Compliance Assessment Tool FAQs

For more information on the complimentary Cloud Compliance Assessment tool provided by Lacework, please refer to the common questions answered below:

  1. What is Lacework?
    • Lacework is the data-driven security company for the cloud. The Lacework Polygraph® Data Platform is offered as-a-Service and delivers build-time to run-time threat detection, ML-powered behavioral anomaly detection, and cloud compliance across AWS, GCP, Azure, and Kubernetes services, workloads, and containers. Trusted by enterprise customers worldwide, Lacework significantly drives down costs and risk, and removes the burden of unnecessary toil, rule writing, and inaccurate alerts.
  2. What exactly does this tool do?
    • The Cloud Compliance Assessment tool provides a one-time compliance scan of one AWS cloud account across a selected compliance framework. Once you complete the request form you will be emailed instructions on how to deploy a simple CloudFormation template that connects Lacework to your single account with read only permissions. After being successfully integrated, Lacework will perform a one-time scan of your environment’s resources and configurations and deliver your selected compliance report in <24 hours. Once you receive your report, be sure to delete the CloudFormation stack that was created from the provided template. 

      Note that the Cloud Compliance Assessment does not capture CloudTrail events for ML processing and visualization with Polygraph in Lacework. If you are interested in processing cloud audit logs with Lacework please engage with us directly:

  3. I see Lacework uses CloudFormation. What resources and permissions are created as part of the deployment?
    • To allow Lacework to scan your AWS resources (e.g. networking, IAM, S3 bucket configurations, etc), the CloudFormation template will create the following resources with a unique ExternalID per deployment:
      • A cross account access role with Lacework’s AWS account (laceworkcwsrole-sa) with matching ExternalID
      • Addition of the AWS-managed SecurityAudit policy to the newly created laceworkcwsrole-sa role. Get additional information on this policy.

      When the template is deployed a notification will be sent to a Lacework managed SNS topic that will initiate the one-time scan.

      To inspect the CloudFormation template further and the resources it creates, you can inspect the template file that is sent in the welcome email.

  4. How is my information protected?
  5. What if I want to scan more than one AWS account or a different compliance standard?
    • Please engage with your Lacework account team to discuss the capabilities and comprehensive value of the Lacework platform and deployment for other accounts and workloads.
  6. What should I expect when using this tool and follow-up from Lacework?
    • Once you obtain your final report, a notification is sent to your account team. A representative will then follow up to discuss how Lacework can help you proactively manage risk and meet compliance requirements. You may opt out at any time in accordance with our Privacy Policy.

Trusted by Global Innovators

  • vmware
  • snowflake
  • nextdoor
  • pocketgems
  • cloudera