
Lacework Compliance Policy Catalog

Lacework offers a range of out-of-the-box compliance policies for Cloud Providers and Kubernetes.

These compliance policies form our built-in Compliance Frameworks.

You can view individual policy information in this section (grouped by framework).

Note: This catalog will continue to grow as new frameworks and policies are added.

Upcoming Changes

No upcoming changes.

Latest Changes

Tip: View the Compliance Policy Changelog for a history of all changes.

7th October 2024

Changed

The policy query for lacework-global-306 has been fixed: non-running compute instances were incorrectly being marked as non-compliant for having public access.

18th September 2024

Changed

Resolved an issue where AWS root accounts were incorrectly flagged as non-compliant due to changes in the AWS IAM get-credential-report API. Query logic has been updated in the following policies:

15th July 2024

Changed

The following policy's title and description have been updated to clarify that a violation occurs when an AWS Elastic Load Balancer is associated with a security group that allows unrestricted egress or ingress:

4th July 2024

Changed

A query improvement has been made for the following policy, fixing an issue where AWS accounts with CloudTrail trails configured to use advanced event selectors were being flagged as non-compliant:

3rd July 2024

Updated

The severity of the following policies has decreased from high to medium, to align with internal standards:

30th May 2024

Updated

The AWS Foundational Security Best Practices (FSBP) Standard compliance framework has been updated with new high-severity policies.

The following policies are newly added and are automated:

The following policies are newly added but are manual:

The following policies already exist and have been updated as part of this release:

21st May 2024

Updated

A query improvement has been made for the following policies, which simplifies the logic and also updates the severity:

The severity for lacework-global-52 has been increased from medium to high, and for lacework-global-171 it has been decreased from critical to medium, to reflect recent reviews of some Lacework policies.

16th May 2024

Updated

The CIS Google Kubernetes Engine (GKE) 1.4.0 Benchmark compliance framework has been updated with newly automated policies.

The following policies that were manual have now been automated:

13th May 2024

Changed

The following policies have been changed to fix an issue where the region was reported incorrectly, causing unexpected non-compliant assessment results.

The queries that support these policies now correctly report the primary region, rather than the paired region.

1st May 2024

Added

The CIS Google Cloud 2.0.0 Benchmark compliance framework is now available.

The following policies are newly added as part of this update:

The remaining policies in the benchmark are re-used from the CIS Google Cloud 1.3.0 Benchmark.

23rd April 2024

Added

The AWS Foundational Security Best Practices (FSBP) standard compliance framework is now available.

Note: This framework contains only the critical severity policies in this initial release. Additional policies will be added in future releases.

The following policies are newly added as part of this update:

Updated

As part of the AWS Foundational Security Best Practices (FSBP) Standard release, a number of existing policies have been updated:

This includes increasing the severity of lacework-global-102 and lacework-global-123 from high to critical.

15th April 2024

Changed

Content improvements have been made to 469 compliance policies; of these, 271 policies received title improvements.

Compliance policies with old and new titles:

Policy ID | Old Title | New Title
lacework-global-32 | Ensure security contact information is registered | Register security contact information
lacework-global-33 | Ensure security questions are registered in the AWS account | Register security questions in the AWS account
lacework-global-35 | Ensure MFA is enabled for the 'root' user account | Enable Multi-Factor Authentication (MFA) for the 'root' user account
lacework-global-37 | Ensure IAM password policy requires minimum length of 14 or greater | Ensure Identity and Access Management (IAM) password policy requires minimum length of 14 or greater
lacework-global-38 | Ensure IAM password policy prevents password reuse | Ensure Identity and Access Management (IAM) password policy prevents password reuse
lacework-global-39 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | Enable Multi-Factor Authentication (MFA) for all Identity and Access Management (IAM) users that have a console password
lacework-global-40 | Do not setup access keys during initial user setup for all IAM users that have a console password | Do not setup access keys during initial user setup for all Identity and Access Management (IAM) users that have a console password
lacework-global-41 | Ensure credentials unused for 45 days or greater are disabled | Disable credentials unused for 45 days or greater
lacework-global-42 | Ensure there is only one active access key available for any single IAM user | Ensure there is only one active access key available for any single Identity and Access Management (IAM) user
lacework-global-43 | Ensure access keys are rotated every 90 days or less | Rotate access keys every 90 days or less
lacework-global-45 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to users | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to users
lacework-global-46 | Ensure a support role has been created to manage incidents with AWS Support | Create a support role to manage incidents with AWS Support
lacework-global-47 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Remove all the expired SSL/Transport Layer Security (TLS) certificates stored in AWS Identity and Access Management (IAM)
lacework-global-48 | Ensure that IAM Access analyzer is enabled for all regions | Enable Identity and Access Management (IAM) Access analyzer for all regions
lacework-global-50 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' | Configure S3 Buckets with 'Block public access (bucket settings)'
lacework-global-51 | Ensure EBS volume encryption is enabled | Enable volume encryption for Elastic Block Store (EBS)
lacework-global-52 | Ensure that encryption is enabled for RDS Instances | Enable encryption for Relational Database Service (RDS) Instances
lacework-global-53 | Ensure CloudTrail is enabled in all regions | Enable CloudTrail in all regions
lacework-global-56 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket | Enable S3 bucket access logging on the CloudTrail S3 bucket
lacework-global-58 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | Ensure a log metric filter and alarm exist for Management Console sign-in without Multi-Factor Authentication (MFA)
lacework-global-60 | Ensure a log metric filter and alarm exist for IAM policy changes | Ensure a log metric filter and alarm exist for Identity and Access Management (IAM) policy changes
lacework-global-65 | Ensure a log metric filter and alarm exist for VPC changes | Ensure a log metric filter and alarm exist for Virtual Private Cloud (VPC) changes
lacework-global-67 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | Ensure no Network Access Control Lists (ACL) allow ingress from 0.0.0.0/0 to remote server administration ports
lacework-global-69 | Ensure hardware MFA is enabled for the 'root' user account | Enable hardware Multi-Factor Authentication (MFA) for the 'root' user account
lacework-global-70 | Ensure IAM instance roles are used for AWS resource access from instances | Use Identity and Access Management (IAM) instance roles for AWS resource access from instances
lacework-global-71 | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments | Manage Identity and Access Management (IAM) users centrally via identity federation or AWS Organizations for multi-account environments
lacework-global-73 | Ensure S3 Bucket Policy is set to deny HTTP requests | Deny HTTP requests in S3 Bucket Policies
lacework-global-74 | Ensure all data in Amazon S3 has been discovered, classified and secured when required | Discover, classify, and secure all data in Amazon S3 when required
lacework-global-75 | Ensure CloudTrail log file validation is enabled | Enable CloudTrail log file validation
lacework-global-76 | Ensure AWS Config is enabled in all regions | Enable AWS Config in all regions
lacework-global-77 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Encrypt CloudTrail logs at rest using Customer-Managed Key Management Service (KMS) Keys
lacework-global-78 | Ensure rotation for customer created CMKs is enabled | Enable rotation for Key Management Service (KMS) Keys
lacework-global-79 | Ensure VPC flow logging is enabled in all VPCs | Enable Virtual Private Cloud (VPC) flow logging in all VPCs
lacework-global-80 | Ensure that Object-level logging for write events is enabled for S3 bucket | Enable Object-level logging for write events on S3 buckets
lacework-global-81 | Ensure that Object-level logging for read events is enabled for S3 bucket | Enable Object-level logging for read events on S3 buckets
lacework-global-83 | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of Key Management Service (KMS) Keys
lacework-global-88 | Ensure routing tables for VPC peering are "least access" | Ensure routing tables for Virtual Private Cloud (VPC) peering are "least access"
lacework-global-91 | Ensure Redshift Cluster is encrypted | Encrypt Redshift Clusters
lacework-global-92 | Ensure no server certificate has been uploaded before Heartbleed vulnerability | Do not use server certificates uploaded before Heartbleed vulnerability
lacework-global-93 | RDS should not have a Public Interface | Relational Database Service (RDS) should not have a Public Interface
lacework-global-94 | Ensure the S3 bucket requires MFA to delete objects | Ensure the S3 bucket requires Multi-Factor Authentication (MFA) to delete objects
lacework-global-103 | EC2 instance should be deployed in EC2-VPC platform | Deploy EC2 instances in EC2-VPC platform
lacework-global-105 | No IAM users with password-based console access should exist | No Identity and Access Management (IAM) users with password-based console access should exist
lacework-global-108 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 1434 (SQLServer) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 1434 (SQLServer)
lacework-global-109 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (MSQL) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (Mini SQL (mSQL))
lacework-global-110 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (VNC Listener) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (Virtual Network Computing (VNC) Listener)
lacework-global-111 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (VNC Server) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (Virtual Network Computing (VNC) Server)
lacework-global-112 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 137 (NetBIOS) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 137 (NetBIOS)
lacework-global-113 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 138 (NetBIOS) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 138 (NetBIOS)
lacework-global-114 | Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 445 (CIFS) | Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 445 (Common Internet File System (CIFS))
lacework-global-115 | Ensure access keys are rotated every 30 days or less | Rotate access keys every 30 days or less
lacework-global-116 | Ensure access keys are rotated every 45 days or less | Rotate access keys every 45 days or less
lacework-global-117 | Ensure public ssh keys are rotated every 30 days or less | Rotate public ssh keys every 30 days or less
lacework-global-118 | Ensure public ssh keys are rotated every 45 days or less | Rotate public ssh keys every 45 days or less
lacework-global-119 | Ensure public ssh keys are rotated every 90 days or less | Rotate public ssh keys every 90 days or less
lacework-global-120 | Ensure active access keys are used every 90 days or less | Deactivate access keys not used in 90 days
lacework-global-121 | IAM user should not be inactive for more than 30 days | Identity and Access Management (IAM) user should not be inactive for more than 30 days
lacework-global-122 | OpenSearch Domain should not be exposed | Exposed OpenSearch Domain
lacework-global-127 | Security group should not allow inbound traffic from all to all ICMP | Security group should not allow inbound traffic from all to all Internet Control Message Protocol (ICMP)
lacework-global-130 | Ensure the bucket ACL does not grant 'Everyone' READ permission [list S3 objects] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ permission [list S3 objects]
lacework-global-131 | Ensure the bucket ACL does not grant 'Everyone' WRITE permission [create, overwrite, and delete S3 objects] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' write permission [create, overwrite, and delete S3 objects]
lacework-global-132 | Ensure the bucket ACL does not grant 'Everyone' READ_ACP permission [read bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ_ACP permission [read bucket ACL]
lacework-global-133 | Ensure the bucket ACL does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL]
lacework-global-134 | Ensure the bucket ACL does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | Ensure the bucket Access Control List (ACL) does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP]
lacework-global-135 | Ensure the bucket ACL does not grant AWS users READ permission [list S3 objects] | Ensure the bucket Access Control List (ACL) does not grant AWS users READ permission [list S3 objects]
lacework-global-136 | Ensure the bucket ACL does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects] | Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects]
lacework-global-137 | Ensure the bucket ACL does not grant AWS users READ_ACP permission [read bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant AWS users READ_ACP permission [read bucket ACL]
lacework-global-138 | Ensure the bucket ACL does not grant AWS users WRITE_ACP permission [modify bucket ACL] | Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE_ACP permission [modify bucket ACL]
lacework-global-139 | Ensure the bucket ACL does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | Ensure the bucket Access Control List (ACL) does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP]
lacework-global-141 | Ensure access keys are rotated every 180 days or less | Rotate access keys every 180 days or less
lacework-global-142 | Ensure access keys are rotated every 350 days or less | Rotate access keys every 350 days or less
lacework-global-144 | Lambda Function should not have VPC access | Lambda Function should not have Virtual Private Cloud (VPC) access
lacework-global-145 | Network ACLs do not allow unrestricted inbound traffic | Network Access Control Lists (ACL) do not allow unrestricted inbound traffic
lacework-global-146 | Network ACLs do not allow unrestricted outbound traffic | Network Access Control Lists (ACL) do not allow unrestricted outbound traffic
lacework-global-147 | AWS VPC endpoints should not be exposed | Exposed AWS Virtual Private Cloud (VPC) endpoints
lacework-global-155 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows RPC) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows Remote Procedure Call (RPC))
lacework-global-156 | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows SMB) | Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows Server Message Block (SMB))
lacework-global-157 | No Default VPC should be present in an AWS account | No Default Virtual Private Cloud (VPC) should be present in an AWS account
lacework-global-160 | Ensure No Public EBS Snapshots | Ensure No Public Elastic Block Store (EBS) Snapshots
lacework-global-161 | OpenSearch Domain should have Encryption with KMS (Customer Managed Keys) | OpenSearch Domain should have Encryption with Customer-Managed Key Management Service (KMS) Keys
lacework-global-171 | Ensure RDS database is encrypted with customer managed KMS key | Encrypt Relational Database Service (RDS) database with customer managed Key Management Service (KMS) key
lacework-global-182 | Ensure ELB has latest Secure Cipher policies Configured for Session Encryption | Ensure Elastic Load Balancer (ELB) has latest Secure Cipher policies Configured for Session Encryption
lacework-global-183 | Ensure ELB is not affected by POODLE Vulnerability (CVE-2014-3566) | Ensure Elastic Load Balancer (ELB) is not affected by POODLE Vulnerability (CVE-2014-3566)
lacework-global-184 | ELB should not use insecure Ciphers | Elastic Load Balancer (ELB) should not use insecure Ciphers
lacework-global-207 | VCN has Internet Gateway attached | Virtual Cloud Network (VCN) has Internet Gateway attached
lacework-global-211 | IAM group has too few members | Identity and Access Management (IAM) group has too few members
lacework-global-212 | IAM group has too many members | Identity and Access Management (IAM) group has too many members
lacework-global-222 | EC2 instance should not allow inbound traffic from all to UDP port 53 | EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 53
lacework-global-223 | ELB Security Group should have Outbound Rules attached to it | Elastic Load Balancer (ELB) Security Group should have Outbound Rules attached to it
lacework-global-224 | Ensure ELBv2 has latest Secure Cipher policies Configured for Session Encryption | Ensure Elastic Load Balancer V2 (ELBV2) has latest Secure Cipher policies Configured for Session Encryption
lacework-global-225 | ELB SSL Certificate expires in 5 Days | Elastic Load Balancer (ELB) SSL Certificate expires in 5 Days
lacework-global-226 | ELB SSL Certificate expires in 45 Days | Elastic Load Balancer (ELB) SSL Certificate expires in 45 Days
lacework-global-229 | Security group attached to RDS DB instance should not allow inbound traffic from all ports | Security group attached to Relational Database Service (RDS) DB instance should not allow inbound traffic from all ports
lacework-global-232 | Ensure that Corporate Login Credentials are Used | Use Corporate Login Credentials
lacework-global-236 | Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | Ensure That Identity and Access Management (IAM) Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
lacework-global-237 | Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | Rotate User-Managed/External Keys for Service Accounts Every 90 Days or Fewer
lacework-global-238 | Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible | Ensure That Cloud Key Management Service (KMS) Cryptokeys Are Not Anonymously or Publicly Accessible
lacework-global-239 | Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | Rotate Key Management Service (KMS) Encryption Keys Within a Period of 90 Days
lacework-global-241 | Ensure API Keys Are Restricted to Only APIs That Application Needs Access | Restrict API Keys to Only APIs That Application Needs Access
lacework-global-242 | Ensure API Keys Are Rotated Every 90 Days | Rotate API Keys Every 90 Days
lacework-global-243 | Ensure Essential Contacts is Configured for Organization | Configure Essential Contacts for Organization
lacework-global-245 | Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project | Configure Cloud Audit Logging Properly Across All Services and All Users From a Project
lacework-global-246 | Ensure That Sinks Are Configured for All Log Entries | Configure Sinks for All Log Entries
lacework-global-250 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Firewall Rule Changes
lacework-global-252 | Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes | Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Changes
lacework-global-253 | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage Identity and Access Management (IAM) Permission Changes
lacework-global-255 | Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | Enable Cloud Domain Name System (DNS) Logging for All Virtual Private Cloud (VPC) Networks
lacework-global-259 | Ensure That DNSSEC Is Enabled for Cloud DNS | Enable DNSSEC for Cloud Domain Name System (DNS)
lacework-global-260 | Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | Ensure That RSASHA1 Is Not Used for the Key-Signing Key (KSK) in Cloud Domain Name System (DNS) DNSSEC
lacework-global-261 | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | Ensure That RSASHA1 Is Not Used for the Zone-Signing Key (ZSK) in Cloud Domain Name System (DNS) DNSSEC
lacework-global-262 | Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | Enable Virtual Private Cloud (VPC) Flow Logs for Every Subnet in a VPC Network
lacework-global-266 | Ensure Block Project-Wide SSH Keys Is Enabled for VM Instances | Enable Block Project-Wide SSH Keys for VM Instances
lacework-global-267 | Ensure Oslogin Is Enabled for a Project | Enable Oslogin for a Project
lacework-global-273 | Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | Configure Cloud SQL Database Instances With Automated Backups
lacework-global-275 | Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On' | Set 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance to 'On'
lacework-global-276 | Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off' | Set the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance to 'Off'
lacework-global-278 | Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Set the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance to 'On'
lacework-global-279 | Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | Set 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Appropriately
lacework-global-280 | Ensure 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'on' | Set 'Log_hostname' Database Flag for Cloud SQL PostgreSQL Instance to 'on'
lacework-global-281 | Ensure That the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance Is Set to at least 'Warning' | Set the 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance to at least 'Warning'
lacework-global-282 | Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter | Set 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance to 'Error' or Stricter
lacework-global-283 | Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) | Set the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance to '-1' (Disabled)
lacework-global-284 | Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging | Set 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance to 'on' For Centralized Logging
lacework-global-286 | Ensure that the 'cross db ownership chaining' database flag for Cloud SQL on SQL Server instance is set to 'off' | Set the 'cross db ownership chaining' database flag for Cloud SQL on SQL Server instance to 'off'
lacework-global-287 | Ensure 'user Connections' Database Flag for Cloud SQL on SQL Server Instance Is Set to a Non-limiting Value | Set 'user Connections' Database Flag for Cloud SQL on SQL Server Instance to a Non-limiting Value
lacework-global-288 | Ensure 'user options' database flag for Cloud SQL on SQL Server instance is not configured | Do not configure 'user options' database flag for Cloud SQL on SQL Server instance
lacework-global-289 | Ensure 'remote access' database flag for Cloud SQL on SQL Server instance is set to 'off' | Set 'remote access' database flag for Cloud SQL on SQL Server instance to 'off'
lacework-global-290 | Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'off' | Set '3625 (trace flag)' database flag for all Cloud SQL Server instances to 'off'
lacework-global-291 | Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off' | Set the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance to 'off'
lacework-global-293 | Ensure that Security Key Enforcement is Enabled for All Admin Accounts | Enable Security Key Enforcement for All Admin Accounts
lacework-global-294 | Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | Enforce Separation of Duties While Assigning Service Account Related Roles to Users
lacework-global-295 | Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | Enforce Separation of Duties While Assigning Key Management Service (KMS) Related Roles to Users
lacework-global-297 | Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | Encrypt Dataproc Cluster using Customer-Managed Encryption Key (CMEK)
lacework-global-298 | Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | Configure Retention Policies on Cloud Storage Buckets Used for Exporting Logs Using Bucket Lock
lacework-global-301 | Ensure That SSH Access Is Restricted From the Internet | Restrict SSH Access From the Internet
lacework-global-302 | Ensure That RDP Access Is Restricted From the Internet | Restrict Remote Desktop Protocol (RDP) Access From the Internet
lacework-global-304 | Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | Encrypt VM Disks for Critical VMs With Customer-Supplied Encryption Keys (CSEK)
lacework-global-305 | Ensure Compute Instances Are Launched With Shielded VM Enabled | Launch Compute Instances With Shielded VM Enabled
lacework-global-309 | Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | Install the Latest Operating System Updates On Your Virtual Machines in All Projects
lacework-global-312 | Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | Set 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance to 'DEFAULT' or Stricter
lacework-global-314 | Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | Specify a Default Customer-Managed Encryption Key (CMEK) for All BigQuery Data Sets
lacework-global-316 | Ensure that the kubeconfig file permissions are set to 644 or more restrictive | Set the kubeconfig file permissions to 644 or more restrictive
lacework-global-317 | Ensure that the kubelet kubeconfig file ownership is set to root:root | Set the kubelet kubeconfig file ownership to root:root
lacework-global-319 | Ensure that the kubelet configuration file ownership is set to root:root | Set the kubelet configuration file ownership to root:root
lacework-global-320 | Ensure that the --anonymous-auth argument is set to false | Set the --anonymous-auth argument to false
lacework-global-322 | Ensure that the --client-ca-file argument is set as appropriate | Set the --client-ca-file argument as appropriate
lacework-global-323 | Ensure that the --read-only-port is secured | Secure the --read-only-port
lacework-global-325 | Ensure that the --protect-kernel-defaults argument is set to true | Set the --protect-kernel-defaults argument to true
lacework-global-326 | Ensure that the --make-iptables-util-chains argument is set to true | Set the --make-iptables-util-chains argument to true
lacework-global-328 | Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | Set the --eventRecordQPS argument to 0 or a level which ensures appropriate event capture
lacework-global-330 | Ensure that the RotateKubeletServerCertificate argument is set to true | Set the RotateKubeletServerCertificate argument to true
lacework-global-346 | Ensure latest CNI version is used | Use latest Container Network Interface (CNI) version
lacework-global-352 | The default namespace should not be used | Do not use default namespace
lacework-global-353 | Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider | Ensure Image Vulnerability Scanning using Amazon Elastic Container Registry (ECR) image scanning or a third party provider
lacework-global-354 | Minimize user access to Amazon ECR | Minimize user access to Amazon Elastic Container Registry (ECR)
lacework-global-355 | Minimize cluster access to read-only for Amazon ECR | Minimize cluster access to read-only for Amazon Elastic Container Registry (ECR)
lacework-global-361 | Ensure clusters are created with Private Nodes | Create clusters with Private Nodes
lacework-global-362 | Ensure Network Policy is Enabled and set as appropriate | Enable Network Policy and set as appropriate
lacework-global-363 | Encrypt traffic to HTTPS load balancers with TLS certificates | Encrypt traffic to HTTPS load balancers with Transport Layer Security (TLS) certificates
lacework-global-364 | Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes | Manage Kubernetes Role-Based Access Control (RBAC) users with AWS Identity and Access Management (IAM) Authenticator for Kubernetes
lacework-global-483 | ELBs should have a secure security group | Elastic Load Balancers (ELB) should have a secure security group
lacework-global-485 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to groups | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to groups
lacework-global-486 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to roles | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to roles
lacework-global-487 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From a Folder | Configure Cloud Audit Logging Properly Across All Users From a Folder
lacework-global-488 | Ensure That Cloud Audit Logging Is Configured Properly Across All Users From an Organization | Configure Cloud Audit Logging Properly Across All Users From an Organization
lacework-global-499 | Ensure Guest Users Are Reviewed on a Regular Basis | Review Guest Users on a Regular Basis
lacework-global-501 | Ensure That 'Number of methods required to reset' is set to '2' | Set 'Number of methods required to reset' to '2'
lacework-global-502 | Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization | Set a Custom Bad Password List to 'Enforce' for your Organization
lacework-global-504 | Ensure that 'Notify users on password resets?' is set to 'Yes' | Set 'Notify users on password resets?' to 'Yes'
lacework-global-505 | Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' | Set 'Notify all admins when other admins reset their password?' to 'Yes'
lacework-global-506 | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' | Set 'Users can consent to apps accessing company data on their behalf' to 'No'
lacework-global-507 | Ensure that 'Users can add gallery apps to My Apps' is set to 'No' | Set 'Users can add gallery apps to My Apps' to 'No'
lacework-global-508 | Ensure That 'Users Can Register Applications' Is Set to 'No' | Set 'Users Can Register Applications' to 'No'
lacework-global-509 | Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' | Set 'Guest users access restrictions' to 'Guest user access is restricted to properties and memberships of their own directory objects'
lacework-global-510 | Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | Set 'Restrict access to Azure AD administration portal' to 'Yes'
lacework-global-511 | Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | Set 'Require Multi-Factor Authentication to register or join devices with Azure AD' to 'Yes'
lacework-global-513Ensure Security Defaults is enabled on Azure Active DirectoryEnable Security Defaults on Azure Active Directory
lacework-global-515Ensure that 'Restore multi-factor authentication on all remembered devices' is EnabledEnable 'Restore multi-factor authentication on all remembered devices'
lacework-global-516Ensure Trusted Locations Are DefinedDefine Trusted Locations
lacework-global-517Ensure that an exclusionary Geographic Access Policy is consideredConsider an exclusionary Geographic Access Policy
lacework-global-520Ensure Multi-factor Authentication is Required for Risky Sign-insRequire Multi-factor Authentication for Risky Sign-ins
lacework-global-521Ensure Multi-factor Authentication is Required for Azure ManagementRequire Multi-factor Authentication for Azure Management
lacework-global-523Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'Ensure Any of the Azure Security Center (ASC) Default Policy Settings are Not Set to 'Disabled'
lacework-global-524Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'Set Auto provisioning of 'Log Analytics agent for Azure VMs' to 'On'
lacework-global-525Ensure That 'All users with the following roles' is set to 'Owner'Set 'All users with the following roles' to 'Owner'
lacework-global-526Ensure 'Additional email addresses' is Configured with a Security Contact EmailConfigure 'Additional email addresses' with a Security Contact Email
lacework-global-527Ensure That 'Notify about alerts with the following severity' is Set to 'High'Set 'Notify about alerts with the following severity' to 'High'
lacework-global-528Ensure that 'Secure transfer required' is set to 'Enabled'Set 'Secure transfer required' to 'Enabled'
lacework-global-529Ensure that 'Enable key rotation reminders' is enabled for each Storage AccountEnable 'Enable key rotation reminders' for each Storage Account
lacework-global-532Ensure that 'Public access level' is disabled for storage accounts with blob containersDisable 'Public access level' for storage accounts with blob containers
lacework-global-533Ensure Default Network Access Rule for Storage Accounts is Set to DenySet Default Network Access Rule for Storage Accounts to Deny
lacework-global-535Ensure Soft Delete is Enabled for Azure Containers and Blob StorageEnable Soft Delete for Azure Containers and Blob Storage
lacework-global-536Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"Set the "Minimum Transport Layer Security (TLS) version" for storage accounts to "Version 1.2"
lacework-global-537Ensure that 'Auditing' is set to 'On'Set 'Auditing' to 'On'
lacework-global-538Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (any IP)
lacework-global-539Ensure that Azure Active Directory Admin is Configured for SQL ServersConfigure Azure Active Directory Admin for SQL Servers
lacework-global-540Ensure that 'Data encryption' is set to 'On' on a SQL DatabaseSet 'Data encryption' to 'On' on a SQL Database
lacework-global-542Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL ServerSet Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' for each SQL Server
lacework-global-544Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database ServerSet Server Parameter 'log_checkpoints' to 'ON' for PostgreSQL Database Server
lacework-global-545Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database ServerSet server parameter 'log_connections' to 'ON' for PostgreSQL Database Server
lacework-global-546Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database ServerSet server parameter 'log_disconnections' to 'ON' for PostgreSQL Database Server
lacework-global-547Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database ServerSet server parameter 'connection_throttling' to 'ON' for PostgreSQL Database Server
lacework-global-549Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabledDisable 'Allow access to Azure services' for PostgreSQL Database Server
lacework-global-551Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database ServerSet 'Enforce SSL connection' to 'Enabled' for Standard MySQL Database Server
lacework-global-552Ensure 'TLS Version' is set to at least 'TLSV1.2' for Azure Database for MySQL Flexible ServerSet 'Transport Layer Security (TLS) Version' to at least 'TLSV1.2' for Azure Database for MySQL Flexible Server
lacework-global-553Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support itEnable Azure Monitor Resource Logging for All Services that Support it
lacework-global-568Ensure that RDP access from the Internet is evaluated and restrictedEvaluate and restrict Remote Desktop Protocol (RDP) access from the Internet
lacework-global-570Ensure that UDP access from the Internet is evaluated and restrictedEvaluate and restrict User Datagram Protocol (UDP) access from the Internet
lacework-global-571Ensure that HTTP(S) access from the Internet is evaluated and restrictedEvaluate and restrict HTTP(S) access from the Internet
lacework-global-572Ensure that Public IP addresses are Evaluated on a Periodic BasisEvaluate Public IP addresses on a Periodic Basis
lacework-global-574Ensure that Only Approved Extensions Are InstalledInstall Only Approved Extensions
lacework-global-581Ensure Web App is using the latest version of TLS encryptionEnsure Web App is using the latest version of Transport Layer Security (TLS) encryption
lacework-global-582Ensure that Register with Azure Active Directory is enabled on App ServiceEnable Register with Azure Active Directory on App Service
lacework-global-587Ensure FTP deployments are DisabledDisable File Transfer Protocol (FTP) deployments
lacework-global-588Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity ManagementSet Up Access Review for External Users in Azure AD Privileged Identity Management
lacework-global-589Ensure That 'Users Can Consent to Apps Accessing Company Data on Their Behalf' Is Set To 'Allow for Verified Publishers'Set 'Users Can Consent to Apps Accessing Company Data on Their Behalf' To 'Allow for Verified Publishers'
lacework-global-590Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"Set 'Guest invite restrictions' to "Only users assigned to specific admin roles can invite guest users"
lacework-global-591Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'Set 'Restrict user ability to access groups features in the Access Pane' to 'Yes'
lacework-global-592Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'Set 'Users can create security groups in Azure portals, API or PowerShell' to 'No'
lacework-global-593Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'Set 'Owners can manage group membership requests in the Access Panel' to 'No'
lacework-global-594Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'Set 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' to 'No'
lacework-global-595Ensure a Custom Role is Assigned Permissions for Administering Resource LocksAssign Permissions for Administering Resource Locks to a Custom Role
lacework-global-596Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'Set 'Subscription Entering Azure Active Directory (AAD) Directory' and 'Subscription Leaving AAD Directory' To 'Permit No One'
lacework-global-598Ensure That Microsoft Defender for Servers Is Set to 'On'Set Microsoft Defender for Servers to 'On'
lacework-global-599Ensure That Microsoft Defender for App Services Is Set To 'On'Set Microsoft Defender for App Services To 'On'
lacework-global-600Ensure That Microsoft Defender for Databases Is Set To 'On'Set Microsoft Defender for Databases To 'On'
lacework-global-601Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'Set Microsoft Defender for Azure SQL Databases To 'On'
lacework-global-602Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'Set Microsoft Defender for SQL Servers on Machines To 'On'
lacework-global-603Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'Set Microsoft Defender for Open-Source Relational Databases To 'On'
lacework-global-604Ensure That Microsoft Defender for Storage Is Set To 'On'Set Microsoft Defender for Storage To 'On'
lacework-global-605Ensure That Microsoft Defender for Containers Is Set To 'On'Set Microsoft Defender for Containers To 'On'
lacework-global-606Ensure That Microsoft Defender for Cosmos DB Is Set To 'On'Set Microsoft Defender for Cosmos DB To 'On'
lacework-global-607Ensure That Microsoft Defender for Key Vault Is Set To 'On'Set Microsoft Defender for Key Vault To 'On'
lacework-global-608Ensure That Microsoft Defender for DNS Is Set To 'On'Set Microsoft Defender for Domain Name System (DNS) To 'On'
lacework-global-609Ensure That Microsoft Defender for IoT Is Set To 'On'Set Microsoft Defender for IoT To 'On'
lacework-global-610Ensure That Microsoft Defender for Resource Manager Is Set To 'On'Set Microsoft Defender for Resource Manager To 'On'
lacework-global-611Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'Set Auto provisioning of 'Vulnerability assessment for machines' to 'On'
lacework-global-612Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'Set Auto provisioning of 'Microsoft Defender for Containers components' to 'On'
lacework-global-613Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is SelectedSelect Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud
lacework-global-614Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selectedSelect Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud
lacework-global-615Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'Set 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage to 'enabled'
lacework-global-616Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requestsEnable Storage Logging for Queue Service for 'Read', 'Write', and 'Delete' requests
lacework-global-617Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account AccessEnable 'Allow Azure services on the trusted services list to access this storage account' for Storage Account Access
lacework-global-618Ensure Storage for Critical Data are Encrypted with Customer Managed KeysEncrypt Storage for Critical Data with Customer Managed Keys
lacework-global-619Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requestsEnable Storage logging for Blob Service for 'Read', 'Write', and 'Delete' requests
lacework-global-620Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' RequestsEnable Storage Logging for Table Service for 'Read', 'Write', and 'Delete' Requests
lacework-global-621Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed keyEncrypt SQL server's Transparent Data Encryption (TDE) protector with Customer-managed key
lacework-global-623Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage AccountEnable Vulnerability Assessment (VA) on a SQL server by setting a Storage Account
lacework-global-624Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL serverSet Vulnerability Assessment (VA) setting 'Periodic recurring scans' to 'on' for each SQL server
lacework-global-625Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL serverConfigure Vulnerability Assessment (VA) setting 'Send scan reports to' for a SQL server
lacework-global-626Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database ServerSet server parameter 'audit_log_enabled' to 'ON' for MySQL Database Server
lacework-global-628Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All NetworksLimit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks
lacework-global-629Ensure That Private Endpoints Are Used Where PossibleUse Private Endpoints Where Possible
lacework-global-630Ensure the storage account containing the container with activity logs is encrypted with Customer Managed KeyEncrypt the storage account containing the container with activity logs with Customer Managed Key
lacework-global-631Ensure that Network Security Group Flow logs are captured and sent to Log AnalyticsCapture Network Security Group (NSG) Flow logs and send to Log Analytics
lacework-global-632Ensure that logging for Azure AppService 'HTTP logs' is enabledEnable logging for Azure AppService 'HTTP logs'
lacework-global-633Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'Ensure that Network Security Group (NSG) Flow Log retention period is 'greater than 90 days'
lacework-global-635Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)Encrypt 'OS and Data' disks with Customer Managed Key (CMK)
lacework-global-636Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)Encrypt 'Unattached disks' with Customer Managed Key (CMK)
lacework-global-637Ensure that Endpoint Protection for all Virtual Machines is installedInstall Endpoint Protection for all Virtual Machines
lacework-global-638(Legacy) Ensure that VHDs are Encrypted(Legacy) Encrypt Virtual Hard Disks (VHD)
lacework-global-641Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported ServicesEnable Automatic Key Rotation Within Azure Key Vault for the Supported Services
lacework-global-642Ensure App Service Authentication is set up for apps in Azure App ServiceSet up App Service Authentication for apps in Azure App Service
lacework-global-644Ensure Azure Key Vaults are Used to Store SecretsUse Azure Key Vaults to Store Secrets
lacework-global-645Ensure that Resource Locks are set for Mission-Critical Azure ResourcesSet Resource Locks for Mission-Critical Azure Resources
lacework-global-669Ensure permissions on all resources are given only to the tenancy administrator groupGive permissions on all resources only to the tenancy administrator group
lacework-global-674Ensure MFA is enabled for all users with console password capabilityEnable Multi-Factor Authentication (MFA) for all users with console password capability
lacework-global-690Ensure audit log retention period is set to 365 daysSet audit log retention period to 365 days
lacework-global-709Ensure Versioning is Enabled for Object Storage BucketsEnable Versioning for Object Storage Buckets
lacework-global-715AWS ElastiCache Replication Group encryption-at-rest should be enabledEnable encryption-at-rest on AWS ElastiCache Replication Groups
lacework-global-716AWS ElastiCache Replication Group encryption-at-rest should use a Customer Managed KeyAWS ElastiCache Replication Group encryption-at-rest should use a Customer-Managed Key Management Service (KMS) Key
12th April 2024

Changed

A query improvement has been made for the following policy, to include container registries beginning with ghcr.io in the list of default allowed registries:

4th April 2024

Changed

A query improvement has been made for the following policy, to also check for GCP API keys with API restrictions set to Google Cloud APIs, allowing access to all services:

3rd April 2024

Changed

A query improvement has been made for the following policy, fixing an issue with identifying rules in AWS VPC default security groups:

27th March 2024

Added

Changed

There have been content and title improvements made to 25 compliance policies.

note

Only the wording of these policies has been updated; the functionality of the underlying queries is unchanged.

| Policy ID | Old Title | New Title |
| --- | --- | --- |
| lacework-global-44 | Ensure IAM Users Receive Permissions Only Through Groups | Ensure Identity and Access Management (IAM) Users Receive Permissions Only Through Groups |
| lacework-global-49 | Ensure MFA Delete is enabled on S3 buckets | Enable Multi-Factor Authentication (MFA) Delete on S3 buckets |
| lacework-global-55 | Ensure CloudTrail trails are integrated with CloudWatch Logs | Integrate CloudTrail trails with CloudWatch Logs |
| lacework-global-87 | Ensure the default security group of every VPC restricts all traffic | Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic |
| lacework-global-90 | Ensure EBS Volumes are Encrypted | Encrypt Elastic Block Store (EBS) Volumes |
| lacework-global-240 | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | Restrict API Keys To Use by Only Specified Hosts and Apps |
| lacework-global-256 | Ensure Cloud Asset Inventory Is Enabled | Enable Cloud Asset Inventory |
| lacework-global-277 | Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Set the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance to 'On' |
| lacework-global-285 | Ensure 'external scripts enabled' database flag for Cloud SQL on SQL Server instance is set to 'off' | Set 'external scripts enabled' database flag for Cloud SQL on SQL Server instance to 'off' |
| lacework-global-313 | Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | Encrypt All BigQuery Tables With Customer-Managed Encryption Key (CMEK) |
| lacework-global-339 | Minimize the admission of containers wishing to share the host IPC namespace | Minimize the admission of containers wishing to share the host Inter-Process Communication (IPC) namespace |
| lacework-global-358 | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | Encrypt Kubernetes Secrets using Customer Managed Keys (CMKs) managed in AWS Key Management Service (KMS) |
| lacework-global-360 | Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | Create clusters with Private Endpoint Enabled and Public Access Disabled |
| lacework-global-534 | Ensure Private Endpoints are used to access Storage Accounts | Use Private Endpoints to access Storage Accounts |
| lacework-global-543 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Set 'Enforce SSL connection' to 'ENABLED' for PostgreSQL Database Server |
| lacework-global-569 | Ensure that SSH access from the Internet is evaluated and restricted | Evaluate and restrict SSH access from the Internet |
| lacework-global-622 | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | Set Microsoft Defender for SQL to 'On' for critical SQL Servers |
| lacework-global-640 | Ensure that Private Endpoints are Used for Azure Key Vault | Use Private Endpoints for Azure Key Vault |
| lacework-global-650 | Minimize the execution of container workloads sharing the host IPC namespace | Minimize the execution of container workloads sharing the host Inter-Process Communication (IPC) namespace |
| lacework-global-652 | Minimize the execution of container workloads that can escalate their privileges above those of their parent process | Minimize the execution of container workloads that can escalate their privileges beyond those of their parent process |
| lacework-global-670 | Ensure IAM administrators cannot update tenancy Administrators group | Ensure Identity and Access Management (IAM) administrators cannot update tenancy Administrators group |
| lacework-global-686 | Ensure the default security list of every VCN restricts all traffic except ICMP | Ensure the default security list of every Virtual Cloud Network (VCN) restricts all traffic except Internet Control Message Protocol (ICMP) |
| lacework-global-691 | Ensure default tags are used on resources | Use default tags on resources |
| lacework-global-708 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK) | Encrypt Object Storage Buckets with a Customer Managed Key (CMK) |
| lacework-global-710 | Ensure Block Volumes are encrypted with Customer Managed Keys (CMK) | Encrypt Block Volumes with Customer Managed Keys (CMK) |

20th March 2024

Changed

Query improvements have been made to the following policies, which will fix an issue where some non-compliant S3 buckets were being flagged as compliant: