AWS Foundational Security Best Practices (FSBP) Standard

Lacework provides compliance policies based on AWS Foundational Security Best Practices (FSBP) Standard (or AWS FSBP Standard for short).

Once you have integrated your Amazon Web Services (AWS) environment with Lacework, you can check whether your resources are compliant with the framework policies.

Revision History

Revision 2
Revision 1

This revision adds high severity policies. See the Compliance Policy Changelog for details on what was added or changed.

Visibility and Usage in the Lacework Console

You can use the AWS FSBP Standard in the following ways:

Enable or disable policies through the Policies page (see AWS FSBP Standard Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
Receive Compliance-related Alerts for enabled AWS FSBP Standard policies (when violations occur).
The Cloud Compliance Dashboard provides assessment results for each framework, including the AWS FSBP Standard.
The Reports page lists all reports that are configured for your environment. Create a report configuration with the AWS FSBP Standard as the template to generate a daily report that is retained for up to 90 days.

Prerequisites

Ensure you have integrated your AWS environment with the Lacework Compliance platform. Completing this will prepare your environment for the AWS FSBP Standard:

Integrate Lacework with AWS
- A Configuration integration is the minimum requirement for your accounts/organizations to gain access to our Compliance platform functionality.

Previous Integrations using Terraform

If you have previously integrated AWS with Lacework using Terraform before this framework was available:

Enter the directory containing the Terraform files used for the integration.
Run terraform init -upgrade to initialize the working directory (containing the Terraform files).
Run terraform plan and review the changes that will be applied.
Once satisfied with the changes that will be applied, run terraform apply to upgrade the modules.

AWS FSBP Standard Policies

All policies in the AWS FSBP Standard are disabled by default.

You can enable or disable them using one of the following methods outlined in this section.

Enable or Disable Policies in the Lacework Console

On the Policies page, use the framework:aws-fsbp-2023H2 tag to filter for AWS FSBP Standard policies only.

You can enable or disable each one using the status toggle.

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

Enable or Disable Policies using the Lacework CLI

tip

If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.

Enable or disable all the AWS FSBP Standard policies using the following commands in the Lacework CLI:

Enable all policies

lacework policy enable --tag framework:aws-fsbp-2023H2

Disable all policies

lacework policy disable --tag framework:aws-fsbp-2023H2

Enable or disable specific AWS FSBP Standard policies using the following command examples in the Lacework CLI:

Enable lacework-global-807

lacework policy enable lacework-global-807

Disable lacework-global-807

lacework policy disable lacework-global-807

Policy Mapping for AWS FSBP Standard

The AWS FSBP Standard controls are mapped to Lacework policies, as listed in the following tables.

Table key:

Control ID - The AWS FSBP Standard control identifier.
Title - The policy/control title.
Lacework Policy ID - The Lacework policy identifier.
Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
Severity - The severity of the policy (as determined by Lacework).

note

This framework uses Lacework AWS Security Addendum policies when there is an overlap with the AWS FSBP Standard.

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
ACM.2	Rivest-Shamir-Adleman (RSA) certificates managed by AWS Certificate Manager (ACM) should use a key length of at least 2,048 bits	lacework-global-382	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
AutoScaling.3	Auto Scaling group launch configurations should configure Elastic Compute Cloud (EC2) instances to require Instance Metadata Service Version 2 (IMDSv2)	lacework-global-384	Automated	High
AutoScaling.5	Amazon Elastic Compute Cloud (EC2) instances launched using Auto Scaling group launch configurations should not have Public IP addresses	lacework-global-385	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
CloudFront.1	CloudFront distributions should have a default root object configured	lacework-global-378	Automated	Critical
CloudFront.12	CloudFront distributions should not point to non-existent Amazon S3 origins	lacework-global-387	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
CloudTrail.1	Enable CloudTrail in all regions	lacework-global-53	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
CodeBuild.1	CodeBuild Bitbucket source repository URLs should not contain sensitive credentials	lacework-global-380	Automated	Critical
CodeBuild.2	CodeBuild project environment variables should not contain clear text credentials	lacework-global-379	Automated	Critical

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
DMS.1	Database Migration Service (DMS) replication instances should not be public	lacework-global-369	Automated	Critical

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
ECR.1	Elastic Container Registry (ECR) private repositories should have image scanning configured	lacework-global-805	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
ECS.2	Elastic Container Service (ECS) services should not have public IP addresses assigned to them automatically	lacework-global-804	Automated	High
ECS.3	Elastic Container Service (ECS) task definitions should not share the host's process namespace	lacework-global-374	Manual	High
ECS.4	Elastic Container Service (ECS) containers should run as non-privileged	lacework-global-375	Manual	High
ECS.5	Limit Elastic Container Service (ECS) containers to read-only access to root filesystems	lacework-global-376	Manual	High
ECS.8	Do not pass secrets as container environment variables	lacework-global-377	Manual	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
EC2.1	Ensure No Public EBS Snapshots	lacework-global-160	Automated	Critical
EC2.2	Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic	lacework-global-87	Automated	High
EC2.8	EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)	lacework-global-810	Automated	High
EC2.9	EC2 instances should not have a Public IP address attached	lacework-global-128	Automated	High
EC2.18	Security group inbound traffic should not allow inbound traffic from all	lacework-global-148	Automated	High
EC2.19	Security groups should not allow unrestricted access to ports with high risk	lacework-global-215	Automated	Critical
EC2.23	Amazon EC2 Transit Gateways should not automatically accept Virtual Private Cloud (VPC) attachment requests	lacework-global-806	Automated	High
EC2.25	Amazon Elastic Compute Cloud (EC2) launch templates should not assign public IPs to network interfaces	lacework-global-395	Manual	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
ES.2	ElasticSearch Domain should be in Virtual Private Cloud (VPC)	lacework-global-809	Automated	Critical

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
EKS.1	Elastic Kubernetes Service (EKS) cluster endpoints should not be publicly accessible	lacework-global-371	Automated	High
EKS.2	Elastic Kubernetes Service (EKS) clusters should run on a supported Kubernetes version	lacework-global-372	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
ElastiCache.1	ElastiCache Redis clusters should have automatic backup enabled	lacework-global-390	Automated	High
ElastiCache.2	ElastiCache for Redis cache clusters should have auto minor version upgrade enabled	lacework-global-391	Automated	High
ElastiCache.7	ElastiCache clusters should not use the default subnet group	lacework-global-393	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
ElasticBeanstalk.2	Elastic Beanstalk should have managed platform updates enabled	lacework-global-821	Automated	High
ElasticBeanstalk.3	Elastic Beanstalk should stream logs to CloudWatch	lacework-global-822	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
EMR.1	Amazon Elastic Map Reduce (EMR) cluster primary nodes should not have public IP addresses	lacework-global-392	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
GuardDuty.1	GuardDuty not enabled in account	lacework-global-827	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
IAM.1	IAM policies should not allow full "*" administrative privileges	lacework-global-45 (Users) lacework-global-485 (Groups) lacework-global-486 (Roles)	Automated	High
IAM.4	Ensure no 'root' user account access key exists	lacework-global-34	Automated	Critical
IAM.6	Ensure hardware MFA is enabled for the 'root' user account	lacework-global-69	Automated	Critical

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
KMS.3	Do not unintentionally delete AWS Key Management Service (KMS) keys	lacework-global-216	Automated	Critical

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
Lambda.1	Lambda function policies should prohibit public access	lacework-global-368	Automated	Critical

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
Neptune.3	Neptune DB cluster snapshots should not be public	lacework-global-367	Automated	Critical

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
Opensearch.2	OpenSearch Domain should be in Virtual Private Cloud (VPC)	lacework-global-123	Automated	Critical

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
RDS.1	RDS snapshot should be private	lacework-global-370	Automated	Critical
RDS.2	RDS should not have a Public Interface	lacework-global-93	Automated	Critical
RDS.3	Enable encryption for Relational Database Service (RDS) Instances	lacework-global-52	Automated	High
RDS.13	Enable automatic minor version upgrades for Relational Database Service (RDS) instances	lacework-global-383	Automated	High
RDS.18	Deploy Relational Database Service (RDS) instances within a Virtual Private Cloud (VPC)	lacework-global-386	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
Redshift.1	Redshift Cluster should not be Publicly Accessible	lacework-global-102	Automated	Critical

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
SageMaker.1	Amazon SageMaker notebook instances should not have direct internet access	lacework-global-388	Automated	High
SageMaker.2	Launch SageMaker notebook instances in a custom Virtual Private Cloud (VPC)	lacework-global-394	Automated	High
SageMaker.3	Users should not have root access to SageMaker notebook instances	lacework-global-389	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
S3.2	S3 general purpose buckets should block public read access	lacework-global-807	Automated	Critical
S3.3	S3 general purpose buckets should block public write access	lacework-global-808	Automated	Critical
S3.6	Restrict S3 bucket policy permissions granted to other AWS accounts	lacework-global-811	Automated	High
S3.8	Configure S3 Buckets with 'Block public access (bucket settings)'	lacework-global-50	Automated	High

Control ID	Title	Lacework Policy ID	Lacework Assessment	Severity
SSM.2	Amazon EC2 instances managed by Systems Manager (SSM) should have a patch compliance status of COMPLIANT after a patch installation	lacework-global-396	Manual	High
SSM.4	Systems Manager (SSM) documents should not be public	lacework-global-381	Automated	Critical

Automated vs Manual Policies

Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.

For some benchmark recommendations, it is not possible to automate the policy checks in an Azure environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).

Adjusted Controls

IAM.1 - IAM policies should not allow full "*" administrative privileges

This control has been split into three policies to monitor users, groups, and roles.

The following table lists each policy and their new title:

Click to expand

Control ID	Lacework Policy ID	Title
IAM.1	lacework-global-45	Ensure Identity and Access Management (IAM) policies that allow full ":" administrative privileges are not attached to users
IAM.1	lacework-global-485	Ensure IAM policies that allow full ":" administrative privileges are not attached to groups.
IAM.1	lacework-global-486	Ensure IAM policies that allow full ":" administrative privileges are not attached to roles.

note

The policy catalog only retains one entry for this control, which is lacework-global-45.

Revision History​

Visibility and Usage in the Lacework Console​

Prerequisites​

Previous Integrations using Terraform​

AWS FSBP Standard Policies​

Enable or Disable Policies in the Lacework Console​

Enable or Disable Policies using the Lacework CLI​

Policy Mapping for AWS FSBP Standard​

Automated vs Manual Policies​

Adjusted Controls​

IAM.1 - IAM policies should not allow full "*" administrative privileges​