AWS Foundational Security Best Practices (FSBP) Standard
Lacework provides compliance policies based on AWS Foundational Security Best Practices (FSBP) Standard (or AWS FSBP Standard for short).
Once you have integrated your Amazon Web Services (AWS) environment with Lacework, you can check whether your resources are compliant with the framework policies.
Revision History
- Revision 1
This initial release contains critical severity policies only.
Visibility and Usage in the Lacework Console
You can use the AWS FSBP Standard in the following ways:
- Enable or disable policies through the Policies page (see AWS FSBP Standard Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled AWS FSBP Standard policies (when violations occur).
- The Cloud Compliance Dashboard provides assessment results for each framework, including the AWS FSBP Standard.
- The Reports page lists all reports that are configured for your environment. Create a report configuration with the AWS FSBP Standard as the template to generate a daily report that is retained for up to 90 days.
Prerequisites
Ensure you have integrated your AWS environment with the Lacework Compliance platform. Completing this will prepare your environment for the AWS FSBP Standard:
- Integrate Lacework with AWS
- A Configuration integration is the minimum requirement for your accounts/organizations to gain access to our Compliance platform functionality.
Previous Integrations using Terraform
If you have previously integrated AWS with Lacework using Terraform before this framework was available:
- Enter the directory containing the Terraform files used for the integration.
- Run
terraform init -upgradeto initialize the working directory (containing the Terraform files). - Run
terraform planand review the changes that will be applied. - Once satisfied with the changes that will be applied, run
terraform applyto upgrade the modules.
AWS FSBP Standard Policies
All policies in the AWS FSBP Standard are disabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:aws-fsbp-2023H2 tag to filter for AWS FSBP Standard policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Enable or Disable Policies using the Lacework CLI
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Enable or disable all the AWS FSBP Standard policies using the following commands in the Lacework CLI:
lacework policy enable --tag framework:aws-fsbp-2023H2
lacework policy disable --tag framework:aws-fsbp-2023H2
Enable or disable specific AWS FSBP Standard policies using the following command examples in the Lacework CLI:
lacework policy enable lacework-global-807
lacework policy disable lacework-global-807
Policy Mapping for AWS FSBP Standard
The AWS FSBP Standard controls are mapped to Lacework policies, as listed in the following tables.
Table key:
- Control ID - The AWS FSBP Standard control identifier.
- Title - The policy/control title.
- Lacework Policy ID - The Lacework policy identifier.
- Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
- Severity - The severity of the policy (as determined by Lacework).
All policies in the AWS FSBP Standard are automated. This means the Lacework platform monitors your environment resources to check whether they are compliant with these policies.
This framework uses Lacework AWS Security Addendum policies when there is an overlap with the AWS FSBP Standard.
- CloudFront
- CodeBuild
- Database Migration Service (DMS)
- Elastic Compute Cloud (EC2)
- Elasticsearch (ES)
- Identity and Access Management (IAM)
- Key Management Service (KMS)
- Lambda
- Neptune
- OpenSearch Service
- Relational Database Service (RDS)
- Redshift
- Simple Storage Service (S3)
- Systems Manager (SSM)
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| CloudFront.1 | CloudFront distributions should have a default root object configured | lacework-global-378 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| CodeBuild.1 | CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | lacework-global-380 | Automated | Critical |
| CodeBuild.2 | CodeBuild project environment variables should not contain clear text credentials | lacework-global-379 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| DMS.1 | Database Migration Service (DMS) replication instances should not be public | lacework-global-369 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| EC2.1 | Ensure No Public EBS Snapshots | lacework-global-160 | Automated | Critical |
| EC2.19 | Security groups should not allow unrestricted access to ports with high risk | lacework-global-215 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| ES.2 | ElasticSearch Domain should be in Virtual Private Cloud (VPC) | lacework-global-809 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| IAM.4 | Ensure no 'root' user account access key exists | lacework-global-34 | Automated | Critical |
| IAM.6 | Ensure hardware MFA is enabled for the 'root' user account | lacework-global-69 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| KMS.3 | Do not unintentionally delete AWS Key Management Service (KMS) keys | lacework-global-216 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| Lambda.1 | Lambda function policies should prohibit public access | lacework-global-368 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| Neptune.3 | Neptune DB cluster snapshots should not be public | lacework-global-367 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| Opensearch.2 | OpenSearch Domain should be in Virtual Private Cloud (VPC) | lacework-global-123 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| RDS.1 | RDS snapshot should be private | lacework-global-370 | Automated | Critical |
| RDS.2 | RDS should not have a Public Interface | lacework-global-93 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| Redshift.1 | Redshift Cluster should not be Publicly Accessible | lacework-global-102 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| S3.2 | S3 general purpose buckets should block public read access | lacework-global-807 | Automated | Critical |
| S3.3 | S3 general purpose buckets should block public write access | lacework-global-808 | Automated | Critical |
| Control ID | Title | Lacework Policy ID | Lacework Assessment | Severity |
|---|---|---|---|---|
| SSM.4 | Systems Manager (SSM) documents should not be public | lacework-global-381 | Automated | Critical |