Skip to main content

Lacework AWS Security Addendum 1.0

Lacework AWS Security Addendum 1.0 policies supplement the CIS AWS benchmark with rules for AWS S3, IAM, Lambda, networking, analytics, database, and general security.

For a mapping between legacy Lacework rules and the Lacework AWS Security Addendum 1.0 policies, see CIS AWS 1.4.0 - Legacy Lacework AWS Rule Mapping.

Prerequisites

Before using Lacework AWS Security Addendum 1.0 policies, you need to integrate your AWS environment with the Lacework Compliance platform.

The following articles describe how to integrate your AWS environment with the Lacework Compliance platform, depending on your specific environment:

  1. Integrate Lacework with AWS - Terraform
    • Choose one of the configuration options to enable AWS configuration compliance. These articles provide guidance on multiple deployment scenarios.
  2. Integrate Lacework with AWS - AWS CloudFormation
  3. Integrate Lacework with AWS - AWS GovCloud (US)

Enable the Lacework AWS Security Addendum Policies

All policies in the Lacework AWS Security Addendum are disabled by default. You can enable them as follows.

Enable Policies through the Lacework Console

On the Policies page, use the framework:aws-lacework-security-1-0 tag to filter for Lacework AWS Security Addendum policies only. Enable or disable a policy using its status toggle: policy-status-toggle.png

Alternatively, you can modify multiple policies at once, as described on Batch Update Policies.

Bulk Enable Policies through the Lacework CLI

Enable all the Lacework AWS Security Addendum policies by using the following command in the Lacework CLI:

lacework policy enable --tag framework:aws-lacework-security-1-0
tip

If you have not used the CLI before, see the Lacework CLI guide to get started.

Lacework AWS Security Addendum Policies

1: Identity and Access Management

Policy IDPolicy NameSeverity
laceworkglobal115Ensure access keys are rotated every 30 days or lessMedium
lacework-global-116Ensure access keys are rotated every 45 days or lessMedium
lacework-global-117Ensure public ssh keys are rotated every 30 days or lessMedium
lacework-global-118Ensure public ssh keys are rotated every 45 days or lessMedium
lacework-global-119Ensure public ssh keys are rotated every 90 days or lessHigh
lacework-global-120Ensure active access keys are used every 90 days or lessHigh
lacework-global-121IAM user should not be inactive for more than 30 daysMedium
lacework-global-181Ensure non-root user exists in the accountMedium
lacework-global-142Ensure access keys are rotated every 350 days or lessMedium
lacework-global-141Ensure access keys are rotated every 180 days or lessCritical
lacework-global-105No IAM users with password-based console access should existMedium

2: Storage

Policy IDPolicy NameSeverity
laceworkglobal130Ensure the bucket ACL does not grant 'Everyone' READ permission (list S3 objects)Critical
lacework-global-131Ensure the bucket ACL does not grant 'Everyone' WRITE permission (create, overwrite, and delete S3 objects)Critical
lacework-global-132Ensure the bucket ACL does not grant 'Everyone' READ_ACP permission (read bucket ACL)Critical
lacework-global-133Ensure the bucket ACL does not grant 'Everyone' WRITE_ACP permission (modify bucket ACL)Critical
lacework-global-134Ensure the bucket ACL does not grant 'Everyone' FULL_CONTROL (READ, WRITE, READ_ACP, WRITE_ACP)Critical
lacework-global-135Ensure the bucket ACL does not grant AWS users READ permission (list S3 objects)Critical
lacework-global-136Ensure the bucket ACL does not grant AWS users WRITE permission (create, overwrite, and delete S3 objects)Critical
lacework-global-137Ensure the bucket ACL does not grant AWS users READ_ACP permission (read bucket ACL)Critical
lacework-global-138Ensure the bucket ACL does not grant AWS users WRITE_ACP permission (modify bucket ACL)Critical
lacework-global-139Ensure the bucket ACL does not grant AWS users FULL_CONTROL (READ, WRITE, READ_ACP, WRITE_ACP)Critical
lacework-global-140Ensure the attached S3 bucket policy does not grant 'Allow' permission to everyoneCritical
lacework-global-94Ensure the S3 bucket requires MFA to delete objectsMedium
lacework-global-217Ensure the S3 bucket has default server-side encryption enabled and encryption policyHigh
lacework-global-96Ensure all data is transported from the S3 bucket securelyHigh
lacework-global-97Ensure the S3 bucket has versioning enabledHigh
lacework-global-98Ensure the attached S3 bucket policy does not grant global 'Get' permissionCritical
lacework-global-99Ensure the attached S3 bucket policy does not grant global 'Delete' permissionCritical
lacework-global-100Ensure the attached S3 bucket policy does not grant global 'List' permissionCritical
lacework-global-101Ensure the attached S3 bucket policy does not grant global 'Put' permissionCritical

3: Logging

Policy IDPolicy NameSeverity
laceworkglobal95Ensure the S3 bucket has access logging enabledLow

4: Networking

Policy IDPolicy NameSeverity
laceworkglobal227Security groups are not attached to an in-use network interfaceLow
lacework-global-145Network ACLs do not allow unrestricted inbound trafficCritical
lacework-global-146Network ACLs do not allow unrestricted outbound trafficMedium
lacework-global-147AWS VPC endpoints should not be exposedMedium
lacework-global-148Security group inbound traffic should not allow inbound traffic from allCritical
lacework-global-149Security group inbound traffic should not allow traffic except port 80 and 443High
lacework-global-228Security group attached to EC2 instance should not allow inbound traffic from all portsCritical
lacework-global-229Security group attached to RDS DB instance should not allow inbound traffic from all portsCritical
lacework-global-230Security group attached to Network Interface should not allow inbound traffic from all portsCritical
lacework-global-231Security group attached to Elastic Load Balancer should not allow inbound traffic from all portsCritical
lacework-global-199Security group attached to Application Load Balancer should not allow inbound traffic from allCritical
lacework-global-150Security Group should not allow inbound traffic from all to TCP port 9200 or 9300 (Opensearch/Elasticsearch)High
lacework-global-151Security Group should not allow inbound traffic from all to TCP port 5601 (Kibana)High
lacework-global-152Security Group should not allow inbound traffic from all to TCP port 6379 (Redis)High
lacework-global-153Security Group should not allow inbound traffic from all to TCP port 2379 (etcd)High
lacework-global-225ELB SSL Certificate expires in 5 DaysHigh
lacework-global-226ELB SSL Certificate expires in 45 DaysHigh
lacework-global-154Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 23 (Telnet)High
lacework-global-155Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 135 (Windows RPC)High
lacework-global-156Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 445 (Windows SMB)High
lacework-global-104Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 3306 (MySQL)High
lacework-global-106Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5432 (PostgreSQL)High
lacework-global-107Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 1433 (SQLServer)High
lacework-global-108Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 1434 (SQLServer)High
lacework-global-109Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 4333 (MSQL)High
lacework-global-110Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5500 (VNC Listener)High
lacework-global-111Security group attached to EC2 instance should not allow inbound traffic from all to TCP port 5900 (VNC Server)High
lacework-global-112Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 137 (NetBIOS)High
lacework-global-113Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 138 (NetBIOS)High
lacework-global-114Security group attached to EC2 instance should not allow inbound traffic from all to UDP port 445 (CIFS)High
lacework-global-218EC2 instance should not allow inbound traffic from all to TCP port 21High
lacework-global-219EC2 instance should not allow inbound traffic from all to TCP port 20High
lacework-global-220EC2 instance should not allow inbound traffic from all to TCP port 25High
lacework-global-221EC2 instance should not allow inbound traffic from all to TCP port 53High
lacework-global-222EC2 instance should not allow inbound traffic from all to UDP port 53High
lacework-global-102Redshift Cluster should not be Publicly AccessibleHigh
lacework-global-223ELB Security Group should have Outbound Rules attached to itHigh
lacework-global-184ELB should not use insecure Cipher(s)High
lacework-global-103EC2 instance should be deployed in EC2-VPC platformHigh
lacework-global-125CloudFront Origin Protocol Policy should use https-onlyHigh
lacework-global-126CloudFront Origin SSL Protocols should not use insecure Cipher(s)High
lacework-global-127Security group should not allow inbound traffic from all to all ICMPHigh
lacework-global-482Classic LBs should have a valid and secure security groupHigh
lacework-global-157No Default VPC should be present in an AWS accountMedium
lacework-global-128EC2 instances should not have a Public IP address attachedMedium
lacework-global-159Load Balancers should have Access Logs enabledMedium
lacework-global-129CloudFront Viewer Protocol Policy should use https-onlyHigh
laceworkglobal483ELBs should have a valid and secure security groupHigh
lacework-global-93RDS should not have a Public InterfaceMedium
lacework-global-196EC2 instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB)High
lacework-global-197Elastic Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB)High
lacework-global-198Application Load Balancer instance should not allow inbound traffic from all to TCP port 27017 or 27018 (MongoDB)High
lacework-global-122OpenSearch Domain should not be exposedHigh
lacework-global-123OpenSearch Domain should be in Virtual Private Cloud (VPC)High

5: Lambda

Policy IDPolicy NameSeverity
laceworkglobal179Lambda Function should not have Admin PrivilegesCritical
lacework-global-180Lambda Function should not have Cross Account AccessCritical
lacework-global-143Lambda Function should have tracing enabledHigh
lacework-global-144Lambda Function should not have VPC accessLow

6: General Security

Policy IDPolicy NameSeverity
laceworkglobal89EC2 instance does not have any tagsHigh
lacework-global-90Ensure EBS Volumes are EncryptedMedium
lacework-global-160Ensure No Public EBS SnapshotsCritical
lacework-global-171Ensure RDS database is encrypted with customer managed KMS keyCritical
lacework-global-91Ensure Redshift Cluster is encryptedCritical
lacework-global-92Ensure no server certificate has been uploaded before Heartbleed vulnerabilityCritical
lacework-global-182Ensure ELB has latest Secure Cipher policies Configured for Session EncryptionCritical
lacework-global-224Ensure ELBv2 has latest Secure Cipher policies Configured for Session EncryptionCritical
lacework-global-183Ensure ELB is not affected by POODLE Vulnerability (CVE-2014-3566)Critical
lacework-global-124OpenSearch Domain should have Encryption At Rest enabledHigh
lacework-global-161OpenSearch Domain should have Encryption with KMS (Customer Managed Keys)High