Remediation Templates
The templates in the following table are available for you to leverage:
ID | Title | Description |
---|---|---|
lwcustom-11 | Remove World Writeable Policy for %{bucket} | This remediation template removes world-writable access to the S3 bucket by deleting the bucket policy. |
lacework-global-37 | Ensure IAM password policy requires minimum length of 14 or greater | To enhance account security and protect against brute force login attempts, ensure that the IAM password policy enforces a minimum length of 14 characters or more. Implementing a password complexity policy further strengthens the account's resilience. |
lacework-global-38 | Ensure IAM password policy prevents password reuse | IAM password policies can effectively prevent users from reusing the same password. It is strongly recommended to enforce a password policy that prohibits password reuse. |
lacework-global-40 | Delete non-compliant IAM access key for user | This remediation template deletes a non-compliant IAM access key for a given user. |
lacework-global-41 | Ensure credentials unused for 45 days or greater are disabled | AWS IAM users have various types of credentials, including passwords and access keys, to access AWS resources. It is advisable to deactivate or remove any credentials that have remained unused for 45 days or more. |
lacework-global-46 | Create a support role to manage incidents with AWS Support | AWS offers a support center to provide technical assistance and incident response. This remediation action involves creating a least-privilege role specifically designed for managing incidents with AWS Support. |
lacework-global-48 | Create IAM Access Analyzer | This remediation template enables IAM Access Analyzer for all regions. |
lacework-global-49 | Ensure MFA Delete is enabled on S3 buckets | Enabling MFA Delete on your sensitive and classified S3 bucket ensures that users are required to authenticate using two forms of authentication. Note: Enabling MFA Delete will also activate versioning for the bucket. Once versioning is enabled, it cannot be disabled, although you can choose to suspend versioning on the bucket. |
lacework-global-51 | Enable EBS Encryption | This remediation template enables EBS encryption by default in all regions. |
lacework-global-66 | Ensure a log metric filter and alarm exists for AWS Organization changes | This remediation template adds a log metric filter and alarm, an SNS topic, and a subscription for monitoring AWS Organization changes performed in the master AWS Account. |
lacework-global-73 | Deny HTTP requests to S3 buckets | This remediation template updates the S3 bucket policies to explicitly deny HTTP requests directed towards the respective S3 buckets. |
lacework-global-76 | Ensures AWS Config is enabled in all regions | This remediation template ensures AWS Config is enabled for all regions. In addition to the config recorder and config delivery channel, the config service requires an S3 bucket, SNS topic, and IAM role. |
lacework-global-78 | Enable Customer Managed KMS key rotation | This remediation template enables key rotation for Customer Managed KMS keys that do not already have it enabled. |