Question

How can I pull Kubernetes Compliance report data via the Lacework API?

  • 15 March 2024
  • 0 replies
  • 56 views

Userlevel 1
Badge

The following Lacework API endpoint, “/api/v2/Configs/ComplianceEvaluations/search”,  will enable you to export Kubernetes Compliance report data in json format.   Below is an example using this endpoint to pull all Kubernetes Compliance data for a set timeframe.  When using this endpoint, ensure that the payload has dataset set to “K8sCompliance” to filter out any CSP compliance data.

lacework api post "/api/v2/Configs/ComplianceEvaluations/search" -d '{ "timeFilter": { "startTime": "2024-03-12T20:30:00Z", "endTime": "2024-03-13T22:30:00Z"},"dataset": "K8sCompliance" }'

The output of this command will be a json array of objects detailing all the Kubernetes Compliance Violations with each object looking similar to the example below:

{
"account": {
"AccountId": "XXXXXXXXXXXX",
"accountId": "XXXXXXXXXXXX"
},
"evalType": "LW_K8S_SA",
"id": "lacework-global-315",
"reason": "EKS cluster does not have all logging categories enabled",
"recommendation": "Enable audit Logs",
"region": "us-west-1",
"reportTime": "2024-03-13T22:16:52.370Z",
"resource": "arn:aws:eks:us-west-1:XXXXXXXXXXXX:cluster/test-eks-cluster",
"section": "",
"severity": "Medium",
"status": "NonCompliant"
}

Finally, in some cases the resource displayed in this output will be a Kubernetes cluster identifier instead of a cloud resource identifier (arn, resource name, etc).  This is particularly relevant for policies that reference a specific Kubernetes api or node instead of the entire cluster.  It is possible to convert a Kubernetes uid (ex: 1ac6926e-d5df-438f-84af-616a1102cfcc8) to a cluster name, cloud account, and region using the following LQL query.

queryId: K8uid_to_cluster_id
queryText: |-
{
source {
LW_CFG_K8S_CLUSTER_ALL
}
filter {
RESOURCE_KEY like any("%<uid>%")
}
return distinct{
CLUSTER_ID,
RESOURCE_REGION,
CSP_INFO:account AS ACCOUNT
}
}

References:

ComplianceEvaluations API Documentation

Agent

N/A

Platform

Using Lacework/Operationalizing

Cloud

AWS


0 replies

Be the first to reply!

Reply