
Modify Compliance and Violation Policies

You can modify compliance and violation policies individually or several at a time, as described here. To do so, you must be a user with policy write permissions in the Lacework Console.

Change a Policy Configuration

You can modify a custom policy from its Policy Details pane, which you open by finding and clicking the policy on the Policies page. To modify the policy, click the edit icon and change the settings as needed.

The configuration page lets you modify any of the policy settings that are available when creating a policy.

Different policy types offer different configuration options. For compliance and violation policies, you can update any setting, such as the LQL query that drives the policy assessment, except the policy type: the type of an existing policy cannot be changed after the policy is created. For more information about creating compliance and violation policies, see Create Custom Policies.

Disable/Enable Policies

Disabling a policy suspends its effects. Specifically, for compliance and violation policies, disabling means that Lacework stops evaluating the disabled policies, so no violations are recorded for them. This has the following effects in the various Console pages:

  • On the Policies page, the disabled policy does not contribute to overall policy metrics on coverage and policy types.
  • On the Alerts page, alerts are not generated from any disabled policies.

In addition, for compliance policies:

  • On the Cloud Compliance page, disabled policies are unavailable for use in any framework.
  • On the Reports page, disabled policies are excluded from reports.
  • In the framework builder, you cannot map disabled policies to frameworks.

To enable or disable policies from the Lacework Console:

  1. Click Policies from the navigation menu.
  2. Search for the name of the policy you want to disable or enable.
  3. Find the policy and click the toggle button to disable or enable the policy.

You can also update multiple policies at once, as described in Batch Update Policies.

Delete Policies

To remove a custom policy, open it from the Policies page and click the delete icon. A deleted policy is no longer assessed, no longer appears in reports, and no longer generates alerts.

Batch Update Policies

Modifying many policies one at a time is slow. If you want to enable or disable many policies at once, update them as a batch.

The policies in a batch update should all be of the same type, for example, Configuration. A policy's type appears in the Type field of its Details pane.

note

Vulnerability policies are not currently supported for batch enable/disable operations.

To enable or disable multiple policies at once, select the checkbox next to each policy and click Enable/Disable. If the operation cannot be applied to some of the selected policies (for example, because a policy cannot be enabled), those policies are listed, and you can confirm or cancel the operation.

The batch update feature is most useful when used with search filters. By filtering the policy list first, you can quickly select and modify many policies with just a few clicks.

For example, to disable legacy AWS policies only, follow these steps:

  1. In the Policies page, expand the Domain filter options, choose AWS and click Show results.

  2. For the Rule type, choose Legacy and click Show results.

  3. For Status, choose Enabled. The list now shows only enabled, legacy AWS policies.

  4. Select policies on the page manually using the multi-select checkboxes, or click the down arrow next to the checkbox and choose Select all.

  5. Click Enable/Disable.

  6. Click Disable assessments for all n selected policies, then click Save changes in the dialog box that appears.

    If you have selected any policies to which the operation cannot be applied, they are listed, giving you the option to cancel or proceed to apply the change to the remaining policies.
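The same batch workflow can be scripted against the Lacework CLI when the Console filters are not enough (for example, to drive a change from CI). The following is an added example, not code from the Lacework documentation or CLI. It assumes the JSON returned by `lacework policy list --json` carries `policyId`, `policyType`, `enabled` and `tags` fields (field names are assumptions; check them against your own output), and that `lacework policy enable <id>` and `lacework policy disable <id>` exist in your installed CLI version (confirm with `lacework policy --help`). The sample data is constructed inline so the planning logic runs offline; it applies the same rules as the Console: one policy type per batch, Vulnerability policies excluded, and policies the operation cannot apply to listed with a reason before anything is changed.

```python
"""Plan and (optionally) apply a batch enable/disable of Lacework policies.

Added example; not part of the Lacework docs or CLI. Field names and the
`lacework policy enable|disable <id>` subcommands are assumptions.
"""
from __future__ import annotations

import json
import subprocess
from dataclasses import dataclass, field

# Constructed sample approximating `lacework policy list --json` output.
SAMPLE_POLICIES = json.loads("""[
  {"policyId": "lacework-global-1", "policyType": "Compliance", "enabled": true,
   "tags": ["domain:AWS", "subdomain:Configuration"]},
  {"policyId": "lacework-global-2", "policyType": "Compliance", "enabled": false,
   "tags": ["domain:AWS", "subdomain:Configuration"]},
  {"policyId": "lacework-global-3", "policyType": "Compliance", "enabled": true,
   "tags": ["domain:GCP", "subdomain:Configuration"]},
  {"policyId": "lacework-global-4", "policyType": "Violation", "enabled": true,
   "tags": ["domain:AWS", "subdomain:Activity"]},
  {"policyId": "lacework-global-5", "policyType": "Vulnerability", "enabled": true,
   "tags": ["domain:AWS"]}
]""")

# Per the docs, vulnerability policies are not supported for batch enable/disable.
BATCH_UNSUPPORTED = {"Vulnerability"}


@dataclass
class BatchPlan:
    apply: list[str] = field(default_factory=list)    # policy IDs the change applies to
    skipped: dict[str, str] = field(default_factory=dict)  # policy ID -> reason


def select_policies(policies, *, domain=None, policy_type=None, enabled=None):
    """Mirror the Console filters: Domain (tag), Type and Status."""
    selected = []
    for p in policies:
        tags = set(p.get("tags", []))
        if domain is not None and f"domain:{domain}" not in tags:
            continue
        if policy_type is not None and p.get("policyType") != policy_type:
            continue
        if enabled is not None and bool(p.get("enabled")) != enabled:
            continue
        selected.append(p)
    return selected


def plan_batch(policies, enable: bool) -> BatchPlan:
    """Partition the selection into applicable policies and skipped ones with reasons.

    Enforces one policy type per batch (the type of the first eligible policy)
    and refuses unsupported types, so the caller can review before applying.
    """
    plan = BatchPlan()
    batch_type = None
    for p in policies:
        pid, ptype = p["policyId"], p.get("policyType")
        if ptype in BATCH_UNSUPPORTED:
            plan.skipped[pid] = f"{ptype} policies are not supported for batch enable/disable"
        elif batch_type is not None and ptype != batch_type:
            plan.skipped[pid] = f"type {ptype} differs from batch type {batch_type}"
        elif bool(p.get("enabled")) == enable:
            plan.skipped[pid] = "already " + ("enabled" if enable else "disabled")
        else:
            batch_type = batch_type or ptype
            plan.apply.append(pid)
    return plan


def run_batch(plan: BatchPlan, enable: bool, dry_run: bool = True) -> dict[str, str]:
    """Apply the plan one policy at a time via the CLI; dry_run only reports the commands."""
    verb = "enable" if enable else "disable"
    results = {}
    for pid in plan.apply:
        cmd = ["lacework", "policy", verb, pid]   # assumed CLI subcommand
        if dry_run:
            results[pid] = "dry-run: " + " ".join(cmd)
            continue
        proc = subprocess.run(cmd, capture_output=True, text=True)
        results[pid] = "ok" if proc.returncode == 0 else f"failed: {proc.stderr.strip()}"
    return results


if __name__ == "__main__":
    # Disable every enabled AWS policy, reviewing the plan before applying.
    chosen = select_policies(SAMPLE_POLICIES, domain="AWS", enabled=True)
    plan = plan_batch(chosen, enable=False)
    print(json.dumps({"apply": plan.apply, "skipped": plan.skipped}, indent=2))
    print(json.dumps(run_batch(plan, enable=False, dry_run=True), indent=2))
```

Against live data, replace `SAMPLE_POLICIES` with `json.loads(subprocess.check_output(["lacework", "policy", "list", "--json"]))` and pass `dry_run=False` only after reviewing the printed plan; the `skipped` map is the scripted equivalent of the Console dialog that lists policies the operation cannot be applied to.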