
Custom Policy Overview

In addition to a comprehensive set of out-of-the-box policies, Lacework provides a highly scalable platform for creating, customizing, and managing custom policies against any datasource that is exposed via the Lacework Query Language (LQL).

Here are concepts to be familiar with when creating and using the Lacework Policy Platform (LPP):

  • LQL
  • Alert profiles
  • Policies

Limitations

  • The maximum number of records that each policy will return is 1000.
  • The maximum number of API calls is 120 per hour for on-demand LQL query executions and LQL policy create, read, update, and delete operations.

Note: LQL syntax may change.

Lacework Query Language

LQL is a SQL-like query language for specifying the selection, filtering, and manipulation of data. Queries let you interactively request information from specified curated datasources. Queries have a defined structure for authoring detections.

For general information on LQL, see LQL Overview.

Supported Datasources

Datasources are structured collections of related sets of information. Currently, LQL can access the integrated resources listed on Manage Integrated AWS Resources and Manage Integrated GCP Resources.

Example Query

The following example shows a query that finds VPCs with flow logging not enabled:

Example query

{
  source {
    LW_CFG_AWS_EC2_VPCS vpc
    with LW_CFG_AWS_EC2_VPC_FLOW_LOGS log
  }
  filter {
    not value_exists(log.RESOURCE_CONFIG)
    or log.RESOURCE_CONFIG:FlowLogStatus <> 'ACTIVE'
  }
  return distinct {
    vpc.ACCOUNT_ALIAS,
    vpc.ACCOUNT_ID,
    vpc.ARN as RESOURCE_KEY,
    vpc.RESOURCE_REGION,
    vpc.RESOURCE_TYPE,
    vpc.SERVICE,
    case when not value_exists(log.RESOURCE_CONFIG) then 'VPCFlowLoggingNotEnabled'
      else 'VPCFlowLoggingNotActive' end as COMPLIANCE_FAILURE_REASON
  }
}

Alert Profiles

Use alert profiles to define how your LQL queries get consumed into events and alerts. Lacework provides a set of predefined alert profiles to ensure that policy evaluation gives you useful results out of the box. To create your own customized profile, extend an existing alert profile and add custom templates to it.

LW_CFG_AWS_DEFAULT_PROFILE details (truncated)

{
  "data": {
    "alertProfileId": "LW_CFG_AWS_DEFAULT_PROFILE",
    "extends": "LW_LPP_BaseProfile",
    "fields": [
      {
        "name": "_PRIMARY_TAG"
      },
      {
        "name": "RESOURCE_ID"
      }, ...
    ],
    "descriptionKeys": [
      {
        "name": "_OCCURRENCE",
        "spec": "{{_OCCURRENCE}}"
      },
      {
        "name": "RESOURCE_ID",
        "spec": "{{RESOURCE_ID}}"
      }, ...
    ],
    "alerts": [
      {
        "name": "CFG_AWS_PolicyChanged",
        "eventName": "LW Configuration AWS Violation Alert",
        "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
        "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
      },
      {
        "name": "CFG_AWS_NewViolation",
        "eventName": "LW Configuration AWS Violation Alert",
        "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
        "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
      },
      {
        "name": "CFG_AWS_Violation",
        "eventName": "LW Configuration AWS Violation Alert",
        "description": "{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}",
        "subject": "{{_OCCURRENCE}} violation detected for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}} in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}"
      }
    ]
  }
}

Policies

Policies add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the Lacework Console. Use the following methods to create custom policies:

Note: To create custom non-LQL-based policies, use the steps described in Create Policies.

Example Policy

The following shows a custom policy that uses the above query to alert about VPC flow logging:

Example policy

{
  "title": "Ensure VPC flow logging is enabled in all VPCs",
  "enabled": false,
  "policyType": "Violation",
  "alertEnabled": false,
  "alertProfile": "LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation",
  "evalFrequency": "Hourly",
  "queryId": "Example_Global_AWS_Config_VPCFlowLoggingNotEnabled",
  "severity": "medium",
  "description": "VPC Flow Logs is a feature that enables you to capture information\nabout the IP traffic going to and from network interfaces in your VPC. After\nyou've created a flow log, you can view and retrieve its data in Amazon CloudWatch\nLogs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for\nVPCs.",
  "remediation": "Perform the following to determine if VPC Flow logs is enabled:\nFrom Console:\n1. Sign into the management console\n2. Select Services then VPC\n3. In the left navigation pane, select Your VPCs\n4. Select a VPC\n5. In the right pane, select the Flow Logs tab.\n6. If no Flow Log exists, click Create Flow Log\n7. For Filter, select Reject\n8. Enter in a Role and Destination Log Group\n9. Click Create Log Flow\n10. Click on CloudWatch Logs Group\nNote: Setting the filter to \"Reject\" will dramatically reduce the logging data accumulation for this recommendation\nand provide sufficient information for the purposes of breach detection, research and remediation. However,\nduring periods of least privilege security group engineering, setting this the filter to \"All\" can be very helpful in discovering\nexisting traffic flows required for proper operation of an already running environment.",
  "tags": [
    "domain:AWS",
    "subdomain:Configuration"
  ]
}

Policy Details

Lacework supports the following types of custom policies:

  • Policies that invoke LQL queries on Lacework datasources.
  • Policies that are cloned and created in the Lacework Console and contain AND conditions. These policies were previously known as custom rules.

Lacework also ships with a set of default LQL policies that are available from Policies in the Lacework Console. To view all the policies in your Lacework instance, click Policies in the left navigation panel. To view the LQL query associated with a policy, click the policy name.

For example, to view the VPC Change LQL policy, select Policies and enter VPC Change in the search field. To view the LQL query that is called by VPC Change, click VPC Change in the list.

You can use default queries as the basis for your LQL queries.

Policy Types

Violation

These policies check for activity violations, for example in CloudTrail or Kubernetes audit log activity. They generate one alert for each violation.

Violation policies contain an alertProfile field, which controls the information that is surfaced for an alert (the "5 Ws" shown in the Lacework Console, for example under Resources > Cloud > AWS CloudTrail).

{
  "policyId": "lacework-global-1",
  "title": "VPC Change",
  "enabled": true,
  "policyType": "Violation",
  "alertEnabled": true,
  "alertProfile": "LW_CloudTrail_Alerts.VPCChange_AwsResource",
  "evalFrequency": "Hourly",
  "queryId": "LW_Global_AWS_CTA_VPCChange",
  "severity": "medium",
  "description": "A VPC was created, deleted or changed",
  "remediation": "Check that the VPC change was expected.\nEnsure only specified users can modify VPCs."
}

Compliance: Manual

Note: Creating custom compliance policies is currently not supported.

Manual policies represent recommendations that cannot be automated but still provide useful information. These policies are included in compliance reports, but nothing is evaluated.

{
  "policyId": "lacework-global-32",
  "title": "Ensure security contact information is registered",
  "policyType": "Manual",
  "severity": "low",
  "description": "AWS provides customers with the option of specifying the contact\ninformation for account's security team. It is recommended that this information\nbe provided.",
  "remediation": "Perform the following to establish security contact information:\nFrom Console:\n1. Click on your account name at the top right corner of the console.\n2. From the drop-down menu Click My Account\n3. Scroll down to the Alternate Contacts section\n4. Enter contact information in the Security section\nNote: Consider specifying an internal email distribution list to ensure emails\nare regularly monitored by more than one individual.",
  "references": [
    "CCE-79200-2"
  ],
  "infoLink": "https://docs.lacework.com/catalog/policies/lacework-global-32",
  "tags": [
    "security:compliance",
    "framework:cis-aws-1-4-0",
    "control:1.2",
    "identifier:CCE-79200-2",
    "domain:AWS",
    "subdomain:Configuration"
  ]
}

Compliance: Reason

Note: Creating custom compliance policies is currently not supported.

These policies check configuration compliance. For example, checking the state of AWS resources. Every resource that violates a policy can have multiple reasons for non-compliance. In contrast with the violation policies, these compliance policies generate one alert per policy. For example, if three S3 buckets violate a policy, Lacework generates only one alert that lists the non-compliant resources.

Note the evaluationDetails section. It is possible to list multiple LQL queries within a compliance policy. The results of all queries will be collated for non-compliant resource reporting.

{
  "policyId": "lacework-global-75",
  "title": "Ensure CloudTrail log file validation is enabled",
  "enabled": false,
  "policyType": "Compliance",
  "alertEnabled": false,
  "severity": "low",
  "description": "CloudTrail log file validation creates a digitally signed digest\nfile containing a hash of each log that CloudTrail writes to S3. These digest\nfiles can be used to determine whether a log file was changed, deleted, or unchanged\nafter CloudTrail delivered the log. It is recommended that file validation be\nenabled on all CloudTrails.",
  "remediation": "Perform the following to enable log file validation on a given trail:\nFrom Console:\n1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)\n2. Click on Trails on the left navigation pane\n3. Click on target trail\n4. Within the S3 section click on the edit icon (pencil)\n5. Click Advanced\n6. Click on the Yes radio button in section Enable log file validation\n7. Click Save\nFrom Command Line:\naws cloudtrail update-trail --name <trail_name> --enable-log-file-validation\nNote that periodic validation of logs using these digests can be performed by running the following command:\naws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>",
  "references": [
    "CCE-78914-9",
    "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html"
  ],
  "infoLink": "https://docs.lacework.com/catalog/policies/lacework-global-75",
  "evaluationDetails": {
    "goal": "none",
    "anyOrAllOf": [
      "LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled"
    ]
  },
  "tags": [
    "security:compliance",
    "framework:cis-aws-1-4-0",
    "control:3.2",
    "identifier:CCE-78914-9",
    "domain:AWS",
    "subdomain:Configuration"
  ]
}
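As an added example (not Lacework's code), the following Python models the behaviour this page describes: the example query's filter applied to constructed VPC and flow-log records, `{{FIELD}}` substitution in the alert profile's description template, and the fan-out difference between Violation policies (one alert per row) and Compliance policies (one alert per policy), capped at the 1000-record limit. The sample records, the `ec2:vpc` type string and the `_OCCURRENCE` value are assumptions.

```python
# Constructed model (not Lacework's code) of how rows from the page's example query
# become alerts under a Violation policy versus a Compliance policy.
import re
from collections import defaultdict

MAX_RECORDS = 1000  # per-policy record cap stated in the Limitations section
# Alert description template copied from the LW_CFG_AWS_DEFAULT_PROFILE excerpt.
DESCRIPTION = ("{{_OCCURRENCE}} Violation for AWS Resource {{RESOURCE_TYPE}}:{{RESOURCE_ID}}"
               " in account {{ACCOUNT_ID}} region {{RESOURCE_REGION}}")
# Constructed sample data standing in for LW_CFG_AWS_EC2_VPCS and the flow-log datasource;
# a VPC absent from FLOW_LOGS models `not value_exists(log.RESOURCE_CONFIG)`.
VPCS = [{"ACCOUNT_ID": "111111111111", "RESOURCE_ID": "vpc-aaa", "RESOURCE_REGION": "us-east-1"},
        {"ACCOUNT_ID": "111111111111", "RESOURCE_ID": "vpc-bbb", "RESOURCE_REGION": "us-east-1"},
        {"ACCOUNT_ID": "222222222222", "RESOURCE_ID": "vpc-ccc", "RESOURCE_REGION": "eu-west-1"}]
FLOW_LOGS = {"vpc-aaa": {"FlowLogStatus": "ACTIVE"}, "vpc-bbb": {"FlowLogStatus": "INACTIVE"}}

def evaluate_vpcs(vpcs, flow_logs):
    """Mirror the example query's filter and its COMPLIANCE_FAILURE_REASON case expression."""
    rows = []
    for vpc in vpcs:
        config = flow_logs.get(vpc["RESOURCE_ID"])
        if config is None:                              # no flow log at all
            reason = "VPCFlowLoggingNotEnabled"
        elif config.get("FlowLogStatus") != "ACTIVE":   # FlowLogStatus <> 'ACTIVE'
            reason = "VPCFlowLoggingNotActive"
        else:
            continue                                    # compliant VPCs are not returned
        rows.append({**vpc, "RESOURCE_TYPE": "ec2:vpc",  # type string is constructed
                     "COMPLIANCE_FAILURE_REASON": reason})
    return rows

def render(template, fields):
    """Fill {{NAME}} placeholders; unknown names stay visible so template gaps are noticed."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: str(fields.get(m.group(1), m.group(0))), template)

def build_alerts(policy_type, rows, occurrence="New"):
    """Violation: one alert per row; Compliance: one alert per policy listing every resource.
    `occurrence` stands in for _OCCURRENCE, whose values the page does not define (assumption)."""
    rows = rows[:MAX_RECORDS]
    if policy_type == "Violation":
        return [render(DESCRIPTION, {"_OCCURRENCE": occurrence, **r}) for r in rows]
    if policy_type == "Compliance":
        if not rows:
            return []
        by_reason = defaultdict(list)
        for r in rows:
            by_reason[r["COMPLIANCE_FAILURE_REASON"]].append(r["RESOURCE_ID"])
        detail = "; ".join(f"{k}: {', '.join(v)}" for k, v in sorted(by_reason.items()))
        return [f"{len(rows)} non-compliant resource(s): {detail}"]
    raise ValueError(f"unsupported policyType {policy_type!r}")
```

Running `build_alerts("Violation", evaluate_vpcs(VPCS, FLOW_LOGS))` yields two rendered alerts, while the `"Compliance"` call yields a single alert grouping both VPCs by failure reason.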