Agentless Workload Scanning for AWS - Organization Integration (CloudFormation)

Overview

This article describes how to integrate your AWS organization with Lacework's Agentless Workload Scanning. The high-level steps are summarized below:

1. Configure your integration in the Lacework Console.
2. Set Up Scanning Account (Step 1 for CloudFormation).
3. Integrate Scanning Account with your Organization (Step 2 for CloudFormation).
4. Verify your Agentless Workload Scanning Integration.

Configure the Integration in Lacework Console

1. Log in to the Lacework Console.
2. Select Settings > Integrations > Cloud accounts.
3. Click Add New.
4. Click Amazon Web Services and select Agentless Workload Scanning (Organization).
5. Click Next.
6. Click CloudFormation.
7. Fill in the settings as described in Configuration Settings.
8. Click Save.
9. Once the integration is created, the Status displays as Pending.
   Proceed to Step 1: Set Up Scanning Account to continue the integration.

Configuration Settings

Setting	Description	Example
Name	The name for the integration (as it will be displayed in the Lacework Console).	myAgentlessIntegration
Scanning AWS Account ID	The AWS Account ID where the scanning resources will be created.	123456789012
Limit Scanned Workloads	Use an LQL key and value to constrain the Agentless Workload Scanning to specific resources. If left blank, Lacework will scan all resources available to the account or organization. See Limit Scanned Workloads for further guidance.
Scan Frequency (hours)	How often your images, containers, and hosts are scanned for vulnerabilities (in hours).	24
Scan containers	Untick the checkbox if you don't want to scan containers for vulnerabilities.
Scan host vulnerabilities	Untick the checkbox if you don't want to scan hosts for vulnerabilities.

info

Once created, you can view all the Agentless Workload Scanning integration details in the Lacework Console.

Step 1: Set Up Scanning Account

Choose one of the following options to set up a scanning account for your AWS Organization integration using CloudFormation:

• Option 1: Run CloudFormation script
  • For the initial setup, Lacework recommends this method as it requires fewer steps and less user interaction.
• Option 2: Download CloudFormation script
  • This method requires more user interaction, but may be useful if you have multiple organizations with distributed ownership.

Option 1: Run CloudFormation Script

tip

For this option, disable your browser pop-up blocker, otherwise you may not be redirected to the AWS user portal during the initial steps.

1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you have just created. This displays the details of the integration.

2. Under Install using CloudFormation > Step 1: Set up AWS Scanning Account, click Run CloudFormation Template.

   This redirects you to the AWS Create stack > Specify Template page in a new tab. The Lacework script populates the Amazon S3 URL in Specify template for you.

3. Review the page and click Next.

4. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-ScanAccount).

5. Check that the Regions list contains the appropriate regions for your account.

   • A VPC and Internet Gateway will be created in each region, please verify resource quotes have not been reached using the Service Quotas tool.
   • Regional STS must be enabled in each region selected.

   info

   Lacework checks your account and populates the Regions list automatically. If the check happens to fail, all regions will be listed by default.

6. For Is there an available VPC and VPC Internet Gateway in each selected Region?

   • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
   • Select Yes once you have completed the quotas check.

7. Review the page and click Next.

8. On Configure stack options, review the page and click Next (no changes are required).

   • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.

9. On the Review page, check the acknowledgements in the Capabilities section:

   • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
   • I acknowledge that AWS CloudFormation might require the following capability:
     CAPABILITY_AUTO_EXPAND

10. Click Create stack.

11. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    Up to three stacks are created for the purposes of the scanning account, the descriptions for each are as follows:

    • Lacework AWS Agentless Workload Scanning Organization Integration - Scanning Resources
    • Lacework AWS Agentless Workload Scanning Integration - Global
    • Lacework AWS Agentless Workload Scanning Integration - Regional

    When the Status of each of these stacks reaches CREATE_COMPLETE, the first part of the integration is complete.

12. Note down the following key values from the first stack that was created (and named by you). They can be found on the Outputs tab when viewing the stack:

    1. CrossAccountRoleArn
    2. ECSTaskRoleArn
    3. ExternalId
    4. S3BucketArn

    These are entered during the stack deployment in step 2.

13. Proceed to Step 2: Integrate Scanning Account with your Organization to continue the integration.

Option 2: Download CloudFormation Script

1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you have just created. This displays the details of the integration.

2. Under Install using CloudFormation > Step 1: Set up AWS Scanning Account, click Download CloudFormation Template.

   When prompted, choose a suitable location to save the JSON file on your local machine.

3. Log in to your AWS account.

4. Select the CloudFormation service and click Create stack > With new resources (standard).

5. Under Specify template, select Upload a template file. Click Choose file and upload the CloudFormation script that was downloaded earlier.

6. Click Next.

7. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-ScanAccount).

8. Check that the Regions list contains the appropriate regions for your account.

   • A VPC and Internet Gateway will be created in each region, please verify resource quotes have not been reached using the Service Quotas tool.
   • Regional STS must be enabled in each region selected.

   info

   Lacework checks your account and populates the Regions list automatically. If the check happens to fail, all regions will be listed by default.

9. For Is there an available VPC and VPC Internet Gateway in each selected Region?

   • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
   • Select Yes once you have completed the quotas check.

10. Review the page and click Next.

11. On Configure stack options, review the page and click Next (no changes are required).

    • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.

12. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND

13. Click Create stack.

14. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    Up to three stacks are created for the purposes of the scanning account, the descriptions for each are as follows:

    • Lacework AWS Agentless Workload Scanning Organization Integration - Scanning Resources
    • Lacework AWS Agentless Workload Scanning Integration - Global
    • Lacework AWS Agentless Workload Scanning Integration - Regional

    When the Status of each of these stacks reaches CREATE_COMPLETE, the first part of the integration is complete.

15. Note down the following key values from the first stack that was created (and named by you). They can be found on the Outputs tab when viewing the stack:

    1. CrossAccountRoleArn
    2. ECSTaskRoleArn
    3. ExternalId
    4. S3BucketArn

    These are entered during the stack deployment in step 2.

16. Proceed to Step 2: Integrate Scanning Account with your Organization to continue the integration.

Step 2: Integrate Scanning Account with your Organization

Choose one of the following options to integrate the scanning account with your AWS Organization using CloudFormation:

• Option 1: Run CloudFormation script
  • For the initial setup, Lacework recommends this method as it requires fewer steps and less user interaction.
• Option 2: Download CloudFormation script
  • This method requires more user interaction, but may be useful if you have multiple organizations with distributed ownership.

Option 1: Run CloudFormation Script

tip

For this option, disable your browser pop-up blocker, otherwise you may not be redirected to the AWS user portal during the initial steps.

1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the agentless integration that you have just set up a scanning account for. This displays the details of the integration.

2. Under Install using CloudFormation > Step 2: Integrate AWS Scanning Account with your AWS Organization, click Run CloudFormation Template.

   This redirects you to the AWS Create stack > Specify Template page in a new tab. The Lacework script populates the Amazon S3 URL in Specify template for you.

3. Review the page and click Next.

4. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-OrgIntegration).

5. For the following named fields, enter the equivalent key values obtained from the scanning account stack (Outputs tab) created in Step 1.

   1. CrossAccountRoleArn
   2. ECSTaskRoleArn
   3. ExternalId
   4. S3BucketArn

6. For Monitored Account Deployment, select one of the following options:

   1. SERVICE_MANAGED (Organizational Units) - Select this option if you want to monitor the whole organization from the Root or specific Organizational Units (OUs).
   2. SELF_MANAGED (Account IDs) - Select this option if you only want to monitor one or more specific accounts within the organization.

   info

   See AWS Organizations terminology and concepts for further guidance on AWS Organizational structure.

7. For Monitored Account IDs, there are a number of options available:

   1. Enter the AWS Organization Root ID if you want to monitor the whole organization. Ensure SERVICE_MANAGED (Organizational Units) has been selected in the Monitored Account Deployment dropdown.

   2. Enter one or more Organization unit (OU) IDs if you want to monitor specific OUs. Ensure SERVICE_MANAGED (Organizational Units) has been selected in the Monitored Account Deployment dropdown.

   3. Enter the Account IDs that you want to monitor specific accounts within the organization. Ensure SELF_MANAGED (Account IDs) has been selected in the Monitored Account Deployment dropdown.

8. For Is there an available VPC and VPC Internet Gateway in each selected Region?

   • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
   • Select Yes once you have completed the quotas check.

9. Review the page and click Next.

10. On Configure stack options, review the page and click Next (no changes are required).

    • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.

11. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND

12. Click Create stack.

13. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    When the Status of the stack reaches CREATE_COMPLETE, the Agentless Workload Scanning integration for this AWS Organization is complete.

Option 2: Download CloudFormation Script

1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the agentless integration that you have just set up a scanning account for. This displays the details of the integration.

2. Under Install using CloudFormation > Step 2: Integrate AWS Scanning Account with your AWS Organization, click Download CloudFormation Template.

   When prompted, choose a suitable location to save the JSON file on your local machine.

3. Log in to your AWS account.

4. Select the CloudFormation service and click Create stack > With new resources (standard).

5. Under Specify template, select Upload a template file. Click Choose file and upload the CloudFormation script that was downloaded earlier.

6. Click Next.

7. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-OrgIntegration).

8. For the following named fields, enter the equivalent key values obtained from the scanning account stack (Outputs tab) created in Step 1.

   1. CrossAccountRoleArn
   2. ECSTaskRoleArn
   3. ExternalId
   4. S3BucketArn

9. For Monitored Account Deployment, select one of the following options:

   1. SERVICE_MANAGED (Organizational Units) - Select this option if you want to monitor the whole organization from the Root or specific Organizational Units (OUs).
   2. SELF_MANAGED (Account IDs) - Select this option if you only want to monitor one or more specific accounts within the organization.

   info

   See AWS Organizations terminology and concepts for further guidance on AWS Organizational structure.

10. For Monitored Account IDs, there are a number of options available:

    1. Enter the AWS Organization Root ID if you want to monitor the whole organization. Ensure SERVICE_MANAGED (Organizational Units) has been selected in the Monitored Account Deployment dropdown.

    2. Enter one or more Organization unit (OU) IDs if you want to monitor specific OUs. Ensure SERVICE_MANAGED (Organizational Units) has been selected in the Monitored Account Deployment dropdown.

    3. Enter the Account IDs that you want to monitor specific accounts within the organization. Ensure SELF_MANAGED (Account IDs) has been selected in the Monitored Account Deployment dropdown.

11. For Is there an available VPC and VPC Internet Gateway in each selected Region?

    • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
    • Select Yes once you have completed the quotas check.

12. Review the page and click Next.

13. On Configure stack options, review the page and click Next (no changes are required).

    • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.

14. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND

15. Click Create stack.

16. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    When the Status of the stack reaches CREATE_COMPLETE, the Agentless Workload Scanning integration for this AWS Organization is complete.

Verify your Agentless Workload Scanning Integration

Verify CloudFormation StackSet Instances Completed

These steps will verify that CloudFormation installed a StackSet for each Region selected in the Stack Regions. Note that it is possible that the CloudFormation Stack completed successfully but one or more regional StackSet Instances failed.

1. In the AWS Console open the CloudFormation page. Make sure you have selected the AWS region where the Agentless Scanning template was installed.
2. On the left-hand side menu click StackSets.
3. Click on the link for the StackSet matching the name of the CloudFormation Stack created above.
4. Click on the Stack Instances tab.
5. Review each Instance and check that the Detailed Status is "Success", if there is an error then the Status Reason will provided a detailed error message.

Verify Lacework Integration Completed

In the Lacework console, the status of the integration at Settings > Integrations > Cloud accounts will update from Pending to Success if all resources are installed correctly.

You may need to refresh the page when returning from the AWS Console after completing the integration steps.

If the periodic scanning encounters an error, the status will display the error details.

Remove an Agentless Workload Scanning Integration

Follow these steps if you want to remove your organization integration.

Start in the Lacework console.

1. In Settings > Integrations > Cloud accounts, find the integration that you would like to remove.
2. Note the name of the integration, this will be used to locate the CloudFormation Stack later.
3. Toggle the integration State to disabled, or Delete the integration using the actions menu on the right.

Once complete, remove the integration within AWS using the AWS Console.

1. Log in to your AWS account.
2. Select the CloudFormation service and find the Stacks with the associated names from the integration.
3. Click the Delete button then Delete stack to confirm deleting.