IaC Lacework Policies
Lacework IaC Security is converting its existing policies to Rego. While the old checkov or tfsec policies temporarily co-exist with their Rego replacements, you may notice duplicate findings. To deal with this, Lacework offers suppression options for both the Code Security App and CI/CD integrations.
Assessments
Invoked via Code Security App and CI/CD
In the Console, the new Lacework-authored policies are visible as part of your assessment findings. The old policies they replace can be seen under Suppressed findings (Soluble) / Exceptions (Lacework).
Note that these new policies have been reviewed and tested by Lacework, and they do not necessarily use the same logic as the checkov or tfsec policies they replace. As a result, some false positive findings may disappear and some true positive findings may newly appear.
Invoked via the CLI
The CLI runs one tool per scan, for example a checkov scan or a tfsec scan. Therefore, all the policies for a given tool are evaluated.
Duplicate Findings
For assessments invoked via the Code Security App and CI/CD, Lacework suppresses the findings of the old policies to avoid duplication. Because assessments are built dynamically, the old policies also show up as suppressed in previously run assessments.
Published Lacework Policies
Policies converted to Rego are released in small batches. In cases where an existing policy is no longer relevant, it is deprecated without replacement.
The following table tracks released Rego policies.
Policy Mapping
| Policy Name | Lacework Policy ID | Checkov Policy ID | Tfsec Policy ID | Publish Date |
|---|---|---|---|---|
| EKS should not allow public access to API endpoint | lacework-iac-aws-network-1 | ckv-aws-38 | tfsec-aws068, tfsec-aws069 | 7/10/23 |
| Ensure RDS cluster has IAM authentication enabled | lacework-iac-aws-iam-1 | ckv-aws-162 | | 7/10/23 |
| Pods should not run containers with allowPrivilegeEscalation | lacework-iac-k8s-security-2 | ckv-k8s-20 | | 7/10/23 |
| KMS master keys should not be globally accessible | lacework-iac-aws-security-1 | ckv-aws-33 | | 7/10/23 |
| Container image should be versioned | lacework-iac-k8s-workload-1 | ckv-k8s-43 | | 7/27/23 |
| Minimize the execution of container workloads with added capabilities | lacework-iac-k8s-workload-2 | ckv-k8s-24 | | 7/27/23 |
| Minimize the execution of container workloads with the NET_RAW capability | lacework-iac-k8s-workload-3 | ckv-k8s-7, ckv-k8s-28 | | 7/27/23 |
| AWS resources must specify a Security Group | lacework-iac-aws-network-2 | ckv2-aws-5 | | 7/27/23 |
| Apply security context to pods and containers | lacework-iac-k8s-security-1 | ckv-k8s-29, ckv-k8s-30 | | 7/27/23 |
| An inbound firewall rule allows traffic from /0 | lacework-iac-gcp-network-1 | | tfsec-gcp003 | 7/27/23 |
| Amazon ALBs should implement HTTPS | lacework-iac-aws-tls-1 | ckv-aws-2 | tfsec-aws004 | 8/4/23 |
| An outdated SSL policy is in use by a load balancer | lacework-iac-aws-tls-2 | | tfsec-aws010 | 8/4/23 |
| CloudFront distribution uses outdated SSL/TLS protocols | lacework-iac-aws-tls-3 | | tfsec-aws021 | 8/4/23 |
| API Gateway domain name uses outdated SSL/TLS protocol | lacework-iac-aws-tls-4 | | tfsec-aws025 | 8/4/23 |
| ElasticSearch domain endpoint uses outdated TLS policy | lacework-iac-aws-tls-5 | | tfsec-aws034 | 8/4/23 |
| Network ACL allows ingress from 0.0.0.0/0 | lacework-iac-aws-network-3 | | tfsec-aws049 | 8/4/23 |
| Network ACL ingress must not permit all ports | lacework-iac-aws-network-4 | | tfsec-aws050 | 8/4/23 |
| S3 bucket does not block public access | lacework-iac-aws-storage-1 | ckv-aws-53, ckv-aws-54, ckv-aws-55, ckv-aws-56 | tfsec-aws001, tfsec-aws074, tfsec-aws075, tfsec-aws076 | 8/4/23 |
| DAX Cluster should encrypt data at rest | lacework-iac-aws-encryption-2 | | tfsec-aws081 | 8/17/23 |
| Unencrypted SNS topic | lacework-iac-aws-encryption-4 | | tfsec-aws016 | 8/17/23 |
| A KMS key is not configured to auto-rotate | lacework-iac-aws-encryption-5 | | tfsec-aws019 | 8/17/23 |
| CloudFront viewer protocol policy should be set to https-only or redirect-to-https | lacework-iac-aws-encryption-6 | | tfsec-aws020 | 8/17/23 |
| EKS Clusters should encrypt secrets | lacework-iac-aws-encryption-10 | | tfsec-aws066 | 8/17/23 |
| EKS Cluster should have control plane logging enabled | lacework-iac-aws-logging-1 | ckv-aws-37 | tfsec-aws067 | 8/17/23 |
| S3 bucket does not have access logging | lacework-iac-aws-storage-2 | | tfsec-aws002 | 8/17/23 |
| RDS instance is publicly accessible | lacework-iac-aws-storage-3 | | tfsec-aws011 | 8/17/23 |
| RDS instance does not encrypt Performance Insights | lacework-iac-aws-storage-4 | | tfsec-aws053 | 8/17/23 |
| Athena database not encrypted at rest | lacework-iac-aws-storage-5 | ckv-aws-77 | tfsec-aws059 | 8/17/23 |
| Athena workgroup not encrypted at rest | lacework-iac-aws-storage-6 | ckv-aws-159 | tfsec-aws060 | 8/17/23 |
| S3 Versioning should be enabled | lacework-iac-aws-storage-7 | ckv-aws-21 | tfsec-aws077 | 8/17/23 (replacing tfsec-aws077), 9/19/23 (replacing ckv-aws-21) |
| ECR should have immutable image tags | lacework-iac-aws-storage-8 | | tfsec-aws078 | 8/17/23 |
| Launch configuration with unencrypted block device | lacework-iac-aws-encryption-1 | | tfsec-aws014 | 8/29/23 |
| Unencrypted SQS queue | lacework-iac-aws-encryption-3 | | tfsec-aws015 | 8/29/23 |
| An MSK cluster allows unencrypted data in transit | lacework-iac-aws-encryption-7 | | tfsec-aws022 | 8/29/23 |
| Elasticsearch domain is not encrypted at rest | lacework-iac-aws-encryption-8 | | tfsec-aws031 | 8/29/23 |
| CodeBuild artifacts and logs should be encrypted | lacework-iac-aws-encryption-9 | ckv-aws-78, ckv-aws-147 | tfsec-aws080 | 8/29/23 |
| CloudTrail log files should be encrypted with customer managed KMS keys | lacework-iac-aws-encryption-11 | ckv-aws-35 | tfsec-aws065 | 8/29/23 |
| ElasticSearch node-to-node encryption not enabled | lacework-iac-aws-encryption-12 | | tfsec-aws055 | 8/29/23 |
| ElasticSearch domains should enforce HTTPS | lacework-iac-aws-encryption-14 | ckv-aws-054 | tfsec-aws033, tfsec-aws054 | 8/29/23 |
| RDS Cluster should have storage encryption enabled | lacework-iac-aws-encryption-16 | | tfsec-aws051 | 8/29/23 |
| RDS DB instance should have storage encrypted | lacework-iac-aws-encryption-17 | | tfsec-aws052 | 8/29/23 |
| Unencrypted Elasticache Replication Group | lacework-iac-encryption-18 | ckv-aws-29 | tfsec-aws035 | 8/29/23 |
| Elastic File System should be encrypted | lacework-iac-encryption-19 | ckv-aws-184 | tfsec-aws048 | 9/12/23 |
| Enable transit encryption for Elasticache RG | lacework-iac-aws-encryption-20 | | tfsec-aws036 | 9/12/23 |
Policy Deprecation
The following tables track policies that have been deprecated without a replacement Lacework policy.
Policies may be deprecated for various reasons, including but not limited to:
- the resource, service or feature targeted by the policy has itself been deprecated
- the policy lacks a security rationale
checkov Policies
AWS
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| ckv-aws-11 | Ensure IAM password policy requires at least one lowercase letter | 9/11/23 |
| ckv-aws-12 | Ensure IAM password policy requires at least one number | 9/11/23 |
| ckv-aws-14 | Ensure IAM password policy requires at least one symbol | 9/11/23 |
| ckv-aws-15 | Ensure IAM password policy requires at least one uppercase letter | 9/11/23 |
| ckv-aws-19 | Ensure all data stored in the S3 bucket is securely encrypted at rest | 7/3/23 |
| ckv-aws-145 | Ensure that S3 buckets are encrypted with KMS by default | 7/3/23 |
Google Cloud
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| ckv-gcp-24 | GKE is enabled with PodSecurityPolicy check | 8/10/23 |
Kubernetes (K8s)
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| ckv-k8s-1 | Minimize the admission of containers wishing to share the host process ID namespace | 8/10/23 |
| ckv-k8s-2 | Minimize the admission of privileged containers in PodSecurityPolicy | 8/10/23 |
| ckv-k8s-3 | Minimize the admission of containers wishing to share the host IPC namespace | 8/10/23 |
| ckv-k8s-4 | Minimize the admission of containers wishing to share the host network namespace | 8/10/23 |
| ckv-k8s-5 | Minimize the admission of containers with allowPrivilegeEscalation | 8/10/23 |
| ckv-k8s-6 | Minimize the admission of root containers | 8/10/23 |
| ckv-k8s-11 | CPU limits should be set | 8/16/23 |
| ckv-k8s-16 | Minimize the admission of privileged containers | 8/10/23 |
| ckv-k8s-17 | CronJob containers should not share the host process ID namespace | 8/10/23 |
| ckv-k8s-18 | CronJob containers should not share the host IPC namespace | 8/10/23 |
| ckv-k8s-19 | CronJob containers should not share the host network namespace | 8/10/23 |
| ckv-k8s-23 | Minimize the admission of root containers | 8/10/23 |
| ckv-k8s-36 | Minimize the admission of containers with capabilities assigned | 8/10/23 |
| ckv-k8s-39 | Do not use the CAP_SYS_ADMIN Linux capability | 8/10/23 |
| ckv-k8s-40 | Containers should run as a high UID to avoid host conflict | 8/10/23 |
| ckv-k8s-84 | Ensure that the admission control plugin PodSecurityPolicy is set | 8/10/23 |
tfsec Policies
AWS
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| tfsec-aws017 | Unencrypted S3 bucket | 7/3/23 |
| tfsec-aws041 | IAM Password policy should have requirement for at least one number in the password | 9/11/23 |
| tfsec-aws042 | IAM Password policy should have requirement for at least one lowercase character | 9/11/23 |
| tfsec-aws043 | IAM Password policy should have requirement for at least one uppercase character | 9/11/23 |
Google Cloud
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| tfsec-gcp009 | Pod security policy enforcement not defined | 8/10/23 |