Skip to main content

Setup of Organization AWS CloudTrail Integration

If your Lacework accounts are enrolled in a Lacework organization, you can configure a consolidated AWS CloudTrail integration that maps CloudTrail activity from your AWS accounts to selected Lacework accounts within your organization.

When you create a CloudTrail integration for an organization, you define the following:

  • The External ID and Role ARN for Lacework to use
  • The SQS queue URL for the integration to use
  • The data flow from one or more AWS accounts to one or more Lacework accounts

Upon completion, the results from analyzing the specified AWS account CloudTrail activity appear in the mapped Lacework account.

Note the following about CloudTrail integrations:

  • Each account integration is expected to be mapped to one Lacework account.
  • The mapping that you configure for an organization integration is in addition to what is already configured for the CloudTrail account integration. It doesn't override the existing account integration.

Follow these steps to configure a CloudTrail integration for a Lacework organization.

  1. Log in to the Lacework Console as an organization administrator.
  2. Switch to the organization.
  3. Navigate to Settings > Integrations > Cloud Accounts and create a new integration.
  4. For Cloud Account and Type, select AWS and CloudTrail, and then click Next.
  5. Name the integration and click Next.
  6. Enter the following information to use for this integration:
    • External ID
    • Role ARN
    • SQSQueueURL
  7. For Account Mapping File, click Choose File and select the mapping file to use. See Account Mapping File for details.
  8. Click Save.

The CloudTrail integrations configured at the organization level appear within their respective Lacework accounts’ Cloud Accounts Summary as read-only integrations. It may take up to a couple minutes for new data to reach Lacework.

Account Mapping File

The account mapping file is a JSON file that maps AWS accounts to Lacework accounts within a Lacework organization.

An example mapping file

{
"defaultLaceworkAccountAws": "lw_account_1",
"integration_mappings": {
"lw_account_2": {
"aws_accounts": [
"234556677",
"774564564"
]
},
"lw_account_3": {
"aws_accounts": [
"553453453",
"934534535"
]
}
}
}

  • “defaultLaceworkAccountAws” - Required. The value is a Lacework account name, for example, “lw_account_1”. Any CloudTrails that are not explicitly mapped to a Lacework account go to this default account.
  • “integration_mappings” - Required. Fields within “integration_mappings” must be a Lacework account name, for example: “lw_account_2”, “lw_account_3”. Account names are not case-sensitive.
  • “aws_accounts” - Required. An array of AWS account IDs (string), for example "234556677", "774564564".