Skip to main content

Cloud Compliance Dashboard

Overview

This dashboard provides a consolidated view of your compliance across all cloud providers that are integrated with Lacework.

This includes the following:

  • Centralized view of compliant and non-compliant resources and policies across all supported cloud providers.
  • Multiple views and filter options to customize the presented data for your regulatory compliance needs.
  • Daily and on-demand assessments of your resources and policies to maintain up-to-date visibility of your changing environment.

To go to the Cloud Compliance Dashboard in the Lacework Console, click Compliance > Cloud.

To populate the data viewed in this page, you must configure at least one integration to a cloud provider. For more information, see:

Terminology

The Cloud Compliance dashboard uses terminology that differs from variations used in past iterations of the Lacework Console.

The table below provides comparative guidance on these terminologies:

Past terminologyCloud Compliance Dashboard
Recommendation
Policy Assessment
Assessment
Policy
Benchmark
Report Type
Report
Framework
Violated
In-violation
Failed
Non-compliant
Resources / Policies: Non-compliant
Compliant
Passed
Resources: Pass
Policies: Compliant
AWS: Accounts
Azure: Tenants and Subscriptions
Google Cloud: Organizations and Projects
Accounts
Assessed
Monitored
Analyzed
Assessed
SuppressedException

See Tabs and Filters for descriptions of the elements within the Cloud Compliance dashboard.

Tabs

By default, the Compliance list displays frameworks. The available tabs are listed below:

TabDescription
Frameworks (default)Displays all frameworks such as CIS Benchmark reports.
PoliciesDisplays all compliance policies (both custom and default).
AccountsDisplays all integrated cloud accounts (see Visible Accounts).

Filters

Use the following methods to refine what is displayed in the compliance list:

  • Use the search function at the top of the page to find specific text in any of the details available on the page. You can also click the search field to select values and operators to narrow your search.
  • Click the filter dropdowns along the top of the page, check/uncheck the boxes, and click Show results to make them active.
  • Click an active filter to remove it or click Reset.
  • You can also click on the tags in the table list to make them active filters.

Global Filters

The following filters are available in all tabs:

  • Resource Group - Display compliance results for the selected resource groups.
  • Cloud Provider - Display compliance results for the selected cloud providers (for example: Azure).
  • Visible Accounts - Displays Compliance results for the selected cloud provider accounts.
Filter Hierarchy

Resource Group serves as the top-level filter, Cloud Provider as the second level filter, and Visible Accounts are the third-level filters.

In this hierarchy, the evaluation of these filters is considered as follows:

  • Resource Group(s)
    AND
    • Cloud Provider(s)
      AND
      • AWS Account(s) OR Azure Subscription(s) OR GCP Project(s) OR OCI Compartment(s)

Visible Accounts

Disabled account visibility

Disabled cloud account integrations are not shown in the visible account filters.

Use the following filters to display Compliance results for your selected cloud provider accounts:

  • AWS Account
  • Azure Subscription
  • GCP Project
  • OCI Compartment
    • This filter has a nested view where you can drill down through and select parent/child compartments.

All integrated accounts are listed within the relevant filter. Select the account(s) to filter, and then click Show Results.

Alternatively, use the search bar to find a specific account (or subset).

Tab Specific Filters

Some filters are only available when a specific tab is active. These are described in the following sections.

Date

To change the assessment date, click Custom from the drop-down, then select a date from the calendar. After a custom date is selected, use the horizontal arrows to move to the next/previous day.

Only information found during assessment on the specified date is reported. For example, if a number of resources were only integrated with Lacework yesterday, the total number of resources shown in the report 7 days ago would differ from the number shown in today's report.

Save View

When the page displays your desired compliance data, click Save or Create view in the top right corner. This allows you to access the saved view later.

You can also copy the link to a saved view by opening the list of saved views and clicking the Share view icon of the view you want to share. You can then send that link to others, so they can see the same view.

For more details about saved views, refer to Views Management.

note

Searches and sorting cannot be saved in views or copied as links.

On-Demand Compliance Scans

Use on-demand compliance scans to reassess compliance policies, violation alerts, and reports for your chosen cloud service provider.

When using this feature, a resource management collection is made for all integrated cloud accounts within the chosen cloud service provider (such as projects and organizations for Google Cloud, tenants and subscriptions for Azure, etc). Reports are then regenerated using the new data.

info

Most scans take 1 to 2 hours to complete, and begin at the collection hour of the day configured here. If you change the time to a collection hour that has already passed for today, the scan will start the next day. (For example, if you set the collection hour to 08:00 at 10:00, the collection will start on the next day at 08:00 hours.) Only one scan can be active at a time per integration. If you submit a scan request while a scan is already underway, it is not executed.

Run an On-Demand Scan

Click Open adhoc scanning options in the top right corner to view available options:

Refresh compliance scans

Check the cloud service provider that you want to reassess and click Scan now:

The cloud service provider option is not selectable if a scan completed within the last hour, or if a scan is currently ongoing.

Once the scan is complete, the Report last run times are updated for frameworks, accounts, and services. This includes the reports on the Reports page.

Dashboard Charts

The Cloud Compliance dashboard contains a number of statistics and charts to help visualize your security posture.

info

All dashboard charts and statistics actively update to the tab, search, and/or filters that you apply to the page.

The only exception to this is the Framework title filter.

Statistics

The statistics display the number of integrated cloud accounts that have been assessed.

Each of the following is counted as a cloud account:

  • AWS Account
  • Google Cloud Project
  • Azure Subscription
  • OCI Compartment

Policies Chart

The Policies chart displays the total number of policies and splits them into the following categories:

  • Policies that are non-compliant when resources were assessed.
  • Policies that are compliant when resources were assessed.
  • Policies that require manual auditing.

Additional statistics are also shown:

  • The total number of compliance policies enabled for your environment (including manual policies).
  • The percentage of compliant policies versus non-compliant (manual policies are not included in this percentage). All resources associated with the policy need to be assessed as compliant before the policy is deemed compliant.
  • The percentage of High severity compliance violations includes both critical and high severity policy violations.

Resources Chart

The Resources chart displays the total number of distinct resources that have been evaluated against all Framework policies and splits them into the following categories:

  • Resources that are non-compliant due to failing a policy assessment (or multiple policy assessments).
  • Resources that are compliant due to passing policy assessments.
  • Resources that could not be assessed.

Additional statistics are also shown:

  • The total number of resources that been discovered through your integrations with Lacework (including those not assessed).
  • The percentage of total resources that are non-compliant with one or more policy assessments.

How are Resources Counted as Non-compliant?

A resource is non-compliant if it is non-compliant with one or more policy assessments.

For example, if a resource is associated with three policy assessments, and one of the policy assessments has determined that resource is non-compliant, the resource is then marked as non-compliant.

Non-compliant Policies by Severity Chart

This chart splits non-compliant policies into severity levels of Critical, High, Medium, Low, and Info.

Compliance List Charts

Each row in the Compliance list has a chart (or charts) associated to that framework, policy, or account. The list displays different chart(s) depending on what tab is selected.

Policies Tab Chart

When the Policy tab is active, the chart displays the total number of resources linked with that policy and splits them into the following categories:

  • Resources that are non-compliant due to failing the policy assessment.
  • Resources that are compliant due to passing the policy assessment.
  • Resources that could not be assessed.

Policies Drawer Chart

Click a policy in the Compliance list to display a drawer with the same chart with additional statistics:

  • Percentage of non-compliant resources associated with the policy.

Hover over the filter icon to see the active filters influencing the chart.

Frameworks/Accounts Tab Charts

When the Frameworks/Accounts tab is selected, the chart displays the total number of non-compliant policies for that framework/account and splits them into severity levels of:

  • Critical
  • High
  • Other (Medium, Low, and Info combined)

Additionally, another chart displays the total number of resources linked with the policy and splits them into the following categories:

  • Resources that are non-compliant due to failing the policy assessment.
  • Resources that are compliant due to passing the policy assessment.
  • Resources that could not be assessed.

Framework/Account Drawer Charts

Click a framework/account in the Compliance list to open a drawer. In the drawer, the Policies tab displays the same chart with added statistics:

  • Total number of policies associated with the framework/account.
  • Percentage of compliant policies associated with the framework/account.
  • The percentage of High severity compliance violations includes both critical and high severity policy violations associated with the framework/account.

Hover over the filter icon to see the active filters that are influencing the charts.

Compliance List

The Compliance list is below the statistics and charts. Each row displays an individual policy, framework, or account depending on what tab is selected.

Available actions:

  • Click Refresh data to refresh the table.
  • Click Download to download the table in CSV format.
  • Use the sort options to adjust how you want the data presented (the options will vary for each tab).
  • Click a tag to reload the Compliance list using the tag as the filter.

Frameworks Tab

When the Frameworks tab is active, the Sort by options can order the list by:

  • Number of affected resources
  • Framework name

Each row displays compliance details for an individual framework. For example, Lacework AWS Security Addendum 1.0.

Framework Drawer

Click a framework row to display detailed framework report results (click the < icon to expand this to full screen).

Underneath the title, the framework drawer displays the following information:

  • When the framework was last evaluated.
  • When the framework configuration was created and last updated, and by whom.
  • The associated tags for this framework.

Underneath the charts, there are two tab options to display Policies or Resources associated with the framework report.

  • Select the By section tab to view policies within their associated section (such as Identity and Access Management).

    Available actions:

    • Click Filter to adjust the Severity and Status filters that influence the table.
    • Click Search to filter for specific text in any of the column details.
  • Select the All tab to view all policies associated with the framework report.

    Available actions:

    • Click Download to download the table in CSV format.
    • Click Select columns to show/hide the table columns.
    • Click Filter to adjust the Severity and Status filters that influence the table.
    • Click Search to filter for specific text in any of the column details.

The tables have the following information in each column:

ColumnDescription
Policy IDDisplays the Lacework unique identifier for the policy.
Policy titleEach row displays an individual policy associated with the framework report.
ResourcesThe number of resources related to the policy, split by assessment status (fail, pass, excepted, or not assessed). Click to expand and view all resources associated with the policy.
See also Context Panels for Resources and Cloud Accounts in Non-Compliant Status.
StatusThe overall compliant status for the policy. One or more resources failing the policy assessment triggers the non-compliant status for the policy. If a compliance policy exception exists for all associated resources, then the policy is counted as compliant.
SeverityThe severity level of the policy.
View report

Click View report to view a PDF formatted version of the framework. You can then click Download report to download it as a PDF (if desired).

Policies Tab

When the Policies tab is active, the Sort by options can order the list by:

  • Number of affected resources
  • Policy title
  • Level of severity (of the policy)

Each row displays compliance details of an individual policy that is included in at least one framework. For example, Ensure access keys are rotated every 90 days or less.

Policy Drawer

Click a policy row to display detailed policy results (click the < icon to expand this to full screen).

Underneath the title, the policy drawer displays the following information:

  • When the policy assessment was last updated.
  • The associated tags for this policy.
tip

For policies associated with a benchmark control, click View context (if available) underneath the policy title to see detailed information about the benchmark control.

Underneath the chart, the table displays resources associated with the policy.

  • Select the Compliant tab to view all compliant resources associated with the policy.
  • Select the Non-compliant tab to view all non-compliant resources associated with the policy.
  • Select the Excepted tab to view any resources that have a compliance policy exception applied to them.
  • Select the Not assessed tab to view resources that are not assessed.

Available actions:

  • Click Download to download the table in CSV format.
  • Click Select columns to show/hide the table columns.
  • Click Search to filter for specific text in any of the column details.

The tables have the following information in each column:

ColumnDescription
ResourceThe unique resource name (URN) for the resource.

Non-compliant: Each row displays an individual resource that is non-compliant with one or more policy assessments.

Compliant: Each row displays an individual resource that is compliant with all relevant policy assessments.

Excepted: Each row displays an individual resource that has been excluded from one or more policy assessments.

Not assessed: Each row displays an individual resource that was not assessed.
See also Context Panels for Resources and Cloud Accounts in Non-Compliant Status.
RegionIf applicable, the cloud region of the resource (example: us-west-2).
AccountThe cloud account associated with the resource.
StatusThe status of the assessment. This could be either Non-compliant, Compliant, or blank if the resource could not be assessed.

Accounts Tab

When the Accounts tab is active, the Sort by options can order the list by:

  • Number of affected resources
  • Number of affected policies
  • GCP Organization name
  • AWS Account name
  • Azure Subscription name
  • OCI Compartment name

Each row displays compliance details on an individual cloud provider account. For example, if it's an Azure cloud account, details are displayed for a Subscription in a given Tenant.

Account Drawer

Click an account row to display detailed account results (click the < icon to expand this to full screen).

Underneath the title, the account drawer displays the following information:

  • When the account assessment was last updated.
  • The associated tags for this policy.

Underneath the charts, there are two tab options to display Policies or Resources associated with the account.

Available actions:

  • Click Download to download the table in CSV format.
  • Click Select columns to show/hide the table columns.
  • Click Filter to adjust the Severity and Status filters that influence the table.
  • Click Search to filter for specific text in any of the column details.

The table has the following information in each column:

ColumnDescription
Policy IDDisplays the Lacework unique identifier for the policy.
Policy titleEach row displays an individual policy associated with the cloud account.
ResourcesThe number of resources related to the policy, split by assessment status (fail, pass, excepted, or not assessed). Click to expand and view all resources associated with the policy.
See also Context Panels for Resources and Cloud Accounts in Non-Compliant Status.
StatusThe overall compliant status for the policy. One or more non-compliant policy assessments for a resource triggers the non-compliant status. If a compliance policy exception exists for all associated resources, then the policy is counted as compliant.
SeverityThe severity level of the policy.

Context Panels for Resources

When in the policy, framework, or account drawer, you can click Resource Preview next to a resource name to see additional context about the resource.

Click See full details to go to the Resource Inventory entry for the resource.

OCI Resources

OCI resources are not currently supported for context panels.

Cloud Accounts in Non-Compliant Status (Resources Tab)

When there is a non-compliant resource within a cloud account, that resource is listed in the Resources tab when viewing the tables in the Frameworks/Policies/Accounts drawers.

However, cloud accounts can be also listed as a non-compliant resource if there is no specific resource within the account that can be assessed for compliance.

This will only occur if the cloud account is missing a resource that is required to ensure compliance of the account.

For example, lacework-global-65 requires that a log metric filter and alarm exist for VPC changes. If neither the filter nor alarm exist, then the AWS account is marked as non-compliant.

Moveable Table Columns

Change the order of the table columns in the Frameworks/Policies/Accounts drawers by clicking and dragging them to your preferred location.

Determination of the Could Not Assess Status

In order to assess resources for compliance, Lacework must collect data for each resource. Lacework uses the data collection status to determine which policies have a sufficient amount of quality information to be evaluated, even if there is information for only some resources. An issue collecting data could cause the status to be returned as Could not assess.

Some issues that Lacework could encounter when collecting data include the following:

  • Transient failures, for example: rate limits and timeouts.
  • Incorrect permissions used by the Lacework collector, which were provided during role setup for the integration (for example: AWS cross-account IAM role).

The assess functionality converts a recognition of the many potential problems into the Could not assess result.

Lacework applies the following process to determine if a policy’s status is Could not assess:

  1. At a resource level:
    1. If Lacework can determine non-compliance, then the resource is “non-compliant”.
    2. Else, if Lacework cannot determine non-compliance, and the resource was not successfully fully collected, the resource is Could not assess.
    3. Else, if Lacework can determine that there is no non-compliance, or sufficient conditions for compliance, the resource is “compliant”.
  2. Lacework aggregates resource-level compliance observations and determines the aggregate status for the cloud integration as follows:
    • Non-compliant if any resources are known to be non-compliant.
    • Could not assess if no resources are non-compliant, but some resource evaluations were Could not assess.
    • Compliant if all resources are known to be compliant.

The overall goal of Lacework is to never report a resource as compliant if it is not. Policy queries need adequately reliable information to determine non-compliance, and the methodology used is biased towards determining non-compliance, not compliance. It is possible for Lacework to determine a collection to be Could not assess and a policy using that collection in some way to be non-compliant. The granularity of assessment capability will be refined in later releases.

Use Cases for Cloud Compliance Dashboard

The following sections show how to use the Cloud Compliance Dashboard to view different types of information.

If applicable, they also specify where similar information was found in the deprecated Compliance pages for AWS, Azure, and GCP.

Select a Cloud Provider and View Compliance Details
  1. In the Cloud Provider drop-down, check the boxes of the providers that you want to display Compliance details for (for example: AZURE), and click Show results.
  2. The Compliance details for the chosen cloud provider are displayed. The details vary depending on which tab is selected.
Select a Cloud Account and View Compliance Details
  1. Use the visible account filters (for example, Azure Subscription) to select the boxes for the cloud accounts that you want to display Compliance details for, and click Show results.
  2. The Compliance details for the chosen account are displayed. The details vary depending on which tab is selected.
View Compliance Summary of a Cloud Account
  1. Select the Accounts tab to view a Compliance summary for each cloud account integrated with Lacework.
  2. (Optional) In the Cloud Provider drop-down, check the boxes of the providers that you want to display Compliance details for (for example: AWS) then click Show results.
  3. Use the Sort by dropdown to specify the order of the Accounts list.
  4. Click an Account to view more details in the Account Drawer.
View CIS Benchmark Report Overview
  1. Select the Frameworks tab to view a Compliance summary for each CIS Benchmark report.
  2. (Optional) Use the visible account filters to select a specific account.
  3. Use the Sort by dropdown to specify the order of the Frameworks list.
  4. Click a Framework to view more details in the Framework Drawer.
View Policy Assessments for a CIS Benchmark Report
  1. Select the Policies tab to view individual policy assessments for all your integrated resources.
  2. Use the Report filter and select the report that you want to view (for example: GCP CIS Benchmark 1.3) in the Report drop-down. Policies that apply to the selected report are shown.
  3. (Optional) To view the Benchmark report for a specific account, use the visible account filters to select a specific account.
  4. (Optional) The latest assessment is shown by default. Change the date to view past assessments.
  5. Click a Framework to view more details in the Framework Drawer. The assessment results for the CIS Benchmark policies are contained within.
tip

Use the Reports page to view and download CIS Benchmark reports.

View Compliance KPIs and Data Visualizations for a Benchmark Report
  1. Select the Policies tab to view individual policy assessments for all your integrated resources.
  2. Use the Report filter and select the report that you want to view (for example: GCP CIS Benchmark 1.3) in the Report drop-down. Policies that apply to the selected report are shown.
  3. (Optional) To view the Benchmark report for a specific account, use the visible account filters to select a specific account.
  4. View the Dashboard Charts at the top to see a visual summary of important statistics and KPIs relating to the Benchmark report on the specified account.
View and Add Exceptions on a Policy
View Critical and Non-Compliant Policies
  1. Select the Policies tab.
  2. Click the Severity filter and select Critical, then click Show results.
  3. Click the Status filter and select Non-compliant, then click Show results.

Add and Edit Custom Frameworks

PREVIEW FEATURE

This section describes functionality that is currently in preview.

Create a custom framework by choosing an existing framework to serve as the basis for your framework. In your custom framework, you can remove and rearrange policies and add new ones, including your own custom compliance policies. After you have created a custom framework, you can use it as the basis for report configurations.

When choosing a basis for your custom framework, keep in mind that Lacework provides hundreds of compliance policies with which to build frameworks. These policies are rooted in industry benchmarks, including PCI, ISO27001, SOC2, HIPAA, and more. Before starting, consider the target audience for the reports to be generated from your custom framework. Usually cloud security teams care about CIS for Security Posture baseline, while compliance teams usually care about one or two industry benchmarks, but not all of them. By being aware of the existing frameworks and the intended audience for your reports, you can determine the best basis for your customization.

note

Currently, a custom report can only contain compliance policy frameworks of the same cloud type (that is, only AWS, GCP, or Azure compliance policies).

To create a custom framework:

  1. Click Configure framework.
  2. Choose the existing framework that you want to serve as the template for your custom framework and click Next.
  3. Provide a unique name for your framework.
  4. To customize and refine the composition of your framework, expand existing framework sections in the left-side panel and click Add / Edit policies to change the policies in that section. Alternatively, modify them from the list below, where you can modify existing properties or add or remove policies from your framework.
  5. To add a section, click Add section and configure the new section as follows:
    1. Provide the following properties
      • Section id: Provide a unique section identifier.
      • Section name: Provide a descriptive name for the section.
      • Section description: Add an optional description for the section.
    2. Click Save.
    3. Add policies to the new section using the section controls.
  6. Click Save to complete the custom framework creation.

After you create a compliance framework or modify an existing one, the Pending changes status message may appear next to the framework title in the list. This status indicates that policies in the new or modified framework have changed or have been added or updated since they were last evaluated. Changes that can trigger this status include, for example, a change to the policy query, to its activity state, or to its severity. The status clears after the next evaluation.

It may take up to 24 hours for the results to reflect the framework configuration changes.