Docs Home
lacework 2.0.6 published on Monday, Apr 14, 2025 by lacework
lacework.PolicyCompliance
Explore with Pulumi AI
Lacework provides a highly scalable platform for creating, customizing, and managing custom policies against any datasource that is exposed via the Lacework Query Language (LQL).
For more information, see the Policy Overview Documentation.
Example Usage
Create a Lacework Compliance Policy to check for unenabled CloudTrail log file validation.
import * as pulumi from "@pulumi/pulumi";
import * as lacework from "@pulumi/lacework";
const aWSConfigCloudTrailLogFileValidationNotEnabled = new lacework.Query("aWSConfigCloudTrailLogFileValidationNotEnabled", {
queryId: "LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled",
query: ` {
source {
LW_CFG_AWS_CLOUDTRAIL
}
filter {
RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
}
return distinct {
ACCOUNT_ALIAS,
ACCOUNT_ID,
ARN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE,
'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
}
}
`,
});
const example = new lacework.PolicyCompliance("example", {
queryId: aWSConfigCloudTrailLogFileValidationNotEnabled.laceworkQueryId,
title: "Ensure CloudTrail log file validation is enabled",
enabled: false,
severity: "High",
description: `CloudTrail log file validation creates a digitally signed digest
file containing a hash of each log that CloudTrail writes to S3. These digest
files can be used to determine whether a log file was changed, deleted, or unchanged
after CloudTrail delivered the log. It is recommended that file validation be
enabled on all CloudTrails.`,
remediation: `Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>`,
tags: ["security:compliance"],
alertingEnabled: false,
});
import pulumi
import pulumi_lacework as lacework
a_ws_config_cloud_trail_log_file_validation_not_enabled = lacework.Query("aWSConfigCloudTrailLogFileValidationNotEnabled",
query_id="LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled",
query=""" {
source {
LW_CFG_AWS_CLOUDTRAIL
}
filter {
RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
}
return distinct {
ACCOUNT_ALIAS,
ACCOUNT_ID,
ARN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE,
'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
}
}
""")
example = lacework.PolicyCompliance("example",
query_id=a_ws_config_cloud_trail_log_file_validation_not_enabled.lacework_query_id,
title="Ensure CloudTrail log file validation is enabled",
enabled=False,
severity="High",
description="""CloudTrail log file validation creates a digitally signed digest
file containing a hash of each log that CloudTrail writes to S3. These digest
files can be used to determine whether a log file was changed, deleted, or unchanged
after CloudTrail delivered the log. It is recommended that file validation be
enabled on all CloudTrails.""",
remediation="""Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>""",
tags=["security:compliance"],
alerting_enabled=False)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/lacework/v2/lacework"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
aWSConfigCloudTrailLogFileValidationNotEnabled, err := lacework.NewQuery(ctx, "aWSConfigCloudTrailLogFileValidationNotEnabled", &lacework.QueryArgs{
QueryId: pulumi.String("LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled"),
Query: pulumi.String(` {
source {
LW_CFG_AWS_CLOUDTRAIL
}
filter {
RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
}
return distinct {
ACCOUNT_ALIAS,
ACCOUNT_ID,
ARN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE,
'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
}
}
`),
})
if err != nil {
return err
}
_, err = lacework.NewPolicyCompliance(ctx, "example", &lacework.PolicyComplianceArgs{
QueryId: aWSConfigCloudTrailLogFileValidationNotEnabled.LaceworkQueryId,
Title: pulumi.String("Ensure CloudTrail log file validation is enabled"),
Enabled: pulumi.Bool(false),
Severity: pulumi.String("High"),
Description: pulumi.String("CloudTrail log file validation creates a digitally signed digest\nfile containing a hash of each log that CloudTrail writes to S3. These digest\nfiles can be used to determine whether a log file was changed, deleted, or unchanged\nafter CloudTrail delivered the log. It is recommended that file validation be\nenabled on all CloudTrails."),
Remediation: pulumi.String(`Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>`),
Tags: pulumi.StringArray{
pulumi.String("security:compliance"),
},
AlertingEnabled: pulumi.Bool(false),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Lacework = Pulumi.Lacework;
return await Deployment.RunAsync(() =>
{
var aWSConfigCloudTrailLogFileValidationNotEnabled = new Lacework.Query("aWSConfigCloudTrailLogFileValidationNotEnabled", new()
{
QueryId = "LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled",
Query = @" {
source {
LW_CFG_AWS_CLOUDTRAIL
}
filter {
RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
}
return distinct {
ACCOUNT_ALIAS,
ACCOUNT_ID,
ARN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE,
'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
}
}
",
});
var example = new Lacework.PolicyCompliance("example", new()
{
QueryId = aWSConfigCloudTrailLogFileValidationNotEnabled.LaceworkQueryId,
Title = "Ensure CloudTrail log file validation is enabled",
Enabled = false,
Severity = "High",
Description = @"CloudTrail log file validation creates a digitally signed digest
file containing a hash of each log that CloudTrail writes to S3. These digest
files can be used to determine whether a log file was changed, deleted, or unchanged
after CloudTrail delivered the log. It is recommended that file validation be
enabled on all CloudTrails.",
Remediation = @"Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>",
Tags = new[]
{
"security:compliance",
},
AlertingEnabled = false,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.lacework.Query;
import com.pulumi.lacework.QueryArgs;
import com.pulumi.lacework.PolicyCompliance;
import com.pulumi.lacework.PolicyComplianceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var aWSConfigCloudTrailLogFileValidationNotEnabled = new Query("aWSConfigCloudTrailLogFileValidationNotEnabled", QueryArgs.builder()
.queryId("LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled")
.query("""
{
source {
LW_CFG_AWS_CLOUDTRAIL
}
filter {
RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
}
return distinct {
ACCOUNT_ALIAS,
ACCOUNT_ID,
ARN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE,
'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
}
}
""")
.build());
var example = new PolicyCompliance("example", PolicyComplianceArgs.builder()
.queryId(aWSConfigCloudTrailLogFileValidationNotEnabled.laceworkQueryId())
.title("Ensure CloudTrail log file validation is enabled")
.enabled(false)
.severity("High")
.description("""
CloudTrail log file validation creates a digitally signed digest
file containing a hash of each log that CloudTrail writes to S3. These digest
files can be used to determine whether a log file was changed, deleted, or unchanged
after CloudTrail delivered the log. It is recommended that file validation be
enabled on all CloudTrails. """)
.remediation("""
Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time> """)
.tags("security:compliance")
.alertingEnabled(false)
.build());
}
}
resources:
aWSConfigCloudTrailLogFileValidationNotEnabled:
type: lacework:Query
properties:
queryId: LW_Global_AWS_Config_CloudTrailLogFileValidationNotEnabled
query: |2
{
source {
LW_CFG_AWS_CLOUDTRAIL
}
filter {
RESOURCE_CONFIG:LogFileValidationEnabled = 'false'
}
return distinct {
ACCOUNT_ALIAS,
ACCOUNT_ID,
ARN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE,
'CloudTrailLogFileValidationNotEnabled' as COMPLIANCE_FAILURE_REASON
}
}
example:
type: lacework:PolicyCompliance
properties:
queryId: ${aWSConfigCloudTrailLogFileValidationNotEnabled.laceworkQueryId}
title: Ensure CloudTrail log file validation is enabled
enabled: false
severity: High
description: |-
CloudTrail log file validation creates a digitally signed digest
file containing a hash of each log that CloudTrail writes to S3. These digest
files can be used to determine whether a log file was changed, deleted, or unchanged
after CloudTrail delivered the log. It is recommended that file validation be
enabled on all CloudTrails.
remediation: |-
Perform the following to enable log file validation on a given trail:
From Console:
1. Sign in to the AWS Management Console and open the IAM console at (https://console.aws.amazon.com/cloudtrail)
2. Click on Trails on the left navigation pane
3. Click on target trail
4. Within the S3 section click on the edit icon (pencil)
5. Click Advanced
6. Click on the Yes radio button in section Enable log file validation
7. Click Save
From Command Line:
aws cloudtrail update-trail --name <trail_name> --enable-log-file-validation
Note that periodic validation of logs using these digests can be performed by running the following command:
aws cloudtrail validate-logs --trail-arn <trail_arn> --start-time <start_time> --end-time <end_time>
tags:
- security:compliance
alertingEnabled: false
Note: Lacework automatically generates a policy id when you create a policy, which is the recommended workflow. Optionally, you can define your own policy id using the
policy_id_suffix, this suffix must be all lowercase letters, optionally followed by-and numbers, for example,abcd-1234. When you define your own policy id, Lacework prepends the account name. The final policy id would then belwaccountname-abcd-1234.
Create PolicyCompliance Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new PolicyCompliance(name: string, args: PolicyComplianceArgs, opts?: CustomResourceOptions);@overload
def PolicyCompliance(resource_name: str,
args: PolicyComplianceArgs,
opts: Optional[ResourceOptions] = None)
@overload
def PolicyCompliance(resource_name: str,
opts: Optional[ResourceOptions] = None,
description: Optional[str] = None,
query_id: Optional[str] = None,
remediation: Optional[str] = None,
severity: Optional[str] = None,
title: Optional[str] = None,
alerting_enabled: Optional[bool] = None,
enabled: Optional[bool] = None,
policy_id_suffix: Optional[str] = None,
tags: Optional[Sequence[str]] = None)func NewPolicyCompliance(ctx *Context, name string, args PolicyComplianceArgs, opts ...ResourceOption) (*PolicyCompliance, error)public PolicyCompliance(string name, PolicyComplianceArgs args, CustomResourceOptions? opts = null)
public PolicyCompliance(String name, PolicyComplianceArgs args)
public PolicyCompliance(String name, PolicyComplianceArgs args, CustomResourceOptions options)
type: lacework:PolicyCompliance
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PolicyComplianceArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PolicyComplianceArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PolicyComplianceArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PolicyComplianceArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PolicyComplianceArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var policyComplianceResource = new Lacework.PolicyCompliance("policyComplianceResource", new()
{
Description = "string",
QueryId = "string",
Remediation = "string",
Severity = "string",
Title = "string",
AlertingEnabled = false,
Enabled = false,
PolicyIdSuffix = "string",
Tags = new[]
{
"string",
},
});
example, err := lacework.NewPolicyCompliance(ctx, "policyComplianceResource", &lacework.PolicyComplianceArgs{
Description: pulumi.String("string"),
QueryId: pulumi.String("string"),
Remediation: pulumi.String("string"),
Severity: pulumi.String("string"),
Title: pulumi.String("string"),
AlertingEnabled: pulumi.Bool(false),
Enabled: pulumi.Bool(false),
PolicyIdSuffix: pulumi.String("string"),
Tags: pulumi.StringArray{
pulumi.String("string"),
},
})
var policyComplianceResource = new PolicyCompliance("policyComplianceResource", PolicyComplianceArgs.builder()
.description("string")
.queryId("string")
.remediation("string")
.severity("string")
.title("string")
.alertingEnabled(false)
.enabled(false)
.policyIdSuffix("string")
.tags("string")
.build());
policy_compliance_resource = lacework.PolicyCompliance("policyComplianceResource",
description="string",
query_id="string",
remediation="string",
severity="string",
title="string",
alerting_enabled=False,
enabled=False,
policy_id_suffix="string",
tags=["string"])
const policyComplianceResource = new lacework.PolicyCompliance("policyComplianceResource", {
description: "string",
queryId: "string",
remediation: "string",
severity: "string",
title: "string",
alertingEnabled: false,
enabled: false,
policyIdSuffix: "string",
tags: ["string"],
});
type: lacework:PolicyCompliance
properties:
alertingEnabled: false
description: string
enabled: false
policyIdSuffix: string
queryId: string
remediation: string
severity: string
tags:
- string
title: string
PolicyCompliance Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The PolicyCompliance resource accepts the following input properties:
- Description string
- The description of the policy.
- Query
Id string - The query id.
- Remediation string
- The remediation message to display.
- Severity string
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - Title string
- The policy title.
- Alerting
Enabled bool - Whether the alerting profile is enabled or disabled. Defaults to
true. - Enabled bool
- Whether the policy is enabled or disabled. Defaults to
true. - Policy
Id stringSuffix - The string appended to the end of the policy id.
- List<string>
- A list of policy tags.
- Description string
- The description of the policy.
- Query
Id string - The query id.
- Remediation string
- The remediation message to display.
- Severity string
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - Title string
- The policy title.
- Alerting
Enabled bool - Whether the alerting profile is enabled or disabled. Defaults to
true. - Enabled bool
- Whether the policy is enabled or disabled. Defaults to
true. - Policy
Id stringSuffix - The string appended to the end of the policy id.
- []string
- A list of policy tags.
- description String
- The description of the policy.
- query
Id String - The query id.
- remediation String
- The remediation message to display.
- severity String
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - title String
- The policy title.
- alerting
Enabled Boolean - Whether the alerting profile is enabled or disabled. Defaults to
true. - enabled Boolean
- Whether the policy is enabled or disabled. Defaults to
true. - policy
Id StringSuffix - The string appended to the end of the policy id.
- List<String>
- A list of policy tags.
- description string
- The description of the policy.
- query
Id string - The query id.
- remediation string
- The remediation message to display.
- severity string
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - title string
- The policy title.
- alerting
Enabled boolean - Whether the alerting profile is enabled or disabled. Defaults to
true. - enabled boolean
- Whether the policy is enabled or disabled. Defaults to
true. - policy
Id stringSuffix - The string appended to the end of the policy id.
- string[]
- A list of policy tags.
- description str
- The description of the policy.
- query_
id str - The query id.
- remediation str
- The remediation message to display.
- severity str
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - title str
- The policy title.
- alerting_
enabled bool - Whether the alerting profile is enabled or disabled. Defaults to
true. - enabled bool
- Whether the policy is enabled or disabled. Defaults to
true. - policy_
id_ strsuffix - The string appended to the end of the policy id.
- Sequence[str]
- A list of policy tags.
- description String
- The description of the policy.
- query
Id String - The query id.
- remediation String
- The remediation message to display.
- severity String
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - title String
- The policy title.
- alerting
Enabled Boolean - Whether the alerting profile is enabled or disabled. Defaults to
true. - enabled Boolean
- Whether the policy is enabled or disabled. Defaults to
true. - policy
Id StringSuffix - The string appended to the end of the policy id.
- List<String>
- A list of policy tags.
Outputs
All input properties are implicitly available as output properties. Additionally, the PolicyCompliance resource produces the following output properties:
- string
- All policy tags, server generated and user specified tags
- Id string
- The provider-assigned unique ID for this managed resource.
- Owner string
- Updated
By string - Updated
Time string
- string
- All policy tags, server generated and user specified tags
- Id string
- The provider-assigned unique ID for this managed resource.
- Owner string
- Updated
By string - Updated
Time string
- String
- All policy tags, server generated and user specified tags
- id String
- The provider-assigned unique ID for this managed resource.
- owner String
- updated
By String - updated
Time String
- string
- All policy tags, server generated and user specified tags
- id string
- The provider-assigned unique ID for this managed resource.
- owner string
- updated
By string - updated
Time string
- str
- All policy tags, server generated and user specified tags
- id str
- The provider-assigned unique ID for this managed resource.
- owner str
- updated_
by str - updated_
time str
- String
- All policy tags, server generated and user specified tags
- id String
- The provider-assigned unique ID for this managed resource.
- owner String
- updated
By String - updated
Time String
Look up Existing PolicyCompliance Resource
Get an existing PolicyCompliance resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PolicyComplianceState, opts?: CustomResourceOptions): PolicyCompliance@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
alerting_enabled: Optional[bool] = None,
computed_tags: Optional[str] = None,
description: Optional[str] = None,
enabled: Optional[bool] = None,
owner: Optional[str] = None,
policy_id_suffix: Optional[str] = None,
query_id: Optional[str] = None,
remediation: Optional[str] = None,
severity: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
title: Optional[str] = None,
updated_by: Optional[str] = None,
updated_time: Optional[str] = None) -> PolicyCompliancefunc GetPolicyCompliance(ctx *Context, name string, id IDInput, state *PolicyComplianceState, opts ...ResourceOption) (*PolicyCompliance, error)public static PolicyCompliance Get(string name, Input<string> id, PolicyComplianceState? state, CustomResourceOptions? opts = null)public static PolicyCompliance get(String name, Output<String> id, PolicyComplianceState state, CustomResourceOptions options)resources: _: type: lacework:PolicyCompliance get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Alerting
Enabled bool - Whether the alerting profile is enabled or disabled. Defaults to
true. - string
- All policy tags, server generated and user specified tags
- Description string
- The description of the policy.
- Enabled bool
- Whether the policy is enabled or disabled. Defaults to
true. - Owner string
- Policy
Id stringSuffix - The string appended to the end of the policy id.
- Query
Id string - The query id.
- Remediation string
- The remediation message to display.
- Severity string
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - List<string>
- A list of policy tags.
- Title string
- The policy title.
- Updated
By string - Updated
Time string
- Alerting
Enabled bool - Whether the alerting profile is enabled or disabled. Defaults to
true. - string
- All policy tags, server generated and user specified tags
- Description string
- The description of the policy.
- Enabled bool
- Whether the policy is enabled or disabled. Defaults to
true. - Owner string
- Policy
Id stringSuffix - The string appended to the end of the policy id.
- Query
Id string - The query id.
- Remediation string
- The remediation message to display.
- Severity string
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - []string
- A list of policy tags.
- Title string
- The policy title.
- Updated
By string - Updated
Time string
- alerting
Enabled Boolean - Whether the alerting profile is enabled or disabled. Defaults to
true. - String
- All policy tags, server generated and user specified tags
- description String
- The description of the policy.
- enabled Boolean
- Whether the policy is enabled or disabled. Defaults to
true. - owner String
- policy
Id StringSuffix - The string appended to the end of the policy id.
- query
Id String - The query id.
- remediation String
- The remediation message to display.
- severity String
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - List<String>
- A list of policy tags.
- title String
- The policy title.
- updated
By String - updated
Time String
- alerting
Enabled boolean - Whether the alerting profile is enabled or disabled. Defaults to
true. - string
- All policy tags, server generated and user specified tags
- description string
- The description of the policy.
- enabled boolean
- Whether the policy is enabled or disabled. Defaults to
true. - owner string
- policy
Id stringSuffix - The string appended to the end of the policy id.
- query
Id string - The query id.
- remediation string
- The remediation message to display.
- severity string
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - string[]
- A list of policy tags.
- title string
- The policy title.
- updated
By string - updated
Time string
- alerting_
enabled bool - Whether the alerting profile is enabled or disabled. Defaults to
true. - str
- All policy tags, server generated and user specified tags
- description str
- The description of the policy.
- enabled bool
- Whether the policy is enabled or disabled. Defaults to
true. - owner str
- policy_
id_ strsuffix - The string appended to the end of the policy id.
- query_
id str - The query id.
- remediation str
- The remediation message to display.
- severity str
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - Sequence[str]
- A list of policy tags.
- title str
- The policy title.
- updated_
by str - updated_
time str
- alerting
Enabled Boolean - Whether the alerting profile is enabled or disabled. Defaults to
true. - String
- All policy tags, server generated and user specified tags
- description String
- The description of the policy.
- enabled Boolean
- Whether the policy is enabled or disabled. Defaults to
true. - owner String
- policy
Id StringSuffix - The string appended to the end of the policy id.
- query
Id String - The query id.
- remediation String
- The remediation message to display.
- severity String
- The list of the severities. Valid severities include:
Critical,High,Medium,LowandInfo. - List<String>
- A list of policy tags.
- title String
- The policy title.
- updated
By String - updated
Time String
Import
A Lacework compliance policy can be imported using a POLICY_ID, e.g.
$ pulumi import lacework:index/policyCompliance:PolicyCompliance example YourLQLPolicyID
-> Note: To retrieve the POLICY_ID from existing policies in your account, use the
Lacework CLI command lacework policy list. To install this tool follow
this documentation.
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- lacework lacework/terraform-provider-lacework
- License
- Notes
- This Pulumi package is based on the
laceworkTerraform Provider.