Manage Alerts with CLI Commands
Use the commands listed on this page to manage and resolve compliance alerts within your AWS infrastructure.
Discover Fixable Alerts
Get all fixable alerts by running the following command:
lacework alert list --fixable
Below is what you will see on the CLI:
❯ lacework alert list --fixable
ALERT ID | TYPE | NAME | SEVERITY | START TIME | END TIME | STATUS
-----------+-------------------+--------------------+----------+--------------------------+--------------------------+---------
222172 | ComplianceChanged | Compliance changed | Medium | 2023-01-30T08:00:00.000Z | 2023-01-30T09:00:00.000Z | Open
Use 'lacework alert show <alert_id>' to see details for a specific alert.
Use 'lacework remediate alert <alert_id>' to fix a specific alert.
Fix an Alert
The remediation of an alert consists of several steps (initialization, resource selection, plan, apply, etc.). These steps are represented as flags for the lacework remediate alert command.
Initialization:
When issuing this command without any flags, Lacework will initialize (persist to disk) the remediation package. This prepares the remediation package without executing any automation (making changes).
lacework remediate alert 12345
Planning:
Use --plan to generate an execution plan. This shows the actions Lacework would take to apply the remediation (without making changes).
lacework remediate alert 12345 --plan
Resource Selection:
Use --resources to select and deselect resources.
lacework remediate alert 12345 --resources
Application:
Use --apply to apply the remediation.
lacework remediate alert 12345 --apply
Rollback:
Use --rollback to roll back the remediation (if supported).
lacework remediate alert 12345 --rollback
Passing Credentials
The remediate component leverages the AWS CLI. When invoking the CLI, environment variables from the current environment are passed through to the component and the aws commands.
A specific profile from your AWS credential file can be specified using the --aws-profile flag. Below is an example command:
lacework remediate alert 12345 --apply --aws-profile security-engineering-admin
You can also use AWS Vault, a tool to securely store and access AWS credentials in a development environment. Below is an example command:
aws-vault exec security-engineering-admin -- lacework remediate alert 12345 --apply
Passing User Data
Use --userdata to specify user-defined variables inline.
lacework remediate alert 12345 --userdata user=someuser --userdata other=someother
Starting Over
Use --clean to start over (delete the local remediation package).
lacework remediate alert 12345 --clean
Setting a dedicated AWS IAM role
By default, AWS Remediations are set to assume the IAM role lacework-remediation before executing any actions. This ensures that all actions performed by the Lacework CLI tool can be traced back to the role. If you want to bypass the role assumption step, use the --no-assume-role flag.
lacework remediate alert 12345 --no-assume-role
You can also define the name of the role to assume with the --aws-role-name flag:
lacework remediate alert 12345 --aws-role-name my-iam-role
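The plan-before-apply workflow from the Fix an Alert section, combined with the profile and role flags above, as an added shell example that is not Lacework's own code. It parses a constructed copy of the lacework alert list --fixable table (assuming the column layout shown on this page), keeps only alerts whose status is Open, and prints the initialize, plan and, on request, apply commands for each one instead of running them; the profile name security-engineering-admin is the page's placeholder and the role name is the documented default.

```shell
#!/bin/sh
# Added example, not part of the Lacework CLI. Turns the fixable-alert table
# into a review-first (init, plan, then apply) command sequence.
# Assumptions: table columns are as shown on this page; profile/role names are
# placeholders that can be overridden from the environment.

AWS_PROFILE_NAME="${AWS_PROFILE_NAME:-security-engineering-admin}"
AWS_ROLE_NAME="${AWS_ROLE_NAME:-lacework-remediation}"

# Constructed sample of the CLI table output (no network access needed).
SAMPLE_TABLE="ALERT ID | TYPE | NAME | SEVERITY | START TIME | END TIME | STATUS
-----------+-------------------+--------------------+----------+--------------------------+--------------------------+---------
222172 | ComplianceChanged | Compliance changed | Medium | 2023-01-30T08:00:00.000Z | 2023-01-30T09:00:00.000Z | Open
222180 | ComplianceChanged | Compliance changed | High | 2023-01-30T09:00:00.000Z | 2023-01-30T10:00:00.000Z | Closed
Use 'lacework alert show <alert_id>' to see details for a specific alert."

# Print the IDs of alerts whose STATUS column is Open, one per line.
# Skips the header, the separator line and any trailing hint text.
open_fixable_ids() {
    printf '%s\n' "$1" | awk -F'|' '
        NR > 2 && NF >= 7 {
            id = $1; status = $7
            gsub(/^[ \t]+|[ \t]+$/, "", id)
            gsub(/^[ \t]+|[ \t]+$/, "", status)
            if (id ~ /^[0-9]+$/ && status == "Open") print id
        }'
}

# Emit the command sequence for one alert: initialize the package, produce the
# execution plan, and append the apply step only when the mode is "apply".
# Commands are printed, not executed, so they can be reviewed or piped to sh.
remediation_commands() {
    alert_id="$1"; mode="${2:-plan}"
    common="--aws-profile $AWS_PROFILE_NAME --aws-role-name $AWS_ROLE_NAME"
    echo "lacework remediate alert $alert_id $common"
    echo "lacework remediate alert $alert_id --plan $common"
    if [ "$mode" = "apply" ]; then
        echo "lacework remediate alert $alert_id --apply $common"
    fi
}

# Usage: print the plan-only commands for every open fixable alert in the sample.
for id in $(open_fixable_ids "$SAMPLE_TABLE"); do
    remediation_commands "$id" plan
done
```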
Least Privilege
You can access least privilege IAM policies through the show-policy subcommand. These policies include only the essential permissions required to carry out the activities specified in the comprehensive set of remediation templates.
Below is an example:
lacework remediate show-policy aws-iam
Configuration
The Lacework remediate component offers persistence mechanisms for frequently used flags, such as aws-profile and aws-role-name. These mechanisms ensure that these flags are retained and readily available when needed.
For more information about these mechanisms, run the following command:
lacework remediate configure -h