Skip to main content

Compliance Reports

The Lacework cloud security platform provides continuous compliance monitoring against cloud security best practices and compliance standards such as CIS, PCI DSS, SOC II, and HIPAA benchmark standards.

Compliance reports run automatically within the Lacework platform on a regular basis, typically once a day. You can use the lacework compliance command to interact with the three major cloud providers we support, AWS, Google Cloud, and Azure Cloud.

To integrate one or more cloud accounts, use this command:

lacework cloud-accounts iac [cloud]

To configure the integration via the Lacework Console, log in to your account at:

https://<ACCOUNT>.lacework.net

Then navigate to Settings > Integrations > Cloud Accounts.

Compliance for AWS

List Configured Accounts

To list all AWS accounts configured in your account.

lacework compliance aws list

Get Compliance Report

To visualize a compliance report for an AWS account.

lacework compliance aws get-report <account_id>
  • Extend the details of a compliance report by providing the --details flag
  • Download the report in PDF format by specifying the --pdf flag
  • Output the report in CSV format with the --csv flag
  • Filter the recommendations table with --category, --severity, --status, --service flags
  • To work with a different report type, use the --type flag (default report type is CIS)

To use filtering flags on a compliance report.

lacework compliance aws get-report <account_id> --category s3 --status non-compliant --severity high

To show recommendation details and affected resources for a recommendation ID.

lacework compliance aws get-report <account_id> [recommendation_id]

Run Compliance Assessment

To run an ad-hoc compliance assessment use the command:

lacework compliance aws run-assessment <account_id>

Compliance for Google Cloud

List Configured Organizations/Projects

To list all GCP organizations and projects configured in your account.

lacework compliance gcp list
note

When integrating single GCP projects, this command displays the organization ID as n/a, which must be used as a parameter in subsequent commands as the <organization_id>.

Get Compliance Report

To visualize a compliance report for a GCP project.

lacework compliance gcp get-report <organization_id> <project_id> 
  • Extend the details of a compliance report by providing the --details flag
  • Download the report in PDF format by specifying the --pdf flag
  • Output the report in CSV format with the --csv flag
  • Filter the recommendations table with --category, --severity, --status, --service flags
  • To work with a different report type, use the --type flag (default report type is CIS)

To use filtering flags on a compliance report.

lacework compliance gcp get-report <organization_id> <project_id> --category networking --status non-compliant --severity high

To show recommendation details and affected resources for a recommendation id.

lacework compliance gcp get-report <organization_id> <project_id> [recommendation_id]

Run Compliance Assessment

To run an ad-hoc compliance assessment use the command:

lacework compliance gcp run-assessment <org_or_project_id> 

Compliance for Azure Cloud

List Configured Tenants/Subscriptions

To list all Azure tenants and subscriptions configured in your account.

lacework compliance azure list

Get Compliance Report

To visualize a compliance report for an Azure subscription.

lacework compliance azure get-report <tenant_id> <subscription_id>
  • Extend the details of a compliance report by providing the --details flag
  • Download the report in PDF format by specifying the --pdf flag
  • Output the report in CSV format with the --csv flag
  • Filter the recommendations table with --category, --severity, --status, --service flags
  • To work with a different report type, use the --type flag (default report type is CIS)

To use filtering flags on a compliance report.

lacework compliance azure get-report <tenant_id> <subscription_id> --category storage --status non-compliant --severity high

To show recommendation details and affected resources for a recommendation id.

lacework compliance azure get-report <tenant_id> <subscription_id> [recommendation_id]

Run Compliance Assessment

To run an ad-hoc compliance assessment use the command:

lacework compliance azure run-assessment <tenant_id>