February 2023 Platform Releases
Release Notes
- Compliance policy update for lacework-global-217 (Lacework AWS Security Addendum 1.0) - This policy will now only check for unencrypted S3 buckets, removing the check for S3 buckets without an SSE policy. This is due to a change by Amazon to automatically encrypt all new object uploads to Amazon S3.
- Kubernetes audit log policy changes - Changes include the following:
  - To reduce the number of alerts generated by some policies for Kubernetes audit logs (EKS and GKE), Lacework introduces the following new anomaly policies:
    - K8s new registry used
    - K8s new sensitive access to pod
    - K8s new user access to pod
    - New K8s webhook change
    - New sensitive configmaps access
  - The following policies for K8s audit logs (EKS and GKE) are now disabled by default because they are covered by anomaly policies:
    - Cluster role created or modified - lacework-global-194
    - Cluster role granting permissions on pods/exec - lacework-global-195
    - ClusterRoleBinding created for cluster-admin role - lacework-global-191
    - Ephemeral container attached to pod - lacework-global-165
    - kubectl attach to container process - lacework-global-164
    - Kubernetes namespace creation - lacework-global-177
    - Role or cluster role created with access to secrets - lacework-global-193
    - Role or cluster role created with wildcarded resources or verbs - lacework-global-192
    - Successful command execution on container - lacework-global-158
    - Usage of kubernetes Port Forward - lacework-global-163
  - To see the mapping of the disabled policies to anomaly policies, see Disabled Policies Mapped to Anomaly Policies.
- Composite alerts - Composite analysis uses multiple detections to define more specific alert conditions. This technique allows Lacework to accurately raise a composite alert when an intrusion is suspected.
  With composite alerts, Lacework further alleviates alert fatigue by automatically correlating disparate events across multiple detection sources into higher-level objects.
- New AWS Agentless Workload Scanning integration option for AWS Organizations (using Terraform) - Use the Automatic Snapshot Role Integration (Terraform) for AWS Organizations to automatically pick up and integrate new AWS accounts that are added to your AWS Organization.
Public Preview
- Linux Agent can now detect active and inactive packages on hosts - Use the Package Status filter in Host Vulnerability to see active or inactive vulnerable packages on hosts. See Host Vulnerability - Package Status for details.
  - Additionally, the Package Status filter can be used when downloading a CSV.
- Bulk Update Policy API - The Bulk Update Policy API lets you programmatically change the status or severity of multiple policies at a time. For more information, see Bulk Policy Update.