Create Policies
You can supplement the Lacework default with your own custom policy, as described here.
Overview
Lacework includes numerous built-in policies for a range of scenarios. However, you may have additional requirements that aren't addressed by an existing policy. In this case, you can create a custom policy.
The best way to get started with custom policies is to clone an existing policy that is similar to the one you want to create. Not all policies can be cloned, so alternatively, you can create a new policy that is closely modeled on an existing one, including using its LQL query as a starting point.
To view all the policies in your Lacework instance, click Policies in the left navigation panel. To view the LQL query associated with a policy, click the policy name.
For example, to view the VPC Change LQL policy, select Policies and enter VPC Change in the search field. To view the LQL query that is called by VPC Change, click VPC Change in the list.
Note that not all Lacework policies rely on LQL. A policy can be either:
- An LQL policy, which uses the Lacework Query Language to query Lacework datasources.
- A non-LQL policy, which specifies a rule made up of one or more condition statements.
For more information on cloning policies, including non-LQL policies, see Clone Policies. For information on creating LQL policies, see Create Custom Policies.
Limitations
- The maximum number of records that each policy will return is 1000.
- The maximum number of API calls is 120 per hour for on-demand LQL query executions and LQL policy create, read, update, and delete operations.
Lacework Query Language
LQL is a SQL-like query language for specifying the selection, filtering, and manipulation of data. Queries let you interactively request information from specified curated datasources. Queries have a defined structure for authoring detections.
For general information on LQL, see LQL Overview.
LQL syntax may change.
Supported Datasources
Datasources are structured collections of related sets of information. Currently, LQL can access the integrated resources listed on Manage Integrated AWS Resources, Manage Integrated Google Cloud Resources, and Manage Integrated Azure Resources.
Example Query
The following example shows a query that finds VPCs where flow logging is either not enabled or not active:
{
source {
LW_CFG_AWS_EC2_VPCS vpc
with LW_CFG_AWS_EC2_VPC_FLOW_LOGS log
}
filter {
not value_exists(log.RESOURCE_CONFIG)
or log.RESOURCE_CONFIG:FlowLogStatus <> 'ACTIVE'
}
return distinct {
vpc.ACCOUNT_ALIAS,
vpc.ACCOUNT_ID,
vpc.ARN as RESOURCE_KEY,
vpc.RESOURCE_REGION,
vpc.RESOURCE_TYPE,
vpc.SERVICE,
case when not value_exists(log.RESOURCE_CONFIG) then 'VPCFlowLoggingNotEnabled'
else 'VPCFlowLoggingNotActive' end as COMPLIANCE_FAILURE_REASON
}
}
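To make the query's semantics concrete, here is an added example (not Lacework's code) that emulates in plain Python what the filter and the `return distinct` projection above compute, run over constructed sample rows. The field names follow the query; the sample rows, the `VPC_ARN` join key, and the assumption that the `with` clause pairs each VPC with every flow log attached to it (or with no flow log at all when none exists) are illustrative and are not Lacework's datasource model.

```python
"""Plain-Python emulation of the VPC flow-logging LQL query (added example)."""
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Constructed rows shaped like the LW_CFG_AWS_EC2_VPCS datasource.
VPCS: List[Dict[str, Any]] = [
    {"ACCOUNT_ALIAS": "prod", "ACCOUNT_ID": "111111111111",
     "ARN": "arn:aws:ec2:us-east-1:111111111111:vpc/vpc-aaa",
     "RESOURCE_REGION": "us-east-1", "RESOURCE_TYPE": "ec2:vpc", "SERVICE": "ec2"},
    {"ACCOUNT_ALIAS": "prod", "ACCOUNT_ID": "111111111111",
     "ARN": "arn:aws:ec2:us-east-1:111111111111:vpc/vpc-bbb",
     "RESOURCE_REGION": "us-east-1", "RESOURCE_TYPE": "ec2:vpc", "SERVICE": "ec2"},
    {"ACCOUNT_ALIAS": "dev", "ACCOUNT_ID": "222222222222",
     "ARN": "arn:aws:ec2:eu-west-1:222222222222:vpc/vpc-ccc",
     "RESOURCE_REGION": "eu-west-1", "RESOURCE_TYPE": "ec2:vpc", "SERVICE": "ec2"},
]

# Constructed rows shaped like LW_CFG_AWS_EC2_VPC_FLOW_LOGS. VPC_ARN is a
# hypothetical join key; RESOURCE_CONFIG holds the flow log's configuration.
FLOW_LOGS: List[Dict[str, Any]] = [
    {"VPC_ARN": VPCS[0]["ARN"], "RESOURCE_CONFIG": {"FlowLogStatus": "ACTIVE"}},
    # vpc-bbb deliberately has no flow-log row at all.
    {"VPC_ARN": VPCS[2]["ARN"], "RESOURCE_CONFIG": {"FlowLogStatus": "INACTIVE"}},  # constructed status value
    {"VPC_ARN": VPCS[2]["ARN"], "RESOURCE_CONFIG": {"FlowLogStatus": "ACTIVE"}},
]


def value_exists(value: Any) -> bool:
    """Mirror of LQL value_exists(): false for a missing or null value."""
    return value is not None


def source_rows(vpcs: List[Dict[str, Any]],
                flow_logs: List[Dict[str, Any]]) -> Iterator[Tuple[Dict[str, Any], Optional[Dict[str, Any]]]]:
    """Emulate `source { VPCS vpc with FLOW_LOGS log }`: one row per VPC/flow-log
    pair, or a single row with log=None when the VPC has no flow log."""
    for vpc in vpcs:
        matches = [log for log in flow_logs if log["VPC_ARN"] == vpc["ARN"]]
        if not matches:
            yield vpc, None
        for log in matches:
            yield vpc, log


def find_flow_logging_failures(vpcs: List[Dict[str, Any]],
                               flow_logs: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the query's filter block and its `return distinct` projection."""
    seen = set()
    results: List[Dict[str, Any]] = []
    for vpc, log in source_rows(vpcs, flow_logs):
        config = None if log is None else log.get("RESOURCE_CONFIG")
        # filter { not value_exists(log.RESOURCE_CONFIG)
        #          or log.RESOURCE_CONFIG:FlowLogStatus <> 'ACTIVE' }
        # A config without a FlowLogStatus key is treated as not active here.
        if value_exists(config) and config.get("FlowLogStatus") == "ACTIVE":
            continue
        reason = ("VPCFlowLoggingNotEnabled" if not value_exists(config)
                  else "VPCFlowLoggingNotActive")
        row = {
            "ACCOUNT_ALIAS": vpc["ACCOUNT_ALIAS"],
            "ACCOUNT_ID": vpc["ACCOUNT_ID"],
            "RESOURCE_KEY": vpc["ARN"],
            "RESOURCE_REGION": vpc["RESOURCE_REGION"],
            "RESOURCE_TYPE": vpc["RESOURCE_TYPE"],
            "SERVICE": vpc["SERVICE"],
            "COMPLIANCE_FAILURE_REASON": reason,
        }
        key = tuple(sorted(row.items()))
        if key not in seen:  # `distinct`
            seen.add(key)
            results.append(row)
    return results


if __name__ == "__main__":
    for row in find_flow_logging_failures(VPCS, FLOW_LOGS):
        print(row["RESOURCE_KEY"], row["COMPLIANCE_FAILURE_REASON"])
```

Running this flags vpc-bbb (no flow log) and vpc-ccc (one inactive flow log) while vpc-aaa passes. The vpc-ccc case is worth noticing: under the one-row-per-pair reading assumed here, a VPC is reported as not active as soon as any one of its flow logs is not ACTIVE, even if another one is. If that is not the behaviour you want, the filter needs to aggregate per VPC rather than test each flow log row on its own.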
Alert Profiles
Use alert profiles to define how your LQL queries get consumed into events and alerts. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profile, extend an existing alert profile and add custom templates to it.
{
"data": {
"alertProfileId": "LW_CFG_AWS_DEFAULT_PROFILE",
"extends": "LW_LPP_BaseProfile",
"fields": [
{
"name": "_PRIMARY_TAG"
},
{
"name": "RESOURCE_ID"
}, ...
],
"descriptionKeys": [
{
"name": "_OCCURRENCE",
"spec": "{{_OCCURRENCE}}"
},
{
"name": "RESOURCE_ID",
"spec": "{{RESOURCE_ID}}"
}, ...
],
"alerts": [
{
"name": "CFG_AWS_PolicyChanged",
"eventName": "LW Configuration AWS Violation Alert",
"description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
"subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
},
{
"name": "CFG_AWS_NewViolation",
"eventName": "LW Configuration AWS Violation Alert",
"description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
"subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
},
{
"name": "CFG_AWS_Violation",
"eventName": "LW Configuration AWS Violation Alert",
"description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
"subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
}
]
}
}
Policies
Policies add annotated metadata to queries to improve the context of alerts, reports, and information displayed in the Lacework Console. Use the following methods to create custom policies:
- To create custom LQL-based policies, see Create Custom Policies.
- To create custom non-LQL-based policies, use the steps described in Clone Policies.
Example Policy
The following shows a custom policy that uses the query shown above to alert when VPC flow logging is not enabled or not active:
{
"title": "Ensure VPC flow logging is enabled in all VPCs",
"enabled": false,
"policyType": "Violation",
"alertEnabled": false,
"alertProfile": "LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation",
"evalFrequency": "Hourly",
"queryId": "Example_Global_AWS_Config_VPCFlowLoggingNotEnabled",
"severity": "medium",
"description": "VPC Flow Logs is a feature that enables you to capture information\nabout the IP traffic going to and from network interfaces in your VPC. After\nyou've created a flow log, you can view and retrieve its data in Amazon CloudWatch\nLogs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for\nVPCs.",
"remediation": "Perform the following to determine if VPC Flow logs is enabled:\nFrom Console:\n1. Sign into the management console\n2. Select Services then VPC\n3. In the left navigation pane, select Your VPCs\n4. Select a VPC\n5. In the right pane, select the Flow Logs tab.\n6. If no Flow Log exists, click Create Flow Log\n7. For Filter, select Reject\n8. Enter in a Role and Destination Log Group\n9. Click Create Log Flow\n10. Click on CloudWatch Logs Group\nNote: Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation\nand provide sufficient information for the purposes of breach detection, research and remediation. However,\nduring periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering\nexisting traffic flows required for proper operation of an already running environment.",
"tags": [
"domain:AWS",
"subdomain:Configuration"
]
}
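The policy's "alertProfile" value ties the two preceding sections together: it names a profile and one of the alerts defined in it, and that alert's {{NAME}} templates are filled from the fields a query returns. The added example below (not Lacework's code) resolves that reference against a trimmed copy of the profile shown earlier and renders the subject and description from a query result row. The profile and policy shapes and the {{NAME}} placeholder syntax are taken from the page; how Lacework itself performs the substitution, and the "New" value used for _OCCURRENCE, are assumptions made for the example.

```python
"""Resolve a policy's alertProfile reference and render alert text (added example)."""
import re
from typing import Any, Dict, List, Tuple

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

# Trimmed copy of the LW_CFG_AWS_DEFAULT_PROFILE alert profile from the page.
ALERT_PROFILE: Dict[str, Any] = {
    "alertProfileId": "LW_CFG_AWS_DEFAULT_PROFILE",
    "extends": "LW_LPP_BaseProfile",
    "alerts": [
        {
            "name": "CFG_AWS_Violation",
            "eventName": "LW Configuration AWS Violation Alert",
            "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
            "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
        },
    ],
}

# The fields of the example policy that matter for alert rendering.
POLICY: Dict[str, Any] = {
    "title": "Ensure VPC flow logging is enabled in all VPCs",
    "alertProfile": "LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation",
    "severity": "medium",
}

# Constructed row in the shape the VPC flow-logging query returns. Note that the
# query returns RESOURCE_KEY, while the alert templates reference RESOURCE_ID.
QUERY_ROW: Dict[str, Any] = {
    "ACCOUNT_ALIAS": "prod",
    "ACCOUNT_ID": "111111111111",
    "RESOURCE_KEY": "arn:aws:ec2:us-east-1:111111111111:vpc/vpc-bbb",
    "RESOURCE_REGION": "us-east-1",
    "RESOURCE_TYPE": "ec2:vpc",
    "SERVICE": "ec2",
    "COMPLIANCE_FAILURE_REASON": "VPCFlowLoggingNotEnabled",
}


def resolve_alert(policy: Dict[str, Any], profiles: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Look up "PROFILE.ALERT" from the policy in a map of profiles keyed by id."""
    profile_id, _, alert_name = policy["alertProfile"].partition(".")
    if profile_id not in profiles:
        raise KeyError(f"unknown alert profile {profile_id!r}")
    for alert in profiles[profile_id]["alerts"]:
        if alert["name"] == alert_name:
            return alert
    raise KeyError(f"alert {alert_name!r} is not defined in profile {profile_id!r}")


def render(template: str, values: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Substitute {{NAME}} placeholders; unresolved ones are left visible and reported."""
    missing: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name in values and values[name] is not None:
            return str(values[name])
        missing.append(name)
        return match.group(0)

    return PLACEHOLDER.sub(substitute, template), missing


def build_alert(policy: Dict[str, Any], profiles: Dict[str, Dict[str, Any]],
                row: Dict[str, Any], occurrence: str = "New") -> Dict[str, Any]:
    """Render the alert a policy would raise for one query result row."""
    alert = resolve_alert(policy, profiles)
    values = {"_OCCURRENCE": occurrence, **row}  # _OCCURRENCE value is assumed
    subject, missing_subject = render(alert["subject"], values)
    description, missing_description = render(alert["description"], values)
    return {
        "eventName": alert["eventName"],
        "severity": policy["severity"],
        "subject": subject,
        "description": description,
        # Placeholders the query did not supply; a non-empty list means the
        # query's return block and the alert templates do not line up.
        "missing_fields": sorted(set(missing_subject + missing_description)),
    }


if __name__ == "__main__":
    profiles = {ALERT_PROFILE["alertProfileId"]: ALERT_PROFILE}
    result = build_alert(POLICY, profiles, QUERY_ROW)
    print(result["subject"])
    print("missing:", result["missing_fields"])
```

With the row as the query returns it, the renderer reports RESOURCE_ID as missing and leaves the placeholder in the text; adding RESOURCE_ID to the query's return block (or aliasing the ARN to it) makes the templates resolve cleanly. Checking every placeholder in the chosen alert's templates against the query's returned columns before enabling a policy is a cheap way to avoid alerts with blank resource references.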
For the types of policies you can create, see Custom Policy Types.