
AWS Integration - Terraform from Any Supported Host

Overview

This topic describes how to integrate with AWS by running Lacework Terraform modules from any host supported by Terraform.

If you are new to the Lacework Terraform provider, or Lacework Terraform modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider.

note

Lacework Terraform modules for AWS do not support GovCloud integration yet.

Resources Provisioned by Lacework Terraform Modules

To integrate AWS with Lacework, Lacework Terraform modules provision the following resources in the designated AWS account:

  • IAM Cross-Account Role - A cross-account role is required to give Lacework access for assessments of cloud resource configurations and for analysis of CloudTrail events. Lacework assumes this role from its own AWS account; the role's trust policy is scoped with an external ID that the config module generates and exposes as its external_id output. The cross-account role is given the following policies:
    • SecurityAudit - AWS-managed policy that provides read-only access to cloud resource configurations.
    • Lacework Custom Audit Policy - A custom policy that extends SecurityAudit to enable read-only access to additional configuration resources.
    • Lacework Custom IAM Policy - A custom policy that provides Lacework read-only access to ingest CloudTrail logs.
  • CloudTrail - Lacework can create a new trail or use an existing CloudTrail.
  • S3 Bucket - An S3 bucket is required for all CloudTrail integrations. Lacework can use an existing bucket or create a new bucket in the designated account.
  • SNS Topic - An SNS topic is required for all CloudTrail integrations. Terraform can use an existing SNS topic or create one if an SNS topic has not been added to an existing CloudTrail.
  • SQS Queue - An SQS queue is required for all CloudTrail integrations and monitored by Lacework.
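Because the cross-account role is the one credential that lets an outside account read your configuration and CloudTrail logs, its trust policy is worth checking after terraform apply. The following is an added example and not Lacework code or part of the modules: it reads an IAM trust policy document (the AssumeRolePolicyDocument that aws iam get-role returns) and flags any sts:AssumeRole grant that trusts a wildcard or unexpected principal, or that lacks the sts:ExternalId condition the modules set through iam_role_external_id. The principal ARN, external ID and policy documents below are constructed placeholders, not Lacework's real values; for a real run, take the expected principal from Lacework and the external ID from the module's external_id output.

```python
"""Check a Lacework cross-account role's trust policy after terraform apply.

Added example, not Lacework code. Reads an IAM trust policy document (the
AssumeRolePolicyDocument returned by `aws iam get-role`) and reports any
Allow statement for sts:AssumeRole that trusts a principal other than the
expected one, or that lacks the sts:ExternalId condition the Lacework
modules set through iam_role_external_id.
"""
import json

# Constructed placeholders: not Lacework's real account ID or external ID.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"
EXPECTED_EXTERNAL_ID = "lweid:example-external-id"

# Constructed sample of a trust policy shaped the way the modules intend.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
})

# Constructed sample of a drifted policy: anyone can assume it, no external ID.
BAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_principal, expected_external_id):
    """Return a list of findings (empty when the policy matches expectations)."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # not an assume-role grant, out of scope here

        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            for kind in principal:
                if kind != "AWS":  # Service/Federated principals do not belong on this role
                    findings.append(f"statement {idx}: unexpected principal type {kind}")
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = _as_list(principal)  # bare "*" form
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {idx}: any AWS principal may assume the role")
            elif p != expected_principal:
                findings.append(f"statement {idx}: unexpected principal {p}")

        # The external ID is what prevents a confused-deputy attack: without it,
        # any other customer of the same vendor account could point it at this role.
        condition = stmt.get("Condition") or {}
        external_id = (condition.get("StringEquals") or {}).get("sts:ExternalId")
        if external_id is None:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
        elif external_id != expected_external_id:
            findings.append(f"statement {idx}: sts:ExternalId does not match the module output")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        problems = check_trust_policy(doc, EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID)
        print(f"{name}: {'OK' if not problems else problems}")
```

To run this against a real deployment, expose the module's iam_role_name and external_id values as root-level outputs, fetch the live policy with aws iam get-role --role-name NAME --query Role.AssumeRolePolicyDocument, and pass that JSON together with the Lacework principal you expect to check_trust_policy.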

Requirements

  • AWS Account Admin - The account used to run Terraform must have administrative privileges on every AWS account you intend to integrate with Lacework.
  • AWS CLI - The Terraform provider for AWS reads its configuration from the AWS CLI, so it is recommended that the AWS CLI be installed and configured with API keys for the account being integrated.
  • Lacework Administrator - You must have a Lacework account with administrator privileges.
  • Lacework CLI - The Lacework Terraform provider reads its configuration from the Lacework CLI. It is recommended that the Lacework CLI be installed and configured.
  • Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.

Module Inputs Reference

For an up-to-date guide on all available configuration inputs, refer to the Terraform Registry documentation:

Module Dependencies

Lacework Terraform modules for AWS have the following dependencies that are installed when running terraform init:

For detailed information on these dependencies, see Lacework on the Terraform Registry.

Deployment Scenarios

Lacework Terraform modules for AWS support the following deployment scenarios:

  • Add Configuration Assessment Only - This deployment scenario configures an AWS account for cloud resource configuration assessment. This scenario uses the Lacework CLI.
  • Deploy New CloudTrail and Add Configuration Assessment - This deployment scenario configures a new CloudTrail in an AWS account, configures an AWS account for cloud resource configuration assessment, and integrates the AWS account with Lacework. This scenario uses the Lacework CLI.
  • Integrate Existing CloudTrail and Add Configuration Assessment - This deployment scenario uses an existing CloudTrail and S3 bucket, passed as inputs to the module, and can either create a new SNS topic or use an existing one. The example creates the SQS queue and IAM role for Lacework, and then configures both integrations with Lacework.
  • New Consolidated CloudTrail - This scenario enables a new consolidated CloudTrail and IAM role for Lacework, then configures both integrations with Lacework. Finally, it configures a new CloudTrail Trail in an AWS sub-account that points to the main CloudTrail.
  • Existing Consolidated CloudTrail - This scenario uses a consolidated CloudTrail and creates an IAM role for Lacework, then configures all sub-accounts to be integrated with Lacework.
  • AWS Organization Using Control Tower or Similar Structure - This scenario is for integrating with AWS Organizations that use AWS Control Tower (or a similar setup) to automatically set up their CloudTrail logging. This scenario uses a different module that only creates an IAM role for Lacework in the log_archive account and an SQS queue in the audit account.
  • Configure Multiple AWS Accounts - This scenario configures multiple AWS accounts for cloud resource configuration compliance only.
  • Existing CloudTrail Using S3 Bucket Notifications - This scenario configures a cross-account IAM role to give Lacework access to an existing CloudTrail, and uses S3 bucket notifications rather than CloudTrail SNS notifications.
  • Supplemental: New or Existing CloudTrail with KMS Bucket Encryption - Additional parameters for use of KMS-encrypted S3 buckets.

Scenario 1 - Add Configuration Assessment Only

This deployment scenario configures an AWS account for cloud resource configuration assessment.

  1. Ensure the Lacework CLI is installed and configured to the Lacework account you plan to integrate.
    1. Install the Lacework CLI.
    2. Create your API key.
    3. Configure your Lacework CLI.
  2. Install the AWS CLI. For details on how to install the AWS CLI, see Configuring your AWS CLI.
  3. From the Lacework CLI, generate the Infrastructure-as-Code (IaC) Terraform code by running the command: lacework cloud-account iac-generate aws.
  4. Answer the integration questions in the CLI to customize your Terraform code for your specific integration. For this integration type, enter y to Enable configuration integration? and N to Enable CloudTrail Integration?.
  5. Specify your AWS region at Specify the AWS region to be used by CloudTrail, SNS, and S3:. Select N for Configure advanced integration options?.
    note

    Lacework Terraform modules provide a number of inputs for customization. See the documentation on terraform-aws-config for the complete list of inputs for this module under the Inputs tab.

  6. Enter y at Run Terraform plan now? to install Terraform if it is not already installed, initialize, download the required modules, and display the plan of resources to apply.
  7. Select Continue with Terraform Apply to deploy the integration.
  8. After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to validate the integration.
  9. Go back to the Lacework Console onboarding page and click Exit to finish the AWS integration and save your onboarding progress. The integration appears in the list of cloud accounts under Cloud accounts.
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform Registry documentation for the complete list of inputs for each module.

Scenario 2 - Deploy New CloudTrail and Add Configuration Assessment

This scenario creates a new CloudTrail in an AWS account along with a cross-account IAM role to provide Lacework access to monitor CloudTrail, AWS resource configurations, and integrate the AWS account into Lacework.

  1. Ensure the Lacework CLI is installed and configured to the Lacework account you plan to integrate.
    1. Install the Lacework CLI.
    2. Create your API key.
    3. Configure your Lacework CLI.
  2. Install the AWS CLI, then configure it to point to the correct AWS account. For details on how to install and configure the AWS CLI, see Configuring your AWS CLI.
  3. From the Lacework CLI, generate the Infrastructure-as-Code (IaC) Terraform code by running the command: lacework cloud-account iac-generate aws.
  4. Answer the integration questions in the CLI to customize your Terraform code for your specific integration. For this integration type, enter y to Enable configuration integration? and y to Enable CloudTrail Integration?.
  5. Specify your AWS region at Specify the AWS region to be used by CloudTrail, SNS, and S3:. Select N for Configure advanced integration options?.
    note

    Lacework Terraform modules provide a number of inputs for customization. See terraform-aws-config and terraform-aws-cloudtrail for the complete list of inputs for each module under the Inputs tab.

  6. Enter y at Run Terraform plan now? to install Terraform if it is not already installed, initialize, download the required modules, and display the plan of resources to apply.
  7. Select Continue with Terraform Apply to deploy the integration.
  8. After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to validate the integration.
  9. Go back to the Lacework Console onboarding page and click Exit to finish the AWS integration and save your onboarding progress. The integration appears in the list of cloud accounts under Cloud accounts.
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform Registry documentation for the complete list of inputs for each module.

Validate the Configuration

After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

To validate the integration using the CLI, open a Terminal and run lacework cloud-account list. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 3 - Integrate Existing CloudTrail and Add Configuration Assessment

In this scenario, Terraform configures a cross-account IAM role to provide Lacework access to monitor an existing CloudTrail. That same cross-account role also provides Lacework permissions to audit AWS resource configurations and integrate the AWS account into Lacework. An SQS queue is created for Lacework, and you can optionally deploy an SNS topic for that SQS queue if one does not already exist.

About SNS Topics

AWS CloudTrail provides an option to create an SNS topic, which is required to integrate AWS environments with Lacework. The Lacework Terraform module for CloudTrail creates a new SNS topic by default. The SNS topic must be created in the same region as the existing CloudTrail, and it must be manually attached to the CloudTrail by logging in to the AWS console, navigating to CloudTrail, and then selecting the new SNS topic.

main.tf Template

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

provider "aws" {
  region = "YourRegionOfExistingCloudTrail"
}

provider "lacework" {}

module "aws_config" {
  source  = "lacework/config/aws"
  version = "~> 0.6"
}

module "aws_cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.2"

  use_existing_cloudtrail = true
  bucket_arn              = "YourExistingBucketARN"

  # Reuse the cross-account role created by the config module above
  use_existing_iam_role = true
  iam_role_name         = module.aws_config.iam_role_name
  iam_role_arn          = module.aws_config.iam_role_arn
  iam_role_external_id  = module.aws_config.external_id
}
note

Terraform must be configured to run using the account that owns the S3 bucket used with the CloudTrail.

  1. Ensure the Lacework CLI is installed and configured to the Lacework account you plan to integrate.
  2. Open an editor of your choice (such as Vim) and create a new file named main.tf.
  3. Copy the code snippet above, and paste it into the main.tf file.
  4. Validate the provider/module versions and the configuration as covered in the provider documentation.
  5. Update the region and bucket_arn.
  6. If you have an SNS topic configured on the existing CloudTrail, specify it by adding the following inputs to the aws_cloudtrail module block:
    use_existing_sns_topic = true
    sns_topic_arn          = "YourExistingSnsTopicARN"
    If you do not have an SNS topic configured on the existing CloudTrail, the Terraform module creates one automatically, but you must manually attach that SNS topic to the existing CloudTrail (see About SNS Topics above).
  7. Open a Terminal and change directories to the directory that contains the main.tf file and run terraform init to initialize the project and download the required modules.
  8. Run terraform plan to validate the configuration and review pending changes.
  9. After you review the pending changes, run terraform apply to execute the changes.
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform Registry documentation for the complete list of inputs for each module.

Validate the Configuration

After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

To validate the integration using the CLI, open a Terminal and run lacework cloud-account list. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 4 - Deploy New Consolidated CloudTrail and Configuration Assessment

Lacework supports the integration of consolidated CloudTrail deployments where multiple sub-accounts send CloudTrail logs to a main CloudTrail account.

This scenario enables an organization CloudTrail and a cross-account IAM role to give Lacework access to CloudTrail and integrates the AWS accounts into Lacework.

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

provider "lacework" {}

provider "aws" {
  alias   = "main"
  region  = "YourAWSRegion"
  profile = "[profile name for the main account in ~/.aws/credentials]"
}

module "aws_config_main" {
  source  = "lacework/config/aws"
  version = "~> 0.6"

  providers = {
    aws = aws.main
  }
}

module "main_cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.2"

  providers = {
    aws = aws.main
  }

  consolidated_trail    = true
  use_existing_iam_role = true
  iam_role_name         = module.aws_config_main.iam_role_name
  iam_role_arn          = module.aws_config_main.iam_role_arn
  iam_role_external_id  = module.aws_config_main.external_id
}

provider "aws" {
  alias   = "sub_account_1_alias"
  region  = "YourAWSRegion"
  profile = "[profile name for sub_account_1 in ~/.aws/credentials]"
}

module "aws_config_sub_account_1" {
  source  = "lacework/config/aws"
  version = "~> 0.6"

  providers = {
    aws = aws.sub_account_1_alias
  }
}

# Trail in the sub-account that delivers to the main account's bucket and topic
resource "aws_cloudtrail" "lw_sub_account_1_cloudtrail" {
  provider              = aws.sub_account_1_alias
  name                  = "lacework-sub-trail"
  is_multi_region_trail = true
  s3_bucket_name        = module.main_cloudtrail.bucket_name
  sns_topic_name        = module.main_cloudtrail.sns_arn
}

# Create additional provider, module, and resource sections for each additional sub-account.
# Ensure that each `provider` section has a unique alias, and use that alias in the module and
# resource sections for each account.

# For example, to integrate an account with the alias 'prod':

# provider "aws" {
#   alias   = "prod"
#   region  = "YourAWSRegion"
#   profile = "[profile name for prod in ~/.aws/credentials]"
# }

# module "aws_config_prod" {
#   source  = "lacework/config/aws"
#   version = "~> 0.6"
#
#   providers = {
#     aws = aws.prod
#   }
# }

# resource "aws_cloudtrail" "lw_prod_cloudtrail" {
#   provider              = aws.prod
#   name                  = "lacework-sub-trail"
#   is_multi_region_trail = true
#   s3_bucket_name        = module.main_cloudtrail.bucket_name
#   sns_topic_name        = module.main_cloudtrail.sns_arn
# }

You must create separate provider, module, and resource entries for each sub-account. Ensure that the alias used in each provider entry is unique, such as PROD, DEV, QA.

For more information on organization level CloudTrail deployments, see AWS documentation.

  1. Ensure the Lacework CLI is installed and configured to the Lacework account you plan to integrate.
  2. Open an editor of your choice (such as Vim) and create a new file named main.tf.
  3. Copy the code snippet above, and paste it into the main.tf file.
  4. Validate the provider/module versions and the configuration as covered in the provider documentation.
  5. Open a Terminal and change directories to the directory that contains the main.tf file and run terraform init to initialize the project and download the required modules.
  6. Run terraform plan to validate the configuration and review pending changes.
  7. After you review the pending changes, run terraform apply to execute the changes.
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform Registry documentation for the complete list of inputs for each module.

Validate the Configuration

After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

To validate the integration using the CLI, open a Terminal and run lacework cloud-account list. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 5 - Integrate Existing Consolidated CloudTrail and Configuration Assessment

Lacework supports the integration of consolidated CloudTrail deployments where multiple sub-accounts send CloudTrail logs to a main CloudTrail account.

This scenario uses an existing consolidated CloudTrail, and deploys a cross-account IAM role to give Lacework access to CloudTrail and integrates the AWS accounts into Lacework. The cross-account role also provides Lacework access to assess cloud resource configurations.

About SNS Topics

AWS CloudTrail provides an option to create an SNS topic, which is required to integrate AWS environments with Lacework. The Lacework Terraform module for CloudTrail creates a new SNS topic by default. The SNS topic must be created in the same region as the existing CloudTrail, and it must be manually attached to the CloudTrail by logging in to the AWS console, navigating to CloudTrail, and then selecting the new SNS topic.

main.tf Template

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

provider "lacework" {}

provider "aws" {
  alias   = "main"
  region  = "YourAWSRegion"
  profile = "[profile name for the main account in ~/.aws/credentials]"
}

module "aws_config_main" {
  source  = "lacework/config/aws"
  version = "~> 0.6"

  providers = {
    aws = aws.main
  }
}

module "main_cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.2"

  providers = {
    aws = aws.main
  }

  consolidated_trail      = true
  use_existing_cloudtrail = true
  bucket_arn              = "YourExistingBucketARN"
}

provider "aws" {
  alias   = "sub_account"
  region  = "YourAWSRegion"
  profile = "[profile name for the sub account in ~/.aws/credentials]"
}

module "aws_config_sub_account" {
  source  = "lacework/config/aws"
  version = "~> 0.6"

  providers = {
    aws = aws.sub_account
  }
}

For more information on organization level CloudTrail deployments, see AWS documentation.

  1. Ensure the Lacework CLI is installed and configured to the Lacework account you plan to integrate.
  2. Open an editor of your choice (such as Vim) and create a new file named main.tf.
  3. Copy the code snippet above, and paste it into the main.tf file.
  4. Validate the provider/module versions and the configuration as covered in the provider documentation.
  5. Update the region and bucket_arn.
  6. If you have an SNS topic configured on the existing CloudTrail, specify it by adding the following inputs to the main_cloudtrail module block:
    use_existing_sns_topic = true
    sns_topic_arn          = "YourExistingSnsTopicARN"
    If you do not have an SNS topic configured on the existing CloudTrail, the Terraform module creates one automatically, but you must manually attach that SNS topic to the existing CloudTrail (see About SNS Topics above).
  7. Open a Terminal and change directories to the directory that contains the main.tf file and run terraform init to initialize the project and download the required modules.
  8. Run terraform plan to validate the configuration and review pending changes.
  9. After you review the pending changes, run terraform apply to execute the changes.
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform Registry documentation for the complete list of inputs for each module.

Validate the Configuration

After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

To validate the integration using the CLI, open a Terminal and run lacework cloud-account list. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 6 - AWS Organizations Using AWS Control Tower

Lacework supports the integration of consolidated CloudTrail for AWS Organizations using AWS Control Tower (or similar deployments) that split the S3 bucket for the consolidated CloudTrail and the subscribed SNS topic.

This scenario uses an existing consolidated CloudTrail in an S3 bucket, deploys a cross-account IAM role to the log_archive account to give Lacework access to that S3 bucket, deploys an SQS queue for the existing SNS topic in the audit account and finally, integrates the AWS accounts into Lacework.

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

provider "lacework" {}

provider "aws" {
  alias   = "log_archive_account"
  region  = "YourAWSRegion"
  profile = "[profile name for log_archive account in ~/.aws/credentials]"
}

provider "aws" {
  alias   = "audit_account"
  region  = "YourAWSRegion"
  profile = "[profile name for audit account in ~/.aws/credentials]"
}

module "cloudtrail-controltower" {
  source  = "lacework/cloudtrail-controltower/aws"
  version = "~> 0.1"

  providers = {
    aws.audit       = aws.audit_account
    aws.log_archive = aws.log_archive_account
  }

  # The only two required variables are the SNS topic ARN and the S3 bucket ARN where the CloudTrail logs are stored.
  # The SNS topic ARN is usually in the form: arn:aws:sns:[control_tower_region]:[aws_audit_account_id]:aws-controltower-AllConfigNotifications
  sns_topic_arn = "arn:aws:sns:[control_tower_region]:[aws_audit_account_id]:aws-controltower-AllConfigNotifications"

  # The S3 bucket ARN is usually in the form: arn:aws:s3:::aws-controltower-logs-[log_archive_account_id]-[control_tower_region]
  s3_bucket_arn = "arn:aws:s3:::aws-controltower-logs-[log_archive_account_id]-[control_tower_region]"

  # If the bucket is KMS-encrypted, the KMS key ARN is usually in the form: arn:aws:kms:[aws_region]:[aws_account]:key/[value]
  # kms_key_arn = "arn:aws:kms:[aws_region]:[aws_account]:key/[value]"

  # All other fields are documented at: https://github.com/lacework/terraform-aws-cloudtrail-controltower
}
  1. Ensure the Lacework CLI is installed and configured to the Lacework account you plan to integrate.
  2. Ensure you have your multiple account credentials in your ~/.aws/credentials file.
  3. Open an editor of your choice (such as Vim) and create a new file named main.tf.
  4. Copy the code snippet above, and paste it into the main.tf file.
  5. Validate the provider/module versions and the configuration as covered in the provider documentation.
  6. Update the AWS provider profile, region, sns_topic_arn, and s3_bucket_arn.
  7. (Optional) If you already have an IAM role in your log_archive account that you want Lacework to use, set use_existing_iam_role = true and identify the role with the iam_role_name and iam_role_arn inputs. If you do not, the Terraform module creates one. Either way, the IAM role MUST be in the log_archive account (the account that owns the S3 bucket), not the audit account.
  8. Open a Terminal and change directories to the directory that contains the main.tf file and run terraform init to initialize the project and download the required modules.
  9. Run terraform plan to validate the configuration and review pending changes.
  10. After you review the pending changes, run terraform apply to execute the changes.
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform Registry documentation for the complete list of inputs for each module.

Validate the Configuration

After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

To validate the integration using the CLI, open a Terminal and run lacework cloud-account list. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 7 - Configure Multiple AWS Accounts

This scenario configures multiple AWS accounts for cloud resource configuration compliance only. You must have a corresponding AWS credentials file with the respective profiles listed in the example. For example, if your credentials file includes a profile named development then use that name in the profile field in the example.

provider "aws" {
  alias   = "account-1"
  profile = "account-1"
  region  = "YourAWSRegion"
}

module "config_account_1" {
  source  = "lacework/config/aws"
  version = "~> 0.6"

  providers = {
    aws = aws.account-1
  }
}

provider "aws" {
  alias   = "account-2"
  profile = "account-2"
  region  = "YourAWSRegion"
}

module "config_account_2" {
  source  = "lacework/config/aws"
  version = "~> 0.6"

  providers = {
    aws = aws.account-2
  }
}
  1. Ensure the Lacework CLI is installed and configured to the Lacework account you plan to integrate.
  2. Ensure you have your multiple account credentials in your ~/.aws/credentials file.
  3. Open an editor of your choice (such as Vim) and create a new file named main.tf.
  4. Copy the code snippet above, and paste it into the main.tf file.
  5. Validate the provider/module versions and the configuration as covered in the provider documentation.
  6. Update the AWS provider profile and region.
  7. Open a Terminal and change directories to the directory that contains the main.tf file and run terraform init to initialize the project and download the required modules.
  8. Run terraform plan to validate the configuration and review pending changes.
  9. After you review the pending changes, run terraform apply to execute the changes.
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform Registry documentation for the complete list of inputs for each module.

Validate the Configuration

After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

To validate the integration using the CLI, open a Terminal and run lacework cloud-account list. You should see AwsCfg for the Config integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 8 - Integrate Existing CloudTrail Using S3 Bucket Notifications

In this scenario, Terraform configures a cross-account IAM role to give Lacework access to an existing CloudTrail, and uses S3 bucket notifications rather than CloudTrail SNS notifications. An SQS queue is created for Lacework, and you can optionally deploy an SNS topic in front of that SQS queue if one does not already exist.

note

If your existing S3 bucket already sends notifications to an existing SQS queue, a second S3-to-SQS notification for Lacework cannot be added: both notifications would need the same suffix filter, and AWS rejects overlapping notification configurations on one bucket. In this case, switch to an SNS fanout (see the s3_notification_type input in the steps below), so that the bucket notifies a single SNS topic that feeds both queues.

main.tf Template

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

provider "lacework" {}

provider "aws" {
  region = "us-west-2"
}

module "aws_cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.2"

  # Use an existing CloudTrail
  use_existing_cloudtrail = true
  bucket_arn              = "YourExistingBucketARN"

  # Use S3 bucket notifications instead of CloudTrail SNS notifications
  use_s3_bucket_notification = true
}
note

Terraform must be configured to run using the account that owns the S3 bucket used with the CloudTrail.

  1. Ensure the Lacework CLI is installed and configured to the Lacework account you plan to integrate.
  2. Open an editor of your choice (such as Vim) and create a new file named main.tf.
  3. Copy the code snippet above, and paste it into the main.tf file.
  4. Validate the provider/module versions and the configuration as covered in the provider documentation.
  5. Optionally, use the s3_notification_type input to choose the destination type (SNS or SQS) for the S3 bucket notification; it defaults to SQS. When several SQS queues need to consume the same S3 bucket notifications, or when the bucket already sends notifications to an existing SQS queue, use the SNS destination type to do an SNS fanout.
  6. Update the region and bucket_arn.
  7. Open a Terminal and change directories to the directory that contains the main.tf file and run terraform init to initialize the project and download the required modules.
  8. Run terraform plan to validate the configuration and review pending changes.
  9. After you review the pending changes, run terraform apply to execute the changes.
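What lands in the SQS queue that Lacework polls differs by scenario: with the default CloudTrail SNS notifications the message body is an SNS envelope around CloudTrail's own {"s3Bucket", "s3ObjectKey"} notice; with use_s3_bucket_notification = true and the default SQS destination it is the raw S3 event; with s3_notification_type set to SNS (the fanout above) it is an SNS envelope around that S3 event. The following added example, which is not Lacework's consumer code, unwraps all three shapes, drops the s3:TestEvent that S3 emits when a notification is configured, ignores non-CloudTrail objects such as digest files, and pulls the account, region and (for organization trails) organization ID out of the CloudTrail key. The bucket names, account IDs, organization ID and message bodies are constructed samples.

```python
"""Unwrap the notification shapes that reach the Lacework SQS queue.

Added example, not Lacework code. Handles the three message bodies that the
scenarios on this page can produce and returns the CloudTrail log objects
they announce.
"""
import json
import re
from urllib.parse import unquote_plus

# CloudTrail log keys look like
#   [prefix/]AWSLogs/[o-orgid/]<account>/CloudTrail/<region>/yyyy/mm/dd/<file>.json.gz
# Digest files live under CloudTrail-Digest/ and are deliberately not matched.
CLOUDTRAIL_KEY = re.compile(
    r"(?:^|/)AWSLogs/(?:(?P<org>o-[a-z0-9]+)/)?(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/\d{4}/\d{2}/\d{2}/[^/]+\.json\.gz$"
)

# Constructed sample 1: default scenario, CloudTrail -> SNS -> SQS.
CLOUDTRAIL_VIA_SNS = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-west-2:111111111111:lacework-ct",
    "Message": json.dumps({
        "s3Bucket": "lacework-ct-111111111111",
        "s3ObjectKey": ["AWSLogs/111111111111/CloudTrail/us-west-2/2024/01/31/"
                        "111111111111_CloudTrail_us-west-2_20240131T0005Z_abc123.json.gz"],
    }),
})

# Constructed sample 2: S3 -> SQS directly, an organization trail with an S3 key
# prefix, plus a digest file that must be ignored.
CT_BUCKET = "aws-controltower-logs-222222222222-us-east-1"
S3_DIRECT = json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": CT_BUCKET},
            "object": {"key": "o-abc123defg/AWSLogs/o-abc123defg/333333333333/CloudTrail/"
                              "us-east-1/2024/01/31/333333333333_CloudTrail_us-east-1_20240131T0005Z_xyz.json.gz"}}},
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": CT_BUCKET},
            "object": {"key": "o-abc123defg/AWSLogs/o-abc123defg/333333333333/CloudTrail-Digest/"
                              "us-east-1/2024/01/31/333333333333_CloudTrail-Digest_us-east-1_20240131T000000Z.json.gz"}}},
]})

# Constructed sample 3: the same S3 event delivered through an SNS fanout.
S3_VIA_SNS = json.dumps({"Type": "Notification", "Message": S3_DIRECT})

# Constructed sample 4: the test event S3 emits when a notification is configured.
S3_TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                            "Bucket": "lacework-ct-111111111111"})


def _objects_from_s3_event(event):
    """Yield (bucket, key) for every ObjectCreated record in an S3 event."""
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = rec["s3"]
        # S3 URL-encodes object keys in event notifications (spaces become '+').
        yield s3["bucket"]["name"], unquote_plus(s3["object"]["key"])


def extract_cloudtrail_objects(sqs_body):
    """Return the CloudTrail log objects announced by one SQS message body."""
    msg = json.loads(sqs_body)
    if msg.get("Type") == "Notification" and "Message" in msg:
        msg = json.loads(msg["Message"])  # unwrap the SNS envelope
    if msg.get("Event") == "s3:TestEvent":
        return []  # configuration-time test event, no object behind it
    if "s3Bucket" in msg and "s3ObjectKey" in msg:
        objects = [(msg["s3Bucket"], k) for k in msg["s3ObjectKey"]]  # CloudTrail's own notice
    else:
        objects = list(_objects_from_s3_event(msg))
    found = []
    for bucket, key in objects:
        m = CLOUDTRAIL_KEY.search(key)
        if m is None:
            continue  # digest files, other logs in a shared bucket, etc.
        found.append({"bucket": bucket, "key": key, "account": m["account"],
                      "region": m["region"], "org": m["org"]})
    return found


if __name__ == "__main__":
    for name, body in (("cloudtrail via sns", CLOUDTRAIL_VIA_SNS), ("s3 direct", S3_DIRECT),
                       ("s3 via sns", S3_VIA_SNS), ("test event", S3_TEST_EVENT)):
        print(name, extract_cloudtrail_objects(body))
```

The account and region parsed from the key are what you would compare against the accounts you expect to be integrated: a log object from an account that is not in your Lacework cloud-account list means a sub-account is writing to the consolidated trail without a matching configuration assessment.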
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform Registry documentation for the complete list of inputs for each module.

Validate the Configuration

After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

To validate the integration using the CLI, open a Terminal and run lacework cloud-account list. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Supplemental - For New or Existing CloudTrail with KMS Encrypted Buckets

As of terraform-aws-cloudtrail v1.0.0, the module defaults to KMS-encrypted CloudTrail buckets and creates a new KMS key. Optionally, you can supply the ARN of your own KMS key.

Input: bucket_sse_key_arn
Details: (Optional) Specify the ARN of your KMS key. Access to this key is granted to the Lacework IAM cross-account role.

Example

module "aws_cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.0"

  ... More code here ...

  bucket_sse_key_arn = "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
}

AWS Security Token Service Limitations

The Lacework AWS modules fail when Terraform runs with temporary credentials obtained from the STS GetSessionToken operation: AWS does not allow such credentials to call IAM API operations (unless MFA information was included in the GetSessionToken request), and the modules create IAM roles and policies. See the AWS STS documentation on the temporary-credential limitations of each STS API operation for more information.

Using aws-vault, for example, requires passing the --no-session flag so that aws-vault does not wrap the profile's credentials in a GetSessionToken session. See the aws-vault documentation for more information.