
feat: Support creation of vpc flow logs #86

Open
p5 opened this issue Jun 16, 2023 · 5 comments
Labels
feat New feature

Comments

@p5

p5 commented Jun 16, 2023

Feature Request

Describe the Feature Request
We should ensure the modules provided are compliant, and will not result in new vulnerabilities being detected in the Lacework platform. As it stands, this module does not create VPC Flow Logs, so by deploying this module, the security scores are being decreased.
This fails the "CIS Amazon Web Services Foundations Benchmark v1.4.0" CIS 3.9 policy since it does not create any flow logs.

Describe Preferred Solution
Enable the option to create VPC Flow Logs to an S3 bucket or CloudWatch log group.
This should be disabled by default, until the next "breaking" release.

@p5
Author

p5 commented Jun 16, 2023

Some other changes that could be updated to make the Lacework modules more compliant with the various standards:

  • Deny inbound access to NACLs (lacework-global-67)
  • Integrate CloudTrail with CloudWatch Logs

(Will be updating this list as and when I find some, and will create separate issues later)

@bebold-jhr
Contributor

bebold-jhr commented Aug 8, 2023

My understanding of this module is that it should give the consumers the possibility to "easily" create everything needed to make use of lacework agentless scanning. I see the use case, but hear me out.
Another approach could be to let the consumer handle the networking and just pass the necessary information into the module.
This would drastically reduce the complexity of the module, because right now both cases have to be handled for each module: "bring-your-own-resource" and "module created resource".
This would also mean that it would be a lot easier for the module to be compliant with the default set of policies provided by lacework (as mentioned by @p5).
And in my opinion it would shift the focus more towards the key components relevant for agentless scanning.

@mbmblbelt

@theopolis Would you mind assigning someone to this issue and/or providing an update? As it stands, this results in the lacework-agentless-scanning-vpc created by this module being marked as non-compliant for the lacework-global-79 policy.

It's easy enough to add our own aws_flow_log resource in conjunction with this module, but it seems like something that should be provided with it. Ideally any module provided by Lacework, if properly configured, should not result in the creation of resources that violate the Lacework Compliance Policies.
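An added example, not from the issue or the Lacework module, of what that companion aws_flow_log resource can look like in Terraform: it captures all traffic for the module's VPC into a CloudWatch log group through a role scoped to that one group. The module output name module.lacework_agentless.vpc_id is an assumption, as is an AWS provider of 4.x or later (where aws_cloudwatch_log_group.arn has no trailing ":*").

```hcl
# Added example (not part of the issue or the Lacework module): enable VPC Flow
# Logs for the VPC created by the module, delivered to CloudWatch Logs.
# Assumption: the module exposes the VPC id as module.lacework_agentless.vpc_id.

resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
  name              = "/aws/vpc/lacework-agentless-scanning-flow-logs"
  retention_in_days = 90
}

# The VPC Flow Logs service assumes this role to write into the log group.
resource "aws_iam_role" "vpc_flow_logs" {
  name = "lacework-agentless-vpc-flow-logs"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "vpc_flow_logs" {
  name = "write-flow-logs"
  role = aws_iam_role.vpc_flow_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
      ]
      # Least privilege: only the streams of the single log group above.
      Resource = "${aws_cloudwatch_log_group.vpc_flow_logs.arn}:*"
    }]
  })
}

# ALL records accepted and rejected traffic, so rejected flows are never missed.
resource "aws_flow_log" "lacework_agentless_vpc" {
  vpc_id               = module.lacework_agentless.vpc_id # assumed output name
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.vpc_flow_logs.arn
  iam_role_arn         = aws_iam_role.vpc_flow_logs.arn
}
```

For an S3 destination instead, set log_destination_type to "s3", point log_destination at the bucket ARN and drop iam_role_arn, since S3 delivery is authorised by the bucket policy rather than a role.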

@reggora-mmatney

cc @afiune
Apologies, I left the previous comment from my personal account. We are using this module at Reggora and would like an update on whether or not this will be fixed and what the timeline might be. In the meantime, I'll be implementing a custom fix so that the VPC resources are not marked non-compliant. Thanks

@p5
Author

p5 commented Jun 14, 2024

Unfortunately I do not have access to the Lacework platform any longer, so will be suppressing notifications for this issue. I trust the other participants on this thread can carry this forward as I can no longer add value.

But I do agree that if Lacework provides a module, that module should not negatively impact the Lacework security ratings.

Thanks
Rob
