Lacework
Kate_M
Community Manager
Article Id 334682
Description

Lacework periodically updates policies and reports to reflect the latest benchmarks, such as CIS, SOC2, PCI-DSS, ISO, NIST, etc. 

Scope

The updated CIS-based policies offer increased accuracy and more comprehensive checks, and ensure you are staying current with industry best practices. You’ll gain better coverage and documentation on how to remediate compliance issues, as well as enhanced alerting whose severity levels are agreed with AWS, Azure, Google Cloud, and the Lacework security engineering team.

These latest benchmarks – for example CIS 1.4 for AWS, CIS 1.5 for Azure, and CIS 1.3 for Google Cloud – are enabled automatically as they are implemented.

As part of this ongoing effort, Lacework periodically deprecates policies associated with legacy benchmarks.

Solution

Migrate existing exceptions to the latest benchmarks

When deprecation occurs, you can utilize the Lacework CLI to migrate your existing exceptions/suppression logic to the new benchmarks.

Using version 1.8.0 or greater of the CLI, run the following:

  • lacework suppressions <aws> list - lists your legacy suppressions for aws, gcp, or azure (substitute the provider name for <aws>).
  • lacework suppressions <aws> migrate - an interactive command that either auto-migrates the legacy suppressions after you have reviewed the converted policy exceptions, or (the recommended manual option) outputs CLI commands that you can copy and paste after review.
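As an added example (not Lacework's own tooling), a small POSIX shell wrapper around the two commands above that enforces the prerequisites stated here before touching anything: CLI version 1.8.0 or newer and a provider of aws, gcp or azure, and it lists the legacy suppressions before starting the interactive migration. It assumes `lacework` is on PATH and that `lacework version` prints a token such as v1.8.0; REQUIRED_CLI and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Lacework's own tooling: enforces the two prerequisites this
# article states (CLI 1.8.0 or newer; provider aws, gcp or azure) and runs
# "list" before "migrate". Assumptions: `lacework` is on PATH and `lacework
# version` prints a token like "v1.8.0"; REQUIRED_CLI is our own constant.

REQUIRED_CLI="1.8.0"

# valid_cloud NAME: succeeds only for the providers the suppressions command takes.
valid_cloud() {
  case "$1" in aws|gcp|azure) return 0 ;; *) return 1 ;; esac
}

# version_ge HAVE WANT: true when HAVE >= WANT, comparing major.minor.patch
# numerically; a leading "v" is ignored and missing fields count as 0.
version_ge() {
  have=${1#v}
  want=${2#v}
  i=1
  while [ "$i" -le 3 ]; do
    h=$(printf '%s.0.0' "$have" | cut -d. -f"$i")
    w=$(printf '%s.0.0' "$want" | cut -d. -f"$i")
    [ "${h:-0}" -gt "${w:-0}" ] && return 0
    [ "${h:-0}" -lt "${w:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# cli_version: first vX.Y.Z token printed by `lacework version` (assumed format).
cli_version() {
  lacework version 2>/dev/null | sed -n 's/.*v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# migrate_suppressions CLOUD: review the legacy suppressions, then start migration.
migrate_suppressions() {
  cloud=$1
  valid_cloud "$cloud" || { echo "provider must be aws, gcp or azure" >&2; return 2; }
  ver=$(cli_version)
  if [ -z "$ver" ] || ! version_ge "$ver" "$REQUIRED_CLI"; then
    echo "lacework CLI $REQUIRED_CLI or newer required (found '${ver:-none}')" >&2
    return 3
  fi
  echo "== legacy $cloud suppressions: review before migrating =="
  lacework suppressions "$cloud" list
  # Choose the manual option at the prompt: it prints commands to review, then paste.
  lacework suppressions "$cloud" migrate
}

# Runs only when a provider is given: sh migrate_suppressions.sh aws
if [ "$#" -ge 1 ]; then migrate_suppressions "$1"; fi
```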

For support on migrating your legacy suppressions to the new compliance policies, please contact your account team.

NOTE: By running the above commands, users are accepting responsibility for the suppression of any compliance violations missed as a result of the added exceptions. If you are using suppressions in AWS CIS 1.1 policies, we encourage you to immediately migrate your legacy suppressions to equivalent policy exceptions to avoid alert duplicates. 

Policy Changes

Policy changes are automatic; you don’t need to perform any actions to receive the latest policies and benchmarks.

To ensure that your CSPM assessments remain complete and accurate on an ongoing basis:

  • Please review and update your cloud config integration and permissions to ensure that Lacework can perform successful compliance collections for these new policies. (We are aware that some customers have experienced assessment errors because their GCP and/or Azure integrations were missing certain permissions.)
  • If you have Google Cloud and are using Terraform to automate the cloud config integration, be sure to use the most current Lacework TF modules. For manual Google Cloud and/or Azure integrations, you will need to follow the instructions on manually configuring your GCP permissions and/or Azure permissions.
  • We encourage you to proactively disable legacy policies in anticipation of their deprecation.
