Reports

PREVIEW FEATURE

This article describes enhanced report features that are currently in preview.

Overview

Reports let you communicate compliance and security information from Lacework to your teams in a regular, automated way. Using reports, you can deliver compliance and posture security report assessments as PDF files to users' email inboxes.

By default, Lacework does not generate reports. To have Lacework start generating and delivering reports, you need to create a report configuration.

A report configuration associates a compliance assessment framework to settings that control how reports are generated and delivered based on those frameworks. Lacework includes several default compliance frameworks, which you can supplement with your own custom assessments.

Report configuration parameters include the report frequency, the severity of policies to include, the status of evaluation results to include, and the email notification channel on which to distribute the report.

The report configuration also includes one or more resource groups. Resource groups give you precise control over the content of reports. For example, you can generate reports that include only resources in US regions, or only resources with a particular asset tag value. Using resource groups, you can precisely target reports for the intended report recipients. Any conditions on which you can compose resource groups can also determine the content of Lacework reports.

Reports versus Alerts

Alerts and reports contain the same information about issues detected by Lacework. Alerts are typically meant to be consumed soon after they occur, and may require immediate action. Alerts can be delivered through all channel types.

Reports are typically meant to be generated and delivered at regular intervals, such as once per day. They include a predefined information set, such as SOC 2 or NIST assessment results. Reports are delivered through email channels only.

Alerts facilitate a reactive workflow among security teams and service owners, allowing them to act in response to an event. Reports, on the other hand, facilitate a proactive workflow, allowing teams to discover and address compliance risk before those risks result in an event.

View Report Configurations

As a user with permissions to read reports, you can view report configurations and generated reports by clicking Reports in the left navigation.

Report configurations appear in the list. For each report configuration, the list presents a few details, including the resource group and delivery frequency, and information on when the configuration was last modified.

You can use the following methods to refine the list of report configurations displayed:

  • Use filters to display a subset of specific reports. Click the filter groups along the top of the page to display the list of filters associated with the selected filter group, then select the filters that you want to apply.

  • Use the search function at the top of the page to find a subset of specific reports.

  • Use the time filter to display a subset of specific reports based on their report time, that is, when they were generated. When you select a certain time frame, the Last run date changes to reflect the last run of this report configuration within the selected time frame. So, for example, if you select the previous week for the time frame, the Last run date shows the last day on which the report was generated.

The ability to view reports is subject to Lacework access controls, in particular, access permissions for the resource groups in the report configuration. You can only view reports that cover resources to which you have permissions.

View Reports

To see an individual report, click on a report configuration. The latest generated report appears in the right pane.

When the page displays your desired reports, you can click Save or Create view in the top right corner to save the view for later access. You can also copy the link to a saved view by opening the list of saved views and clicking the Share view icon of the view you want to share. You can then send that link to others so they can see the same view. For more details about saved views, refer to Views Management.

You can view previous instances of the report by clicking Report history. Lacework retains generated reports for 90 days. If your report retention requirements exceed 90 days, you should download and archive the reports.

Note: Report history is only available for reports that reflect a single account. For cross-account reports, the report history is disabled.

You can also preview and download reports directly from the details view of a framework in the Cloud Compliance Dashboard. To view a report by framework there, click the framework and then click Preview Report.

It may take a minute or two for the report preview to appear. Note that the report preview displays a subset of the policy assessments that make up the entire report, from only two accounts by default. You can download the report in PDF or CSV format to see the entire report.

Create Report Configurations

By default, Lacework does not generate or deliver reports. To enable Lacework reports, you need to create a report configuration as described here.

A report configuration specifies a set of policies and a user group and email notification channel on which to distribute the report. Before following these steps, therefore, make sure that the email notification channels, resource groups, and user groups that you want to use are already configured.

You should also choose the framework on which to base the reports. You can view available frameworks from the Cloud Compliance dashboard, where you can also modify or create assessments or preview reports, as described in View Reports.

A report can include policy assessment results from multiple AWS accounts, GCP projects, Azure tenants, or OCI compartments. However, reports are limited to having a maximum of 300 accounts, projects, tenants, or compartments. Attempting to exceed this limit results in a report generation error. Note that individual policy assessments within a report appear in alphabetical order by account.

To create a custom report configuration:

  1. Log in to the Lacework Console as a user with reports write permission.

  2. Navigate to the Reports page from the left navigation menu.

  3. Click Configure report.

  4. Select the user group for the report and click Next.

    Choosing a user group populates the report configuration with the resource groups associated with the user group. This aligns the intended audience for the report, identified by user group, with the resource groups allocated to them. You can refine the resource groups for the report configuration later.

    Only those user groups that you belong to are available for selection.

  5. Choose a template and click Next. Any assessment framework that appears in the Cloud Compliance Dashboard is available for use as a report template.

  6. Enter a name for the custom report configuration and configure the remaining fields:

    • Content: The Content section shows the template on which the report is based. Set or modify, as needed, the following items:

      • Severity specifies the severity level of the policies to be included in the report. If you remove medium severity, for example, the evaluation results of policies with medium severity are excluded from the generated reports.
      • Resource groups represent the resources that are assessed in the report. This is populated based on the user groups you selected, but you can refine the list as needed. Note that the resource groups available for selection are constrained by the type of template you chose. That is, if you choose an AWS-based template, resource groups for other cloud providers are not available.
      • Status refers to the evaluation result of each policy. By default, all statuses are included in the report. Exclude results by status by removing the status from the field. For more information, see Status definitions.
    • Schedule report: Choose one or more email channels on which to distribute the report, along with the frequency of report distribution. Note that email channels can be any email address or distribution list, not necessarily an email associated with a Lacework user account. Be sure to consider the sensitivity of the content generated by the report when choosing recipients.

      The report frequency determines how often the report is distributed, but note that the time of report assessment is controlled by the compliance report schedule time, which is daily at 12 PM GMT, by default.

  7. Click Save.

The report now appears in the reports list. It will be evaluated and distributed at the next report evaluation cycle. You can modify the default evaluation time in the General Settings page.

You can preview a report by clicking on the report configuration. It may take a minute or two for the report to appear. The report preview displays a subset of the policy assessments that make up the entire report, from only two accounts by default. You can download the report in PDF format to see the entire report.

You can modify the report configuration settings at any point, or disable the report. Disabling a report retains the configuration and historical reports (up to 90 days old), but prevents new reports from being generated.

Status Definitions

A report is made up of a collection of policy assessment results. Each assessment includes the following details:

Column and description:

  • ID: The Lacework identifier for the policy associated with each compliance assessment. You can see the mapping of Lacework IDs to benchmark-defined IDs under Compliance Frameworks. For example, for the CIS AWS 1.4.0 Benchmark report, the Lacework policy ID that corresponds to each CIS AWS 1.4.0 rule is listed on CIS AWS 1.4.0 Benchmark.

  • Policy: A description of the policy.

  • Status: The result of each policy assessment for this report:

    • Non-compliant - For the assessment in the selected report, this policy was not in compliance.
    • Compliant - For the assessment in the selected report, this policy was in compliance.
    • Suppressed - For the assessment in the selected report, this policy was omitted as an exception.
    • Manual - There is no way to determine if the policy is in compliance because the configuration status cannot be retrieved. You may want to manually check compliance directly in your cloud account.
    • Could Not Assess - Lacework encountered a problem while attempting to assess this policy. This status can result from insufficient privileges for the Lacework role while conducting a compliance assessment. If this status appears intermittently, it may be related to API availability or rate limiting affecting Lacework's ability to query the AWS IAM credentials report.

  • Severity: The severity of the policy: Critical, High, Medium, Low or Info.

  • Affected: The total number of resources assessed as non-compliant (failed) for this policy.

  • Assessed: The total number of resources assessed for this policy.

Affected and Assessed counts

If you configure multiple AWS accounts to use a single CloudTrail associated with a single AWS organization, Lacework correctly accesses the compliance status across the accounts. However, the Affected and Assessed counts may be reported as 0.

For example, under Logging, the AWS_CIS_2_1 - Ensure CloudTrail is enabled in all regions policy may be reported as compliant but Affected and Assessed counts report as 0.
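
The status definitions and the zero-count caveat above can be applied when triaging a downloaded CSV report. The following is an added example, not Lacework code: the CSV header names and status strings are assumptions modelled on the columns described above, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. The header names and status strings are assumptions
# modelled on the columns described above, not a documented export schema.
SAMPLE_CSV = """ID,Policy,Status,Severity,Affected,Assessed
AWS_CIS_2_1,Ensure CloudTrail is enabled in all regions,Compliant,High,0,0
example-policy-1,Constructed policy A,Non-Compliant,High,3,12
example-policy-2,Constructed policy B,Could Not Assess,Medium,0,0
example-policy-3,Constructed policy C,Manual,Low,0,0
example-policy-4,Constructed policy D,Non-Compliant,Critical,1,5
example-policy-5,Constructed policy E,Compliant,Medium,0,40
"""

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]


def triage(csv_text):
    """Group report rows into follow-up buckets based on Status and counts."""
    result = {"failing": [], "could_not_assess": [], "manual": [],
              "zero_count_compliant": [], "status_totals": Counter()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = row["Status"].strip().lower()
        result["status_totals"][status] += 1
        if status == "non-compliant":
            result["failing"].append(row)
        elif status == "could not assess":
            # Often a permissions or API rate-limit problem, not a pass.
            result["could_not_assess"].append(row["ID"])
        elif status == "manual":
            result["manual"].append(row["ID"])
        elif status == "compliant" and int(row["Assessed"]) == 0:
            # Compliant with nothing assessed: the shared-CloudTrail case
            # described above, so the count is not evidence of coverage.
            result["zero_count_compliant"].append(row["ID"])
    # Most severe failures first, then by number of affected resources.
    result["failing"].sort(key=lambda r: (SEVERITY_ORDER.index(r["Severity"]),
                                          -int(r["Affected"])))
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_CSV)
    for row in report["failing"]:
        print(row["Severity"], row["ID"], f'{row["Affected"]}/{row["Assessed"]}')
    print("could not assess:", report["could_not_assess"])
    print("manual review:", report["manual"])
    print("compliant with zero assessed:", report["zero_count_compliant"])
```

Rows in the "could not assess" and "manual" buckets are unknowns rather than passes, so they should be tracked separately from compliant results when the report is used as evidence.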