
Configure Access to Tags in AWS

The Lacework Windows agent can retrieve user-defined tags and other metadata from the AWS EC2 instances on which the agent is installed and display them in the Lacework Console. This enables you to do the following:

  • Use the tag and metadata values to identify AWS resources displayed in the Lacework Console.
  • Use the tags to filter information displayed in the Lacework Console. For example, you can use the Machine tags filter in the Host Vulnerabilities page to view only the vulnerabilities on hosts in a specific AWS account.

To enable the agent to retrieve tags from AWS, you create an allow policy for DescribeTags, and associate it with the AWS EC2 instance by doing the following:

  1. Log in to the AWS Identity and Access Management (IAM) service.
  2. Select Policies.
  3. Click Create policy.
  4. Select the JSON tab and replace the displayed policy with the following text.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:DescribeTags",
          "Resource": "*"
        }
      ]
    }
    Replace the date specified for the Version key if required.
  5. Click Next: Tags.
  6. Click Next: Review.
  7. Enter a policy name and description.
  8. Click Create policy.

Next, you associate the policy with an IAM role that can be attached to EC2 instances:

  1. Log in to the IAM service.
  2. Select Roles.
  3. Click Create role.
  4. Select AWS service as the trusted entity type and EC2 as the use case.
  5. Click Next.
  6. Search for your newly created policy, select it, and click Next.
  7. Enter a role name, update the description if you want, and click Create role.

After creating the policy and role, navigate to the EC2 service and select the instance for which you want to retrieve the external tags.

Under Actions > Security > Modify IAM role, select the IAM role you created and click Update IAM role. The next time the Lacework agent forwards data, you will see the external tags in the Lacework Console.
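The same policy, role and instance association can be scripted with the AWS CLI. The script below is an added example, not Lacework documentation or code; it assumes a configured AWS CLI with IAM and EC2 permissions, and the policy and role names (LaceworkAgentDescribeTags, LaceworkAgentTagsRole) are assumptions.

```shell
#!/bin/sh
# Added example (not Lacework documentation or code): the console steps above
# done with the AWS CLI. Assumes a configured AWS CLI with IAM permissions;
# the policy/role names below are assumptions, not Lacework's.
set -eu

POLICY_NAME="LaceworkAgentDescribeTags"
ROLE_NAME="LaceworkAgentTagsRole"

# Identity-based policy: only ec2:DescribeTags, nothing broader.
# DescribeTags supports no resource-level restriction, hence "Resource": "*".
agent_tags_policy_doc() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:DescribeTags", "Resource": "*" }
  ]
}
EOF
}

# Trust policy: lets the EC2 service assume the role on the instance's behalf.
ec2_trust_policy_doc() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole" }
  ]
}
EOF
}

# Create policy, role and instance profile, then attach the profile to the
# instance. Usage: setup_agent_tag_access i-0123456789abcdef0
setup_agent_tag_access() {
  instance_id="$1"
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(agent_tags_policy_doc)" --query Policy.Arn --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy_doc)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  # The console creates the instance profile implicitly; the CLI does not.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile "Name=$ROLE_NAME"
}
```

A newly created instance profile can take a few seconds to propagate, so the final associate call may need a short retry on a fresh account.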

In addition to importing AWS tags, you can add local tags to agents. For details, see Add Custom Agent Tags.