AWS Foundational Security Best Practices (FSBP) Standard
Lacework provides compliance policies based on AWS Foundational Security Best Practices (FSBP) Standard (or AWS FSBP Standard for short).
Once you have integrated your Amazon Web Services (AWS) environment with Lacework, you can check whether your resources are compliant with the framework policies.
Revision History
This initial release contains critical severity policies only.
Visibility and Usage in the Lacework Console
You can use the AWS FSBP Standard in the following ways:
Prerequisites
Ensure you have integrated your AWS environment with the Lacework Compliance platform. Completing this will prepare your environment for the AWS FSBP Standard:
- Integrate Lacework with AWS
- A Configuration integration is the minimum requirement for your accounts/organizations to gain access to our Compliance platform functionality.
If you have previously integrated AWS with Lacework using Terraform before this framework was available:
- Enter the directory containing the Terraform files used for the integration.
- Run `terraform init -upgrade` to initialize the working directory (containing the Terraform files).
- Run `terraform plan` and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run `terraform apply` to upgrade the modules.
AWS FSBP Standard Policies
All policies in the AWS FSBP Standard are disabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:aws-fsbp-2023H2 tag to filter for AWS FSBP Standard policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Enable or Disable Policies using the Lacework CLI
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Enable or disable all the AWS FSBP Standard policies using the following commands in the Lacework CLI:
Enable all policies:

```
lacework policy enable --tag framework:aws-fsbp-2023H2
```

Disable all policies:

```
lacework policy disable --tag framework:aws-fsbp-2023H2
```

Enable or disable specific AWS FSBP Standard policies using the following command examples in the Lacework CLI:

Enable lacework-global-807:

```
lacework policy enable lacework-global-807
```

Disable lacework-global-807:

```
lacework policy disable lacework-global-807
```
Policy Mapping for AWS FSBP Standard
The AWS FSBP Standard controls are mapped to Lacework policies, as listed in the following tables.
Table key:
- Control ID - The AWS FSBP Standard control identifier.
- Title - The policy/control title.
- Lacework Policy ID - The Lacework policy identifier.
- Lacework Assessment - Whether Lacework has determined that the security control can be assessed automatically or whether it requires manual verification.
- Severity - The severity of the policy (as determined by Lacework).
- AWS Certificate Manager (ACM)
- AutoScaling
- CloudFront
- CloudTrail
- CodeBuild
- Database Migration Service (DMS)
- Elastic Container Registry (ECR)
- Elastic Container Service (ECS)
- Elastic Compute Cloud (EC2)
- Elasticsearch (ES)
- Elastic Kubernetes Service (EKS)
- ElastiCache
- ElasticBeanstalk
- Elastic Map Reduce (EMR)
- GuardDuty
- Identity and Access Management (IAM)
- Key Management Service (KMS)
- Lambda
- Neptune
- OpenSearch Service
- Relational Database Service (RDS)
- Redshift
- SageMaker
- Simple Storage Service (S3)
- Systems Manager (SSM)
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| ACM.2 | Rivest-Shamir-Adleman (RSA) certificates managed by AWS Certificate Manager (ACM) should use a key length of at least 2,048 bits | lacework-global-382 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| AutoScaling.3 | Auto Scaling group launch configurations should configure Elastic Compute Cloud (EC2) instances to require Instance Metadata Service Version 2 (IMDSv2) | lacework-global-384 | Automated | High |
| AutoScaling.5 | Amazon Elastic Compute Cloud (EC2) instances launched using Auto Scaling group launch configurations should not have Public IP addresses | lacework-global-385 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| CloudFront.1 | CloudFront distributions should have a default root object configured | lacework-global-378 | Automated | Critical |
| CloudFront.12 | CloudFront distributions should not point to non-existent Amazon S3 origins | lacework-global-387 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| CloudTrail.1 | Enable CloudTrail in all regions | lacework-global-53 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| CodeBuild.1 | CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | lacework-global-380 | Automated | Critical |
| CodeBuild.2 | CodeBuild project environment variables should not contain clear text credentials | lacework-global-379 | Automated | Critical |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| DMS.1 | Database Migration Service (DMS) replication instances should not be public | lacework-global-369 | Automated | Critical |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| ECR.1 | Elastic Container Registry (ECR) private repositories should have image scanning configured | lacework-global-805 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| ECS.2 | Elastic Container Service (ECS) services should not have public IP addresses assigned to them automatically | lacework-global-804 | Automated | High |
| ECS.3 | Elastic Container Service (ECS) task definitions should not share the host's process namespace | lacework-global-374 | Manual | High |
| ECS.4 | Elastic Container Service (ECS) containers should run as non-privileged | lacework-global-375 | Manual | High |
| ECS.5 | Limit Elastic Container Service (ECS) containers to read-only access to root filesystems | lacework-global-376 | Manual | High |
| ECS.8 | Do not pass secrets as container environment variables | lacework-global-377 | Manual | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| EC2.1 | Ensure No Public EBS Snapshots | lacework-global-160 | Automated | Critical |
| EC2.2 | Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic | lacework-global-87 | Automated | High |
| EC2.8 | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | lacework-global-810 | Automated | High |
| EC2.9 | EC2 instances should not have a Public IP address attached | lacework-global-128 | Automated | High |
| EC2.18 | Security group inbound traffic should not allow inbound traffic from all | lacework-global-148 | Automated | High |
| EC2.19 | Security groups should not allow unrestricted access to ports with high risk | lacework-global-215 | Automated | Critical |
| EC2.23 | Amazon EC2 Transit Gateways should not automatically accept Virtual Private Cloud (VPC) attachment requests | lacework-global-806 | Automated | High |
| EC2.25 | Amazon Elastic Compute Cloud (EC2) launch templates should not assign public IPs to network interfaces | lacework-global-395 | Manual | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| ES.2 | ElasticSearch Domain should be in Virtual Private Cloud (VPC) | lacework-global-809 | Automated | Critical |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| EKS.1 | Elastic Kubernetes Service (EKS) cluster endpoints should not be publicly accessible | lacework-global-371 | Automated | High |
| EKS.2 | Elastic Kubernetes Service (EKS) clusters should run on a supported Kubernetes version | lacework-global-372 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| ElastiCache.1 | ElastiCache Redis clusters should have automatic backup enabled | lacework-global-390 | Automated | High |
| ElastiCache.2 | ElastiCache for Redis cache clusters should have auto minor version upgrade enabled | lacework-global-391 | Automated | High |
| ElastiCache.7 | ElastiCache clusters should not use the default subnet group | lacework-global-393 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| ElasticBeanstalk.2 | Elastic Beanstalk should have managed platform updates enabled | lacework-global-821 | Automated | High |
| ElasticBeanstalk.3 | Elastic Beanstalk should stream logs to CloudWatch | lacework-global-822 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| EMR.1 | Amazon Elastic Map Reduce (EMR) cluster primary nodes should not have public IP addresses | lacework-global-392 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| GuardDuty.1 | GuardDuty not enabled in account | lacework-global-827 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| KMS.3 | Do not unintentionally delete AWS Key Management Service (KMS) keys | lacework-global-216 | Automated | Critical |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| Lambda.1 | Lambda function policies should prohibit public access | lacework-global-368 | Automated | Critical |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| Neptune.3 | Neptune DB cluster snapshots should not be public | lacework-global-367 | Automated | Critical |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| Opensearch.2 | OpenSearch Domain should be in Virtual Private Cloud (VPC) | lacework-global-123 | Automated | Critical |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| RDS.1 | RDS snapshot should be private | lacework-global-370 | Automated | Critical |
| RDS.2 | RDS should not have a Public Interface | lacework-global-93 | Automated | Critical |
| RDS.3 | Enable encryption for Relational Database Service (RDS) Instances | lacework-global-52 | Automated | High |
| RDS.13 | Enable automatic minor version upgrades for Relational Database Service (RDS) instances | lacework-global-383 | Automated | High |
| RDS.18 | Deploy Relational Database Service (RDS) instances within a Virtual Private Cloud (VPC) | lacework-global-386 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| Redshift.1 | Redshift Cluster should not be Publicly Accessible | lacework-global-102 | Automated | Critical |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| SageMaker.1 | Amazon SageMaker notebook instances should not have direct internet access | lacework-global-388 | Automated | High |
| SageMaker.2 | Launch SageMaker notebook instances in a custom Virtual Private Cloud (VPC) | lacework-global-394 | Automated | High |
| SageMaker.3 | Users should not have root access to SageMaker notebook instances | lacework-global-389 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| S3.2 | S3 general purpose buckets should block public read access | lacework-global-807 | Automated | Critical |
| S3.3 | S3 general purpose buckets should block public write access | lacework-global-808 | Automated | Critical |
| S3.6 | Restrict S3 bucket policy permissions granted to other AWS accounts | lacework-global-811 | Automated | High |
| S3.8 | Configure S3 Buckets with 'Block public access (bucket settings)' | lacework-global-50 | Automated | High |

| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| SSM.2 | Amazon EC2 instances managed by Systems Manager (SSM) should have a patch compliance status of COMPLIANT after a patch installation | lacework-global-396 | Manual | High |
| SSM.4 | Systems Manager (SSM) documents should not be public | lacework-global-381 | Automated | Critical |
Automated vs Manual Policies
Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.
For some benchmark recommendations, it is not possible to automate the policy checks in an AWS environment. These policies are manual, and you must verify them yourself. Lacework provides manual remediation steps for these policies (when available).
Adjusted Controls
IAM.1 - IAM policies should not allow full "*" administrative privileges
This control has been split into three policies to monitor users, groups, and roles.
The following table lists each policy and their new title:
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| IAM.1 | lacework-global-45 | Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to users |
| IAM.1 | lacework-global-485 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to groups. |
| IAM.1 | lacework-global-486 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached to roles. |
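As an added illustration of what the three split IAM.1 policies look for (example code, not Lacework's own implementation), the following Python evaluates a constructed inventory of users, groups and roles with their attached policy documents and reports each full-administrative statement under the Lacework policy ID for that principal type. The matching rule (an Allow statement whose Action is "*" or "*:*" on Resource "*") and the inventory layout are assumptions for this example.

```python
# Lacework policy IDs from the Adjusted Controls table: IAM.1 split by principal type.
IAM1_POLICY_BY_TYPE = {
    "user": "lacework-global-45",
    "group": "lacework-global-485",
    "role": "lacework-global-486",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(policy_doc):
    """True if any Allow statement grants Action "*" (or "*:*") on Resource "*".
    Assumed matching rule for this example; Deny statements are not considered."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            return True
    return False


def find_iam1_findings(principals):
    """principals: constructed list of {"type", "name", "policies": {name: doc}}.
    Returns (lacework_policy_id, principal_name, policy_name) per offending policy."""
    findings = []
    for principal in principals:
        for policy_name, doc in principal["policies"].items():
            if grants_full_admin(doc):
                findings.append((IAM1_POLICY_BY_TYPE[principal["type"]], principal["name"], policy_name))
    return findings


# Constructed sample policy documents and inventory (not real account data).
ADMIN_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}
DENY_ALL_DOC = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}
SAMPLE_PRINCIPALS = [
    {"type": "user", "name": "alice", "policies": {"inline-admin": ADMIN_DOC}},
    {"type": "group", "name": "readers", "policies": {"s3-read": SCOPED_DOC}},
    {"type": "role", "name": "break-glass", "policies": {"admin": ADMIN_DOC, "deny-all": DENY_ALL_DOC}},
]

if __name__ == "__main__":
    for finding in find_iam1_findings(SAMPLE_PRINCIPALS):
        print(finding)
```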