lacework / terraform-aws-agentless-scanning

Terraform module for configuring an integration with Lacework and AWS for agentless scanning
MIT License

feat: Support creation of vpc flow logs #86

Open p5 opened 1 year ago

p5 commented 1 year ago

Feature Request

Describe the Feature Request

We should ensure the modules provided are compliant, and will not result in new vulnerabilities being detected in the Lacework platform. As it stands, this module does not create VPC Flow Logs, so by deploying this module, the security scores are being decreased.
This fails the "CIS Amazon Web Services Foundations Benchmark v1.4.0" CIS 3.9 policy since it does not create any flow logs.

Describe Preferred Solution

Enable the option to create VPC Flow Logs to an S3 bucket or CloudWatch log group. This should be disabled by default, until the next "breaking" release.

p5 commented 1 year ago

Some other changes that could be updated to make the Lacework modules more compliant with the various standards:

(Will be updating this list as and when I find some, and will create separate issues later)

bebold-jhr commented 1 year ago

My understanding of this module is that it should give the consumers the possibility to "easily" create everything needed to make use of lacework agentless scanning. I see the use case, but hear me out. Another approach could be to let the consumer handle the networking and just pass the necessary information into the module. This would drastically reduce the complexity of the module, because right now both cases have to be handled for each module: "bring-your-own-resource" and "module created resource". This would also mean that it would be a lot easier for the module to be compliant with the default set of policies provided by lacework (as mentioned by @p5). And in my opinion it would shift the focus more towards the key components relevant for agentless scanning.

mbmblbelt commented 2 months ago

@theopolis Would you mind assigning someone to this issue and/or providing an update? As it stands, this results in the lacework-agentless-scanning-vpc created by this module being marked as non-compliant for the lacework-global-79 policy.

It's easy enough to add our own aws_flow_log resource in conjunction with this module but it seems like something that should be provided with it. Ideally any module provided by Lacework, if properly configured, should not result in the creation of resources that violate the Lacework Compliance Policies.
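The workaround described in the comment above, written out as an added example (it is not code from this thread or from the lacework/terraform-aws-agentless-scanning module): an `aws_flow_log` attached to the scanning VPC, delivered to a dedicated S3 bucket. The VPC id is assumed to arrive through a `scanning_vpc_id` variable wired from the module's output (the module's actual output name is not stated on this page, so check it before use); the bucket and the IAM-style bucket policy for the `delivery.logs.amazonaws.com` service principal follow the AWS-documented shape for S3 flow-log destinations.

```hcl
# Added example, not part of the module or the issue thread.
# Assumption: var.scanning_vpc_id carries the id of the VPC the
# agentless-scanning module creates (wire it from the module's output).
variable "scanning_vpc_id" {
  description = "ID of the VPC created by the agentless scanning module (assumed wiring)"
  type        = string
}

data "aws_caller_identity" "current" {}

# Dedicated, private, encrypted bucket for the flow-log records.
resource "aws_s3_bucket" "flow_logs" {
  bucket_prefix = "agentless-scanning-flow-logs-"
}

resource "aws_s3_bucket_public_access_block" "flow_logs" {
  bucket                  = aws_s3_bucket.flow_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "flow_logs" {
  bucket = aws_s3_bucket.flow_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Bucket policy letting the VPC Flow Logs delivery service write records,
# scoped to this account so another account's logs cannot land here.
resource "aws_s3_bucket_policy" "flow_logs" {
  bucket = aws_s3_bucket.flow_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSLogDeliveryWrite"
        Effect    = "Allow"
        Principal = { Service = "delivery.logs.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.flow_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl"      = "bucket-owner-full-control"
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      },
      {
        Sid       = "AWSLogDeliveryAclCheck"
        Effect    = "Allow"
        Principal = { Service = "delivery.logs.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.flow_logs.arn
        Condition = {
          StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
        }
      }
    ]
  })
}

# CIS 3.9 is satisfied by traffic_type REJECT or ALL; ALL keeps accepted
# traffic too, which is what detection engineering usually wants.
resource "aws_flow_log" "scanning_vpc" {
  vpc_id                   = var.scanning_vpc_id
  traffic_type             = "ALL"
  log_destination_type     = "s3"
  log_destination          = aws_s3_bucket.flow_logs.arn
  max_aggregation_interval = 60

  depends_on = [aws_s3_bucket_policy.flow_logs]
}
```

To deliver to a CloudWatch log group instead (the other option named in the issue), swap `log_destination_type` to `"cloud-watch-logs"`, point `log_destination` at the log group ARN, and supply an `iam_role_arn` for a role that `vpc-flow-logs.amazonaws.com` may assume with `logs:CreateLogStream` and `logs:PutLogEvents` on that group.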

reggora-mmatney commented 2 months ago

cc @afiune Apologies, I left the previous comment from my personal account. We are using this module at Reggora and would like an update on whether or not this will be fixed and what the timeline might be. In the meantime, I'll be implementing a custom fix so that the VPC resources are not marked non-compliant. Thanks

p5 commented 2 months ago

Unfortunately I do not have access to the Lacework platform any longer, so will be suppressing notifications for this issue. I trust the other participants on this thread can carry this forward as I can no longer add value.

But I do agree that if Lacework provides a module, that module should not negatively impact the Lacework security ratings.

Thanks Rob