April 2024 Platform Releases
Generally Available
The AWS Foundational Security Best Practices (FSBP) Standard is now available as a compliance framework - See our AWS FSBP Standard guide for details.
- This initial release contains critical severity policies only.
Compliance dashboard updates - The details view for a framework, which you can access by clicking a framework from the list at the bottom of the Frameworks tab of the Cloud Compliance dashboard, has been improved as follows:
- In the Policies tab, the assessment results for resources (shown in the Resources column) now have four possible values. Instead of just pass and fail, the column now shows the number of resources that are non-compliant (formerly failed), compliant (formerly passed), not assessed, and excepted.
- If you expand the result details in the Resources column, you can now filter visible resources based on the same status results: non-compliant, compliant, not assessed, and excepted. This enables you to quickly view resources based on a status, such as those that were not assessed.
- In the Resources tab, the sub-tab labels have been renamed to Non-compliant, Compliant, and Excluded.
Compliance policy title and content updates - See Latest Changes (15th April 2024) in the Compliance Policy Catalog for details.
Violation policy title updates - Title improvements have been made to 9 AWS CloudTrail policies and 1 Kubernetes Audit Log policy.
| Policy ID | Old Title | New Title |
| --- | --- | --- |
| lacework-global-3 | NACL Change | Network Access Control List (NACL) Change |
| lacework-global-6 | New VPN Connection | New Virtual Private Network (VPN) Connection |
| lacework-global-7 | VPN Gateway Change | Virtual Private Network (VPN) Gateway Change |
| lacework-global-13 | IAM Access Key Change | Identity and Access Management (IAM) Access Key Change |
| lacework-global-15 | New Customer Master Key | New Key Management Service (KMS) Key |
| lacework-global-16 | New Customer Master Key Alias | New Key Management Service (KMS) Key Alias |
| lacework-global-17 | Customer Master Key Disabled | Key Management Service (KMS) Key Disabled |
| lacework-global-19 | New Grant Added to Customer Master Key | New Grant Added to Key Management Service (KMS) Key |
| lacework-global-28 | New VPC | New Virtual Private Cloud (VPC) |
| lacework-global-202 | Ingress created without TLS | Ingress created without Transport Layer Security (TLS) |

New datasource support - We’ve recently added datasource support for these additional AWS services:
In addition, we’ve expanded support for these services: RDS, WAF, SSM, ELB, EC2 Elastic Beanstalk, CloudTrail, and CloudFormation.
For details, see Datasource Metadata. Note that the introduction of new services may require you to modify the privileges of the Lacework user in your cloud accounts. For more information, see Maintain Cloud Integrations with Terraform.
Context panels for resources in the Cloud Compliance Dashboard are now available - See Context Panels for Resources for details.
New composite alert - The Potential penetration test alert helps you respond faster when Lacework detects suspected penetration-testing (red/blue/purple team) activity by providing specific, detailed context. These details help you distinguish genuine penetration-testing activity from actual malicious activity.
Limited Availability
- Update to Code Security Infrastructure as Code (IaC) Terraform scanning - We've introduced fixes to how our IaC scanner resolves Terraform module references, as well as fixes to some Terraform checks. As a result, you may see a change in the number of findings for Terraform assessments, including the addition of valid true positive violations and the removal of false negative violations.