Lacework AWS Security Addendum 1.0
The Lacework AWS Security Addendum 1.0 framework supplements the CIS AWS 1.4.0 Benchmark with policies for AWS S3, IAM, Lambda, networking, analytics, database, and general security.
Once you have integrated your Amazon Web Services (AWS) environment with Lacework, you can check whether your resources are compliant with the framework recommendations.
Visibility and Usage in the Lacework Console
You can use the Lacework AWS Security Addendum 1.0 in the following ways:
- Enable or disable policies through the Policies page (see Lacework AWS Security Addendum Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled Lacework AWS Security Addendum policies (when violations occur).
- The Cloud Compliance Dashboard provides assessment results for each framework, including the Lacework AWS Security Addendum.
- The Reports page lists all reports that are configured for your environment. Create a report configuration with the Lacework AWS Security Addendum as the template to generate a daily report that is retained for up to 90 days.
Prerequisites
Ensure you have integrated your AWS environment with the Lacework Compliance platform. Completing this will prepare your environment for the Lacework AWS Security Addendum 1.0:
- Integrate Lacework with AWS
- A Configuration integration is the minimum requirement for your accounts/organizations to gain access to our Compliance platform functionality.
Previous Integrations using Terraform
If you have previously integrated AWS with Lacework using Terraform before this benchmark was available:
- Enter the directory containing the Terraform files used for the integration.
- Run the following to initialize the working directory (containing the Terraform files):
terraform init -upgrade
- Run the following and review the changes that will be applied:
terraform plan
- Once satisfied with the changes that will be applied, run the following to upgrade the modules:
terraform apply
Lacework AWS Security Addendum Policies
All policies in the Lacework AWS Security Addendum are enabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:aws-lacework-security-1-0 tag to filter for Lacework AWS Security Addendum policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Manual policies do not have a status toggle as there is no functional check to enable.
Enable or Disable Policies using the Lacework CLI
Enable or disable all the Lacework AWS Security Addendum policies using the following commands in the Lacework CLI:
lacework policy enable --tag framework:aws-lacework-security-1-0
lacework policy disable --tag framework:aws-lacework-security-1-0
Enable or disable specific Lacework AWS Security Addendum policies using the following command examples in the Lacework CLI:
lacework policy enable lacework-global-117
lacework policy disable lacework-global-117
Policy Mapping for Lacework AWS Security Addendum Policies
The Lacework AWS Security Addendum policies are listed in the following tables.
Table key:
- Title - The policy/control title.
- Lacework Policy ID - The Lacework policy identifier.
- Severity - The severity of the policy (as determined by Lacework).
All policies in the Lacework AWS Security Addendum are automated. This means the Lacework platform monitors your environment resources to check whether they are compliant with these policies.
- 1: Identity and Access Management (IAM)
- 2: Storage
- 3: Logging
- 4: Networking
- 5: Lambda
- 6: General Security
1: Identity and Access Management (IAM)
Title | Lacework Policy ID | Severity |
---|---|---|
Rotate access keys every 30 days or less | lacework-global-115 | Medium |
Rotate access keys every 45 days or less | lacework-global-116 | Medium |
Rotate public ssh keys every 30 days or less | lacework-global-117 | Medium |
Rotate public ssh keys every 45 days or less | lacework-global-118 | Medium |
Rotate public ssh keys every 90 days or less | lacework-global-119 | High |
Deactivate access keys not used in 90 days | lacework-global-120 | High |
Identity and Access Management (IAM) user should not be inactive for more than 30 days | lacework-global-121 | Medium |
Ensure non-root user exists in the account | lacework-global-181 | Medium |
Rotate access keys every 350 days or less | lacework-global-142 | Medium |
Rotate access keys every 180 days or less | lacework-global-141 | Critical |
No Identity and Access Management (IAM) users with password-based console access should exist | lacework-global-105 | Medium |
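As an added example, not Lacework's code or the platform's actual check logic: the following Python applies the access-key age, unused-key, console-password and non-root-user checks from the table above to an IAM credential report. The credential-report CSV is a constructed sample that keeps only the report columns these checks read, NOW is an assumed evaluation time, and the mapping of each rule to a policy ID is this example's own reading of the titles (the SSH-key rotation checks are not covered, since that data is not in the credential report).

```python
# Added example, not Lacework's code: apply the access-key rotation, unused-key,
# console-password and non-root-user checks from the table above to an IAM
# credential report. SAMPLE_REPORT keeps only the columns these checks read.
import csv
import io
from datetime import datetime, timedelta, timezone

# Access-key age threshold (days) -> policy ID
KEY_AGE_IDS = {30: "lacework-global-115", 45: "lacework-global-116",
               180: "lacework-global-141", 350: "lacework-global-142"}
UNUSED_DAYS = 90                        # lacework-global-120
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # constructed evaluation time

def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information etc. parse as None."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def evaluate(report_csv, now=NOW):
    """Return {policy_id: sorted list of user names} for every check that fires."""
    hits, non_root = {}, False
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user != "<root_account>":
            non_root = True
            if row["password_enabled"] == "true":       # password-based console access
                hits.setdefault("lacework-global-105", set()).add(user)
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            # a key that was never used counts as unused since its rotation date
            used = parse_ts(row[f"access_key_{slot}_last_used_date"]) or rotated
            for days, pid in KEY_AGE_IDS.items():
                if rotated and now - rotated > timedelta(days=days):
                    hits.setdefault(pid, set()).add(user)
            if used and now - used > timedelta(days=UNUSED_DAYS):
                hits.setdefault("lacework-global-120", set()).add(user)
    if not non_root:                                    # only the root user exists
        hits["lacework-global-181"] = {"<root_account>"}
    return {pid: sorted(users) for pid, users in hits.items()}

SAMPLE_REPORT = """user,arn,password_enabled,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,true,2023-06-01T00:00:00+00:00,2024-01-02T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,2023-12-20T00:00:00+00:00,N/A,false,N/A,N/A
"""
```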
2: Storage
Title | Lacework Policy ID | Severity |
---|---|---|
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ permission [list S3 objects] | lacework-global-130 | Critical |
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' write permission [create, overwrite, and delete S3 objects] | lacework-global-131 | Critical |
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' READ_ACP permission [read bucket ACL] | lacework-global-132 | Critical |
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL] | lacework-global-133 | Critical |
Ensure the bucket Access Control List (ACL) does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | lacework-global-134 | Critical |
Ensure the bucket Access Control List (ACL) does not grant AWS users READ permission [list S3 objects] | lacework-global-135 | Critical |
Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects] | lacework-global-136 | Critical |
Ensure the bucket Access Control List (ACL) does not grant AWS users READ_ACP permission [read bucket ACL] | lacework-global-137 | Critical |
Ensure the bucket Access Control List (ACL) does not grant AWS users WRITE_ACP permission [modify bucket ACL] | lacework-global-138 | Critical |
Ensure the bucket Access Control List (ACL) does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | lacework-global-139 | Critical |
Ensure the attached S3 bucket policy does not grant 'Allow' permission to everyone | lacework-global-140 | Critical |
Ensure the S3 bucket requires Multi-Factor Authentication (MFA) to delete objects | lacework-global-94 | Medium |
Ensure the S3 bucket has default server-side encryption enabled | lacework-global-217 | High |
Ensure all data is transported from the S3 bucket securely (Deprecated as of 5th December 2023) | lacework-global-96 | High |
Ensure the S3 bucket has versioning enabled | lacework-global-97 | High |
Ensure the attached S3 bucket policy does not grant global 'Get' permission | lacework-global-98 | Critical |
Ensure the attached S3 bucket policy does not grant global 'Delete' permission | lacework-global-99 | Critical |
Ensure the attached S3 bucket policy does not grant global 'List' permission | lacework-global-100 | Critical |
Ensure the attached S3 bucket policy does not grant global 'Put' permission | lacework-global-101 | Critical |
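As an added example, not Lacework's code or the platform's actual check logic: the following Python evaluates a bucket ACL and a bucket policy against the ACL-grant and global-permission checks in the table above. The ALL_USERS and AUTH_USERS group URIs are the S3 predefined groups behind 'Everyone' and 'AWS users'; the sample ACL and policy are constructed, and the mapping of findings to policy IDs is this example's own reading of the titles.

```python
# Added example, not Lacework's code: evaluate an S3 bucket ACL and bucket policy
# against the ACL-grant and global-permission checks in the table above. Inputs
# follow the GetBucketAcl / GetBucketPolicy response shapes; samples are constructed.
import json
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # 'Everyone'
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # 'AWS users'
# ACL permission -> (policy ID for an 'Everyone' grant, policy ID for an 'AWS users' grant)
ACL_IDS = {"READ": ("lacework-global-130", "lacework-global-135"),
           "WRITE": ("lacework-global-131", "lacework-global-136"),
           "READ_ACP": ("lacework-global-132", "lacework-global-137"),
           "WRITE_ACP": ("lacework-global-133", "lacework-global-138"),
           "FULL_CONTROL": ("lacework-global-134", "lacework-global-139")}
# s3 action verb prefix -> policy ID for a global grant of that verb
ACTION_IDS = {"Get": "lacework-global-98", "Delete": "lacework-global-99",
              "List": "lacework-global-100", "Put": "lacework-global-101"}

def acl_violations(acl):
    """Policy IDs violated by predefined-group grants in a GetBucketAcl-style dict."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee, ids = grant.get("Grantee", {}), ACL_IDS.get(grant.get("Permission"))
        if ids and grantee.get("Type") == "Group":
            if grantee.get("URI") == ALL_USERS:
                found.add(ids[0])
            elif grantee.get("URI") == AUTH_USERS:
                found.add(ids[1])
    return sorted(found)

def is_global(principal):
    # Principal "*" or {"AWS": "*"} (string or list form) means everyone
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in (aws if isinstance(aws, list) else [aws])

def policy_violations(policy_json):
    """Policy IDs violated by Allow statements granted to everyone in a bucket policy."""
    found = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_global(stmt.get("Principal")):
            continue
        found.add("lacework-global-140")             # any 'Allow' to everyone
        actions = stmt.get("Action", [])
        for action in (actions if isinstance(actions, list) else [actions]):
            verb = action.split(":", 1)[-1]          # "s3:GetObject" -> "GetObject"
            found.update(pid for pfx, pid in ACTION_IDS.items()
                         if verb == "*" or verb.startswith(pfx))
    return sorted(found)
# Constructed samples: the ACL grants READ to Everyone; the policy allows public GetObject
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
                         {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
SAMPLE_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```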
3: Logging
Title | Lacework Policy ID | Severity |
---|---|---|
Ensure the S3 bucket has access logging enabled | lacework-global-95 | Low |
4: Networking
Title | Lacework Policy ID | Severity |
---|---|---|
Security groups are not attached to an in-use network interface | lacework-global-227 | Low |
Network Access Control Lists (ACL) do not allow unrestricted inbound traffic | lacework-global-145 | Critical |
Network Access Control Lists (ACL) do not allow unrestricted outbound traffic | lacework-global-146 | Medium |
Exposed AWS Virtual Private Cloud (VPC) endpoints | lacework-global-147 | Medium |
Security group inbound traffic should not allow inbound traffic from all | lacework-global-148 | High |
Security group inbound traffic should not allow traffic except port 80 and 443 | lacework-global-149 | High |
Security group attached to EC2 instance should not allow inbound traffic from all ports | lacework-global-228 | Critical |
Security group attached to Relational Database Service (RDS) DB instance should not allow inbound traffic from all ports | lacework-global-229 | Critical |
Security group attached to Network Interface should not allow inbound traffic from all ports | lacework-global-230 | Critical |
Security group attached to Elastic Load Balancer should not allow inbound traffic from all ports | lacework-global-231 | Critical |
Security group attached to Application Load Balancer should not allow inbound traffic from all | lacework-global-199 | Critical |
Security Group should not allow inbound traffic from all to TCP port 9200 or 9300 (Opensearch/Elasticsearch) | lacework-global-150 | High |
Security Group should not allow inbound traffic from all to TCP port 5601 (Kibana) | lacework-global-151 | High |
Security Group should not allow inbound traffic from all to TCP port 6379 (Redis) | lacework-global-152 | High |
Security Group should not allow inbound traffic from all to TCP port 2379 (etcd) | lacework-global-153 | High |
Elastic Load Balancer (ELB) SSL Certificate expires in 5 Days | lacework-global-225 | High |
Elastic Load Balancer (ELB) SSL Certificate expires in 45 Days | lacework-global-226 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 23 (Telnet) | lacework-global-154 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows Remote Procedure Call (RPC)) | lacework-global-155 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows Server Message Block (SMB)) | lacework-global-156 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 3306 (MySQL) | lacework-global-104 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5432 (PostgreSQL) | lacework-global-106 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 1433 (SQLServer) | lacework-global-107 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 1434 (SQLServer) | lacework-global-108 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (Mini SQL (mSQL)) | lacework-global-109 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (Virtual Network Computing (VNC) Listener) | lacework-global-110 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (Virtual Network Computing (VNC) Server) | lacework-global-111 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 137 (NetBIOS) | lacework-global-112 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 138 (NetBIOS) | lacework-global-113 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 445 (Common Internet File System (CIFS)) | lacework-global-114 | High |
EC2 instance should not allow inbound traffic from all to TCP port 21 | lacework-global-218 | High |
EC2 instance should not allow inbound traffic from all to TCP port 20 | lacework-global-219 | High |
EC2 instance should not allow inbound traffic from all to TCP port 25 | lacework-global-220 | High |
EC2 instance should not allow inbound traffic from all to TCP port 53 | lacework-global-221 | High |
EC2 instance should not allow inbound traffic from all to User Datagram Protocol (UDP) port 53 | lacework-global-222 | High |
Redshift Cluster should not be Publicly Accessible | lacework-global-102 | High |
Elastic Load Balancer (ELB) Security Group should have Outbound Rules attached to it | lacework-global-223 | High |
Elastic Load Balancer (ELB) should not use insecure Ciphers | lacework-global-184 | High |
Deploy EC2 instances in EC2-VPC platform | lacework-global-103 | High |
CloudFront Origin Protocol Policy should explicitly set https-only or reflect the viewer policy configuration | lacework-global-125 | High |
CloudFront Origin SSL Protocols should not use insecure Ciphers | lacework-global-126 | High |
Security group should not allow inbound traffic from all to all Internet Control Message Protocol (ICMP) | lacework-global-127 | High |
Classic LBs should have a valid and secure security group | lacework-global-482 | High |
No Default Virtual Private Cloud (VPC) should be present in an AWS account | lacework-global-157 | Medium |
EC2 instances should not have a Public IP address attached | lacework-global-128 | Medium |
Load Balancers should have Access Logs enabled | lacework-global-159 | Medium |
CloudFront Viewer Protocol Policy should use https-only or redirect-to-https | lacework-global-129 | High |
Elastic Load Balancer (ELB) security group should restrict egress and ingress (Automated) | lacework-global-483 | High |
Relational Database Service (RDS) should not have a Public Interface | lacework-global-93 | Medium |
EC2 instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB) | lacework-global-196 | High |
Elastic Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB) | lacework-global-197 | High |
Application Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB) | lacework-global-198 | High |
Exposed OpenSearch Domain | lacework-global-122 | High |
OpenSearch Domain should be in Virtual Private Cloud (VPC) | lacework-global-123 | High |
5: Lambda
Title | Lacework Policy ID | Severity |
---|---|---|
Lambda Function should not have Admin Privileges | lacework-global-179 | Critical |
Lambda Function should not have Cross Account Access | lacework-global-180 | Critical |
Lambda Function should have tracing enabled | lacework-global-143 | High |
Lambda Function should not have Virtual Private Cloud (VPC) access | lacework-global-144 | Low |
6: General Security
Title | Lacework Policy ID | Severity |
---|---|---|
EC2 instance does not have any tags | lacework-global-89 | High |
Encrypt Elastic Block Store (EBS) Volumes | lacework-global-90 | Medium |
Ensure No Public Elastic Block Store (EBS) Snapshots | lacework-global-160 | Critical |
Encrypt Relational Database Service (RDS) database with customer managed Key Management Service (KMS) key | lacework-global-171 | Medium |
Encrypt Redshift Clusters | lacework-global-91 | Critical |
Do not use server certificates uploaded before Heartbleed vulnerability | lacework-global-92 | Critical |
Ensure Elastic Load Balancer (ELB) has latest Secure Cipher policies Configured for Session Encryption | lacework-global-182 | Critical |
Ensure Elastic Load Balancer V2 (ELBV2) has latest Secure Cipher policies Configured for Session Encryption | lacework-global-224 | Critical |
Ensure Elastic Load Balancer (ELB) is not affected by POODLE Vulnerability (CVE-2014-3566) | lacework-global-183 | Critical |
OpenSearch Domain should have Encryption At Rest enabled | lacework-global-124 | High |
OpenSearch Domain should have Encryption with Customer-Managed Key Management Service (KMS) Keys | lacework-global-161 | High |