
Agentless Workload Scanning for AWS - Organization Integration (CloudFormation)

Overview

This article describes how to integrate your AWS organization with Lacework's Agentless Workload Scanning. The high-level steps are summarized below:

  1. Configure your integration in the Lacework Console.
  2. Set up the scanning account (Step 1 of the CloudFormation procedure).
  3. Integrate the scanning account with your organization (Step 2 of the CloudFormation procedure).
  4. Delete the default inbound rule for the default security group.
  5. Verify your Agentless Workload Scanning Integration.

Configure the Integration in Lacework Console

  1. Log in to the Lacework Console.
  2. Select Settings > Integrations > Cloud accounts.
  3. Click Add New.
  4. Click Amazon Web Services and select CloudFormation.
  5. Click Next.
  6. Click the Choose integration type dropdown and select Agentless Workload Scanning (Organization).
  7. Fill in the settings as described in Configuration Settings.
  8. Click Save.
  9. Once the integration is created, the Status displays as Pending.
    Proceed to Step 1: Set Up Scanning Account to continue the integration.

Configuration Settings

Setting | Description | Example
Name | The name for the integration (as it will be displayed in the Lacework Console). | myAgentlessIntegration
Scanning AWS Account ID | The AWS Account ID where the scanning resources will be created. | 123456789012
Limit Scanned Workloads | Use an LQL key and value to constrain Agentless Workload Scanning to specific resources. If left blank, Lacework scans all resources available to the account or organization. See Limit Scanned Workloads for further guidance. |
Scan Frequency (hours) | How often your images, containers, and hosts are scanned for vulnerabilities, in hours. The maximum value is 24 hours. This option can be changed at any time. | 24
Scan containers | Clear the checkbox if you don't want to scan containers for vulnerabilities. This option can be changed at any time. | Ticked checkbox
Scan host vulnerabilities | Clear the checkbox if you don't want to scan hosts for vulnerabilities. This option can be changed at any time. | Ticked checkbox
Scan secondary volumes | Select the checkbox if you want to scan additional volumes on hosts (other than the root or primary volume). This option can be changed at any time. | Unticked checkbox
Scan stopped instances | Clear the checkbox if you don't want to scan stopped instances in your environment. This option can be changed at any time. | Ticked checkbox

Step 1: Set Up Scanning Account

Choose one of the following options to set up a scanning account for your AWS Organization integration using CloudFormation:

Option 1: Run CloudFormation Script

tip

For this option, disable your browser pop-up blocker; otherwise the AWS Console tab may not open and you will not be redirected during the initial steps.

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you created using the Configure the Integration in Lacework Console procedure. This displays the details of the integration.

  2. Under Install using CloudFormation > Step 1: Set up AWS Scanning Account, click Run CloudFormation Template.

    This redirects you to the AWS Create stack > Specify Template page in a new tab. The Lacework script populates the Amazon S3 URL in Specify template for you.

  3. Review the page and click Next.

  4. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-ScanAccount).

  5. Check that the Regions list contains the appropriate regions for your account.

    • A VPC and Internet Gateway will be created in each region. Verify with the Service Quotas tool that the VPC and Internet Gateway quotas have not been reached in any of them.
    • Regional STS endpoints must be enabled in each region selected.
    info

    Lacework checks your account and populates the Regions list automatically. If the check fails, all regions will be listed by default.

  6. For Quota Check: Can a new VPC and VPC Internet Gateway be created in each selected Region?

    • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
    • Select Yes once you have completed the quotas check.
  7. Review the page and click Next.

  8. On Configure stack options, review the page and click Next (no changes are required).

    • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.
  9. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND
  10. Click Create stack.

  11. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    Up to three stacks are created for the scanning account. Their descriptions are as follows:

    • Lacework AWS Agentless Workload Scanning Organization Integration - Scanning Resources
    • Lacework AWS Agentless Workload Scanning Integration - Global
    • Lacework AWS Agentless Workload Scanning Integration - Regional

    When the Status of each of these stacks reaches CREATE_COMPLETE, the first part of the integration is complete.

  12. Note down the following key values from the parent stack (the one you named). They are on the Outputs tab when viewing the stack:

    1. CrossAccountRoleArn
    2. ECSTaskRoleArn
    3. ExternalId
    4. S3BucketArn

    These are entered during the stack deployment in step 2.

  13. Proceed to Step 2: Integrate Scanning Account with your Organization to continue the integration.

Option 2: Download CloudFormation Script

You can use the AWS Console or the AWS CLI to run the CloudFormation script to set up a scanning account for your AWS Organization integration. For more information, see the following sections:

Use AWS Console to Run CloudFormation Script

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you created using the Configure the Integration in Lacework Console procedure. This displays the details of the integration.

  2. Under Install using CloudFormation > Step 1: Set up AWS Scanning Account, click Download CloudFormation Template.

    When prompted, choose a suitable location to save the JSON file on your local machine.

  3. Log in to your AWS account.

  4. Select the CloudFormation service and click Create stack > With new resources (standard).

  5. Under Specify template, select Upload a template file. Click Choose file and upload the CloudFormation script that was downloaded earlier.

  6. Click Next.

  7. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-ScanAccount).

  8. Check that the Regions list contains the appropriate regions for your account.

    • A VPC and Internet Gateway will be created in each region. Verify with the Service Quotas tool that the VPC and Internet Gateway quotas have not been reached in any of them.
    • Regional STS endpoints must be enabled in each region selected.
    info

    Lacework checks your account and populates the Regions list automatically. If the check fails, all regions will be listed by default.

  9. For Quota Check: Can a new VPC and VPC Internet Gateway be created in each selected Region?

    • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
    • Select Yes once you have completed the quotas check.
  10. Review the page and click Next.

  11. On Configure stack options, review the page and click Next (no changes are required).

    If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.

  12. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND
  13. Click Create stack.

  14. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    Up to three stacks are created for the scanning account. Their descriptions are as follows:

    • Lacework AWS Agentless Workload Scanning Organization Integration - Scanning Resources
    • Lacework AWS Agentless Workload Scanning Integration - Global
    • Lacework AWS Agentless Workload Scanning Integration - Regional

    When the Status of each of these stacks reaches CREATE_COMPLETE, the first part of the integration is complete.

  15. Note down the following key values from the parent stack (the one you named). They are on the Outputs tab when viewing the stack:

    1. CrossAccountRoleArn
    2. ECSTaskRoleArn
    3. ExternalId
    4. S3BucketArn

    These are entered during the stack deployment in step 2.

  16. Proceed to Step 2: Integrate Scanning Account with your Organization to continue the integration.

Use AWS CLI to Run CloudFormation Script

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you created using the Configure the Integration in Lacework Console procedure. This displays the details of the integration.

  2. Under Install using CloudFormation > Step 1: Set up AWS Scanning Account, click Download CloudFormation Template.

    When prompted, choose a suitable location to save the JSON file on your local machine.

  3. Run the downloaded CloudFormation template JSON file using the following AWS CLI command.

    aws cloudformation create-stack --profile YOUR_AWS_PROFILE_NAME --region REGION_FOR_STACK \
    --stack-name lacework-agentless-scanning \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --template-body file://path/to/lacework-agentless-step1.json \
    --parameters \
    ParameterKey=VPCQuotaCheck,ParameterValue=Yes \
    ParameterKey=Regions,ParameterValue=\"us-east-1,us-west-1\"

    Where:

    • --profile specifies the profile you want to use from your AWS credential file.
    • --region specifies the region in which you want to create the CloudFormation stack.
    • --stack-name specifies the name of the CloudFormation stack you want to create.
    • --template-body specifies the path to the CloudFormation template JSON file you downloaded from the Lacework Console.
    • Regions parameter specifies the comma-separated list of regions in which you want to enable agentless scanning.
  4. Wait until the stack status is CREATE_COMPLETE, then run the following AWS CLI command to view the stack outputs (the values you need are under Stacks[0].Outputs; the --query below narrows the output to just those).

    aws cloudformation describe-stacks --profile YOUR_AWS_PROFILE_NAME --region REGION_FOR_STACK \
    --stack-name lacework-agentless-scanning --query 'Stacks[0].Outputs' --output json
  5. Note down the values for the following outputs from the stack.

    1. CrossAccountRoleArn
    2. ECSTaskRoleArn
    3. ExternalId
    4. S3BucketArn

    These are entered during the stack deployment in step 2.

  6. Proceed to Step 2: Integrate Scanning Account with your Organization to continue the integration.

Step 2: Integrate Scanning Account with your Organization

Choose one of the following options to integrate the scanning account with your AWS Organization using CloudFormation:

Option 1: Run CloudFormation Script

tip

For this option, disable your browser pop-up blocker; otherwise the AWS Console tab may not open and you will not be redirected during the initial steps.

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the agentless integration that you have just set up a scanning account for. This displays the details of the integration.

  2. Under Install using CloudFormation > Step 2: Integrate AWS Scanning Account with your AWS Organization, click Run CloudFormation Template.

    This redirects you to the AWS Create stack > Specify Template page in a new tab. The Lacework script populates the Amazon S3 URL in Specify template for you.

  3. Review the page and click Next.

  4. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-OrgIntegration).

  5. For Monitored Account Deployment, select one of the following options:

    1. SERVICE_MANAGED (Organizational Units) - Select this option if you want to monitor the whole organization from the Root or specific Organizational Units (OUs).
    2. SELF_MANAGED (Account IDs) - Select this option if you only want to monitor one or more specific accounts within the organization.
    info

    See AWS Organizations terminology and concepts for further guidance on AWS Organizational structure.

  6. For Monitored Account IDs, there are a number of options available:

    1. Enter the AWS Organization Root ID if you want to monitor the whole organization. Ensure SERVICE_MANAGED (Organizational Units) has been selected in the Monitored Account Deployment dropdown.

    2. Enter one or more Organization unit (OU) IDs if you want to monitor specific OUs. Ensure SERVICE_MANAGED (Organizational Units) has been selected in the Monitored Account Deployment dropdown.

    3. Enter the Account IDs of the specific accounts you want to monitor within the organization. Ensure SELF_MANAGED (Account IDs) has been selected in the Monitored Account Deployment dropdown.

  7. For the following named fields, enter the equivalent key values obtained from the scanning account stack (Outputs tab) created in Step 1.

    1. CrossAccountRoleArn
    2. ECSTaskRoleArn
    3. ExternalId
    4. S3BucketArn
  8. Review the page and click Next.

  9. On Configure stack options, review the page and click Next (no changes are required).

    If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.

  10. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND
  11. Click Create stack.

  12. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    When the Status of the stack reaches CREATE_COMPLETE, the Agentless Workload Scanning integration for this AWS Organization is complete.

Option 2: Download CloudFormation Script

You can use the AWS Console or the AWS CLI to run the CloudFormation script to integrate the scanning account with your AWS Organization. For more information, see the following sections:

Use AWS Console to Run CloudFormation Script

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the agentless integration that you have just set up a scanning account for. This displays the details of the integration.

  2. Under Install using CloudFormation > Step 2: Integrate AWS Scanning Account with your AWS Organization, click Download CloudFormation Template.

    When prompted, choose a suitable location to save the JSON file on your local machine.

  3. Log in to your AWS account.

  4. Select the CloudFormation service and click Create stack > With new resources (standard).

  5. Under Specify template, select Upload a template file. Click Choose file and upload the CloudFormation script that was downloaded earlier.

  6. Click Next.

  7. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-OrgIntegration).

  8. For Monitored Account Deployment, select one of the following options:

    1. SERVICE_MANAGED (Organizational Units) - Select this option if you want to monitor the whole organization from the Root or specific Organizational Units (OUs).
    2. SELF_MANAGED (Account IDs) - Select this option if you only want to monitor one or more specific accounts within the organization.
    info

    See AWS Organizations terminology and concepts for further guidance on AWS Organizational structure.

  9. For Monitored Account IDs, there are a number of options available:

    1. Enter the AWS Organization Root ID if you want to monitor the whole organization. Ensure SERVICE_MANAGED (Organizational Units) has been selected in the Monitored Account Deployment dropdown.

    2. Enter one or more Organization unit (OU) IDs if you want to monitor specific OUs. Ensure SERVICE_MANAGED (Organizational Units) has been selected in the Monitored Account Deployment dropdown.

    3. Enter the Account IDs of the specific accounts you want to monitor within the organization. Ensure SELF_MANAGED (Account IDs) has been selected in the Monitored Account Deployment dropdown.

  10. For the following named fields, enter the equivalent key values obtained from the scanning account stack (Outputs tab) created in Step 1.

    1. CrossAccountRoleArn
    2. ECSTaskRoleArn
    3. ExternalId
    4. S3BucketArn
  11. Review the page and click Next.

  12. On Configure stack options, review the page and click Next (no changes are required).

    • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.
  13. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND
  14. Click Create stack.

  15. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    When the Status of the stack reaches CREATE_COMPLETE, the Agentless Workload Scanning integration for this AWS Organization is complete.

Use AWS CLI to Run CloudFormation Script

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the agentless integration that you have just set up a scanning account for. This displays the details of the integration.

  2. Under Install using CloudFormation > Step 2: Integrate AWS Scanning Account with your AWS Organization, click Download CloudFormation Template.

    When prompted, choose a suitable location to save the JSON file on your local machine.

  3. Run the downloaded CloudFormation template JSON file using the following AWS CLI command.

    aws cloudformation create-stack --profile YOUR_AWS_PROFILE_NAME --region REGION_FOR_STACK \
    --stack-name lacework-agentless-org-role \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --template-body file://path/to/lacework-agentless-step2.json \
    --parameters \
    ParameterKey=MonitoredAccountIds,ParameterValue="YOUR_AWS_MONITORED_ACCOUNT_ID" \
    ParameterKey=CrossAccountRoleArn,ParameterValue="YOUR_CROSS_ACCOUNT_ROLE_ARN" \
    ParameterKey=ECSTaskRoleArn,ParameterValue="YOUR_ECS_TASK_ROLE_ARN" \
    ParameterKey=ExternalId,ParameterValue="YOUR_EXTERNAL_ID" \
    ParameterKey=S3BucketArn,ParameterValue="YOUR_S3_BUCKET_ARN"

    Where:

    • --profile specifies the profile to use from your AWS credential file.
    • --region specifies the region in which you want to create the CloudFormation stack.
    • --stack-name specifies the name of the CloudFormation stack you want to create.
    • --template-body specifies the path to the CloudFormation template JSON file you downloaded from the Lacework Console.
    • MonitoredAccountIds parameter specifies the AWS Organization root, the Organizational Units (OUs), or the accounts you want to monitor. Do one of the following:
      • Enter the AWS Organization Root ID if you want to monitor the whole organization.
      • Enter one or more Organization unit (OU) IDs in a comma-separated list if you want to monitor specific OUs only. The list must be wrapped in escaped double quotes so the CLI keeps it as a single parameter value. For example:
        ParameterKey=MonitoredAccountIds,ParameterValue=\"ou-id-1,ou-id-2\"
      • Enter one or more Account IDs (comma-separated and quoted the same way) if you want to monitor specific accounts only.
      • As in the console procedure, a root or OU list belongs with the SERVICE_MANAGED deployment type and an account list with SELF_MANAGED. The command above does not set that parameter; look up its key name and accepted values in the Parameters section of the downloaded template and pass it explicitly whenever your choice differs from the template default.
    • For the following parameters, enter the values obtained from the scanning account stack created in Step 1.
      1. CrossAccountRoleArn
      2. ECSTaskRoleArn
      3. ExternalId
      4. S3BucketArn
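The hand-off from Step 1 to Step 2 on the CLI, as an added example that is not Lacework's code: it parses the describe-stacks JSON from Step 1, extracts the four outputs, checks that the MonitoredAccountIds list matches the deployment type (root or OU IDs go with SERVICE_MANAGED, account IDs with SELF_MANAGED), and builds the argv for the Step 2 create-stack call with the comma-delimited list quoted the way the CLI shorthand syntax needs. SAMPLE_DESCRIBE_STACKS is constructed data, and DEPLOYMENT_KEY is an assumed parameter name that you must confirm against the downloaded Step 2 template.

```python
"""Added example (not Lacework's code): hands the Step 1 outputs to the Step 2
create-stack call without manual copy-paste. It parses the JSON from
`aws cloudformation describe-stacks --stack-name lacework-agentless-scanning`,
checks the monitored-ID list against the deployment type, and builds argv for
`aws cloudformation create-stack`. SAMPLE_DESCRIBE_STACKS is constructed data.
DEPLOYMENT_KEY is an assumed parameter name: confirm it (and its accepted
values) in the Parameters section of the downloaded Step 2 template."""
import json
import re
import shlex
from typing import Dict, List

REQUIRED_OUTPUTS = ("CrossAccountRoleArn", "ECSTaskRoleArn", "ExternalId", "S3BucketArn")
DEPLOYMENT_KEY = "MonitoredAccountDeployment"  # assumption, see lead-in

# Identifier shapes AWS uses for organization roots, OUs and account IDs.
ROOT_ID = re.compile(r"^r-[0-9a-z]{4,32}$")
OU_ID = re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$")
ACCOUNT_ID = re.compile(r"^\d{12}$")

# Constructed sample of describe-stacks output for a finished Step 1 stack.
SAMPLE_DESCRIBE_STACKS = json.dumps({"Stacks": [{
    "StackName": "lacework-agentless-scanning",
    "StackStatus": "CREATE_COMPLETE",
    "Outputs": [
        {"OutputKey": "CrossAccountRoleArn",
         "OutputValue": "arn:aws:iam::123456789012:role/lacework-agentless-cross-account"},
        {"OutputKey": "ECSTaskRoleArn",
         "OutputValue": "arn:aws:iam::123456789012:role/lacework-agentless-ecs-task"},
        {"OutputKey": "ExternalId", "OutputValue": "7f3c0e2a9b1d4e5f"},
        {"OutputKey": "S3BucketArn", "OutputValue": "arn:aws:s3:::lacework-agentless-123456789012"},
    ]}]})


def step1_outputs(describe_json: str) -> Dict[str, str]:
    """Return the four Step 1 outputs; refuse a stack that is not CREATE_COMPLETE."""
    stack = json.loads(describe_json)["Stacks"][0]
    if stack.get("StackStatus") != "CREATE_COMPLETE":
        raise RuntimeError(f"stack is {stack.get('StackStatus')}, wait for CREATE_COMPLETE")
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    missing = [k for k in REQUIRED_OUTPUTS if not outputs.get(k)]
    if missing:
        raise RuntimeError(f"stack outputs missing: {missing}")
    # Shape checks so a mangled value fails here, not half-way through the Step 2 stack.
    for key in ("CrossAccountRoleArn", "ECSTaskRoleArn"):
        if not outputs[key].startswith("arn:aws:iam::"):
            raise ValueError(f"{key} is not an IAM role ARN: {outputs[key]}")
    if not outputs["S3BucketArn"].startswith("arn:aws:s3:::"):
        raise ValueError(f"S3BucketArn is not an S3 ARN: {outputs['S3BucketArn']}")
    return {k: outputs[k] for k in REQUIRED_OUTPUTS}


def deployment_type(monitored_ids: List[str]) -> str:
    """SERVICE_MANAGED for a root/OU list, SELF_MANAGED for account IDs; a mix is an error."""
    if not monitored_ids:
        raise ValueError("MonitoredAccountIds must not be empty")
    if all(ROOT_ID.match(i) or OU_ID.match(i) for i in monitored_ids):
        return "SERVICE_MANAGED"
    if all(ACCOUNT_ID.match(i) for i in monitored_ids):
        return "SELF_MANAGED"
    raise ValueError(f"mixed or malformed MonitoredAccountIds: {monitored_ids}")


def step2_argv(outputs: Dict[str, str], monitored_ids: List[str], profile: str, region: str,
               template_path: str, stack_name: str = "lacework-agentless-org-role") -> List[str]:
    """argv for the Step 2 create-stack call (no shell involved, so no escaping games)."""
    # In the CLI's shorthand syntax a comma-delimited list must be wrapped in literal double
    # quotes (what \"...\" produces in the shell examples); a single ID needs none.
    ids = ",".join(monitored_ids)
    ids_value = f'"{ids}"' if len(monitored_ids) > 1 else ids
    params = [f"ParameterKey={DEPLOYMENT_KEY},ParameterValue={deployment_type(monitored_ids)}",
              f"ParameterKey=MonitoredAccountIds,ParameterValue={ids_value}"]
    params += [f"ParameterKey={k},ParameterValue={outputs[k]}" for k in REQUIRED_OUTPUTS]
    return ["aws", "cloudformation", "create-stack", "--profile", profile, "--region", region,
            "--stack-name", stack_name,
            "--capabilities", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND",
            "--template-body", f"file://{template_path}", "--parameters", *params]


if __name__ == "__main__":
    # Stand-alone run on the constructed sample: print the command instead of executing it.
    # Against a real account, replace SAMPLE_DESCRIBE_STACKS with the stdout of
    # subprocess.run(["aws", "cloudformation", "describe-stacks", ...], capture_output=True, text=True).
    outs = step1_outputs(SAMPLE_DESCRIBE_STACKS)
    cmd = step2_argv(outs, ["ou-abcd-12345678", "ou-abcd-87654321"],
                     "YOUR_AWS_PROFILE_NAME", "us-east-1", "/path/to/lacework-agentless-step2.json")
    print(shlex.join(cmd))
```

Passing the argv list straight to subprocess avoids the shell, which is why the comma-delimited value carries literal double quotes here instead of the backslash-escaped form shown in the shell commands above: both reach the CLI as the same string.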

Delete the Default Inbound Rule for the Default Security Group

The Agentless deployment creates a VPC in each selected region, and AWS automatically attaches a default security group to every VPC. That group's stock inbound rule allows all traffic from other resources that are attached to the same security group. CloudFormation cannot manage the default security group, so the rule is left in place by the deployment. It admits no traffic from outside the group, but it is unnecessary for the scanner and can be removed.

If you have the CIS AWS 1.4.0 benchmark and/or Lacework AWS Security Addendum 1.0 enabled in your environment, lacework-global-87 may trigger alerts for the security group that Agentless uses. To resolve the alert, delete the default inbound rule in the security group using the instructions in Alerts Triggering for lacework-global-87 after Deployment.
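The clean-up described above, done from the CLI, as an added example that is not Lacework's code: it reads the JSON that `aws ec2 describe-security-groups --filters Name=group-name,Values=default` prints, recognises the stock self-referencing inbound rule on each default security group, and prepares a `revoke-security-group-ingress` call that removes exactly that rule. Any other inbound rule is reported and left alone, so a rule someone added later is not silently treated as the expected one. SAMPLE_DESCRIBE_SGS is constructed data, and the script name in the usage comment is a placeholder.

```python
"""Added example (not Lacework's code): finds the default security group of each
scanner VPC and prepares the revoke of the stock self-referencing inbound rule.
Input is the JSON printed by
`aws ec2 describe-security-groups --filters Name=group-name,Values=default`;
SAMPLE_DESCRIBE_SGS is a constructed stand-in. Inbound rules other than the
stock self-reference are reported, never revoked."""
import json
import shlex
import subprocess
import sys
from typing import Dict, Iterable, List, Optional

# Constructed sample: vpc-0aaa has only the stock rule; vpc-0bbb also has a hand-added SSH rule.
SAMPLE_DESCRIBE_SGS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa111122223333", "GroupName": "default", "VpcId": "vpc-0aaa",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa111122223333", "UserId": "123456789012"}]}]},
    {"GroupId": "sg-0bbb111122223333", "GroupName": "default", "VpcId": "vpc-0bbb",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0bbb111122223333", "UserId": "123456789012"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]},
]})


def is_stock_self_reference(group_id: str, perm: Dict) -> bool:
    """The rule AWS creates on every default SG: all protocols, source = the group itself."""
    pairs = perm.get("UserIdGroupPairs", [])
    return (perm.get("IpProtocol") == "-1"
            and not perm.get("IpRanges") and not perm.get("Ipv6Ranges")
            and not perm.get("PrefixListIds")
            and len(pairs) == 1 and pairs[0].get("GroupId") == group_id)


def audit_default_groups(describe_json: str,
                         vpc_ids: Optional[Iterable[str]] = None) -> Dict[str, Dict]:
    """Per default SG: the stock rule(s) to revoke, and anything else, which needs a human look."""
    wanted = set(vpc_ids) if vpc_ids is not None else None
    report: Dict[str, Dict] = {}
    for sg in json.loads(describe_json).get("SecurityGroups", []):
        if sg.get("GroupName") != "default" or (wanted is not None and sg["VpcId"] not in wanted):
            continue
        gid = sg["GroupId"]
        perms = sg.get("IpPermissions", [])
        report[gid] = {
            "vpc": sg["VpcId"],
            "revoke": [p for p in perms if is_stock_self_reference(gid, p)],
            "unexpected": [p for p in perms if not is_stock_self_reference(gid, p)],
        }
    return report


def revoke_argv(group_id: str, perms: List[Dict], region: str, profile: str) -> List[str]:
    """argv for revoke-security-group-ingress removing exactly the given rules (JSON form)."""
    return ["aws", "ec2", "revoke-security-group-ingress", "--profile", profile, "--region", region,
            "--group-id", group_id, "--ip-permissions", json.dumps(perms)]


if __name__ == "__main__":
    # Usage (placeholder script name):
    #   aws ec2 describe-security-groups --profile P --region R --filters Name=group-name,Values=default \
    #     | python3 audit_default_sg.py R P [--apply]
    # Without --apply the revoke commands are only printed. Run once per scanner region.
    # With nothing piped in, it runs against the constructed sample.
    args = [a for a in sys.argv[1:] if a != "--apply"]
    region = args[0] if len(args) > 0 else "us-east-1"
    profile = args[1] if len(args) > 1 else "default"
    raw = SAMPLE_DESCRIBE_SGS if sys.stdin.isatty() else sys.stdin.read()
    for gid, info in audit_default_groups(raw).items():
        for perm in info["unexpected"]:
            print(f"{gid} ({info['vpc']}): unexpected inbound rule, not touching it: {json.dumps(perm)}")
        if info["revoke"]:
            argv = revoke_argv(gid, info["revoke"], region, profile)
            if "--apply" in sys.argv:
                subprocess.run(argv, check=True)
            else:
                print("plan:", shlex.join(argv))
```

Restrict the run to the scanner's VPCs by passing their IDs as `vpc_ids`; otherwise every default group in the region is audited, which is usually what a CIS-style check wants anyway.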

Verify your Agentless Workload Scanning Integration

Verify CloudFormation StackSet Instances Completed

These steps verify that the CloudFormation StackSet created a stack instance in each region you selected in the Regions parameter. The parent stack can reach CREATE_COMPLETE even though one or more regional stack instances failed, so check the instances themselves.

  1. In the AWS Console open the CloudFormation page. Make sure you have selected the AWS region where the Agentless Scanning template was installed.
  2. On the left-hand side menu click StackSets.
  3. Click on the link for the StackSet matching the name of the CloudFormation Stack created above.
  4. Click on the Stack Instances tab.
  5. Review each instance and check that its Detailed Status is "Success" (SUCCEEDED in the API output). If an instance failed, the Status Reason contains the detailed error message.
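The same StackSet check from the CLI, as an added example that is not Lacework's code: it takes the JSON from `aws cloudformation list-stack-instances --stack-set-name <StackSet name>` plus the regions you selected in Step 1, and reports instances whose Detailed Status is not SUCCEEDED as well as regions that have no instance at all, which is exactly the case where the parent stack shows CREATE_COMPLETE but a regional deployment never happened. SAMPLE_LIST_INSTANCES is constructed data.

```python
"""Added example (not Lacework's code): the StackSet instance check done from
the CLI. Input is the JSON printed by
`aws cloudformation list-stack-instances --stack-set-name <StackSet name>`
(the CLI paginates for you; if you call the API directly, merge every page's
Summaries first). SAMPLE_LIST_INSTANCES is constructed data."""
import json
import sys
from typing import Dict, Iterable, List

# Constructed sample: one healthy instance, one that failed on the VPC quota.
SAMPLE_LIST_INSTANCES = json.dumps({"Summaries": [
    {"Region": "us-east-1", "Account": "123456789012", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Region": "us-west-1", "Account": "123456789012", "Status": "OUTDATED",
     "StatusReason": "VpcLimitExceeded: The maximum number of VPCs has been reached.",
     "StackInstanceStatus": {"DetailedStatus": "FAILED"}},
]})


def check_stack_instances(list_json: str, expected_regions: Iterable[str]) -> Dict:
    """Compare the StackSet's instances against the regions that should each have one."""
    expected = set(expected_regions)
    seen = set()
    problems: List[Dict[str, str]] = []
    for s in json.loads(list_json).get("Summaries", []):
        seen.add(s["Region"])
        detailed = s.get("StackInstanceStatus", {}).get("DetailedStatus", "UNKNOWN")
        if detailed != "SUCCEEDED":
            problems.append({"region": s["Region"], "account": s.get("Account", ""),
                             "detailed_status": detailed, "reason": s.get("StatusReason", "")})
    missing = sorted(expected - seen)          # selected regions that never got an instance
    extra = sorted(seen - expected)            # instances in regions you did not select
    return {"ok": not problems and not missing, "problems": problems,
            "missing_regions": missing, "unexpected_regions": extra}


def summary_lines(report: Dict) -> List[str]:
    """Human-readable findings, one per line."""
    lines = []
    for p in report["problems"]:
        lines.append(f"{p['region']} {p['account']}: {p['detailed_status']} {p['reason']}".rstrip())
    for r in report["missing_regions"]:
        lines.append(f"{r}: no stack instance found")
    for r in report["unexpected_regions"]:
        lines.append(f"{r}: stack instance exists but the region was not selected")
    return lines or ["all regional stack instances SUCCEEDED"]


if __name__ == "__main__":
    # Usage: aws cloudformation list-stack-instances --stack-set-name NAME \
    #          | python3 check_instances.py us-east-1 us-west-1 eu-west-1
    # With nothing piped in, it runs against the constructed sample. Exit status 1 on any finding.
    regions = sys.argv[1:] or ["us-east-1", "us-west-1", "eu-west-1"]
    raw = SAMPLE_LIST_INSTANCES if sys.stdin.isatty() else sys.stdin.read()
    report = check_stack_instances(raw, regions)
    print("\n".join(summary_lines(report)))
    sys.exit(0 if report["ok"] else 1)
```

The non-zero exit status makes the check usable as a gate in whatever pipeline drives the deployment, so a silently failed regional instance stops the rollout instead of surfacing later as a scanning error in the Lacework Console.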

Verify Lacework Integration Completed

In the Lacework console, the status of the integration at Settings > Integrations > Cloud accounts will update from Pending to Success if all resources are installed correctly.

You may need to refresh the page when returning from the AWS Console after completing the integration steps.

If the periodic scanning encounters an error, the status will display the error details.

Remove an Agentless Workload Scanning Integration

Follow these steps if you want to remove your organization integration.

Start in the Lacework console.

  1. In Settings > Integrations > Cloud accounts, find the integration that you would like to remove.
  2. Note the name of the integration, this will be used to locate the CloudFormation Stack later.
  3. Toggle the integration State to disabled, or Delete the integration using the actions menu on the right.

Once complete, remove the integration within AWS using the AWS Console.

  1. Log in to your AWS account.
  2. Select the CloudFormation service and find the stacks associated with the integration (the Step 1 scanning-account stacks and the Step 2 organization stack, under the names you noted).
  3. Select each stack, click Delete, then click Delete stack to confirm.

Next Steps

  1. View scanning results in the Lacework Console.
  2. Read FAQs on Agentless Workload Scanning.