Create a Custom Compliance Policy
Compliance policies assess the configuration of Cloud and Kubernetes infrastructure. The result of compliance policy assessments are typically consumed in the form of reports, which you can customize and schedule for regular delivery. A compliance policy may also generate an alert.
Every resource that violates a policy can have multiple reasons for non-compliance. Compliance policies generate one alert per policy. For example, if three S3 buckets violate a policy, Lacework generates one alert that lists the non-compliant resources. A compliance policy must return a reason for the compliance violation.
This topic describes how to create a custom compliance policy and include it in reports. To present the assessments for a custom policy in reports, you need to add it to a custom report framework. A framework specifies the policies included in a report, and defines the order and organization of the report.
There are two create custom compliance policies and custom reports, as described in this topic:
For information on creating a violation policy, see Create a Custom Violation Policy.
Before Starting
At the core of each compliance policy is an LQL query. Before creating a policy, you should be familiar with LQL and compose and test your LQL query with the Lacework CLI. As a short cut, you can start with an existing query that comes close to what you'd like to achieve with your custom policy. You can see existing queries by viewing policy details from the Policies dashboard. For information on developing queries with the CLI, see LQL Queries in the LQL documentation.
Configuration compliance policies inspect the configuration of cloud assets, including configuration information on supported IaaS and PaaS services of supported cloud service providers. Kubernetes configuration compliance support includes Amazon EKS and Google Kubernetes Engine (GKE) configuration support.
To learn more about the datasources and fields you can query, see Datasource Information.
To perform these steps, you need to be a user with policy write permissions in the Lacework Console.
Create a Custom Compliance Policy Using the Lacework Console
This section describes functionality that is currently in preview.
This section takes you through the steps to create a custom compliance policy as a cloned policy or as a new policy and adding it to reports with the Lacework Console. Note that cloning a compliance policy creates a new, independent policy; changing the original policy do not affect the cloned policy, and vice versa.
Users with Policies write permission can create or clone policies in the Lacework Console.
Create the Policy
There are two ways to create a custom compliance policy in the Lacework Console. If an existing policy closely matches the policy that you want to create, the easiest way is to clone the existing policy and modify it to fit your needs. Alternatively, you can create a new policy manually, from scratch. Both methods are described below:
Create the Policy by Cloning
To create a policy by cloning and modifying an existing policy, follow these steps:
- As a user with write permissions for policies, click Policies from the left navigation menu.
- Find the policy on which you want to base your custom compliance policy, and click on the policy to open its details pane.
- Click the clone icon, which appears below the policy name.
- Click the edit icon next to the name or descriptions to edit the default values for your new policy.
- Click the Query tab and click the edit icon next to the query ID.
- Provide a new query ID and modify the LQL query in the query pane. See LQL Queries for more information about LQL.
- Click the Context tab and review and optionally modify the remediation steps.
- Click Save.
Create the Policy Manually
To create the sample custom compliance policy, follow these steps:
As a user with write permissions for policies, click Policies from the left navigation menu.
Click Configure policy.
Choose the status of the policy, draft or live. A draft policy can appear in assessment reports, but do not generate alerts and are not considered in overall assessment results. Using draft status for new policies allows you to test and troubleshoot a new policy, and understand its impact before promoting it to live status.
Configure the general policy settings, as illustrated by the following sample configuration:
- Policy title: A title for the policy. The title appears in the policy list, so it should distinguish this policy from others.
- Policy description: A description of the policy.
- Policy type: For a compliance policy, choose Compliance. Compliance policies can generate alerts and appear in reports, while violation policies only generate alerts.
- Severity: The severity associated with a failure in compliance with this policy.
For Query ID, enter a unique, descriptive name for the query that uses numbers, letters, and underscores.
For the query, enter your LQL query. In most cases, this should be a query that you have already developed and tested with the Lacework CLI, such as the following:
{
source {
LW_CFG_AWS_EC2_SECURITY_GROUPS securityGroup,
array_to_rows(securityGroup.RESOURCE_CONFIG:IpPermissions) as ip_permissions,
array_to_rows(ip_permissions:IpRanges) as ip_ranges
}
filter {
ip_permissions:IpProtocol = 'tcp'
and ip_permissions:FromPort = 3349
and ip_permissions:ToPort = 3349
and ip_ranges:CidrIp = '0.0.0.0/0'
}
return distinct {
'This is the compliance reason' as COMPLIANCE_FAILURE_REASON
}
}If your query has any syntax errors, the interface will say so and identify the error. You can proceed only with a valid query.
Optionally, enter remediation steps. The steps should provide directions for addressing the issue identified by the policy.
Click Save.
The policy list appears. You should now be able to find your custom policy in the list.
Add the Policy to a Custom Framework
The policy you just created is not a part of any report yet. To have assessments of the custom policy appear in reports, create a custom framework based on an existing one. You can then see the assessments of your new policy in a report, and optionally, distribute it on a schedule.
Lacework provides hundreds of compliance policies, grouped by industry benchmarks (PCI, ISO27001, SOC2, HIPAA, and more), which get assessed daily. Choose the existing framework on which you want to base your custom framework.
When choosing a framework, consider that cloud security teams usually care about CIS for Security Posture baseline; compliance teams often care about just one or two industry benchmarks, but not all of them. You can have reports generated for those benchmarks sent to the teams interested in them in your organization.
A custom report can only contain compliance policies based on the same type of cloud (that is, only AWS, GCP, or Azure compliance policies).
To add your policy to a custom framework, follow these steps:
- Click Compliance > Cloud.
- Click Configure framework.
- Choose an existing assessment on which you want to base your new framework and click Next.
- In the Framework name field, type a unique name for the framework or accept the default.
- In the Framework structure section, modify the structure, name, and policies. Here are some navigation tips for modifying a framework:
- Click the edit icon to the right of a section to remove it, add policies or remove them from the section, or edit the section's ID and name.
- Use the outline on the left to quickly navigate to a section.
- Expand a section and click Manage policy selection for section to view available policies.
- While modifying policy mappings, click Quick view next to a policy to get more information on that policy.
- Click Save.
Create Custom Compliance Policies Using the Lacework CLI
This section takes you through the steps to create a custom compliance policy as a cloned policy or as a brand new policy and adding it to a custom framework with the Lacework CLI. Note that cloning a policy creates a new, independent policy; changes to the original policy do not affect it, and vice versa.
Create a Query
Open your text editor, create a new file, and add your query, such as the following example:
Compliance queryqueryId: LW_Custom_UnrestrictedIngressToTCP3349
queryText: |-
{
source {
LW_CFG_AWS_EC2_SECURITY_GROUPS securityGroup,
array_to_rows(securityGroup.RESOURCE_CONFIG:IpPermissions) as ip_permissions,
array_to_rows(ip_permissions:IpRanges) as ip_ranges
}
filter {
ip_permissions:IpProtocol = 'tcp'
and ip_permissions:FromPort = 3349
and ip_permissions:ToPort = 3349
and ip_ranges:CidrIp = '0.0.0.0/0'
}
return distinct {
'This is the compliance reason' as COMPLIANCE_FAILURE_REASON
}
}Save the file as YAML with the filename LW_Custom_UnrestrictedIngressToTCP3349.yaml. Note the file's location.
In the Lacework CLI, run this command:
lacework query create -f <path_to>/LW_Custom_UnrestrictedIngressToTCP3349.yaml
The following response appears:
The query LW_Custom_UnrestrictedIngressToTCP3349 was created.
Create a Policy
In your text editor, create a new file, and add the following content:
Compliance policy---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 3349
enabled: true
policyType: Compliance
alertEnabled: true
queryId: LW_Custom_UnrestrictedIngressToTCP3349
description: Security groups should not allow unrestricted ingress to TCP port 3349
remediation: Policy remediation
severity: mediumSave the file as YAML with the filename LW_Custom_UnrestrictedIngressToTCP3349_Policy.yaml. Note the file's location.
In the Lacework CLI, run this command:
lacework policy create -f <path_to>/LW_Custom_UnrestrictedIngressToTCP3349_Policy.yaml
The following response appears:
The policy dev-default-75 was created.
Add the Policy to a Framework
The lacework report-definition
command described in this section is deprecated and will be replaced soon. For now, Lacework recommends that you add custom compliance policies to a framework in the Lacework Console, as described in Create a Custom Compliance Policy Using the Lacework Console.
The policy you just created is not a part of any report yet. To have your policy appear in a report using the Lacework CLI, create a custom framework based on an existing one or create a new framework.
Lacework provides hundreds of compliance policies, grouped by industry benchmarks (PCI, ISO27001, SOC2, HIPAA, and more), which get assessed daily. Choose the framework on which you want to base your custom framework with your custom policy.
When choosing a framework, consider that cloud security teams usually care about CIS for Security Posture baseline; compliance teams often care about just one or two industry benchmarks, but not all of them. You can have reports generated for those benchmarks sent to the teams interested in them in your organization.
Currently, a custom report can only contain compliance policies of the same cloud type (that is, only AWS, Google Cloud, or Azure compliance policies).
To add the policy to a custom framework, follow these steps:
- Enter the following command from the command line:
lacework report-definition create
tipIn these steps, you create the custom framework interactively. Alternatively, you can create a custom framework by passing its definition to the command as a file, in the following format:
lacework report-definition create --file my_framework.yml
- At the prompt asking whether you want to create a report definition from a blank template or from an existing template, either add your policy to an existing template or create a new framework, as follows:
- To add your policy to an existing template, enter
y
and follow these steps:- Use arrows to scroll through the list of frameworks and choose one to serve as your template by highlighting it and pressing the enter key.
- In your text editor, modify the
reportName
,displayName
, and add your custom policy by name,dev-default-75
, to a section in the template. Your framework should look similar to the following:reportName: My Custom AWS NIST 800-171 Report
displayName: My Custom AWS NIST 800-171 Report
reportType: COMPLIANCE
subReportType: AWS
reportDefinition:
sections:
- category: ACCESS CONTROL
title: 3.1.1. Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
policies:
- dev-default-75
- AWS_CIS_1_1
- AWS_CIS_1_3
- AWS_CIS_1_12
- AWS_CIS_1_24
- AWS_CIS_2_1
- AWS_CIS_2_2
- AWS_CIS_4_4
- LW_AWS_NETWORKING_2
- LW_AWS_NETWORKING_3
- LW_AWS_NETWORKING_5
- LW_AWS_NETWORKING_7
- LW_AWS_NETWORKING_8
- LW_AWS_NETWORKING_9
- LW_AWS_NETWORKING_10
- LW_AWS_NETWORKING_11
- category: ACCESS CONTROL
title: 3.1.2. Limit system access to the types of transactions and functions that authorized users are permitted to execute.
policies:
- AWS_CIS_1_1
- AWS_CIS_1_3
... - Save and close the file.
- To add your policy to a new framework, enter
N
and follow the steps as prompted by the CLI.
- To add your policy to an existing template, enter
When you finish the custom configuration, the CLI displays a command for inspecting your new report definition with its unique ID. The compliance policy is now listed in the cloud compliance page, and appears in the next daily compliance report: