Skip to main content

Cloud Compliance Dashboard

Overview

This dashboard provides a consolidated view of your compliance across all cloud providers that are integrated with Lacework.

To go to the Cloud Compliance Dashboard in the Lacework Console, click Compliance > Cloud.

Cloud Compliance Dashboard

To populate the data viewed in this page, you must configure at least one integration to a cloud provider. For more information, see:

Terminology

The Cloud Compliance dashboard uses terminology that differs from variations used in the AWS, Azure, or GCP Compliance Dashboard and Reports pages.

The table below provides comparative guidance on these terminologies:

AWS / Azure / GCP Compliance Dashboard & ReportsCloud Compliance Dashboard
Recommendation
Policy Assessment
Assessment		Policy
Benchmark
Report Type
Report		Assessment
Violated
In-violation
Failed
Non-compliant		Resources: Fail
Policies: Non-compliant
Compliant
Passed		Resources: Pass
Policies: Compliant
AWS: Accounts
Azure: Tenants and Subscriptions
GCP: Organizations and Projects		Accounts
Assessed
Monitored
Analyzed		Assessed
SuppressedException

See Groups and Filters for descriptions of the elements within the Cloud Compliance dashboard.

Groups

By default, the Compliance list displays assessments. Change what group the list displays by selecting a different Group by option from the drop-down:

GroupDescription
PolicyDisplays all policies in the Compliance list (both custom and default).
Assessment (default)Displays all assessments such as CIS Benchmark reports in the Compliance list.
AccountDisplays all integrated cloud accounts.

Filters

Use the following methods to refine what is displayed in the compliance list:

  • Use the search function at the top of the page to find specific text in any of the details available on the page. You can also click the search field to select values and operators to narrow your search.
  • Click the filter dropdowns along the top of the page and check the boxes to make them active. Click an active filter to remove it or click Reset. You can also click on the tags in the table list to use them as filters.

The available filters change depending on what Group by option you have selected:

FilterGroupsDescription
SeverityGroup by PolicyDisplay policies for the specified severity (for example: Critical).
ProviderAllDisplay compliance details for the specified provider: AWS, Azure, or GCP.
StatusGroup by PolicyDisplay policies with the specified status (for example: Non-compliant).
ReportGroup by PolicyDisplay policies for a specified report (for example: GCP PCI Benchmark).
AccountAllDisplay compliance details for a specified integrated cloud account (for example: Organization: 123456789101).
Any fieldAllDisplay results that include a specified value.

Date

To change the assessment date, click Custom from the drop-down, then select a date from the calendar. After a custom date is selected, use the horizontal arrows to move to the next/previous day.

Only information found during assessment on the specified date is reported. For example, if a number of resources were only integrated with Lacework yesterday, the total number of resources shown in the report 7 days ago would differ from the number shown in today's report.

Save View

When the page displays your selected group and filters, save the current view by clicking the Save view icon in the top right corner. This lets you access the saved view later through the Open view icon.

When you open a saved view, its name displays in the page title as Cloud compliance / name. Click the pencil icon adjacent to this name to duplicate or delete the view.

You can also click the Copy link icon to copy the link to the current view. You can then share that link with others, so they can see the same view.

note

Searches and sorting cannot be saved in views or copied as links.

Visible Accounts

Use the AWS Account, Azure Subscription, and GCP Project dropdowns to filter your Compliance results to specific cloud provider accounts.

console-cloud-compliance-visible_accounts.png

Each cloud provider has a dropdown and all integrated accounts are listed within. Use the search bar to find a specific account (or subset). Check the boxes to change whether Compliance details are displayed for that account, then click Show Results.

Visible Accounts Dropdown

info

The number of visible accounts is limited to 100 per cloud provider.

Google Apps Script Projects are hidden by default. Contact Lacework Support if you want to enable visibility of these projects.

On-Demand Compliance Scans

Use on-demand compliance scans to reassess compliance policies, violation alerts, and reports for your chosen cloud service provider.

When using this feature, a resource management collection is made for all integrated cloud accounts within the chosen cloud service provider (such as projects and organizations for GCP, tenants and subscriptions for Azure, or accounts for AWS). Reports are then regenerated using the new data.

info

Scans take 1-2 hours to complete on average. Only one scan can be active at a time per integration.

Run an On-Demand Scan

Click Open adhoc scanning options in the top right corner to view available options:

Refresh compliance scans

Check the cloud service provider that you want to reassess and click Scan now:

Refresh Compliance scan

The cloud service provider option is unselectable if a scan completed within the last hour, or if a scan is currently ongoing.

Once the scan is complete, the Report last run times are updated for assessments, accounts, and services. This includes the reports on the Reports page.

Charts

Dashboard Charts

The Cloud Compliance dashboard contains a number of statistics and charts to help visualize your security posture.

important

All charts and statistics actively update to the group, search, and/or filters that you apply to the page.

Statistics

The statistics display the number of integrated cloud accounts that have been assessed, and the total number of exceptions applied across policies.

cloud-dashboard-stats-accounts-exceptions.png

Policies

The Policies chart displays the total number of policies and splits them into the following categories:

  • Policies that are non-compliant when integrated resources were assessed.
  • Policies that are compliant when integrated resources were assessed.
  • Policies that have not been assessed due to the following reasons:
    • Policies that require manual auditing.
    • Policies that were not assessed due to an error.
    • Policies that have exceptions applied to them.

cloud-dashboard-chart-policies.png

note

The percentage of high severity compliance violations include critical and high severity violations.

Resources

The Resources chart displays the total number of resources and splits them into the following categories:

  • Resources that are non-compliant due to failing a policy assessment (or multiple policy assessments).
  • Resources that are compliant due to passing policy assessments.
  • Resources that have not been assessed due to the following reasons:
    • Resources that were not assessed due to an error.
    • Resources that have exceptions applied to them.

cloud-dashboard-chart-resources.png

Non-compliant policies by severity

This chart splits non-compliant policies into severity levels of Critical, High, Medium, Low, and Info.

cloud-dashboard-chart-non-compliant-policies-severity.png

Compliance List Charts

Each row in the Compliance list has a chart (or charts) associated to that assessment, policy, account, or service. The list displays different chart(s) depending on what group is selected.

Group by Policy Chart

When Group by Policy is selected, the chart displays the total number of resources linked with that policy and splits them into the following categories:

  • Resources that are non-compliant due to failing the policy assessment.
  • Resources that are compliant due to passing the policy assessment.
  • Resources that were not assessed due to errors or exceptions.

cloud-dashboard-chart-groupbypolicy.png

Policy Drawer Chart

Click a policy in the Compliance list to display a drawer with the same chart with additional statistics:

  • Total number of exceptions as of the last reported date and time.
    Click View exceptions to see a detailed list of the exceptions applied to the policy.

cloud-drawer-chart-groupbypolicy-resources.png

Hover over the filter icon to see the active filters influencing the chart.

cloud-drawer-chart-groupbyservice-non-compliant-resources-filter.png

Group by Assessment/Account Charts

When Group by Assessment/Account is selected, the chart displays the total number of non-compliant policies for that assessment/service/account and splits them into severity levels of Critical, High, or Other (being Medium, Low, and Info combined).

cloud-dashboard-chart-groupbyassessment-non-compliant-policies.png

Additionally, another chart displays the total number of resources linked with the policy and splits them into the following categories:

  • Resources that are non-compliant due to failing the policy assessment.
  • Resources that are compliant due to passing the policy assessment.
  • Resources that have not been assessed due to errors or exceptions.

cloud-dashboard-chart-groupbyassessment-non-compliant-resources.png

Assessment/Account Drawer Charts

Click an assessment/account in the Compliance list to display a drawer with the same charts with added statistics:

  • Total number of policies associated with the assessment/account.
  • Percentage of compliant policies associated with the assessment/account.
  • Percentage of high severity compliance violations.
    • In this case, high severity includes both critical and high severity compliance violations.
  • Percentage of resources that have failed one or more policy assessments. The arrow also signifies whether the amount of resources failing policy assessments has increased or decreased since the last report.

cloud-drawer-chart-groupbyservice-non-compliant-resources.png

Hover over the filter icon to see the active filters that are influencing the charts.

cloud-drawer-chart-groupbyservice-non-compliant-resources-filter.png

Click on the filter icon console-compliance-severity-filter-icon.png for a severity level to apply the filter to the table below.

Compliance List

The Compliance list is below the statistics and charts. Each row displays an individual policy, assessment, service, or account depending on what group is selected.

The Compliance list allows you to Download CSV and sort.

Click a tag to reload the Compliance list using the tag as the filter.

Group by Policy

Legacy Policies

All AWS/GCP policies marked as legacy will be deprecated on 28th February 2023. Azure legacy policies will be deprecated on 31st March 2023. See Legacy Policies and Reports for a full list of policies and reports/assessments that will be deprecated.

Lacework advises that you start using the latest available reports/assessments.

When Group by Policy is selected, the Sort by options can order the list by:

  • Number of affected resources
  • Policy name
  • Level of severity

Each row displays compliance details on an individual policy. For example, Ensure access keys are rotated every 90 days or less.

Policy Drawer

Click a policy row to display detailed policy results (click the < icon to expand this to full screen).

tip

For policies associated with a benchmark rule, click View context (if available) underneath the policy title to see detailed information about the benchmark rule.

The policy drawer shows information underneath the title about when the policy assessment was last updated and the most relevant tags associated with the policy.

Underneath the chart, the table displays Failed resources associated with the policy.

cloud-drawer-table-options_policy.png
Click the icons to download the table as a CSV, select columns, and search for specific text in any of the column details.

The table has the following information in each column:

ColumnDescription
ResourceEach row displays an individual resource that has failed the policy assessment.
RegionIf applicable, the cloud region of the resource (example: us-west-2).
StatusThe status of the assessment. This could be either Non-compliant, Could Not Assess, or Exception. Lacework does not list resources that are compliant.
AccountThe cloud account associated with the resource.
console-cloud-compliance-policy-drawer-options.pngClick to see additional options for the resource.
Add Compliance Exceptions

Click the additional options button console-cloud-compliance-policy-drawer-options.png to add a compliance exception for the resource and policy selected.

Group by Assessment

Legacy Assessments

All AWS/GCP assessments marked as legacy will be deprecated on 28th February 2023. Azure legacy assessments will be deprecated on 31st March 2023. See Legacy Policies and Reports for a full list of policies and reports/assessments that will be deprecated.

Lacework advises that you start using the latest available reports/assessments.

When Group by Assessment is selected, the Sort by options can order the list by:

  • Number of affected resources
  • Number of affected policies
  • Report name

Each row displays compliance details on an individual assessment report. For example, Lacework AWS Security Addendum 1.0.

Assessment Drawer

Click an assessment row to display detailed assessment report results (click the < icon to expand this to full screen).

Underneath the title, the assessment drawer displays information about when the report last ran, when the configuration was last updated, and who last updated it. For assessments on a single account, click View report for more information and to download it as a PDF. The most relevant tags to this particular assessment are also displayed.

Underneath the charts, there are two tab options to display Policies or Resources associated with the assessment report.

Policies Tab for Assessments

  • Select the Impacted policies by section subtab to view policies within their associated section (such as Identity and Access Management).

    cloud-drawer-table-options-section.png
    Click the icons to view and enable Severity and Status filters, and search for specific text in any of the column details.

  • Select the All impacted policies subtab to view all policies associated with the assessment report.

    cloud-drawer-table-options.png
    Click the icons to download the table as a CSV, select columns, view and enable Severity and Status filters, and search for specific text in any of the column details.

The tables have the following information in each column:

ColumnDescription
Control IDDisplays the unique identifier for the recommendation. This often corresponds to the CIS Benchmark rule ID that is used for CIS Benchmark reports.
Policy nameEach row displays an individual policy associated with the assessment report. Click a policy name to view the policy assessment details.
ResourcesThe number of resources that have passed or failed the policy assessment. Click on the expand icon Display Resources to view up to 5 non-compliant resources associated with the policy.

Click View failed resources in resources tab to switch to the Failed resources tab with the associated policy selected as a filter.
StatusThe overall compliant status for the policy. One or more resources failing the policy assessment triggers the non-compliant status for the policy.
SeverityThe severity level of the policy.
Number of exceptions (hidden by default)The number of compliance policy exceptions applied to this policy.
Resources Tab for Assessments
  • Select the Failed resources subtab to view all failed resources associated with the assessment report. A resource is defined as failed if it is non-compliant with at least one policy during the last compliance assessment.
  • Select the Excluded resources subtab to view any resources that have a compliance policy exception applied to them.

cloud-drawer-table-options.png
Click the icons to download the table as a CSV, select columns, view and enable Policy filters, and search for specific text in any of the column details.

The tables have the following information in each column:

ColumnDescription
ResourceThe Lacework ARN for the resource.

Failed resources: Each row displays an individual resource that has failed one or more policy assessments.
Excluded resources: Each row displays an individual resource that has been excluded from one or more policy assessments.
RegionIf applicable, the cloud region of the resource (example: us-west-2).
AccountThe cloud account associated with the resource.
Provider (hidden by default)The cloud service provider for the resource.
StatusThe overall compliant status for the resource. One or more policy failures triggers the non-compliant status for the resource.
Impacted policiesThe number of policies triggering a non-compliant status for the resource. Click on the expand icon Display Policies to view up to 5 non-compliant policies associated with the resource.

Group by Account

When Group by Account is selected, the Sort by options can order the list by:

  • Number of affected resources
  • Number of affected policies
  • AWS Account name
  • Azure Tenant name
  • GCP Organization name

Each row displays compliance details on an individual cloud provider account. For example, if it's an Azure cloud account, details are displayed for a Subscription in a given Tenant.

Account Drawer

Click an account row to display detailed account results (click the < icon to expand this to full screen).

The account drawer shows information underneath the title about when the account assessment was last updated and the most relevant tags.

Underneath the charts, there are two tab options to display Policies or Resources associated with the account.

Policies Tab for Accounts

cloud-drawer-table-options.png
Click the icons to download the table as a CSV, select columns, view and enable Severity and Status filters, and search for specific text in any of the column details.

The table has the following information in each column:

ColumnDescription
Control IDDisplays the unique identifier for the recommendation. This often corresponds to the CIS Benchmark rule ID that is used for CIS Benchmark reports.
Policy nameEach row displays an individual policy associated with the account. Click a policy name to view the policy assessment details.
ResourcesThe number of resources that have passed or failed the policy assessment. Click on the expand icon Display Resources to view up to 5 non-compliant resources associated with the policy.

Click View failed resources in resources tab to switch to the Failed resources tab with the associated policy selected as a filter.
StatusThe overall compliant status for the policy. One or more resources failing the policy assessment triggers the non-compliant status for the policy.
SeverityThe severity level of the policy.
Number of exceptions (hidden by default)The number of compliance policy exceptions applied to this policy.
Resources Tab for Accounts
  • Select the Failed resources subtab to view all failed resources associated with the account. A resource is defined as failed if it is non-compliant with at least one policy during the last compliance assessment.
  • Select the Excluded resources subtab to view any resources that have a compliance policy exception applied to them.

cloud-drawer-table-options.png
Click the icons to download the table as a CSV, select columns, view and enable Policy filters, and search for specific text in any of the column details.

The tables have the following information in each column:

ColumnDescription
ResourceThe Lacework ARN for the resource.

Failed resources: Each row displays an individual resource that has failed one or more policy assessments.
Excluded resources: Each row displays an individual resource that has been excluded from one or more policy assessments.
RegionIf applicable, the cloud region of the resource (example: us-west-2).
AccountThe cloud account associated with the resource.
Provider (hidden by default)The cloud service provider for the resource.
StatusThe overall compliant status for the resource. One or more policy failures triggers the non-compliant status for the resource.
Impacted policiesThe number of policies triggering a non-compliant status for the resource. Click on the expand icon Display Policies to view up to 5 non-compliant policies associated with the resource.

Determination of the Could Not Assess Status

In order to assess resources for compliance, Lacework must collect data for each resource. Lacework uses the data collection status to determine which policies have a sufficient amount of quality information to be evaluated, even if there is information for only some resources. An issue collecting data could cause the status to be returned as Could not assess.

Some issues that Lacework could encounter when collecting data include the following:

  • Transient failures, for example: rate limits and timeouts.
  • Incorrect permissions used by the Lacework collector, which were provided during role setup for the integration.

The assess functionality converts a recognition of the many potential problems into the Could not assess result.

Lacework applies the following process to determine if a policy’s status is Could not assess:

  1. At a resource level:
    1. If Lacework can determine non-compliance, then the resource is “non-compliant”.
    2. Else, if Lacework cannot determine non-compliance, and the resource was not successfully fully collected, the resource is Could not assess.
    3. Else, if Lacework can determine that there is no non-compliance, or sufficient conditions for compliance, the resource is “compliant”.
  2. Lacework aggregates resource-level compliance observations and determines the aggregate status for the cloud integration as follows:
    • Non-compliant if any resources are known to be non-compliant.
    • Could not assess if no resources are non-compliant, but some resource evaluations were Could not assess.
    • Compliant if all resources are known to be compliant.

The overall goal of Lacework is to never report a resource as compliant if it is not. Policy queries need adequately reliable information to determine non-compliance, and the methodology used is biased towards determining non-compliance, not compliance. It is possible for Lacework to determine a collection to be Could not assess and a policy using that collection in some way to be non-compliant. The granularity of assessment capability will be refined in later releases.

Use Cases for Cloud Compliance Dashboard

The following sections show how to use the Cloud Compliance Dashboard to view different types of information.

If applicable, they also specify where similar information was found in the deprecated Compliance pages for AWS, Azure, and GCP.

Select a Cloud Provider and View Compliance Details

  1. In the Cloud Provider drop-down, check the boxes of the Provider(s) that you want to display Compliance details for (for example: Azure) then click Show results.
  2. The Compliance details for the chosen cloud provider are displayed. The details vary depending on which Group by option is selected.
Deprecated Method

This method replaces the following deprecated Console pages:

  • Compliance > AWS / Azure / GCP

    compliance-cloud_provider-dropdown.png

Select a Cloud Account and View Compliance Details

  1. Use the cloud provider-specific drop-downs (for example, Azure Subscription) to select the boxes for the Account(s) that you want to display Compliance details for, (for example: Organization: [organization name] and Project: [project name]) then click Show results.
  2. The Compliance details for the chosen account are displayed. The details vary depending on which Group by option is selected.
Deprecated Method

This method replaces the following deprecated Console pages and dropdown options:

  • Compliance > AWS / Azure / GCP > Dashboard / Reports

    • Any Account, Tenant, Subscription, Organization, or Project dropdown.

    aws-compliance-account-dropdown.png

    azure-compliance-tenant-dropdown.png

    gcp-compliance-organization-dropdown.png

View Compliance Summary of a Cloud Account

  1. Select Group by Account to view a Compliance summary for each cloud account integrated with Lacework.

  2. (Optional) In the Cloud Provider drop-down, check the boxes of the Provider(s) that you want to display Compliance details for (for example: Azure) then click Show results.

  3. Use the Sort by dropdown to specify the order of the Accounts list.

    cloud-compliance-accounts-dropdown.png

  4. Click an Account to view more details in the Account Drawer.

Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS > Dashboard > Account Summary

    aws-compliance-account_summary.png

  • Compliance > Azure > Dashboard > Subscription Summary

    azure-compliance-subscription_summary.png

  • Compliance > GCP > Dashboard > Project Summary

    gcp-compliance-project_summary.png

View CIS Benchmark Report Overview

  1. Select Group by Assessment to view a Compliance summary for each CIS Benchmark report.

  2. (Optional) Use the cloud provider-specific account drop-downs to select a specific account (for example: Tenant: [tenant name] and Subscription: [subscription name]).

  3. Use the Sort by dropdown to specify the order of the Assessments list.

    cloud-compliance-assessments-dropdown.png

  4. Click an Assessment to view more details in the Assessment Drawer.

Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS / Azure / GCP > Dashboard > CIS Benchmark Overview

    gcp-compliance-cis_benchmark_overview.png

  • Compliance > AWS > Summary > Reports

    • Use the Reports page to download and view CIS Benchmark reports.

    aws-compliance-summary-reports.png

View Policy Assessments for a CIS Benchmark Report

  1. Select Group by Policy to view individual policy assessments for all your integrated resources.
  2. Click Show more in the row of filters, then select the report that you want to view (for example: Azure CIS Benchmark) in the Report drop-down. Policies that apply to the selected report are shown.
  3. (Optional) To view the Benchmark report for a specific account, use the cloud provider-specific account drop-downs to select a specific account (for example: Tenant: [tenant name] and Subscription: [subscription name]).
  4. (Optional) The latest assessment is shown by default. Change the date to view past assessments.
  5. Click an Assessment to view more details in the Assessment Drawer. The assessment results for the CIS Benchmark policies are contained within.
tip

Use the Reports page to view and download CIS Benchmark reports.

Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS > Summary > Amazon S3 and CIS - Recommendations (From Latest Reports)

    aws-compliance-summary-amazon_s3_and_cis.png

View Compliance KPIs and Data Visualizations for a Benchmark Report

  1. Click Show more in the row of filters, then select the report that you want to view (for example: Azure CIS Benchmark) in the Report drop-down. Policies that apply to the selected report are shown.
  2. (Optional) To view the Benchmark report for a specific account, use the cloud provider-specific account drop-downs to select a specific account (for example: Tenant: [tenant name] and Subscription: [subscription name]).
  3. View the Dashboard Charts at the top to see a visual summary of important statistics and KPIs relating to the Benchmark report on the specified account.
Deprecated Method

This method replaces the following deprecated Console pages and sections:

  • Compliance > AWS / Azure / GCP > Dashboard > Compliance Summary

    azure-compliance-dashboard-compliance_summary.png

  • Compliance > AWS / Azure / GCP > Reports > Non-Compliant Recommendations / Resources / By Severity

    gcp-compliance-reports-non-compliant_recommendations.png

View and Add Exceptions on a Policy

  1. Select Group by Policy to view individual policy assessments.

  2. Under filters, select the Report that you want to view (for example: Azure CIS Benchmark). Policies that apply to the selected report are shown.

  3. (Optional) View policy assessments for a specific account by using the Account filter (for example: Organization: [organization name] and Project: [project name]).

  4. (Optional) The latest assessment is shown by default. Change the date to view past assessments.

  5. Click a Policy to view more details in the Policy Drawer. The assessment results display the total number of exceptions applied to the policy.

  6. Click View exceptions to see details of each exception. You can also add new exceptions here.

    tip

    You can also add exceptions through the Policies page.

Deprecated Method

This method replaces the following deprecated Console pages and options:

  • Compliance > AWS / Azure / GCP > Reports > Recommendation Actions > Advanced Suppression

    aws-compliance-reports-advanced_suppression.png

Add Exceptions for a Specific Resource on a Policy

  1. If you want to add an exception for a resource listed in the Policy Drawer table, click the additional options button console-cloud-compliance-policy-drawer-options.png for the resource.

    console-cloud-compliance-policy-drawer-add_exception.png

  2. Click Add exception to enter the Exceptions tab for the policy. The Key Id/Alias is filled with the resource you selected.

View Critical and Non-Compliant Policies

  1. Select Group by Policy to view individual policy assessments for all your integrated resources.
  2. Click the Severity drop-down filter and select Critical, then click Show results.
  3. Click the Status drop-down filter and select Non-compliant, then click Show results.