
Using Suppression

Notice of Deprecation

The Using Suppression page is being deprecated on 30th September 2022. The Add Compliance Policy Exceptions page replaces the functionality described here.

To maximize the value of Lacework AWS compliance reports, Lacework recommends using suppression. In addition to the report itself, Lacework creates an alert for every violation when the report is first run. Subsequently, Lacework creates an alert when a compliant recommendation changes to non-compliant or if an additional resource associated with a non-compliant recommendation produces a violation. Automated reports run once a day and additional reports can be run on demand.

Use suppression to help create a structured view of your AWS resources. In addition, it allows you to focus on the assets that are most important to you.

Suppression

To use suppression and write exceptions, go to Compliance > AWS / Azure / GCP > Reports in the Lacework Console. Select a recommendation with a violation and expand it to view the non-compliant resources, each with the option to suppress. If you determine that a non-compliant resource is expected, you can mark it as an exception, which means that it will no longer be assessed.

sp_01.png

If you want to mark all shown resources as exceptions, you can click in the Actions column and select Suppress these violations only, which is helpful if you have a long list and want to select all the resources.

sp_02.png

You can reactivate resources by either unchecking them individually or by clicking the Actions column and selecting Restore these violations only.

Advanced Suppression

When expanding the Actions column, you can also select Advanced Suppression, which provides additional options. To disable the recommendation entirely, click Off in the Status column. Turning off a recommendation means that it will no longer be assessed as part of the compliance report.

sp_03.png

Create a New Exception

To create a new custom exception, click +New Exception. The available fields depend on the type of recommendation. Less complex recommendations typically have fewer options.

Use of ARN format for AWS policies

Do not use the whole ARN format when entering the resource ID or policy name.

For example, if the ARN for a policy is arn:aws:iam::*:policy/my/arn/path/user-policy, enter user-policy for the policy name.

This applies to all relevant AWS policies except LW_AWS_SERVERLESS_*, where the full ARN of the Lambda function is required.

Exception Logic

When there is more than one manual field available for an exception (not including cloud account / region dropdowns), they function with OR logic.

For example, LW_AWS_NETWORKING_5 allows you to enter both a Group Id/Name and Tags for the exception:

console-aws-reports-suppresion-lw_aws_networking_5-template.png

If you were to enter mySecurityGroup* for Group Id/Name and myKey:myValue for Tags, the exception applies to any Security Group named "mySecurityGroup..." or any with those specific tags.

console-aws-reports-suppresion-lw_aws_networking_5-example.png

Exceptions Using Tags

Certain AWS and Azure policies can be suppressed through the use of tags (see AWS CIS 1.1.0 - Exception Criteria for a full list of compatible and non-compatible AWS policies). You can use tags on your security groups to automatically suppress security groups that are in violation by design.

For example, you could create an AWS tag named ssh_access with the values open and limited. You could then add the open value to any security group that you intend to be reachable from 0.0.0.0/0. As long as the tag was included when the security group was created, the exception for the new security group is created automatically.

sp_04.png

After adding your tags, click Add Tag, Add Exception, and Save to save your custom suppression policy. In this example, you also have options to customize suppression by account, region, and GroupID/Name.
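To make the OR logic from the Exception Logic section and the tag-based suppression above concrete, here is an added illustration (not Lacework's own code) that models an exception with a Group Id/Name field and a Tags field and applies it to a constructed list of violating security groups. It assumes the trailing "*" behaves as a glob wildcard and that a Tags entry is written as key:value.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed model of the exception semantics described on this page; it is
# not Lacework's own code. A security group is exempt when ANY filled-in
# manual field matches (OR logic). The trailing "*" in the Group Id/Name
# field is treated as a glob wildcard, and a Tags entry has the form
# "key:value" (assumptions made for this illustration).

@dataclass
class SecurityGroup:
    group_id: str
    name: str
    tags: Dict[str, str]

@dataclass
class SuppressionException:
    group_pattern: Optional[str] = None  # e.g. "mySecurityGroup*"
    tag: Optional[str] = None            # e.g. "ssh_access:open"

    def matches(self, sg: SecurityGroup) -> bool:
        checks = []
        if self.group_pattern:
            checks.append(fnmatchcase(sg.group_id, self.group_pattern)
                          or fnmatchcase(sg.name, self.group_pattern))
        if self.tag:
            key, _, value = self.tag.partition(":")
            checks.append(sg.tags.get(key) == value)
        # OR across the manual fields; an exception with no fields suppresses nothing
        return any(checks)

def remaining_violations(violating: List[SecurityGroup],
                         exceptions: List[SuppressionException]) -> List[str]:
    """Return ids of groups still reported after applying all exceptions."""
    return [sg.group_id for sg in violating
            if not any(exc.matches(sg) for exc in exceptions)]

# Constructed sample: three groups that all violate the same recommendation
VIOLATING = [
    SecurityGroup("sg-0a1", "mySecurityGroup-prod", {"env": "prod"}),
    SecurityGroup("sg-0b2", "bastion", {"myKey": "myValue"}),
    SecurityGroup("sg-0c3", "legacy-db", {"ssh_access": "limited"}),
]
EXCEPTIONS = [SuppressionException(group_pattern="mySecurityGroup*", tag="myKey:myValue")]

if __name__ == "__main__":
    print(remaining_violations(VIOLATING, EXCEPTIONS))  # ['sg-0c3']
```

Only the group that matches neither the name pattern nor the tag stays in the report, which is the behaviour the worked example on this page describes.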

Lacework compliance suppression is very flexible and powerful. Take the time to write exceptions so you can focus on your most important assets.

Note: Certain GCP policies can also be suppressed through the use of resource labels, which works very much like suppressing policies by using tags.