Skip to main content

AWS GovCloud Integration

info

Lacework now provides AWS GovCloud support for Resource Inventory which allows GovCloud customers to migrate to the new CSPM Compliance engine based on LPP/LQL.

AWS GovCloud (US-East and US-West) are isolated regions within AWS for customers to host sensitive data for supporting their regulated workflows. The configuration workflows described below differ from AWS standard regions and are relevant for monitoring only AWS GovCloud environments within the Lacework application.

Creating an integration between Lacework and an AWS GovCloud requires running steps in the AWS GovCloud console followed by running additional steps in the Lacework Console.

The steps below configure AWS CloudTrail (US GovCloud) with AWS Config (US GovCloud) integration.

If you want to integrate AWS GovCloud using Terraform, see Configuration (US GovCloud) Integration with Terraform or CloudTrail and Configuration (US GovCloud) Integration with Terraform.

AWS Setup

Create the Lacework AWS GovCloud CloudFormation Template

You must create an AWS GovCloud CloudFormation template file that creates a new AWS GovCloud CloudFormation stack.

To download and customize the template file:

  1. Open a text editor.

  2. Click the following link: https://raw.githubusercontent.com/lacework/lacework-cloudformation/main/aws-govcloud-template/lacework-aws-gov-cloud-ct-cfg.json
    The Lacework AWS GovCloud CloudFormation template file displays in GitHub.

  3. Select all text in the GitHub window of the browser. (In Chrome, select Edit > Select All.)

  4. Copy the text. (In Chrome, select Edit > Copy.)

  5. Paste the text into the text editor.

  6. In the text editor, replace the %acnt string with the name of your AWS account.

    "Parameters": {
    "ResourceNamePrefix":
    {
    ...
    "Default": "%acnt",
    ...
    },
  7. Save the file as lacework-aws-gov-cloud-ct-cfg.json in the text editor.

Create a Stack in CloudFormation Using the Customized CloudFormation Template

To create a new stack in the AWS GovCloud:

  1. Log in to an AWS account on the AWS GovCloud with administrative credentials. The AWS account used to create the stack must use a role with the aws:policy/SecurityAudit permission.

  2. Select the CloudFormation service.
    CloudFormation.png
    In the AWS console, select Services > Management Tools > CloudFormation. The Create Stack panel displays.

  3. From the Region drop-down located in the top left of the menu bar, select the appropriate region for your environment.
    AWSRegions.png

  4. Click Create Stack.
    The Select Template panel displays.

  5. Under Choose a template, select Upload a template to Amazon S3. Browse for the Lacework AWS GovCloud template file that you previously created and click Open.

  6. Click Next.
    The Specify Details page displays.

  7. In the Stack name field, enter a unique value.

  8. On the Create stack > Specify Details page, you can either create a new trail and S3 bucket or use an existing trail. Follow the appropriate procedure for your AWS GovCloud environment:

    1. Option 1 - Create a New Trail and S3 Bucket
    2. Option 2 - Use an Existing Trail

Option 1 - Create a New Trail and S3 Bucket

If you plan to separately integrate multiple accounts, the Resource Name Prefix must be different for each account because S3 bucket names are globally unique.

  1. Resource name prefix should be pre-populated with your account name. The value does not need to change unless:
    • you are creating a stack for each account—For this case, the value must be unique for each account because the S3 bucket namespace is global.
    • you are creating multiple stacks—For this case, the value must be unique to avoid a resource collision.
  2. Set Create a new trail? to Yes.
  3. If you want a specific S3 bucket path for your logs, add a Log file prefix.
  4. Leave the values for Bucket name and Topic ARN blank.
  5. Click Next. AWSMultipleTrails.png

Option 2 - Use an Existing Trail

  1. Resource name prefix should be pre-populated with your account name.
  2. Set Create a new trail? to No.
  3. The Log file prefix is not applicable because you are not creating a new trail.
  4. Enter the Bucket name associated with your existing trail.
  5. Add the SNS Topic ARN of your existing trail into Topic ARN. If the trail does not already have an SNS topic, you must create one.
  6. Click Next. AWSExistingTrail.png
note

If you are integrating an existing trail, you may be using server-side encryption. If using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), key management is local to S3, and therefore no changes are required. If you are using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS), key management requires access to the AWS KMS service, so you must give the Lacework-created role the required permission. See this topic for instructions on how to update the inline policy associated with the Lacework-created role. If you are manually integrating Lacework, you will need to grant this same permission.

Continue Stack Creation and Gather Settings

Complete the creation of the stack in the AWS console and gather the required settings as described by the following steps.

  1. In the Create stack > Options page, no changes are required. Click Next.

  2. In the Create Stack > Review page, select the acknowledgment and click Create. After clicking Create, you are redirected back to the CloudFormation page.

  3. If you do not see your new stack in the table, refresh the page. Keep refreshing the page until the status of the stack is CREATE-COMPLETE.

  4. After the stack status is CREATE-COMPLETE, click the stack name link.

  5. Expand Outputs.

  6. Leave the AWS console open to this page so you can copy the following values about the stack:

    • AccountId
    • AccessKeyId
    • SecretAccessKey
    • SQSQueueURL

    You need these values when you finish creating the integration using the Lacework Console as described in the next procedure.

Use the Lacework Console

Use the Lacework Console for the following steps:

  1. Log in to the Lacework Console.
  2. Select Settings > Integrations > Cloud accounts.
  3. Click + Add New.
  4. Click Amazon Web Services and select one of the following options:
    • Configuration (US GovCloud) to analyze AWS configuration compliance.
    • CloudTrail+Configuration (US GovCloud) to analyze CloudTrail activity for monitoring cloud account security and AWS configuration compliance.
  5. Click Next.
  6. Click Manual Configuration.
  7. Follow the steps in the section corresponding to your previous choice:

Configuration (US GovCloud) Manual Integration

Ensure you have completed AWS setup as described in AWS Setup.

  1. Specify a unique name for the Lacework Console in the Name field.
  2. Enter your AWS account identifier or alias in the Account ID field.
  3. Enter the AccessKeyId value from the AWS console in the Access Key ID field.
  4. Enter the SecretAccessKey value from the AWS console in the Secret Access Key field.
  5. Click Save to finish the AWS integration and save your onboarding progress.
    The integration appears in the list of cloud accounts under Cloud accounts.

CloudTrail and Configuration (US GovCloud) Manual Integration

Ensure you have completed AWS setup as described in AWS Setup.

  1. Specify a unique name for the Lacework Console in the Name field.
  2. Enter your AWS account identifier or alias in the Account ID field.
  3. Enter the AccessKeyId value from the AWS console in the Access Key ID field.
  4. Enter the SecretAccessKey value from the AWS console in the Secret Access Key field.
  5. Specify the Amazon Simple Queue Service (SQS) URL value in the SQSQueueURL field.
  6. Click Save to finish the AWS integration and save your onboarding progress.
    The integration appears in the list of cloud accounts under Cloud accounts.

Configuration (US GovCloud) Integration with Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework integrations using automation.

If you are new to the Lacework Terraform Provider or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

  1. Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.
    1. Install the Lacework CLI.
    2. Create your API key.
    3. Configure your Lacework CLI.
  2. Install the AWS CLI. For details on how to install the AWS CLI, see Configuring your AWS CLI.
  3. Open an editor of your choice (VSCode, Atom, or VIM) and create a new Terraform file called main.tf.
  4. Edit the Terraform file to specify the Lacework AWS US GovCloud Terraform provider by copying and pasting the code under Use Provider in the Lacework Terraform provider for AWS Config US GovCloud into your Terraform file.
  5. Add the lacework_integration_aws_govcloud_cfg Terraform resource and its related parameters, such as the name, account_id and credentials, into your Terraform file. For an example of this Terraform resource and parameters to use for AWS US GovCloud, see Example Usage and GovCloud Terraform Example.
  6. Open a Terminal and change directories to the directory that contains the Terraform file and run terraform init to initialize the project and download the required modules.
  7. Run terraform plan to validate the configuration and review pending changes.
  8. After you review the pending changes, run terraform apply to execute changes.
    note

    This Lacework Terraform provider has a number of inputs for customization. Visit the documentation on the lacework_integration_aws_govcloud_cfg for the complete list of inputs.

  9. After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to validate the integration.
  10. Go back to the Lacework Console onboarding page and click Exit to finish the AWS integration and save your onboarding progress. The integration appears in the list of cloud accounts under Cloud accounts.

CloudTrail and Configuration (US GovCloud) Integration with Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework integrations using automation.

If you are new to the Lacework Terraform Provider or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

  1. Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.
    1. Install the Lacework CLI.
    2. Create your API key.
    3. Configure your Lacework CLI.
  2. Install the AWS CLI. For details on how to install the AWS CLI, see Configuring your AWS CLI.
  3. Open an editor of your choice (VSCode, Atom, or VIM) and create a new Terraform file called main.tf.
  4. Edit the Terraform file to specify the Lacework AWS US GovCloud Terraform provider by copying and pasting the code under Use Provider in the Lacework Terraform provider for AWS Config US GovCloud into your Terraform file.
  5. Add the lacework_integration_aws_govcloud_cfg Terraform resource and its related parameters, such as the name, account_id and credentials, into your Terraform file. For an example of this Terraform resource and parameters to use for AWS US GovCloud, see Example Usage and GovCloud Terraform Example.
  6. Add the lacework_integration_aws_govcloud_ct Terraform resource and its related parameters, such as the name, account_id, queue_url and credentials, into your Terraform file. For an example of this Terraform resource and parameters to use for AWS CloudTrail US GovCloud, see Example Usage and GovCloud Terraform Example.
  7. Open a Terminal and change directories to the directory that contains the Terraform file and run terraform init to initialize the project and download the required modules.
  8. Run terraform plan to validate the configuration and review pending changes.
  9. After you review the pending changes, run terraform apply to execute changes.
    note

    This Lacework Terraform provider has a number of inputs for customization. Visit the documentation on the lacework_integration_aws_govcloud_cfg and lacework_integration_aws_govcloud_ct for the complete list of inputs.

  10. After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to validate the integration.
  11. Go back to the Lacework Console onboarding page and click Exit to finish the AWS integration and save your onboarding progress. The integration appears in the list of cloud accounts under Cloud accounts.

Terraform GovCloud Examples

# Configure AWS GovCloud Config integration in Lacework

resource "lacework_integration_aws_govcloud_cfg" "example" {
name = "AWS gov cloud config integration example"
account_id = "553453453"
credentials {
access_key_id = "AWS123abcAccessKeyID"
secret_access_key = "AWS123abc123abcSecretAccessKey0000000000"
}
}

# Configure AWS GovCloud CloudTrail integration in Lacework

resource "lacework_integration_aws_govcloud_ct" "example" {
name = "AWS gov cloud cloudtrail integration example"
account_id = "553453453"
queue_url = "https://sqs.us-gov-west-1.amazonaws.com/123456789012/my_queue"
credentials {
access_key_id = "AWS123abcAccessKeyID"
secret_access_key = "AWS123abc123abcSecretAccessKey0000000000"
}
}

You can find additional information on the lacework_integration_aws_govcloud_cfg and lacework_integration_aws_govcloud_ct resources in the Terraform Registry.