-global-501 | Ensure That 'Number of methods required to reset' is set to '2' | Set 'Number of methods required to reset' to '2' |
lacework-global-502 | Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | Set a Custom Bad Password List to 'Enforce' for your Organization |
lacework-global-504 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Set 'Notify users on password resets?' to 'Yes' |
lacework-global-505 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Set 'Notify all admins when other admins reset their password?' to 'Yes' |
lacework-global-506 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Set 'Users can consent to apps accessing company data on their behalf' to 'No' |
lacework-global-507 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | Set 'Users can add gallery apps to My Apps' to 'No' |
lacework-global-508 | Ensure That 'Users Can Register Applications' Is Set to 'No' | Set 'Users Can Register Applications' to 'No' |
lacework-global-509 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Set 'Guest users access restrictions' to 'Guest user access is restricted to properties and memberships of their own directory objects' |
lacework-global-510 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | Set 'Restrict access to Azure AD administration portal' to 'Yes' |
lacework-global-511 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Set 'Require Multi-Factor Authentication to register or join devices with Azure AD' to 'Yes' |
lacework-global-513 | Ensure Security Defaults is enabled on Azure Active Directory | Enable Security Defaults on Azure Active Directory |
lacework-global-515 | Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled | Enable 'Restore multi-factor authentication on all remembered devices' |
lacework-global-516 | Ensure Trusted Locations Are Defined | Define Trusted Locations |
lacework-global-517 | Ensure that an exclusionary Geographic Access Policy is considered | Consider an exclusionary Geographic Access Policy |
lacework-global-520 | Ensure Multi-factor Authentication is Required for Risky Sign-ins | Require Multi-factor Authentication for Risky Sign-ins |
lacework-global-521 | Ensure Multi-factor Authentication is Required for Azure Management | Require Multi-factor Authentication for Azure Management |
lacework-global-523 | Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' | Ensure Any of the Azure Security Center (ASC) Default Policy Settings are Not Set to 'Disabled' |
lacework-global-524 | Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' | Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On' |
lacework-global-525 | Ensure That 'All users with the following roles' is set to 'Owner' | Set 'All users with the following roles' to 'Owner' |
lacework-global-526 | Ensure 'Additional email addresses' is Configured with a Security Contact Email | Configure 'Additional email addresses' with a Security Contact Email |
lacework-global-527 | Ensure That 'Notify about alerts with the following severity' is Set to 'High' | Set 'Notify about alerts with the following severity' to 'High' |
lacework-global-528 | Ensure that 'Secure transfer required' is set to 'Enabled' | Set 'Secure transfer required' to 'Enabled' |
lacework-global-529 | Ensure that 'Enable key rotation reminders' is enabled for each Storage Account | Enable 'Enable key rotation reminders' for each Storage Account |
lacework-global-532 | Ensure that 'Public access level' is disabled for storage accounts with blob containers | Disable 'Public access level' for storage accounts with blob containers |
lacework-global-533 | Ensure Default Network Access Rule for Storage Accounts is Set to Deny | Set Default Network Access Rule for Storage Accounts to Deny |
lacework-global-535 | Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | Enable Soft Delete for Azure Containers and Blob Storage |
lacework-global-536 | Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2" | Set the "Minimum Transport Layer Security (TLS) version" for storage accounts to "Version 1.2" |
lacework-global-537 | Ensure that 'Auditing' is set to 'On' | Set 'Auditing' to 'On' |
lacework-global-538 | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (any IP) |
lacework-global-539 | Ensure that Azure Active Directory Admin is Configured for SQL Servers | Configure Azure Active Directory Admin for SQL Servers |
lacework-global-540 | Ensure that 'Data encryption' is set to 'On' on a SQL Database | Set 'Data encryption' to 'On' on a SQL Database |
lacework-global-542 | Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | Set Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' for each SQL Server |
lacework-global-544 | Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Set Server Parameter 'log_checkpoints' to 'ON' for PostgreSQL Database Server |
lacework-global-545 | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Set server parameter 'log_connections' to 'ON' for PostgreSQL Database Server |
lacework-global-546 | Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | Set server parameter 'log_disconnections' to 'ON' for PostgreSQL Database Server |
lacework-global-547 | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Set server parameter 'connection_throttling' to 'ON' for PostgreSQL Database Server |
lacework-global-549 | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Disable 'Allow access to Azure services' for PostgreSQL Database Server |
lacework-global-551 | Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | Set 'Enforce SSL connection' to 'Enabled' for Standard MySQL Database Server |
lacework-global-552 | Ensure 'TLS Version' is set to at least 'TLSV1.2' for Azure Database for MySQL Flexible Server | Set 'Transport Layer Security (TLS) Version' to at least 'TLSV1.2' for Azure Database for MySQL Flexible Server |
lacework-global-553 | Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it | Enable Azure Monitor Resource Logging for All Services that Support it |
lacework-global-568 | Ensure that RDP access from the Internet is evaluated and restricted | Evaluate and restrict Remote Desktop Protocol (RDP) access from the Internet |
lacework-global-570 | Ensure that UDP access from the Internet is evaluated and restricted | Evaluate and restrict User Datagram Protocol (UDP) access from the Internet |
lacework-global-571 | Ensure that HTTP(S) access from the Internet is evaluated and restricted | Evaluate and restrict HTTP(S) access from the Internet |
lacework-global-572 | Ensure that Public IP addresses are Evaluated on a Periodic Basis | Evaluate Public IP addresses on a Periodic Basis |
lacework-global-574 | Ensure that Only Approved Extensions Are Installed | Install Only Approved Extensions |
lacework-global-581 | Ensure Web App is using the latest version of TLS encryption | Ensure Web App is using the latest version of Transport Layer Security (TLS) encryption |
lacework-global-582 | Ensure that Register with Azure Active Directory is enabled on App Service | Enable Register with Azure Active Directory on App Service |
lacework-global-587 | Ensure FTP deployments are Disabled | Disable File Transfer Protocol (FTP) deployments |
lacework-global-588 | Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management | Set Up Access Review for External Users in Azure AD Privileged Identity Management |
lacework-global-589 | Ensure That 'Users Can Consent to Apps Accessing Company Data on Their Behalf' Is Set To 'Allow for Verified Publishers' | Set 'Users Can Consent to Apps Accessing Company Data on Their Behalf' To 'Allow for Verified Publishers' |
lacework-global-590 | Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" | Set 'Guest invite restrictions' to "Only users assigned to specific admin roles can invite guest users" |
lacework-global-591 | Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | Set 'Restrict user ability to access groups features in the Access Pane' to 'Yes' |
lacework-global-592 | Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | Set 'Users can create security groups in Azure portals, API or PowerShell' to 'No' |
lacework-global-593 | Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | Set 'Owners can manage group membership requests in the Access Panel' to 'No' |
lacework-global-594 | Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | Set 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' to 'No' |
lacework-global-595 | Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | Assign Permissions for Administering Resource Locks to a Custom Role |
lacework-global-596 | Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' | Set 'Subscription Entering Azure Active Directory (AAD) Directory' and 'Subscription Leaving AAD Directory' To 'Permit No One' |
lacework-global-598 | Ensure That Microsoft Defender for Servers Is Set to 'On' | Set Microsoft Defender for Servers to 'On' |
lacework-global-599 | Ensure That Microsoft Defender for App Services Is Set To 'On' | Set Microsoft Defender for App Services To 'On' |
lacework-global-600 | Ensure That Microsoft Defender for Databases Is Set To 'On' | Set Microsoft Defender for Databases To 'On' |
lacework-global-601 | Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' | Set Microsoft Defender for Azure SQL Databases To 'On' |
lacework-global-602 | Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | Set Microsoft Defender for SQL Servers on Machines To 'On' |
lacework-global-603 | Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | Set Microsoft Defender for Open-Source Relational Databases To 'On' |
lacework-global-604 | Ensure That Microsoft Defender for Storage Is Set To 'On' | Set Microsoft Defender for Storage To 'On' |
lacework-global-605 | Ensure That Microsoft Defender for Containers Is Set To 'On' | Set Microsoft Defender for Containers To 'On' |
lacework-global-606 | Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' | Set Microsoft Defender for Cosmos DB To 'On' |
lacework-global-607 | Ensure That Microsoft Defender for Key Vault Is Set To 'On' | Set Microsoft Defender for Key Vault To 'On' |
lacework-global-608 | Ensure That Microsoft Defender for DNS Is Set To 'On' | Set Microsoft Defender for Domain Name System (DNS) To 'On' |
lacework-global-609 | Ensure That Microsoft Defender for IoT Is Set To 'On' | Set Microsoft Defender for IoT To 'On' |
lacework-global-610 | Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | Set Microsoft Defender for Resource Manager To 'On' |
lacework-global-611 | Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | Set Auto provisioning of 'Vulnerability assessment for machines' to 'On' |
lacework-global-612 | Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | Set Auto provisioning of 'Microsoft Defender for Containers components' to 'On' |
lacework-global-613 | Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | Select Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud |
lacework-global-614 | Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | Select Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud |
lacework-global-615 | Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' | Set 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage to 'enabled' |
lacework-global-616 | Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | Enable Storage Logging for Queue Service for 'Read', 'Write', and 'Delete' requests |
lacework-global-617 | Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | Enable 'Allow Azure services on the trusted services list to access this storage account' for Storage Account Access |
lacework-global-618 | Ensure Storage for Critical Data are Encrypted with Customer Managed Keys | Encrypt Storage for Critical Data with Customer Managed Keys |
lacework-global-619 | Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | Enable Storage logging for Blob Service for 'Read', 'Write', and 'Delete' requests |
lacework-global-620 | Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | Enable Storage Logging for Table Service for 'Read', 'Write', and 'Delete' Requests |
lacework-global-621 | Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | Encrypt SQL server's Transparent Data Encryption (TDE) protector with Customer-managed key |
lacework-global-623 | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Enable Vulnerability Assessment (VA) on a SQL server by setting a Storage Account |
lacework-global-624 | Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | Set Vulnerability Assessment (VA) setting 'Periodic recurring scans' to 'on' for each SQL server |
lacework-global-625 | Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | Configure Vulnerability Assessment (VA) setting 'Send scan reports to' for a SQL server |
lacework-global-626 | Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | Set server parameter 'audit_log_enabled' to 'ON' for MySQL Database Server |
lacework-global-628 | Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks |
lacework-global-629 | Ensure That Private Endpoints Are Used Where Possible | Use Private Endpoints Where Possible |
lacework-global-630 | Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key | Encrypt the storage account containing the container with activity logs with Customer Managed Key |
lacework-global-631 | Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | Capture Network Security Group (NSG) Flow logs and send to Log Analytics |
lacework-global-632 | Ensure that logging for Azure AppService 'HTTP logs' is enabled | Enable logging for Azure AppService 'HTTP logs' |
lacework-global-633 | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Ensure that Network Security Group (NSG) Flow Log retention period is 'greater than 90 days' |
lacework-global-635 | Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | Encrypt 'OS and Data' disks with Customer Managed Key (CMK) |
lacework-global-636 | Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | Encrypt 'Unattached disks' with Customer Managed Key (CMK) |
lacework-global-637 | Ensure that Endpoint Protection for all Virtual Machines is installed | Install Endpoint Protection for all Virtual Machines |
lacework-global-638 | (Legacy) Ensure that VHDs are Encrypted | (Legacy) Encrypt Virtual Hard Disks (VHD) |
lacework-global-641 | Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | Enable Automatic Key Rotation Within Azure Key Vault for the Supported Services |
lacework-global-642 | Ensure App Service Authentication is set up for apps in Azure App Service | Set up App Service Authentication for apps in Azure App Service |
lacework-global-644 | Ensure Azure Key Vaults are Used to Store Secrets | Use Azure Key Vaults to Store Secrets |
lacework-global-645 | Ensure that Resource Locks are set for Mission-Critical Azure Resources | Set Resource Locks for Mission-Critical Azure Resources |
lacework-global-669 | Ensure permissions on all resources are given only to the tenancy administrator group | Give permissions on all resources only to the tenancy administrator group |
lacework-global-674 | Ensure MFA is enabled for all users with console password capability | Enable Multi-Factor Authentication (MFA) for all users with console password capability |
lacework-global-690 | Ensure audit log retention period is set to 365 days | Set audit log retention period to 365 days |
lacework-global-709 | Ensure Versioning is Enabled for Object Storage Buckets | Enable Versioning for Object Storage Buckets |
lacework-global-715 | AWS ElastiCache Replication Group encryption-at-rest should be enabled | Enable encryption-at-rest on AWS ElastiCache Replication Groups |
lacework-global-716 | AWS ElastiCache Replication Group encryption-at-rest should use a Customer Managed Key | AWS ElastiCache Replication Group encryption-at-rest should use a Customer-Managed Key Management Service (KMS) Key |
12th April 2024
Changed
A query improvement has been made for the following policy, to include container registries beginning with ghcr.io in the list of default allowed registries:
4th April 2024
Changed
A query improvement has been made for the following policy, to also check for GCP API keys with API restrictions set to Google Cloud APIs, allowing access to all services:
3rd April 2024
Changed
A query improvement has been made for the following policy, fixing an issue with identifying rules in AWS VPC default security groups:
27th March 2024
Added
See Adjusted Controls - 6.6 Ensure that Network Watcher is 'Enabled' for details.
Changed
Content and title improvements have been made to 25 compliance policies.
Only the wording of these policies has been updated; the functionality of the underlying queries is unchanged.
Policy ID | Old Title | New Title |
---|---|---|
lacework-global-44 | Ensure IAM Users Receive Permissions Only Through Groups | Ensure Identity and Access Management (IAM) Users Receive Permissions Only Through Groups |
lacework-global-49 | Ensure MFA Delete is enabled on S3 buckets | Enable Multi-Factor Authentication (MFA) Delete on S3 buckets |
lacework-global-55 | Ensure CloudTrail trails are integrated with CloudWatch Logs | Integrate CloudTrail trails with CloudWatch Logs |
lacework-global-87 | Ensure the default security group of every VPC restricts all traffic | Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic |
lacework-global-90 | Ensure EBS Volumes are Encrypted | Encrypt Elastic Block Store (EBS) Volumes |
lacework-global-240 | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | Restrict API Keys To Use by Only Specified Hosts and Apps |
lacework-global-256 | Ensure Cloud Asset Inventory Is Enabled | Enable Cloud Asset Inventory |
lacework-global-277 | Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Set the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance to 'On' |
lacework-global-285 | Ensure 'external scripts enabled' database flag for Cloud SQL on SQL Server instance is set to 'off' | Set 'external scripts enabled' database flag for Cloud SQL on SQL Server instance to 'off' |
lacework-global-313 | Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | Encrypt All BigQuery Tables With Customer-Managed Encryption Key (CMEK) |
lacework-global-339 | Minimize the admission of containers wishing to share the host IPC namespace | Minimize the admission of containers wishing to share the host Inter-Process Communication (IPC) namespace |
lacework-global-358 | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | Encrypt Kubernetes Secrets using Customer Managed Keys (CMKs) managed in AWS Key Management Service (KMS) |
lacework-global-360 | Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | Create clusters with Private Endpoint Enabled and Public Access Disabled |
lacework-global-534 | Ensure Private Endpoints are used to access Storage Accounts | Use Private Endpoints to access Storage Accounts |
lacework-global-543 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Set 'Enforce SSL connection' to 'ENABLED' for PostgreSQL Database Server |
lacework-global-569 | Ensure that SSH access from the Internet is evaluated and restricted | Evaluate and restrict SSH access from the Internet |
lacework-global-622 | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | Set Microsoft Defender for SQL to 'On' for critical SQL Servers |
lacework-global-640 | Ensure that Private Endpoints are Used for Azure Key Vault | Use Private Endpoints for Azure Key Vault |
lacework-global-650 | Minimize the execution of container workloads sharing the host IPC namespace | Minimize the execution of container workloads sharing the host Inter-Process Communication (IPC) namespace |
lacework-global-652 | Minimize the execution of container workloads that can escalate their privileges above those of their parent process | Minimize the execution of container workloads that can escalate their privileges beyond those of their parent process |
lacework-global-670 | Ensure IAM administrators cannot update tenancy Administrators group | Ensure Identity and Access Management (IAM) administrators cannot update tenancy Administrators group |
lacework-global-686 | Ensure the default security list of every VCN restricts all traffic except ICMP | Ensure the default security list of every Virtual Cloud Network (VCN) restricts all traffic except Internet Control Message Protocol (ICMP) |
lacework-global-691 | Ensure default tags are used on resources | Use default tags on resources |
lacework-global-708 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK) | Encrypt Object Storage Buckets with a Customer Managed Key (CMK) |
lacework-global-710 | Ensure Block Volumes are encrypted with Customer Managed Keys (CMK) | Encrypt Block Volumes with Customer Managed Keys (CMK) |
20th March 2024
Changed
Query improvements have been made to the following policies, which will fix an issue where some non-compliant S3 buckets were being flagged as compliant: