Lacework AWS Security Addendum 1.0
The Lacework AWS Security Addendum 1.0 framework supplements the CIS AWS 1.4.0 Benchmark with policies for AWS S3, IAM, Lambda, networking, analytics, database, and general security.
Once you have integrated your Amazon Web Services (AWS) environment with Lacework, you can check whether your resources are compliant with the framework recommendations.
Visibility and Usage in the Lacework Console
You can use the Lacework AWS Security Addendum 1.0 in the following ways:
- Enable or disable policies through the Policies page (see Lacework AWS Security Addendum Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled Lacework AWS Security Addendum policies (when violations occur).
- The Cloud Compliance Dashboard provides assessment results for each framework, including the Lacework AWS Security Addendum.
- The Reports page lists all reports that are configured for your environment. Create a report configuration with the Lacework AWS Security Addendum as the template to generate a daily report that is retained for up to 90 days.
Prerequisites
Ensure you have integrated your AWS environment with the Lacework Compliance platform. Completing this will prepare your environment for the Lacework AWS Security Addendum 1.0:
- Integrate Lacework with AWS
- A Configuration integration is the minimum requirement for your accounts/organizations to gain access to our Compliance platform functionality.
Previous Integrations using Terraform
If you have previously integrated AWS with Lacework using Terraform before this benchmark was available:
- Enter the directory containing the Terraform files used for the integration.
- Run `terraform init -upgrade` to initialize the working directory (containing the Terraform files).
- Run `terraform plan` and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run `terraform apply` to upgrade the modules.
Lacework AWS Security Addendum Policies
All policies in the Lacework AWS Security Addendum are enabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:aws-lacework-security-1-0 tag to filter for Lacework AWS Security Addendum policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.
Enable or Disable Policies using the Lacework CLI
Enable or disable all the Lacework AWS Security Addendum policies using the following commands in the Lacework CLI:
```shell
lacework policy enable --tag framework:aws-lacework-security-1-0
lacework policy disable --tag framework:aws-lacework-security-1-0
```
Enable or disable specific Lacework AWS Security Addendum policies using the following command examples in the Lacework CLI:
```shell
lacework policy enable lacework-global-117
lacework policy disable lacework-global-117
```
Policy Mapping for Lacework AWS Security Addendum Policies
The Lacework AWS Security Addendum policies are listed in the following tables.
Table key:
- Title - The policy/control title.
- Lacework Policy ID - The Lacework policy identifier.
- Severity - The severity of the policy (as determined by Lacework).
All policies in the Lacework AWS Security Addendum are automated. This means the Lacework platform monitors your environment resources to check whether they are compliant with these policies.
- 1: Identity and Access Management (IAM)
- 2: Storage
- 3: Logging
- 4: Networking
- 5: Lambda
- 6: General Security
1: Identity and Access Management (IAM)
Title | Lacework Policy ID | Severity |
---|---|---|
Ensure access keys are rotated every 30 days or less | lacework-global-115 | Medium |
Ensure access keys are rotated every 45 days or less | lacework-global-116 | Medium |
Ensure public ssh keys are rotated every 30 days or less | lacework-global-117 | Medium |
Ensure public ssh keys are rotated every 45 days or less | lacework-global-118 | Medium |
Ensure public ssh keys are rotated every 90 days or less | lacework-global-119 | High |
Ensure active access keys are used every 90 days or less | lacework-global-120 | High |
IAM user should not be inactive for more than 30 days | lacework-global-121 | Medium |
Ensure non-root user exists in the account | lacework-global-181 | Medium |
Ensure access keys are rotated every 350 days or less | lacework-global-142 | Medium |
Ensure access keys are rotated every 180 days or less | lacework-global-141 | Critical |
No IAM users with password-based console access should exist | lacework-global-105 | Medium |
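The IAM policies above all reduce to age arithmetic over the fields of an IAM credential report. The following added example (not Lacework's own policy logic, and not code from this page) evaluates a constructed credential-report excerpt against those thresholds and emits the matching Lacework policy IDs. The column subset, the sample users, the fixed evaluation date and the function names `evaluate_report` and `_parse` are all assumptions made for the example; the mapping from policy title to check is my reading of the table, not Lacework's query.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed excerpt of an IAM credential report: a subset of the real report's
# columns, with "N/A" where IAM would report "no key" or "never used".
SAMPLE_REPORT = """\
user,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,false,N/A,N/A
alice,2023-01-01T00:00:00+00:00,false,N/A,true,2024-01-15T10:00:00+00:00,2024-05-20T08:00:00+00:00
bob,2023-01-01T00:00:00+00:00,true,2024-05-25T12:00:00+00:00,true,2024-05-10T10:00:00+00:00,2024-05-28T08:00:00+00:00
carol,2023-01-01T00:00:00+00:00,false,N/A,true,2023-06-01T10:00:00+00:00,2024-01-01T08:00:00+00:00
"""

# Fixed evaluation time so the constructed sample gives reproducible ages.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Rotation thresholds from the IAM table, keyed by Lacework policy ID.
ROTATION_POLICIES = {
    "lacework-global-115": 30,
    "lacework-global-116": 45,
    "lacework-global-141": 180,
    "lacework-global-142": 350,
}
UNUSED_KEY_DAYS = 90      # lacework-global-120
INACTIVE_USER_DAYS = 30   # lacework-global-121


def _parse(ts):
    """Credential-report timestamps are ISO 8601; the report's N/A markers become None."""
    return None if ts in ("N/A", "no_information", "") else datetime.fromisoformat(ts)


def evaluate_report(report_csv, now=NOW):
    """Return a sorted list of (policy_id, user, detail) for the IAM policies in the table."""
    findings = []
    non_root_seen = False
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue                      # root is not an IAM user; skip it
        non_root_seen = True

        if row["password_enabled"] == "true":
            findings.append(("lacework-global-105", user, "console password enabled"))

        key_last_used = _parse(row["access_key_1_last_used_date"])
        if row["access_key_1_active"] == "true":
            key_age = (now - _parse(row["access_key_1_last_rotated"])).days
            for policy_id, limit in ROTATION_POLICIES.items():
                if key_age > limit:
                    findings.append((policy_id, user, f"key age {key_age}d > {limit}d"))
            # A key that was never used counts as unused since it was created.
            unused = (now - key_last_used).days if key_last_used else key_age
            if unused > UNUSED_KEY_DAYS:
                findings.append(("lacework-global-120", user, f"key unused for {unused}d"))

        # Latest sign of life: console login or key use, else account creation.
        activity = [t for t in (_parse(row["password_last_used"]), key_last_used) if t]
        last_active = max(activity) if activity else _parse(row["user_creation_time"])
        idle = (now - last_active).days
        if idle > INACTIVE_USER_DAYS:
            findings.append(("lacework-global-121", user, f"no activity for {idle}d"))

    if not non_root_seen:
        findings.append(("lacework-global-181", "<account>", "no non-root IAM user exists"))
    return sorted(findings)


if __name__ == "__main__":
    for policy_id, user, detail in evaluate_report(SAMPLE_REPORT):
        print(f"{policy_id}  {user:<8} {detail}")
```

Run as written, the sample flags `bob` for password-based console access, `alice` for the 30- and 45-day rotation limits, and `carol` for every rotation limit plus the unused-key and inactive-user checks. The overlapping thresholds (30/45/180/350) are why one stale key produces several findings in the Lacework console; tune which of them are enabled rather than expecting one alert per key.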
2: Storage
Title | Lacework Policy ID | Severity |
---|---|---|
Ensure the bucket ACL does not grant 'Everyone' READ permission [list S3 objects] | lacework-global-130 | Critical |
Ensure the bucket ACL does not grant 'Everyone' WRITE permission [create, overwrite, and delete S3 objects] | lacework-global-131 | Critical |
Ensure the bucket ACL does not grant 'Everyone' READ_ACP permission [read bucket ACL] | lacework-global-132 | Critical |
Ensure the bucket ACL does not grant 'Everyone' WRITE_ACP permission [modify bucket ACL] | lacework-global-133 | Critical |
Ensure the bucket ACL does not grant 'Everyone' FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | lacework-global-134 | Critical |
Ensure the bucket ACL does not grant AWS users READ permission [list S3 objects] | lacework-global-135 | Critical |
Ensure the bucket ACL does not grant AWS users WRITE permission [create, overwrite, and delete S3 objects] | lacework-global-136 | Critical |
Ensure the bucket ACL does not grant AWS users READ_ACP permission [read bucket ACL] | lacework-global-137 | Critical |
Ensure the bucket ACL does not grant AWS users WRITE_ACP permission [modify bucket ACL] | lacework-global-138 | Critical |
Ensure the bucket ACL does not grant AWS users FULL_CONTROL [READ, WRITE, READ_ACP, WRITE_ACP] | lacework-global-139 | Critical |
Ensure the attached S3 bucket policy does not grant 'Allow' permission to everyone | lacework-global-140 | Critical |
Ensure the S3 bucket requires MFA to delete objects | lacework-global-94 | Medium |
Ensure the S3 bucket has default server-side encryption enabled | lacework-global-217 | High |
Ensure all data is transported from the S3 bucket securely (Deprecated as of 5th December 2023) | lacework-global-96 | High |
Ensure the S3 bucket has versioning enabled | lacework-global-97 | High |
Ensure the attached S3 bucket policy does not grant global 'Get' permission | lacework-global-98 | Critical |
Ensure the attached S3 bucket policy does not grant global 'Delete' permission | lacework-global-99 | Critical |
Ensure the attached S3 bucket policy does not grant global 'List' permission | lacework-global-100 | Critical |
Ensure the attached S3 bucket policy does not grant global 'Put' permission | lacework-global-101 | Critical |
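The ACL and bucket-policy rows above map onto two S3 API responses: the bucket ACL's grant list, where 'Everyone' is the `AllUsers` group URI and 'AWS users' is the `AuthenticatedUsers` group URI, and the bucket policy document, where a global grant is an `Allow` statement whose `Principal` is `*` (or `{"AWS": "*"}`). The following added example (not Lacework's own check and not code from this page) evaluates constructed ACL and policy documents against those rows. The sample bucket, the function names `check_acl`, `check_bucket_policy` and `evaluate_bucket`, and the decision to flag every wildcard-principal `Allow` regardless of any `Condition` block are assumptions of the example.

```python
import json

# S3 group URIs used in ACL grants (these are the real AWS constants).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"             # 'Everyone'
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # 'AWS users'

# (grantee group, permission) -> Lacework policy ID, from the Storage table.
ACL_POLICIES = {
    (ALL_USERS, "READ"): "lacework-global-130",
    (ALL_USERS, "WRITE"): "lacework-global-131",
    (ALL_USERS, "READ_ACP"): "lacework-global-132",
    (ALL_USERS, "WRITE_ACP"): "lacework-global-133",
    (ALL_USERS, "FULL_CONTROL"): "lacework-global-134",
    (AUTH_USERS, "READ"): "lacework-global-135",
    (AUTH_USERS, "WRITE"): "lacework-global-136",
    (AUTH_USERS, "READ_ACP"): "lacework-global-137",
    (AUTH_USERS, "WRITE_ACP"): "lacework-global-138",
    (AUTH_USERS, "FULL_CONTROL"): "lacework-global-139",
}
# Action prefix (lower-cased) -> policy ID for global Get/Delete/List/Put grants.
ACTION_POLICIES = [
    ("s3:get", "lacework-global-98"),
    ("s3:delete", "lacework-global-99"),
    ("s3:list", "lacework-global-100"),
    ("s3:put", "lacework-global-101"),
]

# Constructed get-bucket-acl style response: owner plus two overly broad group grants.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ_ACP"},
    ],
}
# Constructed bucket policy: one global statement, one scoped to a single account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
# Hardened counterparts: owner-only ACL and a policy that only denies plaintext transport.
PRIVATE_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_everyone(principal):
    """True for the two spellings of an anonymous principal in a bucket policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def check_acl(acl):
    """Policy IDs triggered by group grants in the bucket ACL."""
    findings = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        policy_id = ACL_POLICIES.get((grantee.get("URI"), grant.get("Permission")))
        if policy_id:
            findings.add(policy_id)
    return findings


def check_bucket_policy(policy_json):
    """Policy IDs triggered by Allow statements open to everyone (Condition is ignored)."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_everyone(stmt.get("Principal")):
            continue
        findings.add("lacework-global-140")
        for action in _as_list(stmt.get("Action", [])):
            action = action.lower()
            for prefix, policy_id in ACTION_POLICIES:
                if action in ("*", "s3:*") or action.startswith(prefix):
                    findings.add(policy_id)
    return findings


def evaluate_bucket(acl, policy_json=None):
    findings = check_acl(acl)
    if policy_json:
        findings |= check_bucket_policy(policy_json)
    return sorted(findings)


if __name__ == "__main__":
    print("sample bucket :", evaluate_bucket(SAMPLE_ACL, SAMPLE_POLICY))
    print("private bucket:", evaluate_bucket(PRIVATE_ACL, PRIVATE_POLICY))
```

The sample bucket trips lacework-global-130 and -137 from the ACL and -140, -98 and -100 from the policy; the account-scoped `DeleteObject` statement is correctly left alone, and the `Deny` statement in the hardened policy produces nothing. Treating a conditioned wildcard `Allow` as global is deliberately conservative; if your buckets use `aws:SourceVpce` or similar conditions intentionally, that is the kind of case a Compliance Policy Exception exists for.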
3: Logging
Title | Lacework Policy ID | Severity |
---|---|---|
Ensure the S3 bucket has access logging enabled | lacework-global-95 | Low |
4: Networking
Title | Lacework Policy ID | Severity |
---|---|---|
Security groups are not attached to an in-use network interface | lacework-global-227 | Low |
Network ACLs do not allow unrestricted inbound traffic | lacework-global-145 | Critical |
Network ACLs do not allow unrestricted outbound traffic | lacework-global-146 | Medium |
AWS VPC endpoints should not be exposed | lacework-global-147 | Medium |
Security group inbound traffic should not allow inbound traffic from all | lacework-global-148 | Critical |
Security group inbound traffic should not allow traffic except port 80 and 443 | lacework-global-149 | High |
Security group attached to EC2 instance should not allow inbound traffic from all ports | lacework-global-228 | Critical |
Security group attached to RDS DB instance should not allow inbound traffic from all ports | lacework-global-229 | Critical |
Security group attached to Network Interface should not allow inbound traffic from all ports | lacework-global-230 | Critical |
Security group attached to Elastic Load Balancer should not allow inbound traffic from all ports | lacework-global-231 | Critical |
Security group attached to Application Load Balancer should not allow inbound traffic from all | lacework-global-199 | Critical |
Security Group should not allow inbound traffic from all to TCP port 9200 or 9300 (Opensearch/Elasticsearch) | lacework-global-150 | High |
Security Group should not allow inbound traffic from all to TCP port 5601 (Kibana) | lacework-global-151 | High |
Security Group should not allow inbound traffic from all to TCP port 6379 (Redis) | lacework-global-152 | High |
Security Group should not allow inbound traffic from all to TCP port 2379 (etcd) | lacework-global-153 | High |
ELB SSL Certificate expires in 5 Days | lacework-global-225 | High |
ELB SSL Certificate expires in 45 Days | lacework-global-226 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 23 (Telnet) | lacework-global-154 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows RPC) | lacework-global-155 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows SMB) | lacework-global-156 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 3306 (MySQL) | lacework-global-104 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5432 (PostgreSQL) | lacework-global-106 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 1433 (SQLServer) | lacework-global-107 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 1434 (SQLServer) | lacework-global-108 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (MSQL) | lacework-global-109 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (VNC Listener) | lacework-global-110 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (VNC Server) | lacework-global-111 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 137 (NetBIOS) | lacework-global-112 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 138 (NetBIOS) | lacework-global-113 | High |
Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 445 (CIFS) | lacework-global-114 | High |
EC2 instance should not allow inbound traffic from all to TCP port 21 | lacework-global-218 | High |
EC2 instance should not allow inbound traffic from all to TCP port 20 | lacework-global-219 | High |
EC2 instance should not allow inbound traffic from all to TCP port 25 | lacework-global-220 | High |
EC2 instance should not allow inbound traffic from all to TCP port 53 | lacework-global-221 | High |
EC2 instance should not allow inbound traffic from all to UDP port 53 | lacework-global-222 | High |
Redshift Cluster should not be Publicly Accessible | lacework-global-102 | High |
ELB Security Group should have Outbound Rules attached to it | lacework-global-223 | High |
ELB should not use insecure Cipher(s) | lacework-global-184 | High |
EC2 instance should be deployed in EC2-VPC platform | lacework-global-103 | High |
CloudFront Origin Protocol Policy should use https-only | lacework-global-125 | High |
CloudFront Origin SSL Protocols should not use insecure Cipher(s) | lacework-global-126 | High |
Security group should not allow inbound traffic from all to all ICMP | lacework-global-127 | High |
Classic LBs should have a valid and secure security group | lacework-global-482 | High |
No Default VPC should be present in an AWS account | lacework-global-157 | Medium |
EC2 instances should not have a Public IP address attached | lacework-global-128 | Medium |
Load Balancers should have Access Logs enabled | lacework-global-159 | Medium |
CloudFront Viewer Protocol Policy should use https-only | lacework-global-129 | High |
ELBs should have a secure security group | lacework-global-483 | High |
RDS should not have a Public Interface | lacework-global-93 | Medium |
EC2 instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB) | lacework-global-196 | High |
Elastic Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB) | lacework-global-197 | High |
Application Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB) | lacework-global-198 | High |
OpenSearch Domain should not be exposed | lacework-global-122 | High |
OpenSearch Domain should be in Virtual Private Cloud (VPC) | lacework-global-123 | High |
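Most of the security-group rows in the Networking table are the same test applied to different ports: does an inbound rule admit `0.0.0.0/0` or `::/0` on a given protocol and port range? The following added example (not Lacework's own check and not code from this page) evaluates a constructed `describe-security-groups` style record against the port-specific rows for a group assumed to be attached to an EC2 instance, plus the all-ports, all-ICMP and "nothing but 80/443" rows. The sample group, the hardened counterpart and the function names `evaluate_security_group` and `_open_to_world` are assumptions of the example; the ELB, ALB, RDS and network-interface variants in the table use the same rule logic keyed to a different attachment.

```python
WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"
WEB_PORTS = {80, 443}   # the only ports lacework-global-149 tolerates from everywhere

# (protocol, port) -> Lacework policy ID, from the Networking table (EC2-attached rows).
PORT_POLICIES = {
    ("tcp", 9200): "lacework-global-150", ("tcp", 9300): "lacework-global-150",
    ("tcp", 5601): "lacework-global-151",
    ("tcp", 6379): "lacework-global-152",
    ("tcp", 2379): "lacework-global-153",
    ("tcp", 23): "lacework-global-154",
    ("tcp", 135): "lacework-global-155",
    ("tcp", 445): "lacework-global-156",
    ("tcp", 3306): "lacework-global-104",
    ("tcp", 5432): "lacework-global-106",
    ("tcp", 1433): "lacework-global-107",
    ("udp", 1434): "lacework-global-108",
    ("tcp", 4333): "lacework-global-109",
    ("tcp", 5500): "lacework-global-110",
    ("tcp", 5900): "lacework-global-111",
    ("udp", 137): "lacework-global-112",
    ("udp", 138): "lacework-global-113",
    ("udp", 445): "lacework-global-114",
    ("tcp", 21): "lacework-global-218",
    ("tcp", 20): "lacework-global-219",
    ("tcp", 25): "lacework-global-220",
    ("tcp", 53): "lacework-global-221",
    ("udp", 53): "lacework-global-222",
    ("tcp", 27017): "lacework-global-196", ("tcp", 27018): "lacework-global-196",
}

# Constructed security group in the shape of an EC2 describe-security-groups entry.
SAMPLE_SG = {
    "GroupId": "sg-0constructed",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": WORLD_V6}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": []},  # all traffic
    ],
}
# Hardened counterpart: HTTPS from anywhere, SSH only from the corporate range.
HARDENED_SG = {
    "GroupId": "sg-0hardened",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": WORLD_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}


def _open_to_world(perm):
    """True if any IPv4 or IPv6 range on the rule is the unrestricted CIDR."""
    return (any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", [])))


def evaluate_security_group(sg):
    """Return the sorted Lacework policy IDs violated by the group's inbound rules."""
    findings = set()
    for perm in sg.get("IpPermissions", []):
        if not _open_to_world(perm):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":                       # every protocol and port
            findings.update(("lacework-global-148", "lacework-global-149"))
            continue
        if proto == "icmp":
            if perm.get("FromPort") == -1:      # -1 means all ICMP types
                findings.add("lacework-global-127")
            continue
        low, high = perm["FromPort"], perm["ToPort"]
        if low == 0 and high == 65535:
            findings.add("lacework-global-148")
        if any(port not in WEB_PORTS for port in range(low, high + 1)):
            findings.add("lacework-global-149")
        for (rule_proto, port), policy_id in PORT_POLICIES.items():
            if rule_proto == proto and low <= port <= high:
                findings.add(policy_id)
    return sorted(findings)


if __name__ == "__main__":
    print(SAMPLE_SG["GroupId"], evaluate_security_group(SAMPLE_SG))
    print(HARDENED_SG["GroupId"], evaluate_security_group(HARDENED_SG))
```

On the sample group, the world-open Redis and DNS rules trip lacework-global-152 and -222, the ICMP rule trips -127, the all-traffic rule trips -148, and the SSH rule trips only -149 because port 22 has no dedicated row in this addendum (it is covered by the CIS benchmark the addendum supplements). The MySQL rule scoped to 10.0.0.0/8 is correctly ignored, as is the whole hardened group.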
5: Lambda
Title | Lacework Policy ID | Severity |
---|---|---|
Lambda Function should not have Admin Privileges | lacework-global-179 | Critical |
Lambda Function should not have Cross Account Access | lacework-global-180 | Critical |
Lambda Function should have tracing enabled | lacework-global-143 | High |
Lambda Function should not have VPC access | lacework-global-144 | Low |
6: General Security
Title | Lacework Policy ID | Severity |
---|---|---|
EC2 instance does not have any tags | lacework-global-89 | High |
Encrypt Elastic Block Store (EBS) Volumes | lacework-global-90 | Medium |
Ensure No Public EBS Snapshots | lacework-global-160 | Critical |
Ensure RDS database is encrypted with customer managed KMS key | lacework-global-171 | Critical |
Ensure Redshift Cluster is encrypted | lacework-global-91 | Critical |
Ensure no server certificate has been uploaded before Heartbleed vulnerability | lacework-global-92 | Critical |
Ensure ELB has latest Secure Cipher policies Configured for Session Encryption | lacework-global-182 | Critical |
Ensure ELBv2 has latest Secure Cipher policies Configured for Session Encryption | lacework-global-224 | Critical |
Ensure ELB is not affected by POODLE Vulnerability (CVE-2014-3566) | lacework-global-183 | Critical |
OpenSearch Domain should have Encryption At Rest enabled | lacework-global-124 | High |
OpenSearch Domain should have Encryption with KMS (Customer Managed Keys) | lacework-global-161 | High |