
Cloud Compliance Dashboard

Overview

This dashboard provides a consolidated view of your compliance across all cloud providers that are integrated with Lacework.

Navigate to the Cloud Compliance Dashboard in the Lacework Console by selecting Compliance > Cloud.

console-cloud-compliance-dashboard-jun2022.png

To populate the data viewed in this page, you must configure at least one integration to a cloud provider. For more information, see:

Terminology

The Cloud Compliance dashboard uses terminology that differs from the terms used on the AWS, Azure, and GCP Compliance Dashboard and Reports pages.

The table below maps the older terms (left) to the terms used on the Cloud Compliance dashboard (right):

AWS / Azure / GCP Compliance Dashboard & Reports                                  | Cloud Compliance Dashboard
Recommendation, Policy Assessment, Assessment                                    | Policy
Benchmark, Report Type, Report                                                   | Assessment
Violated, In-violation, Failed, Non-compliant                                    | Resources: Fail; Policies: Non-compliant
Compliant, Passed                                                                | Resources: Pass; Policies: Compliant
AWS: Accounts; Azure: Tenants and Subscriptions; GCP: Organizations and Projects | Accounts
Assessed, Monitored, Analyzed                                                    | Assessed
Suppressed                                                                       | Exception

See Groups and Filters for descriptions of the elements within the Cloud Compliance dashboard.

Groups

By default, the Compliance list displays assessments. Change how the list is grouped by selecting a different Group by option from the drop-down:

Group      | Description
Policy     | Displays all policies in the Compliance list (both custom and default).
Assessment | Displays all assessments, such as CIS Benchmark reports, in the Compliance list.
Service    | Displays all integrated cloud provider services, such as Identity and Access Management (IAM) and Networking.
Account    | Displays all integrated cloud accounts.

Filters

Use the following methods to refine what is displayed in the compliance list:

  • Use the search function at the top of the page to find specific text in any of the details available on the page.
  • Click filters along the top of the page to make them active. Remove an active filter by clicking on it again or by clicking the Reset filters icon (reset_all_filters.png). You can also click on the tags in the table list to use them as filters.
  • Click the View all filters icon (filter_icon_blue.png) and select the filters you want to use.

The available filters change depending on what Group by option you have selected:

Filter                         | Groups                                                    | Description
Severity                       | Group by Policy                                           | Display policies for the specified severity (for example: Critical).
Provider                       | All                                                       | Display compliance details for the specified provider: AWS, Azure, or GCP.
Status                         | Group by Policy                                           | Display policies with the specified status (for example: Non-compliant).
Report                         | Group by Policy                                           | Display policies for a specified report (for example: GCP PCI Benchmark).
Account                        | All                                                       | Display compliance details for a specified integrated cloud account (for example: Organization: 123456789101).
Service Categories or Service  | Group by Policy, Group by Assessment, Group by Account    | Display compliance details for the specified service (for example: Storage).

Date

To change the assessment date, select a custom date from the drop-down or use the horizontal arrows to move to the next/previous day.

Only information found during assessment on the specified date is reported. For example, if a number of resources were only integrated with Lacework yesterday, the total number of resources shown in the report 7 days ago would differ from the number shown in today's report.

Save View

When the page displays your selected group and filters, save the current view by clicking the Save view icon in the top right corner. This lets you access the saved view later through the Open view icon.

When you open a saved view, its name displays in the page title as Compliance/Cloud/view name. Click the icon adjacent to this name to access additional actions such as update, reset, save as, rename, and delete.

You can also copy the link to the current view by clicking the Copy link icon. You can then share that link with others, so they can see the same view.

note

Searches and sorting cannot be saved in views or copied as links.

Visible Accounts

Use the Visible accounts dropdowns to filter your Compliance results to specific cloud provider accounts.

console-cloud-compliance-visible_accounts.png

Each cloud provider has a dropdown and all integrated accounts are listed within. Use the search bar to find a specific account (or subset). Check the boxes to change whether Compliance details are displayed for that account.

info

The number of visible accounts is limited to 100 per cloud provider.

Charts

Dashboard Charts

The Cloud Compliance dashboard contains a number of statistics and charts to help visualize your security posture.

important

All charts and statistics actively update to the group, search, and/or filters that you apply to the page.

Statistics

The statistics display the number of integrated cloud accounts that have been assessed, and the total number of exceptions applied across policies.

cloud-dashboard-stats-accounts-exceptions.png

Policies

The Policies chart displays the total number of policies and splits them into the following categories:

  • Policies that are non-compliant when integrated resources were assessed.
  • Policies that are compliant when integrated resources were assessed.
  • Policies that have not been assessed due to the following reasons:
    • Policies require manual auditing.
    • Policies were not assessed due to an error.
    • Policies have exceptions applied to them.

cloud-dashboard-chart-policies.png

Resources

The Resources chart displays the total number of resources and splits them into the following categories:

  • Resources that are non-compliant due to failing a policy assessment (or multiple policy assessments).
  • Resources that are compliant due to passing policy assessments.
  • Resources that have not been assessed due to the following reasons:
    • Resources were not assessed due to an error.
    • Resources have exceptions applied to them.

cloud-dashboard-chart-resources.png

Non-compliant policies by severity

This chart splits non-compliant policies into severity levels of Critical, High, Medium, Low, and Info.

cloud-dashboard-chart-non-compliant-policies-severity.png

Hover over any of the bars to get the exact number of non-compliant policies for that severity.

cloud-dashboard-chart-non-compliant-policies-number.png

Compliance List Charts

Each row in the Compliance list has one or more charts associated with that policy, assessment, service, or account. Which chart(s) the list displays depends on the selected group.

Group by Policy Chart

When Group by Policy is selected, the chart displays the total number of resources linked with that policy and splits them into the following categories:

  • Resources that are non-compliant due to failing the policy assessment.
  • Resources that are compliant due to passing the policy assessment.
  • Resources that have not been assessed due to errors or exceptions.

cloud-dashboard-chart-groupbypolicy.png

Policy Drawer Chart

When you click a policy in the Compliance list, the drawer displays the same chart with added statistics:

  • Total number of exceptions as of the last reported date and time.
    Click View exceptions to see a detailed list of the exceptions applied to the policy.

cloud-drawer-chart-groupbypolicy-resources.png

Hover over the filter icon to see the active filters that are influencing the chart.

cloud-drawer-chart-groupbyservice-non-compliant-resources-filter.png

Group by Assessment/Service/Account Charts

When Group by Assessment/Service/Account is selected, the chart displays the total number of non-compliant policies for that assessment/service/account and splits them into severity levels of Critical, High, or Other (being Medium, Low, and Info combined).

cloud-dashboard-chart-groupbyassessment-non-compliant-policies.png

Additionally, a second chart displays the total number of resources linked with that assessment, service, or account and splits them into the following categories:

  • Resources that are non-compliant due to failing one or more policy assessments.
  • Resources that are compliant due to passing their policy assessments.
  • Resources that have not been assessed due to errors or exceptions.

cloud-dashboard-chart-groupbyassessment-non-compliant-resources.png

Assessment/Service/Account Drawer Charts

When you click an assessment, service, or account in the Compliance list, the drawer displays the same charts with added statistics:

  • Total number of policies associated with the assessment/service/account.
  • Percentage of non-compliant policies associated with the assessment/service/account.
  • Percentage of resources that have failed one or more policy assessments. The arrow indicates whether the number of resources failing policy assessments has increased or decreased since the last report.

cloud-drawer-chart-groupbyservice-non-compliant-resources.png

Hover over the filter icon to see the active filters that are influencing the charts.

cloud-drawer-chart-groupbyservice-non-compliant-resources-filter.png

Compliance List

The Compliance list is below the statistics and charts. Each row displays an individual policy, assessment, service, or account depending on what group is selected.

The Compliance list can be downloaded as a CSV and sorted.

Click a tag link to reload the Compliance list with the tag as the filter.

Group by Policy

When Group by Policy is selected, the Sort by options can order the list by:

  • Number of affected resources
  • Policy name
  • Level of severity

Each row displays compliance details on an individual policy. For example, Ensure access keys are rotated every 90 days or less.

Policy Drawer

Click on a policy row to display detailed policy results (expand this to full screen by using the << icon).

tip

For policies associated with a benchmark rule, click Context (if available) underneath the policy title to see detailed information about the benchmark rule.

The policy drawer shows information underneath the title about when the policy assessment was last updated, and the most relevant tags associated with the policy.

Underneath the chart, the table displays Failed resources associated with the policy.

cloud-drawer-table-options.png
Click on the icons to download the table as a CSV, select columns, view and enable filters, and search for specific text in any of the column details.

The table has the following information in each column:

Column                                                | Description
Resource                                              | Each row displays an individual resource that has failed the policy assessment.
Region                                                | If applicable, the region of the resource.
Status                                                | The status of the assessment: Non-compliant, Could Not Assess, or Exception. Lacework does not list resources that are compliant.
console-cloud-compliance-policy-drawer-options.png    | Click to see additional options for the resource.
Account (hidden by default)                           | The cloud account associated with the resource.

Add Compliance Exceptions

Click the additional options button console-cloud-compliance-policy-drawer-options.png to add a compliance exception for the resource and policy selected.

Group by Assessment

When Group by Assessment is selected, the Sort by options can order the list by:

  • Number of affected resources
  • Number of affected policies
  • Report name

Each row displays compliance details on an individual assessment report. For example, GCP CIS Benchmark 1.2.

Assessment Drawer

Click on an assessment row to display detailed assessment report results (expand this to full screen by using the << icon).

The assessment drawer shows information underneath the title about when the report last ran, when the configuration was last updated, and who last updated it.

Underneath the charts, the table displays policies associated with the assessment report.

cloud-drawer-table-options.png
Click on the icons to download the table as a CSV, select columns, view and enable filters, and search for specific text in any of the column details.

The table has the following information in each column:

Column      | Description
Control ID  | The unique identifier for the recommendation. For CIS Benchmark reports this usually corresponds to the CIS Benchmark rule ID.
Policy Name | Each row displays an individual policy associated with the assessment report. Click the name to view the policy assessment details.
Resources   | The number of resources that have passed or failed the policy assessment.
Assessment  | The overall compliance status for the policy. One or more resources failing the policy assessment makes the policy non-compliant.
Severity    | The severity level of the policy.

Group by Service

When Group by Service is selected, the Sort by options can order the list by:

  • Number of affected resources
  • Number of affected policies
  • Service name

Each row displays compliance details on an individual cloud service. For example, Identity and Access Management.

Service Drawer

Click on a service row to display detailed service results (expand this to full screen by using the << icon).

The service drawer shows information underneath the title about when the service assessment was last updated.

Underneath the charts, the table displays policies associated with the service.

cloud-drawer-table-options.png
Click on the icons to download the table as a CSV, select columns, view and enable filters, and search for specific text in any of the column details.

The table has the following information in each column:

Column      | Description
Policy Name | Each row displays an individual policy associated with the service. Click the name to view the policy assessment details.
Resources   | The number of resources that have passed or failed the policy assessment.
Assessment  | The overall compliance status for the policy. One or more resources failing the policy assessment makes the policy non-compliant.
Severity    | The severity level of the policy.

Group by Account

When Group by Account is selected, the Sort by options can order the list by:

  • Number of affected resources
  • Number of affected policies
  • AWS Account name
  • Azure Tenant name
  • GCP Organization name

Each row displays compliance details on an individual cloud provider account. For example, if it's an Azure cloud account, details are displayed for a Subscription in a given Tenant.

Account Drawer

Click on an account row to display detailed account results (expand this to full screen by using the << icon).

The account drawer shows information underneath the title about when the account assessment was last updated.

Underneath the charts, the table displays policies associated with the account.

cloud-drawer-table-options.png
Click on the icons to download the table as a CSV, select columns, view and enable filters, and search for specific text in any of the column details.

The table has the following information in each column:

Column      | Description
Policy Name | Each row displays an individual policy associated with the account. Click the name to view the policy assessment details.
Resources   | The number of resources that have passed or failed the policy assessment.
Assessment  | The overall compliance status for the policy. One or more resources failing the policy assessment makes the policy non-compliant.
Severity    | The severity level of the policy.

Determination of the Could Not Assess Status

In order to assess resources for compliance, Lacework must collect data for each resource. Lacework uses the data collection status to determine which policies have a sufficient amount of quality information to be evaluated, even if there is information for only some of the resources. An issue collecting data could cause the status to be returned as Could not assess.

Some issues that Lacework could encounter when collecting data include the following:

  • Transient failures, for example: rate limits and timeouts
  • Incorrect permissions used by the Lacework collector, which were provided during role setup for the integration

The assessability check maps each of these collection problems to a single Could not assess result rather than guessing at compliance.

Lacework applies the following process to determine if a policy’s status is Could not assess:

  1. At the resource level:
    1. If Lacework can determine non-compliance from the data it did collect, the resource is Non-compliant.
    2. Else, if Lacework cannot determine non-compliance and the data for the resource was not fully collected, the resource is Could not assess.
    3. Else (the data is complete and Lacework finds no non-compliance, or sufficient conditions for compliance), the resource is Compliant.
  2. Lacework aggregates the resource-level observations and determines the policy status for the cloud integration as follows:
    • Non-compliant if any resource is known to be non-compliant
    • Could not assess if no resource is non-compliant, but some resource evaluations were Could not assess
    • Compliant if all resources are known to be compliant

The overall goal is to never report a resource as compliant when it is not. Policy queries need adequately reliable information to determine non-compliance, and the methodology is biased towards establishing non-compliance, not compliance. Because rule 1 is evaluated first, a collection can be marked Could not assess while a policy that uses that collection is still reported as non-compliant: the partial data was enough to prove a violation, just not enough to prove compliance. The granularity of assessment capability will be refined in later releases.
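The decision procedure above, written out as an added example (this is not Lacework's code, and the data model is an assumption made for illustration). It uses the access-key rotation policy mentioned earlier on this page as the check: the observation fields, the sample key IDs and ages are constructed, and the rule that an empty resource set yields Could not assess is an assumption of this example that the page does not state. The second sample key shows the edge case from the paragraph above: its collection was incomplete, yet the partial data already proves a violation, so it is reported as non-compliant rather than Could not assess.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, Optional


class Status(str, Enum):
    NON_COMPLIANT = "Non-compliant"
    COULD_NOT_ASSESS = "Could not assess"
    COMPLIANT = "Compliant"


@dataclass(frozen=True)
class AccessKeyObservation:
    """Assumed collector output for one IAM access key (constructed for this example)."""
    key_id: str
    fully_collected: bool           # False after a timeout, rate limit or denied API call
    age_days: Optional[int] = None  # None when the age field itself could not be fetched


def rotation_violation(obs: AccessKeyObservation, max_age_days: int = 90) -> Optional[str]:
    """Return a finding only if the data that *was* collected proves a violation."""
    if obs.age_days is not None and obs.age_days > max_age_days:
        return f"{obs.key_id}: {obs.age_days} days old, limit is {max_age_days}"
    return None


Check = Callable[[AccessKeyObservation], Optional[str]]


def resource_status(obs: AccessKeyObservation, check: Check) -> Status:
    # Rule 1: a provable violation wins even when the collection was partial.
    if check(obs) is not None:
        return Status.NON_COMPLIANT
    # Rule 2: nothing proven, but the data is incomplete, so compliance cannot be vouched for.
    if not obs.fully_collected:
        return Status.COULD_NOT_ASSESS
    # Rule 3: complete data and no finding.
    return Status.COMPLIANT


def policy_status(observations: Iterable[AccessKeyObservation], check: Check) -> Status:
    statuses = [resource_status(o, check) for o in observations]
    if not statuses:
        # Assumption of this example: with no resources observed, no verdict is given.
        return Status.COULD_NOT_ASSESS
    if Status.NON_COMPLIANT in statuses:
        return Status.NON_COMPLIANT
    if Status.COULD_NOT_ASSESS in statuses:
        return Status.COULD_NOT_ASSESS
    return Status.COMPLIANT


# Constructed sample: four keys in one account, two of them only partially collected.
SAMPLE_KEYS = (
    AccessKeyObservation("AKIAEXAMPLE0001", fully_collected=True, age_days=30),
    AccessKeyObservation("AKIAEXAMPLE0002", fully_collected=False, age_days=200),  # partial, but violation provable
    AccessKeyObservation("AKIAEXAMPLE0003", fully_collected=False),                # partial, nothing provable
    AccessKeyObservation("AKIAEXAMPLE0004", fully_collected=True, age_days=120),
)


def assess(observations, check: Check = rotation_violation):
    """Per-resource statuses plus the aggregated policy status, as the drawer would show them."""
    return (
        {o.key_id: resource_status(o, check).value for o in observations},
        policy_status(observations, check).value,
    )


if __name__ == "__main__":
    per_resource, overall = assess(SAMPLE_KEYS)
    for key_id, status in per_resource.items():
        print(f"{key_id:18} {status}")
    print("policy:", overall)
```

Running it reports the first key as Compliant, the second and fourth as Non-compliant, the third as Could not assess, and the policy as Non-compliant overall; dropping the two non-compliant keys leaves the policy at Could not assess, because the third key's incomplete data blocks a Compliant verdict.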

Use Cases for Cloud Compliance Dashboard

The following sections show how to use the Cloud Compliance Dashboard to view different types of information.

If applicable, they also specify where similar information was found in the deprecated Compliance pages for AWS, Azure, and GCP.

Select a Cloud Provider and View Compliance Details

  1. Under filters, select the Provider that you want to display Compliance details for (for example: Azure).
  2. The Compliance details for the chosen cloud provider are displayed. The details vary depending on which Group by option is selected.
Deprecated Method

This method replaces the following deprecated Console pages:

  • Compliance > AWS / Azure / GCP

    compliance-cloud_provider-dropdown.png

Select a Cloud Account and View Compliance Details

  1. Under filters, select the Account that you want to display Compliance details for (for example: Organization: [organization name] and Project: [project name]).
  2. The Compliance details for the chosen account are displayed. The details vary depending on which Group by option is selected.
Deprecated Method

This method replaces the following deprecated Console pages and dropdown options:

  • Compliance > AWS / Azure / GCP > Dashboard / Reports

    • Any Account, Tenant, Subscription, Organization, or Project dropdown.

    aws-compliance-account-dropdown.png

    azure-compliance-tenant-dropdown.png

    gcp-compliance-organization-dropdown.png

View Compliance Summary of a Cloud Account

  1. Select Group by Account to view a Compliance summary for each cloud account integrated with Lacework.

  2. (Optional) Under filters, select the Provider that you want to display Compliance details for (for example: Azure).

  3. Use the Sort by dropdown to specify the order of the Accounts list.

    cloud-compliance-accounts-dropdown.png

  4. Click on an Account to view more details in the Account Drawer.

Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS > Dashboard > Account Summary

    aws-compliance-account_summary.png

  • Compliance > Azure > Dashboard > Subscription Summary

    azure-compliance-subscription_summary.png

  • Compliance > GCP > Dashboard > Project Summary

    gcp-compliance-project_summary.png

View CIS Benchmark Report Overview

  1. Select Group by Assessment to view a Compliance summary for each CIS Benchmark report.

  2. (Optional) Use the Account filter to select the specific account (for example: Tenant: [tenant name] and Subscription: [subscription name]).

  3. Use the Sort by dropdown to specify the order of the Assessments list.

    cloud-compliance-assessments-dropdown.png

  4. Click on an Assessment to view more details in the Assessment Drawer.

Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS / Azure / GCP > Dashboard > CIS Benchmark Overview

    gcp-compliance-cis_benchmark_overview.png

  • Compliance > AWS > Summary > Reports

    • Use the Reports page to download and view CIS Benchmark reports.

    aws-compliance-summary-reports.png

View Policy Assessments for a CIS Benchmark Report

  1. Select Group by Assessment to view individual policy assessments for all your integrated resources.
  2. Under filters, select the Report that you want to view (for example: Azure CIS Benchmark). Policies that apply to the selected report will then be shown.
  3. (Optional) View the Benchmark report for a specific account by using the Account filter (for example: Tenant: [tenant name] and Subscription: [subscription name]).
  4. (Optional) The latest assessment is shown by default. Change the date to view past assessments.
  5. Click on an Assessment to view more details in the Assessment Drawer. The assessment results for the CIS Benchmark policies are contained within.
tip

Use the Reports page to view and download CIS Benchmark reports.

Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS > Summary > Amazon S3 and CIS - Recommendations (From Latest Reports)

    aws-compliance-summary-amazon_s3_and_cis.png

View Compliance KPIs and Data Visualizations for a Benchmark Report

  1. Under filters, select the Report that you want to view (for example: Azure CIS Benchmark). Policies that apply to the selected report will then be shown.
  2. (Optional) Use the Account filter to select the specific account (for example: Tenant: [tenant name] and Subscription: [subscription name]).
  3. View the Dashboard Charts at the top to see a visual summary of important statistics and KPIs relating to the Benchmark report on the specified account.
Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS / Azure / GCP > Dashboard > Compliance Summary

    azure-compliance-dashboard-compliance_summary.png

  • Compliance > AWS / Azure / GCP > Reports > Non-Compliant Recommendations / Resources / By Severity

    gcp-compliance-reports-non-compliant_recommendations.png

View Compliance KPIs and Data Visualizations for Cloud Services

  1. Select Group by Service to view compliance details for individual cloud services.
  2. Under filters, select the Provider that you want to view (for example: Azure).
  3. (Optional) Use the Account filter to select the specific account (for example: Tenant: [tenant name] and Subscription: [subscription name]).
  4. Click on a Service to view more details in the Service Drawer.
Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS / Azure / GCP > Dashboard > Compliance Summary > Resources in Violation (when clicked)

    azure-compliance-dashboard-resources_in_violation.png

View Policy Assessments for Cloud Services

  1. Select Group by Service to view cloud service assessments.
  2. Under filters, select the Provider that you want to view (for example: GCP). Policies that apply to the selected provider will then be shown.
  3. (Optional) View cloud service assessments for a specific account by using the Account filter (for example: Organization: [organization name] and Project: [project name]).
  4. (Optional) The latest assessment is shown by default. Change the date to view past assessments.
  5. Click on a Service to view more details in the Service Drawer. The assessment results for the service policies are contained within.
Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS / Azure / GCP > Reports > Recommendations by Service
    Example gcp-compliance-reports-iam.png

  • Compliance > AWS > Summary > Summary by Service

    aws-compliance-summary-summary_by_service.png

View and Add Exceptions on a Policy

  1. Select Group by Policy to view individual policy assessments.

  2. Under filters, select the Report that you want to view (for example: Azure CIS Benchmark). Policies that apply to the selected report will then be shown.

  3. (Optional) View policy assessments for a specific account by using the Account filter (for example: Organization: [organization name] and Project: [project name]).

  4. (Optional) The latest assessment is shown by default. Change the date to view past assessments.

  5. Click on a Policy to view more details in the Policy Drawer. The assessment results display the total number of exceptions applied to the policy.

  6. Click View exceptions to see details of each exception. You can add new exceptions here.

    tip

    You can also add exceptions through the Policies page.

info

This method replaces the following deprecated Console pages and options:

  • Compliance > AWS / Azure / GCP > Reports > Recommendation Actions > Advanced Suppression

    aws-compliance-reports-advanced_suppression.png

Add Exceptions for a Specific Resource on a Policy

  1. If you want to add an exception for a resource listed in the Policy Drawer table, click the additional options button console-cloud-compliance-policy-drawer-options.png for the resource.

    console-cloud-compliance-policy-drawer-add_exception.png

  2. Click Add exception to enter the Exceptions tab for the policy. The Key Id/Alias will be filled with the resource you selected.

View Critical and Non-Compliant Policies

  1. Select Group by Policy to view individual policy assessments for all your integrated resources.
  2. Use the Severity filter and select Critical.
  3. Use the Status filter and select Non-compliant.