AWS Integration Using CloudFormation

Overview

Lacework integrates with AWS to analyze CloudTrail for monitoring cloud account security, and for cloud resource configuration compliance.

AWS CloudFormation gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. A CloudFormation template describes your resources and their dependencies so you can launch and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit, as often as you need to, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS regions.

For details, see the AWS CloudFormation documentation.

This document describes how to integrate Lacework with AWS CloudFormation with one of the following configurations:

  • Configuration to analyze AWS configuration compliance
  • CloudTrail+Configuration to analyze CloudTrail activity for monitoring cloud account security and AWS configuration compliance

If you use AWS Organizations, see AWS Organizations and StackSets about how you can use the CloudFormation template to automatically add or remove new AWS accounts in Lacework.

AWS Configuration Compliance with CloudFormation

The procedures in this section configure an integration to analyze AWS configuration compliance only.

During initial Lacework account setup, you can add a single AWS account to Lacework. Later you can add additional accounts from the Lacework Console using a CloudFormation template that launches the AWS console. However, integrating multiple AWS accounts using the AWS console is not efficient because each integration requires you to log in to each account with administrative privileges and ensure there are no resource conflicts when creating the CloudFormation stack. Instead, you can integrate multiple AWS accounts using Terraform.

During integration, Lacework creates a least-privilege IAM role. To grant Lacework permission to create this role, you must log in to your AWS account as a user with administrator credentials (arn:aws:iam::aws:policy/AdministratorAccess). You cannot complete the integration without these credentials.

AWS Configuration

In the Lacework Console you can either Run the CloudFormation Template or Download the CloudFormation Template.

  • Run CloudFormation Template - For the initial setup, Lacework recommends using this option, which requires fewer steps and less user interaction. Disable your browser pop-up blocker.
  • Download CloudFormation Template - This option requires more user interaction but may be useful if you have multiple accounts with distributed ownership.
Note: Ensure that you are deploying the integration to a supported AWS region.

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud account.
  3. Click + Add New.
  4. Click Amazon Web Services and select CloudFormation.
  5. Click Next.
  6. Select the integration type and click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page. The template populates the Amazon S3 template URL for you.
  7. No changes are required. Click Next.
  8. Review the Specify stack details page. Resource name prefix is populated with the account name of the first account configured to use Lacework for AWS Configuration. When adding accounts, you can keep this prefix or enter a different prefix to ensure account uniqueness. Click Next.
  9. No changes are required on the Configure stack options page. Click Next.
  10. Verify the information on the Review page and click Submit.

CloudFormation Page

After clicking Submit, you are redirected back to the CloudFormation page. If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack status is CREATE_COMPLETE, integration for a single account is complete.

AWS CloudTrail and Configuration Compliance with CloudFormation

The procedures in this section configure an integration that analyzes CloudTrail activity for monitoring cloud account security and AWS configuration compliance.

Account setup configures Lacework for CloudTrail analysis and Security Audit. After completion, a single CloudFormation stack is added to your account. If you have multiple accounts and you forward CloudTrail logs to a single S3 bucket, CloudTrail integration completes after the account setup. If you use multiple buckets, you can use the Lacework Console to add accounts after the account setup.

To analyze CloudTrail activity for monitoring cloud account security, Lacework requires that accounts be integrated individually. You can use the Lacework Console to add accounts after account setup.

During the account setup, the option to integrate with AWS follows the option to add users.

During integration, Lacework creates a least-privilege IAM role. To grant Lacework permission to create this role, you must log in to your AWS account as a user with administrator credentials (arn:aws:iam::aws:policy/AdministratorAccess). You cannot complete the integration without these credentials.

Note:
  • AWS S3 object-level APIs are excluded from CloudTrail analysis; that is, CloudTrail data events are not analyzed, but CloudTrail management events are.
  • If you consolidate CloudTrails from multiple AWS accounts into one bucket, Lacework maps the account ID to the account alias for the root account only. Other account IDs are not mapped to their account aliases.

AWS CloudTrail and Configuration

You can either Run the CloudFormation Template or Download the CloudFormation Template.

  • Run CloudFormation Template - For the initial setup, Lacework recommends using this option, which requires fewer steps and less user interaction. For this option, disable your browser pop-up blocker.
  • Download CloudFormation Template - This option requires more user interaction, but may be useful if you have multiple accounts with distributed ownership.
Note: Ensure that you are deploying the integration to a supported AWS region.

Follow the steps for the option you choose.

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud account.
  3. Click + Add New.
  4. Click Amazon Web Services and select CloudFormation.
  5. Click Next.
  6. Click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page. The template populates the Amazon S3 template URL for you.
  7. No changes are required. Click Next.
  8. On the Specify stack details page, you can either create a new trail and S3 bucket or use an existing trail.
    • Create a new trail and S3 bucket
      1. Resource name prefix is populated with your account name. It doesn't need to change unless:
        • You are creating a stack for each account, in which case it must be unique for each account as the S3 bucket namespace is global, or
        • You are creating multiple stacks, in which case it must be unique to avoid resource collision
      2. Set Create a new trail? to Yes.
      3. If you want a specific S3 bucket path for your logs, add a Log file prefix.
      4. Leave Bucket name and Topic ARN empty.
      5. Click Next.
    • Use an existing trail
      1. Resource name prefix is populated with your account name.
      2. Set Create a new trail? to No.
      3. Leave Log file prefix empty; it is not applicable.
      4. Enter the Bucket name (not ARN) associated with your existing trail.
      5. Enter the SNS Topic ARN of your existing trail. If the trail does not already have an SNS topic, create one.
      6. Click Next.
  9. Click Next.
  10. No changes are required on the Configure stack options page. Click Next.
  11. Verify the information on the Review page and click Submit.
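The template below is an added example written for this page to show how the choices on the Specify stack details page map onto CloudFormation parameters and conditions; it is not Lacework's own template, and the Config-only integration corresponds to the role alone without the trail resources. Parameter names mirror the console labels (ResourceNamePrefix, CreateNewTrail, LogFilePrefix, BucketName, TopicArn). TrustedPrincipalArn and ExternalId are assumptions standing in for whatever principal and external ID the real template uses, and the role's permissions (the SecurityAudit managed policy plus read access to the trail bucket and topic) illustrate a least-privilege shape rather than the exact policy Lacework creates.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example of a CloudTrail + Config integration stack (illustrative, not Lacework's template)

Parameters:
  ResourceNamePrefix: {Type: String}                   # console label "Resource name prefix"
  CreateNewTrail: {Type: String, AllowedValues: ['Yes', 'No'], Default: 'Yes'}
  LogFilePrefix: {Type: String, Default: ''}           # new trail only
  BucketName: {Type: String, Default: ''}              # existing trail only: bucket name, not ARN
  TopicArn: {Type: String, Default: ''}                # existing trail only: SNS topic ARN
  TrustedPrincipalArn: {Type: String}                  # ASSUMPTION: principal allowed to assume the role
  ExternalId: {Type: String, NoEcho: true}             # ASSUMPTION: external ID that principal must present

Conditions:
  NewTrail: !Equals [!Ref CreateNewTrail, 'Yes']
  HasLogPrefix: !Not [!Equals [!Ref LogFilePrefix, '']]

Resources:
  TrailBucket:
    Type: AWS::S3::Bucket
    Condition: NewTrail
    Properties:
      # the account ID keeps the name globally unique even when one prefix is reused across accounts
      BucketName: !Sub '${ResourceNamePrefix}-cloudtrail-${AWS::AccountId}'
      PublicAccessBlockConfiguration: {BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true}
  TrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: NewTrail
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # CloudTrail needs exactly two rights: check the bucket ACL, then write log objects the bucket owner controls
          - Effect: Allow
            Principal: {Service: cloudtrail.amazonaws.com}
            Action: s3:GetBucketAcl
            Resource: !GetAtt TrailBucket.Arn
          - Effect: Allow
            Principal: {Service: cloudtrail.amazonaws.com}
            Action: s3:PutObject
            Resource: !Sub '${TrailBucket.Arn}/*'
            Condition:
              StringEquals: {'s3:x-amz-acl': bucket-owner-full-control}
  TrailTopic:
    Type: AWS::SNS::Topic
    Condition: NewTrail
  TrailTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Condition: NewTrail
    Properties:
      Topics: [!Ref TrailTopic]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: cloudtrail.amazonaws.com}
            Action: sns:Publish
            Resource: !Ref TrailTopic
  Trail:
    Type: AWS::CloudTrail::Trail
    Condition: NewTrail
    DependsOn: [TrailBucketPolicy, TrailTopicPolicy]   # CloudTrail validates both policies at creation time
    Properties:
      S3BucketName: !Ref TrailBucket
      S3KeyPrefix: !If [HasLogPrefix, !Ref LogFilePrefix, !Ref 'AWS::NoValue']
      SnsTopicName: !GetAtt TrailTopic.TopicName
      IsLogging: true
      IsMultiRegionTrail: true
      EnableLogFileValidation: true
  AnalysisRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {AWS: !Ref TrustedPrincipalArn}
            Action: sts:AssumeRole
            Condition:
              StringEquals: {'sts:ExternalId': !Ref ExternalId}   # confused-deputy guard
      ManagedPolicyArns: [arn:aws:iam::aws:policy/SecurityAudit]  # read-only configuration access
      Policies:
        - PolicyName: read-cloudtrail-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !If [NewTrail, !GetAtt TrailBucket.Arn, !Sub 'arn:aws:s3:::${BucketName}']
              - Effect: Allow
                Action: s3:GetObject
                Resource: !If [NewTrail, !Sub '${TrailBucket.Arn}/*', !Sub 'arn:aws:s3:::${BucketName}/*']
              - Effect: Allow
                Action: sns:Subscribe
                Resource: !If [NewTrail, !Ref TrailTopic, !Ref TopicArn]
```

The stack must be created with the CAPABILITY_IAM acknowledgement because it creates a role. When CreateNewTrail is No, every conditional resource is skipped and the role is scoped to the bucket and topic you enter, so the resource references in Fn::If never point at a resource that does not exist. The bucket name embeds the account ID deliberately: with that choice one prefix can be reused across accounts, whereas a template that uses the prefix alone needs a unique prefix per account, as the steps above describe.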
Note: If you are integrating an existing trail, its S3 bucket may use server-side encryption.

  • For Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), key management is local to S3, so no changes are required.
  • For Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS), key management requires access to the AWS KMS service, so you must give the Lacework-created role the required permission. Refer to Integration with S3 Buckets Using SSE-KMS for instructions on how to update the inline policy associated with the Lacework-created role. If you are manually integrating Lacework, you must grant this same permission.
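As an added illustration of the SSE-KMS case (not the policy from the Lacework document the note refers to), the snippet below attaches one extra inline policy to an existing role so it can read KMS-encrypted log objects. The role name and key ARN are placeholders; the kms:ViaService condition is an assumption about how tightly you want to scope the grant, and it limits the permission to decryption requests that S3 makes on the role's behalf.

```yaml
Resources:
  KmsDecryptForTrailLogs:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: decrypt-sse-kms-cloudtrail-logs
      Roles: [ROLE_NAME_PLACEHOLDER]                 # the integration role created by the stack
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: kms:Decrypt
            Resource: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID_PLACEHOLDER   # the bucket's SSE-KMS key
            Condition:
              StringEquals:
                kms:ViaService: s3.REGION.amazonaws.com   # only when S3 decrypts objects for the role
```

An IAM policy alone is enough only if the key's own key policy delegates to IAM in the same account (the default "Enable IAM User Permissions" statement); if the key lives in another account, or its key policy was tightened, the key policy must also name the role.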

For more information on Selecting a Stack Template, refer to the AWS Documentation library.

CloudFormation Page

After clicking Submit, you are redirected back to the CloudFormation page. If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack status is CREATE_COMPLETE, integration of both CloudTrail and Config for a single account is complete. If you consolidate CloudTrail logs in one S3 bucket, no additional CloudTrail configuration is required.

AWS Organizations and StackSets

If AWS Control Tower is not available, but you use AWS Organizations, you can deploy the Lacework CloudFormation template using StackSets. Using a stack set lets you automatically add or remove new AWS accounts in Lacework.

Use this Lacework CloudFormation template as a stack set.

For details about working with StackSets, refer to the AWS documentation.
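The following is an added example, not Lacework's stack set template, of how a service-managed StackSet achieves the automatic add and remove behaviour described above: with AutoDeployment enabled, every account that joins the target organizational unit receives the stack, and accounts that leave have it removed. The TemplateUrl value is a placeholder for the template URL the Lacework Console gives you, and ResourceNamePrefix is passed through on the assumption that the deployed template accepts that parameter.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example of a service-managed StackSet that deploys an integration stack to every account in an OU

Parameters:
  TemplateUrl: {Type: String}        # placeholder: S3 URL of the integration template from the Lacework Console
  TargetOuId: {Type: String}         # OU whose current and future member accounts receive the stack
  ResourceNamePrefix: {Type: String} # ASSUMPTION: a parameter of the deployed template

Resources:
  IntegrationStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: !Sub '${AWS::StackName}-integration'
      PermissionModel: SERVICE_MANAGED          # uses the Organizations-managed execution roles
      Capabilities: [CAPABILITY_NAMED_IAM]      # the deployed template creates IAM roles
      AutoDeployment:
        Enabled: true                           # new OU members get the stack automatically
        RetainStacksOnAccountRemoval: false     # accounts leaving the OU have the stack deleted
      TemplateURL: !Ref TemplateUrl
      Parameters:
        - ParameterKey: ResourceNamePrefix
          ParameterValue: !Ref ResourceNamePrefix
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds: [!Ref TargetOuId]
          Regions: [!Ref 'AWS::Region']
      OperationPreferences:
        FailureToleranceCount: 0                # stop the rollout on the first failed account
        MaxConcurrentCount: 5
```

A SERVICE_MANAGED stack set can only be created from the organization's management account or a delegated administrator with trusted access for CloudFormation StackSets enabled. Because the same parameter values go to every account, the deployed template has to make its S3 bucket name unique on its own (for example by including the account ID); a template that relies on the operator entering a unique Resource name prefix per account, as the single-account steps above require, cannot be rolled out unchanged this way.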