Skip to main content

Configure Access to Tags in AWS

For the Lacework Linux agent to be able to retrieve externally-created tags, the AWS EC2 instance must have permission to DescribeTags. Note that doing this enables discovery of any external cloud tags, not just the custom agent tags for Lacework.

To provide the necessary permission, complete the following steps:

  1. Log in to the IAM service.

  2. Click Policies.

  3. Click Create policy.

  4. Click the JSON tab and replace the displayed policy with the following text.

       "Version": "2012-10-17",
       "Statement": [
             "Effect": "Allow",
             "Action": "ec2:DescribeTags",
             "Resource": "*"
  5. Click Next: Tags

  6. Click Next: Review.

  7. Enter a policy name and description.

  8. Click Create policy.

After creating the policy, associate it with an IAM role that can be attached to EC2 instances.

  1. Log in to the IAM service.
  2. Click Roles.
  3. Click Create role.
  4. Select AWS service as the trusted entity type and EC2 as the use case.
  5. Click Next.
  6. Search for your newly created policy, click it, and click Next.
  7. Enter a role name, update the description if you want, and click Create role.

After creating the role and policy, go to the EC2 service and select the instance for which you want to retrieve the 'Name' tag.

Under Actions > Security > Modify IAM role, select the IAM role you created and click Update IAM role.

The next time the Lacework agent forwards data, you will see the 'Name' field in the Lacework Console.

In addition to importing AWS tags, you can add local tags to agents. For details, see Add Agent Tags.