AWS - Integrate Agentless Workload Scanning with CloudFormation

Overview

This article provides the prerequisites and troubleshooting steps for an Agentless Workload Scanning integration using AWS CloudFormation.

Once you have read through the access and resource requirements, complete the integration steps depending on your chosen integration level:

Access and Resource Requirements

For each region you choose to scan, a new Virtual Private Cloud (VPC) and Internet Gateway will be created. This applies to both integration types: Single Account and Organization. For an organization integration, a scanning account is created. The scanning account will contain a new VPC and Internet Gateway for each region. This process is performed in Step 1 of the organization integration.

The target AWS account must have Service Quotas that allow at least one more of each of these resources to be created in every region you select. One way to verify this is to open AWS Trusted Advisor, choose the Service limits link on the left, search by the keyword "VPC", and expand both the VPC and VPC Internet Gateways results. Make sure at least one more of each can be created in each scanning region.

Amazon Elastic Container Service (ECS) is used in both the Single Account and Organization deployment methods for each region you choose to scan. For the organization integration, the scanning account has ECS set up separately in each region.

Single Account: Access Requirements

  • Access to run CloudFormation Stacks. A StackSet will be run in each region selected.
  • Access to create ECS clusters, and access to create a VPC, subnets, and Internet Gateway for the ECS cluster.
  • IAM to create an ECS task execution role, task role, and an EventBridge role for starting ECS tasks.
  • IAM to create a cross-account role that has permissions to read from a newly created S3 bucket and start ECS tasks.
  • Access to create CloudWatch Log Groups and Streams.
  • Access to create a new S3 bucket.
  • Access to create a new secret in AWS Secrets Manager.

Organization: Access Requirements

Two separate CloudFormation StackSets will be run: one in a scanning account and another in the billing (main/top-level) AWS account. Each has its own access requirements.

The access requirements for the scanning account are the same as the requirements for the Single Account integration. See Single Account: Access Requirements.

The access requirements for the top-level AWS account are:

  • Access to the organization APIs.
  • IAM to create a role to provide the scanning account the ability to list accounts in the organization.
  • Access to run a CloudFormation StackSet on each Organization Unit (OU) or account selected in the template.
  • Access to create an IAM role on each of the accounts mentioned above. This role will have access to create snapshots and optionally decrypt the content.

Note: CloudFormation trusted access with AWS Organizations is required to create service-managed (or SERVICE_MANAGED) StackSets.

Troubleshooting

Installation

There are some known limitations:

  • The Lacework Query Language (LQL) query you specify for an integration is not validated. If an improper query is specified, the scanning will fail with the status "fail closed".
  • It is possible to create multiple agentless scanning integrations in the same region. If overlapping integrations are created, they are not optimized. This can result in hosts being snapshotted and scanned more than once.

CloudFormation

Alerts Triggering for lacework-global-87 after Deployment

If you have the CIS AWS 1.4.0 benchmark and/or Lacework AWS Security Addendum 1.0 enabled in your environment, lacework-global-87 may trigger alerts for the security group that Agentless uses.

As part of the Agentless deployment in CloudFormation, a VPC and security group are created. Due to AWS limitations with CloudFormation, the VPC is also given a default security group. The Agentless deployment replaces that group's default outbound rules with custom rules that limit outbound traffic to port 443, but its default inbound rule remains.

To resolve the alert, delete the default inbound rule in the default security group for the VPC. You can use either of the two methods below (or follow the remediation guidance in lacework-global-87).

1st Method

Delete the default inbound rule for the default security group in the AWS Console.

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home.
  2. Click Security groups.
  3. Select the default security group for the VPC.
  4. Click Inbound rules, then click Edit inbound rules.
  5. Click Delete to delete the default rule.
  6. Click Save rules.

2nd Method

Delete the default inbound rule for the default security group through the AWS CLI.

  1. Delete the default inbound rule with the revoke-security-group-ingress command (aws ec2 revoke-security-group-ingress), passing the group ID of the VPC's default security group.

Service Quota reached for VPC or VPC Internet Gateway

The following error may indicate that Service Quotas have been reached for a region:

Embedded stack arn:aws:cloudformation:REGION:ACCOUNT_ID:stack/PREFIX-AgentlessScanRegionalStack-SUFFIX was not successfully created:
The following resource(s) failed to create: [AgentlessScanVPC, AgentlessScanInternetGateway].

The most likely root cause is that the maximum number of VPCs (20) or Internet Gateways (5) has been reached in that region. The solution is to request an increase to the soft quota through the Service Quotas tool.

Note: Be aware that these requests may not be auto-approved and could take up to 24 hours.

Before starting the CloudFormation deployment, the Trusted Advisor tool can be used to inspect Service limits for all regions.

Deleting Stacks fails to delete Regional StackSet

This error may occur if scanning is active: an ECS Task is running, and CloudFormation will refuse to delete the ECS resources until the task stops. The recommended fix is to disable or delete the Lacework integration and wait 2 hours, which ensures all Tasks have stopped.

Alternatively, locate the region where the Task is running and stop it manually:

  1. Use the AWS console to open the Elastic Container Service page.
  2. Find the name of the cluster associated with this integration. These clusters typically have a "lacework-agentless-" prefix.
  3. Click the cluster name and then click the Tasks tab.
  4. Click Stop all.
  5. Use the CloudFormation console to delete the Stack.

Uncommon CloudFormation errors

The following uncommon situations lead to errors; each is shown with an example error message.

A trailing comma exists in the Regions input field

Properties validation failed for resource AgentlessScanRegionalStackSet with message:
#: #: only 1 subschema matches out of 2 #/StackInstancesGroup/0/Regions/2: failed validation constraint for keyword [pattern]

In this situation the Regions input field contained a trailing comma or other invalid character.

A duplicate region exists in the Regions input field

Properties validation failed for resource AgentlessScanRegionalStackSet with message:
#: #: only 1 subschema matches out of 2 #/StackInstancesGroup/0/Regions: array items are not unique

In this situation the Regions input field contained a duplicate region name.

An invalid region was supplied in the Regions input field

Resource handler returned message: "Region $name is not supported (Service: CloudFormation, Status Code: 400, Request ID: $id)"
(RequestToken: $token, HandlerErrorCode: InvalidRequest)

In this situation the Regions input field contained an unknown or invalid region name.

Incorrect AWS Account ID or Organizational Unit used with Org-scanning

Properties validation failed for resource AgentlessSnapshotRoleServiceManagedStackSet with message:
#: #: only 1 subschema matches out of 2 #/StackInstancesGroup/0/DeploymentTargets/OrganizationalUnitIds/0: failed validation for keyword [pattern].

In this situation the Monitored Account Deployment selection (either SELF_MANAGED or SERVICE_MANAGED) did not match the kind of identifier supplied in Monitored Account IDs.
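The four input errors above can all be caught before the StackSet is submitted. The following pre-flight checker is an added example, not part of the Lacework documentation or its CloudFormation template; the region and OU identifier patterns are assumed approximations of what CloudFormation enforces, and the mapping of SERVICE_MANAGED to OU IDs and SELF_MANAGED to account IDs is inferred from the error message quoted above.

```python
import re

# Assumed patterns (approximations, not copied from the CloudFormation schema).
REGION_RE = re.compile(r"^[a-z]{2}(-gov|-iso[a-z]?)?-[a-z]+-\d$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
OU_ID_RE = re.compile(r"^(ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}|r-[0-9a-z]{4,32})$")


def validate_regions(field, known_regions=None):
    """Return a list of problems found in a comma-separated Regions field.

    The checks mirror the three StackSet errors documented above: an empty
    item (trailing comma), a malformed or unknown region, and a duplicate.
    known_regions is an optional set of regions enabled in the account."""
    problems = []
    items = [s.strip() for s in field.split(",")]
    for idx, item in enumerate(items):
        if item == "":
            problems.append(f"Regions/{idx}: empty item (trailing comma or double comma)")
        elif not REGION_RE.match(item):
            problems.append(f"Regions/{idx}: '{item}' does not look like a region name")
        elif known_regions is not None and item not in known_regions:
            problems.append(f"Regions/{idx}: '{item}' is not an enabled region")
    seen = set()
    for item in items:
        if item in seen:
            problems.append(f"Regions: duplicate region '{item}'")
        seen.add(item)
    return problems


def validate_deployment_targets(mode, ids):
    """SERVICE_MANAGED targets must be OU or root IDs; SELF_MANAGED targets
    must be 12-digit account IDs (mapping inferred from the page's error)."""
    if mode not in ("SERVICE_MANAGED", "SELF_MANAGED"):
        return [f"unknown deployment mode '{mode}'"]
    pattern = OU_ID_RE if mode == "SERVICE_MANAGED" else ACCOUNT_ID_RE
    return [f"DeploymentTargets/{i}: '{v}' is not valid for {mode}"
            for i, v in enumerate(ids) if not pattern.match(v)]


if __name__ == "__main__":
    # Constructed sample input: note the duplicate, the unknown region and the trailing comma.
    enabled = {"us-east-1", "us-west-2", "eu-west-1"}
    for p in validate_regions("us-east-1, us-west-2, us-east-1, eu-west-9,", enabled):
        print(p)
    # Constructed sample: an account ID where SERVICE_MANAGED expects an OU ID.
    for p in validate_deployment_targets("SERVICE_MANAGED", ["123456789012", "ou-ab12-cdefgh12"]):
        print(p)
```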

CloudFormation trusted access is not enabled for AWS Organizations

If the Step 2 CloudFormation for AWS Organizations fails with the following error:

You must enable organizations access to operate a service managed stack set

then trusted access for AWS Organizations has not been enabled. The CloudFormation StackSets page shows a prompt and a button to enable trusted access. The CloudFormation Stack must be run again after trusted access is enabled.

Updating CloudFormation StackSets

If a StackSet failed and you remedied the issue out of band, the existing StackSet can be updated:

  1. In the AWS Console on the CloudFormation page, select StackSets in the left-hand menu.
  2. Select the radio button next to the StackSet name for the Agentless scanning CloudFormation Stack.
  3. Click Actions in the top-right and select Edit StackSet Details.
  4. For "Choose a template", use the default values and click Next.
  5. For "Specify StackSet details", use the default values and click Next.
  6. For "Configure StackSet options", use the default values and click Next.
  7. For "Set deployment options", input the Account numbers used in this StackSet. This is usually a single AWS account number and the same one being used to update the StackSet. Then select Add all regions, and click Next.
  8. Scroll to the bottom and click Submit.