Create a Custom Compliance Policy

Compliance policies assess the configuration of Cloud and Kubernetes infrastructure. The results of compliance policy assessments are typically consumed in the form of reports, which you can customize and schedule for regular delivery. A compliance policy may also generate an alert.

Every resource that violates a policy can have multiple reasons for non-compliance. Compliance policies generate one alert per policy. For example, if three S3 buckets violate a policy, Lacework generates one alert that lists the non-compliant resources. A compliance policy must return a reason for the compliance violation.

This topic describes how to create a custom compliance policy and include it in reports. To present the assessments for a custom policy in reports, you need to add it to a custom report framework. A framework specifies the policies included in a report, and defines the order and organization of the report.

There are two ways to create custom compliance policies and custom reports, as described in this topic: using the Lacework Console or using the Lacework CLI.

For information on creating a violation policy, see Create a Custom Violation Policy.

Before Starting

At the core of each compliance policy is an LQL query. Before creating a policy, you should be familiar with LQL, and you should compose and test your LQL query with the Lacework CLI. As a shortcut, you can start with an existing query that comes close to what you'd like to achieve with your custom policy. You can see existing queries by viewing policy details from the Policies dashboard. For information on developing queries with the CLI, see LQL Queries in the LQL documentation.

Configuration compliance policies inspect the configuration of cloud assets, including configuration information on supported IaaS and PaaS services of supported cloud service providers. Kubernetes configuration compliance support includes Amazon EKS and Google Kubernetes Engine (GKE) configuration support.

To learn more about the datasources and fields you can query, see Datasource Information.

To perform these steps, you need to be a user with policy write permissions in the Lacework Console.

Create a Custom Compliance Policy Using the Lacework Console

PREVIEW FEATURE

This section describes functionality that is currently in preview.

This section takes you through the steps to create a custom compliance policy, either as a cloned policy or as a new policy, and to add it to reports with the Lacework Console. Note that cloning a compliance policy creates a new, independent policy; changes to the original policy do not affect the cloned policy, and vice versa.

Users with Policies write permission can create or clone policies in the Lacework Console.

Create the Policy

There are two ways to create a custom compliance policy in the Lacework Console. If an existing policy closely matches the policy that you want to create, the easiest way is to clone the existing policy and modify it to fit your needs. Alternatively, you can create a new policy manually, from scratch. Both methods are described below:

Create the Policy by Cloning

To create a policy by cloning and modifying an existing policy, follow these steps:

  1. As a user with write permissions for policies, click Policies from the left navigation menu.
  2. Find the policy on which you want to base your custom compliance policy, and click on the policy to open its details pane.
  3. Click the clone icon, which appears below the policy name.
  4. Click the edit icon next to the name or description to edit the default values for your new policy.
  5. Click the Query tab and click the edit icon next to the query ID.
  6. Provide a new query ID and modify the LQL query in the query pane. See LQL Queries for more information about LQL.
  7. Click the Context tab and review and optionally modify the remediation steps.
  8. Click Save.

Create the Policy Manually

To create the sample custom compliance policy, follow these steps:

  1. As a user with write permissions for policies, click Policies from the left navigation menu.

  2. Click Configure policy.

  3. Choose the status of the policy, draft or live. A draft policy can appear in assessment reports, but does not generate alerts and is not considered in overall assessment results. Using draft status for new policies allows you to test and troubleshoot a new policy, and understand its impact before promoting it to live status.

  4. Configure the general policy settings, as illustrated by the following sample configuration:

    • Policy title: A title for the policy. The title appears in the policy list, so it should distinguish this policy from others.
    • Policy description: A description of the policy.
    • Policy type: For a compliance policy, choose Compliance. Compliance policies can generate alerts and appear in reports, while violation policies only generate alerts.
    • Severity: The severity associated with a failure in compliance with this policy.
  5. For Query ID, enter a unique, descriptive name for the query that uses numbers, letters, and underscores.

  6. For the query, enter your LQL query. In most cases, this should be a query that you have already developed and tested with the Lacework CLI, such as the following:

    {
        source {
            LW_CFG_AWS_EC2_SECURITY_GROUPS securityGroup,
            array_to_rows(securityGroup.RESOURCE_CONFIG:IpPermissions) as ip_permissions,
            array_to_rows(ip_permissions:IpRanges) as ip_ranges
        }
        filter {
            ip_permissions:IpProtocol = 'tcp'
            and ip_permissions:FromPort = 3349
            and ip_permissions:ToPort = 3349
            and ip_ranges:CidrIp = '0.0.0.0/0'
        }
        return distinct {
            'This is the compliance reason' as COMPLIANCE_FAILURE_REASON
        }
    }

    If your query has any syntax errors, the interface will say so and identify the error. You can proceed only with a valid query.

  7. Optionally, enter remediation steps. The steps should provide directions for addressing the issue identified by the policy.

  8. Click Save.

The policy list appears. You should now be able to find your custom policy in the list.

Add the Policy to a Custom Framework

The policy you just created is not a part of any report yet. To have assessments of the custom policy appear in reports, create a custom framework based on an existing one. You can then see the assessments of your new policy in a report, and optionally, distribute it on a schedule.

Lacework provides hundreds of compliance policies, grouped by industry benchmarks (PCI, ISO27001, SOC2, HIPAA, and more), which get assessed daily. Choose the existing framework on which you want to base your custom framework.

When choosing a framework, consider that cloud security teams usually care about CIS for Security Posture baseline; compliance teams often care about just one or two industry benchmarks, but not all of them. You can have reports generated for those benchmarks sent to the teams interested in them in your organization.

note

A custom report can only contain compliance policies based on the same type of cloud (that is, only AWS, GCP, or Azure compliance policies).

To add your policy to a custom framework, follow these steps:

  1. Click Compliance > Cloud.
  2. Click Configure framework.
  3. Choose an existing assessment on which you want to base your new framework and click Next.
  4. In Framework name, provide a unique name for the framework.
  5. Use the builder to find the section that you want to modify by adding your custom policy. You can use the outline on the left to quickly navigate to a section. On the right, view and refine the existing section organization for the generated reports. Click Quick view to get more information on individual policies.
  6. To add a policy to the framework, click Add / Edit policies in the Framework pane.
  7. Find the custom policy and select it, using the search bar if needed.
  8. Click Update Section. Your custom policy should now appear in the outline.
  9. Click Save.

Create Custom Compliance Policies Using the Lacework CLI

This section takes you through the steps to create a custom compliance policy, either as a cloned policy or as a brand new policy, and to add it to a custom framework with the Lacework CLI. Note that cloning a policy creates a new, independent policy; changes to the original policy do not affect it, and vice versa.

Create a Query

  1. Open your text editor, create a new file, and add your query, such as the following example:

    Compliance query
    queryId: LW_Custom_UnrestrictedIngressToTCP3349
    queryText: |-
      {
          source {
              LW_CFG_AWS_EC2_SECURITY_GROUPS securityGroup,
              array_to_rows(securityGroup.RESOURCE_CONFIG:IpPermissions) as ip_permissions,
              array_to_rows(ip_permissions:IpRanges) as ip_ranges
          }
          filter {
              ip_permissions:IpProtocol = 'tcp'
              and ip_permissions:FromPort = 3349
              and ip_permissions:ToPort = 3349
              and ip_ranges:CidrIp = '0.0.0.0/0'
          }
          return distinct {
              'This is the compliance reason' as COMPLIANCE_FAILURE_REASON
          }
      }
  2. Save the file as YAML with the filename LW_Custom_UnrestrictedIngressToTCP3349.yaml. Note the file's location.

  3. In the Lacework CLI, run this command:

    lacework query create -f <path_to>/LW_Custom_UnrestrictedIngressToTCP3349.yaml

    The following response appears:

    The query LW_Custom_UnrestrictedIngressToTCP3349 was created.
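
The filter in the query above matches only a rule whose FromPort and ToPort both equal 3349 and whose IPv4 range is 0.0.0.0/0. The following added example (not Lacework code and not part of the original page) mirrors that filter in Python over constructed security group data and compares it with a broader check; the group IDs, function names and the broader check itself are assumptions made for illustration.

```python
PORT = 3349
SAMPLE_GROUPS = [  # constructed data, shaped like the IpPermissions the query reads
    {"GroupId": "sg-exact", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3349, "ToPort": 3349,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-allproto", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-ipv6", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3349, "ToPort": 3349,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3349, "ToPort": 3349,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

def rows(groups):
    """Flatten like the two array_to_rows() calls: one row per IPv4 range."""
    for g in groups:
        for perm in g.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                yield g["GroupId"], perm, rng.get("CidrIp")

def page_query(groups):
    """Exact-match filter from the page's query; returns distinct group IDs."""
    return sorted({gid for gid, p, cidr in rows(groups)
                   if p.get("IpProtocol") == "tcp" and p.get("FromPort") == PORT
                   and p.get("ToPort") == PORT and cidr == "0.0.0.0/0"})

def covers_port(perm):
    """True for an all-protocol rule or a TCP port range that contains PORT."""
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return perm.get("IpProtocol") == "-1" or (
        perm.get("IpProtocol") == "tcp" and None not in (lo, hi) and lo <= PORT <= hi)

def broadened(groups):
    """Wider check (an assumption, not the page's query): ranges, -1, IPv6."""
    hits = set()
    for g in groups:
        for perm in g.get("IpPermissions", []):
            v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
            if covers_port(perm) and (v4 or v6):
                hits.add(g["GroupId"])
    return sorted(hits)

print("page query:", page_query(SAMPLE_GROUPS), "| broadened:", broadened(SAMPLE_GROUPS))
```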

Create a Policy

  1. In your text editor, create a new file, and add the following content:

    Compliance policy
    ---
    title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 3349
    enabled: true
    policyType: Compliance
    alertEnabled: true
    queryId: LW_Custom_UnrestrictedIngressToTCP3349
    description: Security groups should not allow unrestricted ingress to TCP port 3349
    remediation: Policy remediation
    severity: medium
  2. Save the file as YAML with the filename LW_Custom_UnrestrictedIngressToTCP3349_Policy.yaml. Note the file's location.

  3. In the Lacework CLI, run this command:

    lacework policy create -f <path_to>/LW_Custom_UnrestrictedIngressToTCP3349_Policy.yaml

    The following response appears:

    The policy dev-default-75 was created.

Add the Policy to a Framework

DEPRECATED FEATURE

The lacework report-definition command described in this section is deprecated and will be replaced soon. For now, Lacework recommends that you add custom compliance policies to a framework in the Lacework Console, as described in Create a Custom Compliance Policy Using the Lacework Console.

The policy you just created is not a part of any report yet. To have your policy appear in a report using the Lacework CLI, create a custom framework based on an existing one or create a new framework.

Lacework provides hundreds of compliance policies, grouped by industry benchmarks (PCI, ISO27001, SOC2, HIPAA, and more), which get assessed daily. Choose the framework on which you want to base your custom framework with your custom policy.

When choosing a framework, consider that cloud security teams usually care about CIS for Security Posture baseline; compliance teams often care about just one or two industry benchmarks, but not all of them. You can have reports generated for those benchmarks sent to the teams interested in them in your organization.

note

Currently, a custom report can only contain compliance policies of the same cloud type (that is, only AWS, Google Cloud, or Azure compliance policies).

To add the policy to a custom framework, follow these steps:

  1. Enter the following command from the command line:
    lacework report-definition create
    tip

    In these steps, you create the custom framework interactively. Alternatively, you can create a custom framework by passing its definition to the command as a file, in the following format:

    lacework report-definition create --file my_framework.yml 
  2. At the prompt asking whether you want to create a report definition from a blank template or from an existing template, either add your policy to an existing template or create a new framework, as follows:
    • To add your policy to an existing template, enter y and follow these steps:
      1. Use arrows to scroll through the list of frameworks and choose one to serve as your template by highlighting it and pressing the enter key.
      2. In your text editor, modify the reportName and displayName, and add your custom policy by name, dev-default-75, to a section in the template. Your framework should look similar to the following:
        reportName: My Custom AWS NIST 800-171 Report
        displayName: My Custom AWS NIST 800-171 Report
        reportType: COMPLIANCE
        subReportType: AWS
        reportDefinition:
          sections:
            - category: ACCESS CONTROL
              title: 3.1.1. Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
              policies:
                - dev-default-75
                - AWS_CIS_1_1
                - AWS_CIS_1_3
                - AWS_CIS_1_12
                - AWS_CIS_1_24
                - AWS_CIS_2_1
                - AWS_CIS_2_2
                - AWS_CIS_4_4
                - LW_AWS_NETWORKING_2
                - LW_AWS_NETWORKING_3
                - LW_AWS_NETWORKING_5
                - LW_AWS_NETWORKING_7
                - LW_AWS_NETWORKING_8
                - LW_AWS_NETWORKING_9
                - LW_AWS_NETWORKING_10
                - LW_AWS_NETWORKING_11
            - category: ACCESS CONTROL
              title: 3.1.2. Limit system access to the types of transactions and functions that authorized users are permitted to execute.
              policies:
                - AWS_CIS_1_1
                - AWS_CIS_1_3
                ...
      3. Save and close the file.
    • To add your policy to a new framework, enter N and follow the steps as prompted by the CLI.

When you finish the custom configuration, the CLI displays a command for inspecting your new report definition with its unique ID. The compliance policy is now listed on the cloud compliance page, and appears in the next daily compliance report.