AWS GovCloud Integration

info

Lacework now provides AWS GovCloud support for Datasource Metadata, which allows GovCloud customers to migrate to the new CSPM Compliance engine based on LPP/LQL.

AWS GovCloud (US-East and US-West) consists of isolated AWS regions for hosting sensitive data in regulated workloads. The workflows described below differ from those for AWS standard regions and apply only to monitoring AWS GovCloud environments from the Lacework application.

Two integration methods are available:

  • Terraform - This method sets up CloudTrail (US GovCloud) and Config (US GovCloud) integrations.
  • AWS CloudFormation template - This method sets up the CloudTrail (US GovCloud) integration only.

Use Terraform

Configuration (US GovCloud) Integration with Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework integrations using automation.

If you are new to the Lacework Terraform Provider or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

  1. Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.
    1. Install the Lacework CLI.
    2. Create your API key.
    3. Configure your Lacework CLI.
  2. Install the AWS CLI. For details on how to install the AWS CLI, see Configuring your AWS CLI.
  3. Open an editor (such as Vim) and create a new Terraform file called main.tf.
  4. Edit the Terraform file to specify the Lacework AWS US GovCloud Terraform provider by copying and pasting the code under Use Provider in the Lacework Terraform provider for AWS Configuration US GovCloud into your Terraform file.
  5. Add the lacework_integration_aws_govcloud_cfg Terraform resource and its related parameters, such as the name, account_id and credentials, into your Terraform file. For an example of this Terraform resource and parameters to use for AWS US GovCloud, see Example Usage and GovCloud Terraform Example.
  6. Open a Terminal and change directories to the directory that contains the Terraform file (~/lacework/aws) and run terraform init to initialize the project and download the required modules.
  7. Run terraform plan to validate the configuration and review pending changes.
  8. After you review the pending changes, run terraform apply to execute changes.
    note

    This Lacework Terraform provider has a number of inputs for customization. Visit the documentation on the lacework_integration_aws_govcloud_cfg for the complete list of inputs.

  9. After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to validate the integration.
    • To validate the integration using the CLI, run the lacework cloud-account list command. You should see AwsUsGovCfg for the Configuration integration.
    • To validate the integration using the Lacework Console, log in to your account and go to Settings > Cloud Accounts.
  10. Go back to the Lacework Console onboarding page and click Exit to finish the AWS integration and save your onboarding progress. The integration appears in the list of cloud accounts under Cloud accounts.

CloudTrail and Configuration (US GovCloud) Integration with Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework integrations using automation.

If you are new to the Lacework Terraform Provider or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

  1. Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.
    1. Install the Lacework CLI.
    2. Create your API key.
    3. Configure your Lacework CLI.
  2. Install the AWS CLI. For details on how to install the AWS CLI, see Configuring your AWS CLI.
  3. Open an editor (such as Vim) and create a new Terraform file called main.tf.
  4. Edit the Terraform file to specify the Lacework AWS US GovCloud Terraform provider by copying and pasting the code under Use Provider in the Lacework Terraform provider for AWS Configuration US GovCloud into your Terraform file.
  5. Add the lacework_integration_aws_govcloud_cfg Terraform resource and its related parameters, such as the name, account_id and credentials, into your Terraform file. For an example of this Terraform resource and parameters to use for AWS US GovCloud, see Example Usage and GovCloud Terraform Example.
  6. Add the lacework_integration_aws_govcloud_ct Terraform resource and its related parameters, such as the name, account_id, queue_url and credentials, into your Terraform file. For an example of this Terraform resource and parameters to use for AWS CloudTrail US GovCloud, see Example Usage and GovCloud Terraform Example.
  7. Open a Terminal and change directories to the directory that contains the Terraform file (~/lacework/aws) and run terraform init to initialize the project and download the required modules.
  8. Run terraform plan to validate the configuration and review pending changes.
  9. After you review the pending changes, run terraform apply to execute changes.
    note

    This Lacework Terraform provider has a number of inputs for customization. Visit the documentation on the lacework_integration_aws_govcloud_cfg and lacework_integration_aws_govcloud_ct for the complete list of inputs.

  10. After Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to validate the integration.
    • To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AwsUsGovCfg for the Configuration integration, and AwsUsGovCtSqs for the CloudTrail integration.
    • To validate the integration using the Lacework Console, log in to your account and go to Settings > Cloud Accounts.
  11. Go back to the Lacework Console onboarding page and click Exit to finish the AWS integration and save your onboarding progress. The integration appears in the list of cloud accounts under Cloud accounts.

Terraform GovCloud Examples

    # Configure AWS GovCloud Config integration in Lacework
    # (account_id and credential values below are placeholders)

    resource "lacework_integration_aws_govcloud_cfg" "example" {
      name       = "AWS gov cloud config integration example"
      account_id = "553453453"
      credentials {
        access_key_id     = "AWS123abcAccessKeyID"
        secret_access_key = "AWS123abc123abcSecretAccessKey0000000000"
      }
    }

    # Configure AWS GovCloud CloudTrail integration in Lacework
    # (queue_url is the SQSQueueURL output of the GovCloud stack)

    resource "lacework_integration_aws_govcloud_ct" "example" {
      name       = "AWS gov cloud cloudtrail integration example"
      account_id = "553453453"
      queue_url  = "https://sqs.us-gov-west-1.amazonaws.com/123456789012/my_queue"
      credentials {
        access_key_id     = "AWS123abcAccessKeyID"
        secret_access_key = "AWS123abc123abcSecretAccessKey0000000000"
      }
    }

You can find additional information on the lacework_integration_aws_govcloud_cfg and lacework_integration_aws_govcloud_ct resources in the Terraform Registry.
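The examples above embed the AWS access key and secret directly in main.tf. The following is an added example (not from the page or the Lacework provider documentation) that declares the same two resources with the credentials supplied through sensitive variables, so the key material is never committed alongside the configuration; the variable names and the GovCloud queue URL validation are this example's own assumptions.

```terraform
# Added example: GovCloud Config + CloudTrail integrations with credentials
# taken from sensitive variables instead of literals in the .tf file.
# Variable names (lacework_aws_*) are this example's choice, not provider names.

variable "lacework_aws_account_id" {
  description = "AWS GovCloud account ID to integrate"
  type        = string
}

variable "lacework_aws_access_key_id" {
  type      = string
  sensitive = true # redacted from terraform plan/apply output
}

variable "lacework_aws_secret_access_key" {
  type      = string
  sensitive = true
}

variable "lacework_aws_sqs_queue_url" {
  description = "SQSQueueURL output of the GovCloud CloudFormation stack"
  type        = string

  # GovCloud has only two regions; reject a queue URL from a standard region.
  validation {
    condition     = can(regex("^https://sqs\\.us-gov-(east|west)-1\\.amazonaws\\.com/", var.lacework_aws_sqs_queue_url))
    error_message = "queue_url must be an SQS queue in us-gov-east-1 or us-gov-west-1."
  }
}

resource "lacework_integration_aws_govcloud_cfg" "govcloud" {
  name       = "AWS GovCloud config integration"
  account_id = var.lacework_aws_account_id
  credentials {
    access_key_id     = var.lacework_aws_access_key_id
    secret_access_key = var.lacework_aws_secret_access_key
  }
}

resource "lacework_integration_aws_govcloud_ct" "govcloud" {
  name       = "AWS GovCloud cloudtrail integration"
  account_id = var.lacework_aws_account_id
  queue_url  = var.lacework_aws_sqs_queue_url
  credentials {
    access_key_id     = var.lacework_aws_access_key_id
    secret_access_key = var.lacework_aws_secret_access_key
  }
}
```

Supply the secret values through TF_VAR_lacework_aws_access_key_id and TF_VAR_lacework_aws_secret_access_key environment variables or a terraform.tfvars file excluded from version control. Terraform still records the values in state, so the state backend needs the same protection as the keys themselves.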

Use a CloudFormation Template

This integration method creates an AWS CloudTrail (US GovCloud) integration only. If you also want to create a Configuration integration, use Terraform.

Creating an integration between Lacework and an AWS GovCloud account requires running steps in the AWS GovCloud console followed by additional steps in the Lacework Console.

AWS Setup

Create the Lacework AWS GovCloud CloudFormation Template

You must create an AWS GovCloud CloudFormation template file that creates a new AWS GovCloud CloudFormation stack.

  1. Right-click and download the Lacework GovCloud CloudFormation template.
  2. In a text editor, replace the %acnt string with the name of your AWS account.
        "Parameters": {
          "ResourceNamePrefix": {
            ...
            "Default": "%acnt",
            ...
          },
  3. Save the file.

Create a Stack in CloudFormation Using the Customized CloudFormation Template

  1. Log in to an AWS GovCloud account with administrative credentials. The AWS account used to create the stack must use a role with the aws:policy/SecurityAudit permission.
  2. Select the CloudFormation service. In the AWS console, select Services > Management & Governance > CloudFormation.
  3. Select the appropriate region for your environment.
  4. Click Create stack and select With new resources.
  5. Under Specify template, select Upload a template file.
  6. Click Choose file and browse for the Lacework AWS GovCloud template file that you previously downloaded and updated. Then click Open.
  7. Click Next.

Specify Stack Details

  1. In the Stack name field, enter a unique value.
  2. Click Next.
  3. On the Specify stack details page, create a new trail and S3 bucket.
  4. Resource name prefix is populated with your account name. The value does not need to change unless:
    • You are creating a stack for each account - For this case, the value must be unique for each account because the S3 bucket namespace is global.
    • You are creating multiple stacks - For this case, the value must be unique to avoid a resource collision.
  5. Set Create new trail? to Yes.
  6. If you want a specific S3 bucket path for your logs, add a Log file prefix.
  7. Leave the values for Bucket name and Topic ARN empty.
  8. Click Next.

Continue Stack Creation and Gather Settings

Complete the creation of the stack in the AWS console and gather the required settings as described by the following steps.

  1. In the Configure stack options page, no changes are required. Click Next.
  2. In the Review page, select the acknowledgment and click Submit. After clicking Submit, you are redirected back to the CloudFormation page.
  3. If you do not see your new stack in the table, refresh the page. Keep refreshing the page until the status of the stack is CREATE_COMPLETE.
  4. After the stack status is CREATE_COMPLETE, click the stack name link.
  5. Expand Outputs.
  6. Leave the AWS console open to this page so you can copy the following values about the stack:
    • AccountId
    • AccessKeyId
    • SecretAccessKey
    • SQSQueueURL
    You need these values when you finish creating the integration using the Lacework Console as described in the next procedure.

In the Lacework Console

Use the Lacework Console for AWS GovCloud manual configuration.

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts.
  3. Click + Add New.
  4. Click Amazon Web Services and select Manual configuration.
  5. Click Next.
  6. Select the CloudTrail+Configuration (US GovCloud) integration type.
  7. Ensure you have completed AWS setup as described in AWS Setup.
  8. For Name, specify a unique name that displays in the Lacework Console.
  9. For Account ID, enter your AWS account identifier or alias.
  10. For Access Key ID, enter the AccessKeyId value from the AWS console.
  11. For Secret Access Key, enter the SecretAccessKey value from the AWS console.
  12. For SQSQueueURL, enter the SQSQueueURL value (the Amazon Simple Queue Service URL) from the AWS console.
  13. Click Save to finish the AWS integration and save your onboarding progress.
    The integration appears in the list of cloud accounts under Cloud accounts.