Lacework Compliance Policy Catalog

Lacework offers a range of out-of-the-box compliance policies for Cloud Providers and Kubernetes.

These compliance policies form our built-in Compliance Frameworks.

You can view individual policy information in this section (grouped by framework).

Note: This catalog will continue to grow as new frameworks and policies are added.

Upcoming Changes

No upcoming changes.

Latest Changes

Tip: View the Compliance Policy Changelog for a history of all changes.

27th March 2024

Added

Changed

Content and title improvements have been made to 25 compliance policies.

Note: Only the wording of these policies has been updated; the functionality of the underlying queries is unchanged.

| Policy ID | Old Title | New Title |
| --- | --- | --- |
| lacework-global-44 | Ensure IAM Users Receive Permissions Only Through Groups | Ensure Identity and Access Management (IAM) Users Receive Permissions Only Through Groups |
| lacework-global-49 | Ensure MFA Delete is enabled on S3 buckets | Enable Multi-Factor Authentication (MFA) Delete on S3 buckets |
| lacework-global-55 | Ensure CloudTrail trails are integrated with CloudWatch Logs | Integrate CloudTrail trails with CloudWatch Logs |
| lacework-global-87 | Ensure the default security group of every VPC restricts all traffic | Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic |
| lacework-global-90 | Ensure EBS Volumes are Encrypted | Encrypt Elastic Block Store (EBS) Volumes |
| lacework-global-240 | Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps | Restrict API Keys To Use by Only Specified Hosts and Apps |
| lacework-global-256 | Ensure Cloud Asset Inventory Is Enabled | Enable Cloud Asset Inventory |
| lacework-global-277 | Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | Set the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance to 'On' |
| lacework-global-285 | Ensure 'external scripts enabled' database flag for Cloud SQL on SQL Server instance is set to 'off' | Set 'external scripts enabled' database flag for Cloud SQL on SQL Server instance to 'off' |
| lacework-global-313 | Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | Encrypt All BigQuery Tables With Customer-Managed Encryption Key (CMEK) |
| lacework-global-339 | Minimize the admission of containers wishing to share the host IPC namespace | Minimize the admission of containers wishing to share the host Inter-Process Communication (IPC) namespace |
| lacework-global-358 | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | Encrypt Kubernetes Secrets using Customer Managed Keys (CMKs) managed in AWS Key Management Service (KMS) |
| lacework-global-360 | Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | Create clusters with Private Endpoint Enabled and Public Access Disabled |
| lacework-global-534 | Ensure Private Endpoints are used to access Storage Accounts | Use Private Endpoints to access Storage Accounts |
| lacework-global-543 | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Set 'Enforce SSL connection' to 'ENABLED' for PostgreSQL Database Server |
| lacework-global-569 | Ensure that SSH access from the Internet is evaluated and restricted | Evaluate and restrict SSH access from the Internet |
| lacework-global-622 | Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | Set Microsoft Defender for SQL to 'On' for critical SQL Servers |
| lacework-global-640 | Ensure that Private Endpoints are Used for Azure Key Vault | Use Private Endpoints for Azure Key Vault |
| lacework-global-650 | Minimize the execution of container workloads sharing the host IPC namespace | Minimize the execution of container workloads sharing the host Inter-Process Communication (IPC) namespace |
| lacework-global-652 | Minimize the execution of container workloads that can escalate their privileges above those of their parent process | Minimize the execution of container workloads that can escalate their privileges beyond those of their parent process |
| lacework-global-670 | Ensure IAM administrators cannot update tenancy Administrators group | Ensure Identity and Access Management (IAM) administrators cannot update tenancy Administrators group |
| lacework-global-686 | Ensure the default security list of every VCN restricts all traffic except ICMP | Ensure the default security list of every Virtual Cloud Network (VCN) restricts all traffic except Internet Control Message Protocol (ICMP) |
| lacework-global-691 | Ensure default tags are used on resources | Use default tags on resources |
| lacework-global-708 | Ensure Object Storage Buckets are encrypted with a Customer Managed Key (CMK) | Encrypt Object Storage Buckets with a Customer Managed Key (CMK) |
| lacework-global-710 | Ensure Block Volumes are encrypted with Customer Managed Keys (CMK) | Encrypt Block Volumes with Customer Managed Keys (CMK) |

20th March 2024

Changed

Query improvements have been made to the following policies, fixing an issue where some non-compliant S3 buckets were flagged as compliant: