Skip to main content

Amazon EventBridge

You can configure an Amazon EventBridge Event bus (formerly CloudWatch Event bus) as a Lacework alert channel called Amazon CloudWatch within the platform. For more information about sending and receiving events between AWS accounts, see Amazon CloudWatch EventBridge.

After event receipt onto the EventBridge instance, you may want to create an event rule with a custom pattern rule and forward the Lacework events to an SQS queue as described in the following example. If you don't already have an SQS queue configured, create one before you proceed.

A high level architectural overview:

LaceworkAlertChannel_CloudWatch_Arch.png

Create Resources within Your AWS Account

To connect an Amazon CloudWatch alert channel to an SQS queue, you must create the following resources within your account:

  • SQS queue
  • Event bus
  • Event bus rules

Create an SQS Instance

For a minimal queue:

  1. Open the Amazon SQS service and select Create Queue.
  2. Enter a Name (for example, Lacework_CloudWatch_Alerts).
  3. Leave all other configurations as-is, for a 'standard' type SQS queue.

Create an Event Bus

  1. Open the Amazon EventBridge Service and select Amazon EventBridge > Event Buses.

  2. Click Create event bus.

  3. Enter a Name (for example, Lacework_CloudWatch_Alerts_Bus).

  4. Add a resource-based policy to allow Lacework AWS account number 434813966438 to push events to your event bus:

    {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "allow_account_to_put_events",
            "Effect": "Allow",
            "Principal": {
              "AWS": "434813966438"
            },
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:<REGION>:<YOUR-ACCOUNT-ID>:event-bus/<YOUR-EVENT-BUS-NAME>"
          }
        ]
    }

aws-create-event-bus.png

Create an Event Rule

  1. Select Amazon EventBridge > Rules.

  2. In the Select event bus pane, select your newly created event bus by name (for example, Lacework_CloudWatch_Alerts_Bus ).

  3. Click Create rule.

  4. Enter a Name (for example, Lacework_CloudWatch_Alerts_Events_Rule).

    aws-create-event-rule-name.png

  5. For Define Pattern, select Event pattern and Custom pattern.

  6. In the Event Pattern pane, copy the follow JSON pattern snippet:

    {
      "account": ["434813966438"]
    }

    aws-create-event-rule-pattern.png

  7. Click Save.

  8. In the Select event bus pane, choose Custom or partner event bus and select your newly created event bus (for example, Lacework_CloudWatch_Alerts_Bus).

  9. Toggle Enable the rule on the selected event bus to on.

    aws-create-event-rule-bus.png

  10. In the Select targets pane, choose Target and select SQS queue

  11. For Queue, select your created queue (for example, Lacework_CloudWatch_Alerts).

    aws-create-event-rule-queue.png

  12. Click Create rule.

    This returns you to the Amazon EventBridge > Rules page, which displays your newly created rule.

    aws-eventbridge-rules.png

Create an Amazon CloudWatch Alert Channel from the Lacework Console

  1. Log in to the Lacework Console as a Lacework user with administrative privileges.
  2. Go to Settings > Notifications > Alert channels.
  3. Click + Add new.
  4. Select Amazon CloudWatch.
  5. Click Next.
  6. Follow the steps in the next section.

Create an Amazon CloudWatch Alert Channel

Ensure you have completed the preparatory steps described in Create Resources within Your AWS Account. Then complete the following steps:

  1. For Name, enter the name of the integration.
  2. For Group Issues by, select one of the options:
    • Events - Select this option if you want a single Amazon CloudWatch event to be created when compliance events of the same type but from different resources are detected by Lacework. For example, if three different S3 resources are generating the same compliance event, only one AWS event is created on the Amazon CloudWatch event bus.
    • Resources - Select this option if you want multiple Amazon CloudWatch events to be created when multiple resources are generating the same compliance event. For example, if three different S3 resources are generating the same compliance event, three AWS events are created on the Amazon CloudWatch event bus.
  3. Enter the ARN of your Amazon CloudWatch event bus, which uses the following format. Replace REGION , YOUR-ACCOUNT-ID and YOUR-EVENT-BUS-NAME with your values.
        arn:aws:events:<REGION>:<YOUR-ACCOUNT-ID>:event-bus/<YOUR-EVENT-BUS-NAME>
  4. Click Save.
  5. Click Alert rules and configure your required alert routing details/options by leveraging the alert channel you created.

You should now start to see Lacework events in your SQS queue.

Create an Amazon CloudWatch Alert Channel Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework alert channels using automation.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read through the Terraform for Lacework Overview to learn the basics on how to configure the provider, and more.

For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.

resource "lacework_alert_channel_aws_cloudwatch" "all_events" {
  name            = "All events to default event-bus"
  event_bus_arn   = "arn:aws:events:<REGION>:<YOUR-ACCOUNT-ID>:event-bus/<YOUR-EVENT-BUS-NAME>"
  group_issues_by = "Events"
}

Additional information on the lacework_alert_channel_aws_cloudwatch resource can be found on the Terraform Registry.

You should now start to see Lacework events in your SQS queue.