Description | This article explains how to find the query that determines whether a resource is reported as 'Compliant' or 'Non Compliant'. |
Scope | Lacework, FortiCNAPP, Compliance, Lacework Policy platform, Lacework Query Language. |
Solution |
To find the query, first identify the policy that reports the resource of interest. This example uses the policy 'Ensure Identity and Access Management (IAM) policies that allow full "*:*" administrative privileges are not attached to roles', but the same steps apply to any compliance policy.
It is often possible to guess the criteria for a non-compliant resource from the policy title alone; however, a resource may be reported non-compliant when it seems that it should not be, and reading the query shows exactly which conditions are evaluated.
First, navigate to Cloud -> Compliance and find the policy using the policy tab.
Take note of the policy ID.
Navigate to 'Policies' in the left-hand navigation. Enter the policy ID in the search box and select the policy.
Select the 'Query' tab to see the query.
Note the query's filter; this is the condition that returns non-compliant resources.
In this example there is a check for the 'AdministratorAccess' policy; however, there is also a filter for "statement:Action = '*'", so a role with any attached policy containing a statement whose Action is '*' is also reported non-compliant, even when AdministratorAccess itself is not attached.
To remediate, ensure no role has the AdministratorAccess policy attached and that no policy attached to a role contains a statement with Action '*'. |
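To see how the two filters described above combine, here is an added example (not FortiCNAPP or Lacework code, and not the LQL query itself) that applies the same two checks locally to constructed IAM role data: the AdministratorAccess managed policy being attached, and any policy statement whose Action equals '*'. The role layout, the ARN-suffix match for AdministratorAccess, and the sample roles are assumptions of this example; the real query may carry conditions the article does not show.

```python
import json

# Assumed identifier for the AWS-managed AdministratorAccess policy. The article only
# says the query "checks for 'AdministratorAccess'", so matching on the ARN suffix
# (rather than, say, a policy name column) is an assumption of this example.
ADMIN_ACCESS_SUFFIX = "policy/AdministratorAccess"


def _as_list(value):
    """IAM JSON lets Action and Statement be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_has_wildcard_action(statement):
    """Mirror of the query's "statement:Action = '*'" filter: equality with the full wildcard.

    Service-prefixed wildcards such as 's3:Get*' do not match, because the filter is an
    equality test, not a pattern match.
    """
    return any(action == "*" for action in _as_list(statement.get("Action")))


def document_has_wildcard_action(document):
    """True if any statement in the policy document carries Action '*'."""
    return any(statement_has_wildcard_action(s) for s in _as_list(document.get("Statement")))


def evaluate_role(role):
    """Return the reasons a role would be flagged; an empty list means 'Compliant'.

    Role shape is constructed for this example:
    {"RoleName": str,
     "AttachedPolicies": [{"PolicyArn": str, "Document": dict}],
     "InlinePolicies": {policy_name: dict}}
    """
    reasons = []
    for attached in role.get("AttachedPolicies", []):
        arn = attached["PolicyArn"]
        if arn.endswith(ADMIN_ACCESS_SUFFIX):
            reasons.append(f"managed policy AdministratorAccess is attached ({arn})")
        elif document_has_wildcard_action(attached.get("Document", {})):
            reasons.append(f"attached policy {arn} has a statement with Action '*'")
    for name, document in role.get("InlinePolicies", {}).items():
        if document_has_wildcard_action(document):
            reasons.append(f"inline policy {name} has a statement with Action '*'")
    return reasons


def compliance_status(role):
    return "Non Compliant" if evaluate_role(role) else "Compliant"


# Constructed sample roles (not real account data).
ROLE_CI_DEPLOY = {
    "RoleName": "ci-deploy",
    "AttachedPolicies": [
        {"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess",
         "Document": {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    ],
    "InlinePolicies": {},
}

# Looks harmless by name, but one statement's Action list contains the full wildcard.
ROLE_OPS_HELPER = {
    "RoleName": "ops-helper",
    "AttachedPolicies": [
        {"PolicyArn": "arn:aws:iam::123456789012:policy/OpsHelper",
         "Document": {"Version": "2012-10-17",
                      "Statement": [
                          {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": "arn:aws:s3:::ops-artifacts/*"},
                          {"Effect": "Allow", "Action": ["logs:CreateLogStream", "*"],
                           "Resource": "*"},
                      ]}},
    ],
    "InlinePolicies": {},
}

# Service-prefixed wildcards only; no equality match on '*'.
ROLE_READ_ONLY = {
    "RoleName": "read-only-audit",
    "AttachedPolicies": [],
    "InlinePolicies": {
        "AuditRead": {"Version": "2012-10-17",
                      "Statement": {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                                    "Resource": "*"}},
    },
}

SAMPLE_ROLES = [ROLE_CI_DEPLOY, ROLE_OPS_HELPER, ROLE_READ_ONLY]


def report(roles):
    """Map each role name to its status and reasons, the way the policy's resource list would."""
    return {r["RoleName"]: {"status": compliance_status(r), "reasons": evaluate_role(r)}
            for r in roles}


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_ROLES), indent=2))
```

Running it shows 'ops-helper' reported as 'Non Compliant' even though AdministratorAccess is never attached, which is the case the article warns about: the second filter catches the bare '*' inside the OpsHelper policy's Action list. 'read-only-audit' stays 'Compliant' because 's3:Get*' is not equal to '*'.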
Copyright 2025 Fortinet, Inc. All Rights Reserved.