Posture management policies in Lacework consist of cloud configuration compliance policies, Kubernetes configuration compliance policies, and cloud activity violation policies.
Lacework includes numerous built-in compliance and violation policies. You can view these policies in the Policies dashboard. Select a policy for more information, including a summary, description, and context.
You can use the Lacework CLI or API to work with policies in their YAML format. To view an example policy definition in YAML format, see Create a Policy with the CLI.
The policies discussed here are based on Lacework Query Language (LQL) queries. Not all Lacework policies are LQL-based. Non-LQL policies consist of a rule made up of one or more condition statements. For information on modifying non-LQL policies, see Clone Policies.
To create or modify a policy, you should be familiar with LQL syntax and usage. See the LQL documentation for more information.
View Posture Policies
You can view posture management policies in the Policy page. To quickly filter the view by compliance policies, for example, choose security:compliance as the filtering criteria from the Tags menu. See View Policies for more information on navigating the Policy page.
You can view the results of configuration policy evaluations as reports. Reports are generated from assessments, each of which is a collection of configuration compliance policies. You can view assessments in the Cloud Compliance and Kubernetes Compliance dashboards.
Create Compliance and Violation Policies
Lacework includes numerous built-in policies, which you can supplement with your own custom policies.
The best way to get started with custom policies is to clone an existing policy that is similar to the one you want to create. Cloning a policy creates a new, independent policy based on the original policy. That is, if the original policy is changed, the change is not propagated to the clone.
Not all policies can be cloned, however; in that case you create a new policy from scratch. To create a new policy, use the UI, CLI, or API. Whichever method you use, the policy properties are the same: each policy has an ID, field, severity, query, and other properties.
Lacework Query Language
At the core of a compliance or violation policy is a Lacework Query Language (LQL) query.
LQL is a SQL-like query language for specifying the selection, filtering, and manipulation of data from a datasource. Queries let you interactively request information from curated datasources. Currently, LQL can access the integrated resources listed on Manage Integrated AWS Resources, Manage Integrated GCP Resources, and Manage Integrated Azure Resources.
For more information on LQL, see LQL Overview.
You can create custom policies against two types of data sources:
- Data sources that contain configuration information about the supported cloud resources/service type. You can write either compliance or violation policies against data sources that contain configuration information.
- Data sources that contain observability information (event logs and user activities) about the cloud resources. You can only write custom violation policies against these data sources.
The table below summarizes the behavior:
| | Compliance policies | Violation policies |
|---|---|---|
| Supported data sources | Configuration information about cloud resources | • Configuration information about cloud resources<br>• Observability (events and audit logs) about cloud resources |
| Applied to assessment templates? | Yes | No (alerts only) |
| Results in assessment and reports? | Yes | No (alerts only) |
| Generate alerts for policy violations? | Yes | Yes |
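To make the policy properties and the LQL query concrete, here is an added illustrative pair of definitions (not taken from the Lacework documentation): a query that returns security groups admitting SSH from any address, and a violation policy that evaluates it and, per the table above, only raises alerts. The datasource and field names, the array_to_rows() form, the query and policy identifiers and the alert profile name are assumptions; verify them against the datasource schema and the Create a Policy with the CLI page before use.

```yaml
# Query definition (a separate object from the policy; referenced by queryId).
# Datasource, RESOURCE_CONFIG field names and array_to_rows() usage are
# assumptions: confirm them against the datasource schema in your account.
queryId: LW_Custom_AWS_SG_SSH_Open_To_World   # constructed identifier
queryText: |-
  {
    source {
      LW_CFG_AWS_EC2_SECURITY_GROUPS sg,
      array_to_rows(sg.RESOURCE_CONFIG:IpPermissions) as (perm),
      array_to_rows(perm:IpRanges) as (cidr)
    }
    filter {
      perm:IpProtocol = 'tcp'
      and perm:FromPort <= 22
      and perm:ToPort >= 22
      and cidr:CidrIp = '0.0.0.0/0'
    }
    return distinct {
      sg.ACCOUNT_ID,
      sg.ARN,
      sg.RESOURCE_REGION,
      cidr:CidrIp
    }
  }
---
# Policy definition: the properties named on this page (ID, severity, query)
# plus alerting settings. Violation policies are not part of assessments.
policyId: lwcustom-sg-ssh-open-to-world       # constructed; must be unique
title: Security group allows SSH (tcp/22) from 0.0.0.0/0
enabled: true
policyType: Violation                         # alerts only, no report results
queryId: LW_Custom_AWS_SG_SSH_Open_To_World   # the query defined above
alertEnabled: true
alertProfile: LW_CFG_AWS_DEFAULT_PROFILE      # assumed predefined profile name
evalFrequency: Hourly
limit: 1000                                   # maximum records a policy returns
severity: high
description: >-
  Flags EC2 security groups with an inbound rule that exposes SSH
  to the entire Internet.
remediation: >-
  Restrict the inbound SSH rule to known management CIDR ranges or
  remove it and use Session Manager or a bastion host instead.
```

The query and policy are two objects; create the query first so the policy's queryId resolves.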
Use alert profiles to define how your LQL query assessments get consumed into events and alerts. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profile, extend an existing alert profile and add custom templates to it.
See Alert Profile Overview for more information.
Use the API or CLI to Create Policies
The topics in this section describe how to create policies in the Lacework Console. Alternatively, you can use the Lacework API or CLI to create custom policies. The following limits apply:
- The maximum number of records that each policy will return is 1000.
- The maximum number of API calls is 120 per hour for on-demand LQL query executions and LQL policy create, read, update, and delete operations.