
AWS Compliance Reports

Notice of Deprecation

The AWS Compliance Reports page is being deprecated on 30th September 2022. The Cloud Compliance Dashboard and Reports pages replace the functionality in this page.

See Use Cases for Reports and Use Cases for Cloud Compliance Dashboard for guidance on viewing similar sections and data.

To populate the AWS data viewed in this page, you must configure an integration with at least one AWS account. For more information, see Integrate Lacework with AWS.

While the Compliance Dashboard provides a good overview of your accounts and resources, the Compliance Reports page is where data is presented to help you take action. The Compliance Reports page lets you drill down into the details of your security posture, such as policy recommendations and the associated non-compliant resources in violation.

Note: You can run a compliance report a maximum of 100 times a day.

View Reports

Select Compliance > AWS > Reports in the Lacework Console to display the AWS Compliance Reports page. The following drop-downs control the output displayed in the compliance report page:

  • Report Type
  • Account
  • Report Date

Report Types

Info: The CIS AWS 1.4.0 Benchmark Report is not displayed on this page. See CIS AWS 1.4.0 Benchmark Report for guidance.

Use the Report Type drop-down to select one of the following report types or benchmarks to report on:

  • AWS CIS Benchmark and S3 Report
  • AWS HIPAA Report
  • AWS ISO 27001:2013 Report
  • AWS NIST 800-171 Report
  • AWS NIST 800-53 Report
  • AWS PCI DSS Report
  • AWS SOC 2 Report
  • AWS SOC 2 Report Rev2

Report Filters

Use the Account drop-down and text field to specify the account to report on. You can select a specific account or you can enter text in this field to immediately start searching by account number or account alias.

Use the Report Date drop-down and text field to specify the compliance report run to report on, or enter text in this field to immediately start searching for a report run. For example, enter 2/ to find all the reports in February. By default, the latest report is selected and displayed. These reports are useful for reviewing specific points in time, because each one reflects your security posture at the given date and time.

After you specify a Report Type, Account, and Report Date, the reports page displays the corresponding compliance assessment data. A graph outlines the number of non-compliant recommendations by severity. The report displays a count of non-compliant recommendations alongside the number of recommendations assessed and suppressed, and likewise a count of non-compliant resources alongside the number of resources assessed and suppressed. These two sets of counts let you view the assessment either by recommendation or by resource.

Use the Recommendation Status drop-down filter below the graph and the compliance report counts to limit the output of the compliance report page by compliance status. For example, select Non-Compliant to limit the results to only those recommendations that were determined to be non-compliant when the selected compliance assessment run occurred. Each compliance assessment run is a snapshot in time: for example, the LW_S3_16 - Ensure the S3 bucket has versioning enabled recommendation could be non-compliant in the first assessment run and compliant in the next, because someone turned on versioning for the S3 bucket between the two runs. By default, the Recommendation Status drop-down is set to All; you can instead select one of the following recommendation status filter options: Non-Compliant, Compliant, Suppressed, Manual, or Could Not Assess. For a description of these statuses, see the Status column under Report Tables below.

Select the Recommendation Severity checkboxes to the right of the Recommendation Status drop-down to limit the recommendations reported on the page by severity. For example, select just the Critical checkbox to list only critical recommendations.

Download Reports

Click the Download Report icon to initiate a download of the currently open compliance report in PDF format. Like the Lacework Console, the PDF displays one recommendation per row and its status, compliant/non-compliant/suppressed/manual.

Click the Download CSV Report icon to initiate a download of report data about the currently open compliance report in CSV (comma-separated value) format. You can use the CSV file to import the report data into other tools such as spreadsheets or databases. The CSV data differs from the PDF data in the following ways:

  • The CSV contains non-compliant resources and suppressed resources.
  • Each CSV row represents one resource, so there can be multiple rows for the same recommendation. Each row in the PDF represents one recommendation.
  • The PDF groups resources together by recommendation. The CSV flattens the resources. For example:
    PDF
    Row 1: RecId_1, Non-Compliant
    CSV
    Row1: RecId_1, Resource_1, Non-Compliant
    Row2: RecId_1, Resource_2, Non-Compliant
    Row3: RecId_1, Resource_3, Non-Compliant
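As an added example (not part of the Lacework documentation or product), the following Python collapses the flattened CSV layout back into the PDF's one-row-per-recommendation view and recovers the Affected count per recommendation. The header names RecId, Resource and Status and the sample rows are constructed from the example above; the real export's header may differ.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the flattened CSV layout described above (header names are
# assumed; the real export's header may differ). Only non-compliant and suppressed
# resources appear, because the CSV export contains no compliant resources.
SAMPLE_CSV = """RecId,Resource,Status
RecId_1,Resource_1,Non-Compliant
RecId_1,Resource_2,Non-Compliant
RecId_1,Resource_3,Non-Compliant
LW_S3_16,example-bucket-a,Non-Compliant
LW_S3_16,example-bucket-b,Suppressed
AWS_CIS_1_1,root,Suppressed
"""

def rollup_by_recommendation(csv_text):
    """Collapse one-row-per-resource CSV data into one entry per recommendation.

    Mirrors how the PDF presents a recommendation: it is Non-Compliant if any of its
    resources is in violation, and Suppressed only if every resource is suppressed.
    Assessed counts cannot be recovered here, since compliant resources are not exported.
    """
    groups = defaultdict(lambda: {"affected": 0, "suppressed": 0, "resources": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        g = groups[row["RecId"]]
        g["resources"].append(row["Resource"])
        if row["Status"] == "Non-Compliant":
            g["affected"] += 1
        elif row["Status"] == "Suppressed":
            g["suppressed"] += 1
    for g in groups.values():
        g["status"] = "Non-Compliant" if g["affected"] else "Suppressed"
    return dict(groups)

def pdf_style_rows(csv_text):
    """Render the rollup as the PDF's 'RecId, Status' rows, non-compliant first."""
    rollup = rollup_by_recommendation(csv_text)
    ordered = sorted(rollup.items(), key=lambda kv: (kv[1]["status"] != "Non-Compliant", kv[0]))
    return [f"{rec_id}, {g['status']}" for rec_id, g in ordered]

if __name__ == "__main__":
    for line in pdf_style_rows(SAMPLE_CSV):
        print(line)
```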

Both download options are useful for providing reports to others in your organization who are responsible for remediating the non-compliant resources in violation.

Run a Report

Lacework runs a complete compliance assessment for all accounts on a regular schedule, typically once a day. To immediately initiate a compliance assessment run for a single account outside the regular schedule, click the Run a new report icon. Pending is displayed next to the icon while the assessment runs, which may take a few minutes. After the assessment completes, Pending is no longer displayed.

You can also verify that an assessment run for a single account is complete by looking at the drop-down options available under Report Date. The newest drop-down assessment run is the top Report Date drop-down item and is labeled with (Latest).

Note: Due to underlying AWS behavior, AWS compliance report content for Identity and Access Management can be updated only every four hours. This means IAM assessments retain the same status if a new report is generated within four hours of the latest report. For additional information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html.

Report Tables

The recommendation data presented in the Compliance Report is structured in category tables. For example, when viewing the CIS Benchmark and S3 Report, the following category tables are displayed: S3, Identity and Access Management, Logging, Monitoring, Networking, and Lacework (LW) General Security. In each of these category tables, the data points about recommendations are displayed in the following columns:

Column: Description

ID: Displays the unique identifier for the recommendation. For example, AWS_CIS_1_1 is the ID for the AWS CIS Benchmark 1.1 recommendation, and LW_S3_16 is the ID for the Lacework recommendation that S3 buckets should have versioning enabled.

Recommendation: Displays the description of the recommendation.

Status: Displays the status of the recommendation at the selected report date:
  1) Non-Compliant—During the assessment that occurred during the selected report run, this recommendation was not in compliance. It was in violation of the recommendation.
  2) Compliant—During the assessment that occurred during the selected report run, this recommendation was in compliance.
  3) Suppressed—During the assessment that occurred during the selected report run, this recommendation was completely suppressed. For more information, see Advanced Suppression in AWS Compliance Reports - Using Suppression.
  4) Manual—There is no way to determine whether the recommendation is in compliance because the configuration status cannot be retrieved. You may want to manually check compliance directly in AWS. For more information, see the remediation provided in Additional Info of the Actions column, described below.
  5) Could Not Assess—Lacework encountered a problem while attempting to assess this recommendation, for example because the required privileges have not been granted. During compliance assessment, Lacework queries the AWS IAM credentials report; if that report cannot be generated or assessed, for example due to AWS API behavior or rate limiting, this status may result.

Severity: Displays the severity of the recommendation: Critical, High, Medium, Low or Info.

Affected: Displays the total number of resources assessed as non-compliant (in violation) for this recommendation.

Assessed: Displays the total number of resources assessed for this recommendation.

Actions: Click the more (...) icon to reveal the following additional functionality:
  Additional Info provides additional information and documentation on the recommendation, such as a description, rationale, audit, and remediation.
  Advanced Suppression optionally configures suppression of this recommendation. For additional information, see AWS Compliance Reports - Using Suppression.

You can expand a recommendation that has a violation to view any non-compliant resources. Click a resource name to open that resource's details within Lacework Resource Inventory.

To sort by a column, click the column header. For example, to sort the recommendations of a table by severity, click Severity in the column header.

A note about the Affected and Assessed counts for multiple AWS accounts managed by a single AWS organization with a single CloudTrail: Lacework correctly assesses the compliance status when you configure multiple AWS accounts to use a single CloudTrail associated with a single AWS organization; however, the Affected and Assessed counts may be reported as 0. For example, under Logging, the AWS_CIS_2_1 - Ensure CloudTrail is enabled in all regions recommendation may be reported as compliant with Affected and Assessed counts of 0.

AWS CIS Compliance Benchmarks - Monitoring Sections

Background

CIS Benchmarks are consensus-based configuration guidelines developed by experts in the US government, business, industry, and academia to help organizations assess and improve the security of AWS deployments. They are generally accepted as security best practices, with no specific bearing on regulatory compliance regimes like PCI or HIPAA.

The AWS CIS benchmark sections 3.2 through 3.14 recommend monitoring for critical changes within AWS environments, such as disabling or deleting CMKs. The CIS standard further suggests meeting these requirements by combining AWS CloudTrail logs, Amazon CloudWatch alarms, and CloudWatch Events rules within your AWS account to detect and alert on critical changes. This requires, in every monitored AWS account, a specific filter for each of the events described in the table below and a matching filter for the detection action.

While this was a feasible approach for smaller environments, it adds overhead and does not align well with large-environment workflows where Operations and Security teams may be distributed. Also, with newer paradigms like centralized CloudTrail logging, teams can monitor for these changes effectively from a single aggregation source rather than a distributed implementation. The intent of the monitoring section remains valid as a best practice for monitoring critical infrastructure changes; however, the suggested methods can be improved with newer efficiencies.

Recommendation

As an alternative, Lacework continuously monitors for critical infrastructure changes via AWS CloudTrail logs for one or all accounts configured for monitoring, whether the logs are aggregated in a single CloudTrail account or distributed. By default, Lacework implements a series of AWS CloudTrail policies that map specifically to the CIS Monitoring section, providing similar coverage at an aggregated level rather than account by account and removing the need to implement a filter in each AWS account. Because this monitoring within Lacework's CloudTrail policies runs continuously, Lacework recommends either a manual review of CloudWatch alarms or enabling suppressions for the CIS Monitoring section of the AWS CIS compliance report.

The following table maps CIS Compliance benchmark recommendations to Lacework CloudTrail policies.

CIS Compliance Benchmark Recommendation | Lacework CloudTrail Policies
AWS_CIS_3_2 - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA | LW_CT_IAM_26 - Successful Console Login Without MFA
AWS_CIS_3_3 - Ensure a log metric filter and alarm exist for usage of "root" account | LW_CT_IAM_28 - Usage of Root Account
AWS_CIS_3_4 - Ensure a log metric filter and alarm exist for IAM policy changes | LW_CT_IAM_14 - IAM Policy Changed
AWS_CIS_3_5 - Ensure a log metric filter and alarm exist for CloudTrail configuration changes | LW_CT_CloudTrail_18 - CloudTrail Changed; LW_CT_CloudTrail_19 - CloudTrail Stopped; LW_CT_CloudTrail_20 - CloudTrail Deleted
AWS_CIS_3_6 - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures | LW_CT_IAM_27 - Failed Console Login
AWS_CIS_3_7 - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs | LW_CT_KMS_23 - Customer Master Key Disabled; LW_CT_KMS_25 - Customer Master Key Scheduled For Deletion
AWS_CIS_3_8 - Ensure a log metric filter and alarm exist for S3 bucket policy changes | LW_CT_S3_12 - S3 Bucket Policy Changed
AWS_CIS_3_9 - Ensure a log metric filter and alarm exist for AWS Config configuration changes | LW_CT_AWSConfig_30 - Config Service Change
AWS_CIS_3_10 - Ensure a log metric filter and alarm exist for security group changes | LW_CT_VPC_4 - Security Group Change
AWS_CIS_3_11 - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) | LW_CT_VPC_5 - NACL Change
AWS_CIS_3_12 - Ensure a log metric filter and alarm exist for changes to network gateways | LW_CT_VPC_7 - Network Gateway Change
AWS_CIS_3_13 - Ensure a log metric filter and alarm exist for route table changes | LW_CT_VPC_9 - Route Table Change
AWS_CIS_3_14 - Ensure a log metric filter and alarm exist for VPC changes | LW_CT_VPC_8 - VPN Gateway Change
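To show what the aggregated approach described above looks like in practice, the following Python runs CIS 3.x-style conditions over CloudTrail records from a single organization trail, using recipientAccountId to attribute each finding to its member account instead of needing one metric filter per account. This is an added illustration, not Lacework's own policy code: the predicates follow the CIS benchmark's published metric filter patterns for 3.2, 3.3, 3.5 and 3.7 only, and the records, account IDs and identities are constructed.

```python
# Constructed CloudTrail records (not real log data) in the shape an aggregated
# organization trail delivers: recipientAccountId identifies the member account,
# so one detector covers every account instead of one metric filter per account.
SAMPLE_RECORDS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "recipientAccountId": "111111111111", "userIdentity": {"type": "IAMUser"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",
     "recipientAccountId": "222222222222", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "recipientAccountId": "222222222222", "userIdentity": {"type": "IAMUser"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "recipientAccountId": "111111111111", "userIdentity": {"type": "AssumedRole"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "recipientAccountId": "111111111111", "userIdentity": {"type": "IAMUser"}},
]

def _console_login_without_mfa(r):
    # CIS 3.2: successful ConsoleLogin where MFAUsed is not "Yes"
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success")

def _root_usage(r):
    # CIS 3.3: userIdentity.type is Root, not invoked by a service, not a service event
    ident = r.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and r.get("eventType") != "AwsServiceEvent")

# Benchmark IDs from the table above mapped to the equivalent of their filter conditions.
CIS_MONITORING_RULES = {
    "AWS_CIS_3_2": _console_login_without_mfa,
    "AWS_CIS_3_3": _root_usage,
    "AWS_CIS_3_5": lambda r: r.get("eventName") in {"CreateTrail", "UpdateTrail",
                                                    "DeleteTrail", "StartLogging", "StopLogging"},
    "AWS_CIS_3_7": lambda r: (r.get("eventSource") == "kms.amazonaws.com"
                              and r.get("eventName") in {"DisableKey", "ScheduleKeyDeletion"}),
}

def evaluate(records):
    """Return (benchmark_id, account_id, eventName) for every record matching a rule."""
    hits = []
    for r in records:
        for cis_id, matches in CIS_MONITORING_RULES.items():
            if matches(r):
                hits.append((cis_id, r.get("recipientAccountId"), r.get("eventName")))
    return hits
```

Because every finding carries the member account, a central team can review the results per account without deploying anything into the accounts themselves.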