Configure Access to Tags and Metadata in AWS

The Lacework agent can retrieve user defined tags and other metadata from the AWS EC2 instances on which the agent is installed and display them in the Lacework Console. This enables you to do the following:

• Use the tag and metadata values to identify AWS resources displayed in the Lacework Console.
• Use the tags to filter information displayed in the Lacework Console. For example, you can use the Machine tags filter in the Host Vulnerabilities page to view only the vulnerabilities on hosts in a specific AWS account.

Requirements

• For the agent to retrieve user defined tags, you must configure one of the following on EC2 instances:

  • Instance Metadata Service (IMDS). For more information, see Configure the Instance Metadata Options.
  • DescribeTags IAM permission. For more information, see Configure DescribeTags and DescribeOrganization IAM Permissions.
  note

  If you have configured IMDS on EC2 instances, agents will first use IMDSv2 to retrieve the tags. If it fails, agents use IMDSv1 to retrieve the tags. If it fails again, and if you have configured the DescribeTags IAM permission on EC2 instances, agents use the IAM permission to retrieve the tags.

• For the agent to retrieve other metadata such as the ID of the organization in which the EC2 instance exists, the instance must have the DescribeOrganization IAM permission. For more information, see Configure DescribeTags and DescribeOrganization IAM Permissions.

Configure DescribeTags and DescribeOrganization IAM Permissions

To provide the necessary permission, complete the following steps:

1. Log in to the IAM service.

2. Click Policies.

3. Click Create policy.

4. Click the JSON tab and replace the displayed policy with the following text.

       {
          "Version": "2012-10-17",
          "Statement": [
             {
                "Effect": "Allow",
                "Action": [
                   "ec2:DescribeTags",
                   "organizations:DescribeOrganization"
                ],
               "Resource": "*"
             }
          ]
       }

5. Click Next: Tags

6. Click Next: Review.

7. Enter a policy name and description.

8. Click Create policy.

After creating the policy, associate it with an IAM role that can be attached to EC2 instances.

1. Log in to the IAM service.
2. Click Roles.
3. Click Create role.
4. Select AWS service as the trusted entity type and EC2 as the use case.
5. Click Next.
6. Search for the policy you created, click it, and click Next.
7. Enter a role name, update the description if you want, and click Create role.

After creating the policy and role, navigate to the EC2 service and do the following:

1. Select the instance for which you want to retrieve the tags and metadata.

2. Under Actions > Security > Modify IAM role, select the IAM role you created and click Update IAM role.

   The next time the Lacework agent forwards data, you will see the AWS tags and metadata in the Machine Tag Summary table in the Machines dashboard in the Lacework Console.

tip

In addition to retrieving AWS tags and metadata, you can add local tags to agents. For details, see Add Agent Tags.