Lacework AWS Security Addendum 1.0

The Lacework AWS Security Addendum 1.0 framework supplements the CIS AWS 1.4.0 Benchmark with policies for AWS S3, IAM, Lambda, networking, analytics, database, and general security.

Once you have integrated your Amazon Web Services (AWS) environment with Lacework, you can check whether your resources are compliant with the framework recommendations.

Visibility and Usage in the Lacework Console

You can use the Lacework AWS Security Addendum 1.0 in the following ways:

Prerequisites

Ensure you have integrated your AWS environment with the Lacework Compliance platform. Completing this will prepare your environment for the Lacework AWS Security Addendum 1.0:

  • Integrate Lacework with AWS
    • A Configuration integration is the minimum requirement for your accounts/organizations to gain access to our Compliance platform functionality.

Previous Integrations using Terraform

If you have previously integrated AWS with Lacework using Terraform before this benchmark was available:

  1. Enter the directory containing the Terraform files used for the integration.
  2. Run terraform init -upgrade to initialize the working directory (containing the Terraform files).
  3. Run terraform plan and review the changes that will be applied.
  4. Once satisfied with the changes that will be applied, run terraform apply to upgrade the modules.

Lacework AWS Security Addendum Policies

All policies in the Lacework AWS Security Addendum are enabled by default.

You can enable or disable them using either of the methods outlined in this section.

Enable or Disable Policies in the Lacework Console

On the Policies page, use the framework:aws-lacework-security-1-0 tag to filter for Lacework AWS Security Addendum policies only.

You can enable or disable each one using the status toggle.

Alternatively, see Batch Update Policies to enable or disable multiple policies at once.

note

Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.

Enable or Disable Policies using the Lacework CLI

Enable or disable all the Lacework AWS Security Addendum policies using the following commands in the Lacework CLI:

Enable all policies
lacework policy enable --tag framework:aws-lacework-security-1-0
Disable all policies
lacework policy disable --tag framework:aws-lacework-security-1-0

Enable or disable specific Lacework AWS Security Addendum policies using the following command examples in the Lacework CLI:

Enable lacework-global-117
lacework policy enable lacework-global-117
Disable lacework-global-117
lacework policy disable lacework-global-117

Policy Mapping for Lacework AWS Security Addendum Policies

The Lacework AWS Security Addendum policies are listed in the following tables.

Table key:

  • Title - The policy/control title.
  • Lacework Policy ID - The Lacework policy identifier.
  • Severity - The severity of the policy (as determined by Lacework).

note

All policies in the Lacework AWS Security Addendum are automated. This means the Lacework platform monitors your environment resources to check whether they are compliant with these policies.

Title                                                          Lacework Policy ID   Severity
-------------------------------------------------------------  -------------------  --------
Ensure access keys are rotated every 30 days or less           lacework-global-115  Medium
Ensure access keys are rotated every 45 days or less           lacework-global-116  Medium
Ensure public ssh keys are rotated every 30 days or less       lacework-global-117  Medium
Ensure public ssh keys are rotated every 45 days or less       lacework-global-118  Medium
Ensure public ssh keys are rotated every 90 days or less       lacework-global-119  High
Ensure active access keys are used every 90 days or less       lacework-global-120  High
IAM user should not be inactive for more than 30 days          lacework-global-121  Medium
Ensure non-root user exists in the account                     lacework-global-181  Medium
Ensure access keys are rotated every 350 days or less          lacework-global-142  Medium
Ensure access keys are rotated every 180 days or less          lacework-global-141  Critical
No IAM users with password-based console access should exist   lacework-global-105  Medium
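As an added example (not Lacework's own code), the following Python evaluates a constructed IAM credential report against the access-key and IAM-user thresholds in the table above, so you can see which rows a given user would fail before the platform reports it. It assumes the column names of the AWS IAM credential report (user, password_enabled, password_last_used, access_key_1_active, access_key_1_last_rotated, access_key_1_last_used_date), checks only the first access key, and skips the public SSH key policies because the credential report does not include SSH public keys.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed sample using a subset of the AWS IAM credential report columns (ISO 8601 dates).
SAMPLE_REPORT = """user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,true,2024-01-10T08:00:00+00:00,true,2023-09-01T00:00:00+00:00,2024-01-09T00:00:00+00:00
bob,false,N/A,true,2024-01-05T00:00:00+00:00,2023-10-01T00:00:00+00:00
carol,false,no_information,false,N/A,N/A
"""

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Access-key rotation policies from the table: policy ID -> maximum key age in days.
KEY_AGE_POLICIES = {
    "lacework-global-115": 30,
    "lacework-global-116": 45,
    "lacework-global-141": 180,
    "lacework-global-142": 350,
}

def age_days(value, now=NOW):
    """Days since an ISO timestamp from the report; None when the field holds no date."""
    if value in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(value)).days

def evaluate(report_csv=SAMPLE_REPORT, now=NOW):
    """Map each violated policy ID to the IAM user names that violate it."""
    findings = {}
    def flag(policy, user):
        findings.setdefault(policy, []).append(user)
    for row in csv.DictReader(StringIO(report_csv)):
        user = row["user"]
        key_used = age_days(row["access_key_1_last_used_date"], now)
        if row["access_key_1_active"] == "true":
            rotated = age_days(row["access_key_1_last_rotated"], now)
            for policy, limit in KEY_AGE_POLICIES.items():
                if rotated is not None and rotated > limit:
                    flag(policy, user)
            if key_used is None or key_used > 90:
                flag("lacework-global-120", user)  # active key not used in the last 90 days
        if row["password_enabled"] == "true":
            flag("lacework-global-105", user)  # password-based console access exists
        # lacework-global-121: no console sign-in and no key use at all in the last 30 days
        activity = [d for d in (age_days(row["password_last_used"], now), key_used) if d is not None]
        if not activity or min(activity) > 30:
            flag("lacework-global-121", user)
    return findings
```

With the constructed sample, alice fails the 30- and 45-day rotation policies and the console-password policy, bob fails the 90-day key-use and 30-day inactivity policies, and carol is flagged only as inactive.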