
Agentless Workload Scanning for AWS - Single Account Integration (CloudFormation)

Overview

This article describes how to integrate your AWS single account with Lacework's Agentless Workload Scanning. The high-level steps are summarized below:

  1. Configure your integration in the Lacework Console.
  2. Choose and execute your CloudFormation integration method.
  3. Verify your Agentless Workload Scanning Integration.

Configure the Integration in Lacework Console

  1. Log in to the Lacework Console.
  2. Select Settings > Integrations > Cloud accounts.
  3. Click Add New.
  4. Click Amazon Web Services and select Agentless Workload Scanning (Single account).
  5. Click Next.
  6. Click CloudFormation.
  7. Fill in the settings as described in Configuration Settings.
  8. Click Save.
  9. Once the integration is created, the Status displays as Pending.
    Choose a CloudFormation integration method to continue the integration.

Configuration Settings

Setting: Name
  Description: The name for the integration (as it will be displayed in the Lacework Console).
  Example: myAgentlessIntegration

Setting: Scanning AWS Account ID
  Description: The AWS Account ID where the scanning resources will be created.
  Example: 123456789012

Setting: Limit Scanned Workloads
  Description: Use an LQL key and value to constrain the Agentless Workload Scanning to specific resources. If left blank, Lacework will scan all resources available to the account or organization. See Limit Scanned Workloads for further guidance.
  Example: (blank, scan everything)

Setting: Scan Frequency (hours)
  Description: How often your images, containers, and hosts are scanned for vulnerabilities (in hours).
  Example: 24

Setting: Scan containers
  Description: Untick the checkbox if you don't want to scan containers for vulnerabilities.
  Example: checkbox ticked (default)

Setting: Scan host vulnerabilities
  Description: Untick the checkbox if you don't want to scan hosts for vulnerabilities.
  Example: checkbox ticked (default)

Choose a CloudFormation Integration Method

Choose one of the following options to integrate with an AWS account using CloudFormation:

Option 1: Run CloudFormation Script

tip

For this option, disable your browser pop-up blocker first: the Run CloudFormation Template button opens the AWS Console in a new tab, and a pop-up blocker will silently prevent that redirect.

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you have just created. This displays the details of the integration.

  2. Under Install using CloudFormation, click Run CloudFormation Template.

    This redirects you to the AWS Create stack > Specify Template page in a new tab. The Lacework script populates the Amazon S3 URL in Specify template for you.

  3. Review the page and click Next.

  4. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-Config).

  5. Check that the Regions list contains the appropriate regions for your account.

    • A VPC and Internet Gateway will be created in each selected region. Before continuing, verify in the Service Quotas tool that the "VPCs per Region" and "Internet gateways per Region" quotas have not been reached in any of those regions.
    • Regional STS must be enabled in each region selected (IAM > Account settings > STS Regional endpoints); the scanner cannot assume its role in a region where STS is deactivated.
    info

    Lacework checks your account and populates the Regions list automatically. If the check happens to fail, all regions will be listed by default.

  6. For Is there an available VPC and VPC Internet Gateway in each selected Region?

    • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
    • Select Yes once you have completed the quotas check.
  7. Review the page and click Next.

  8. On Configure stack options, review the page and click Next (no changes are required).

    • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.
  9. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND
  10. Click Create stack.

  11. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    When the Status of the stack reaches CREATE_COMPLETE, the parent stack has been created. This does not by itself prove that every regional StackSet instance succeeded; continue with Verify your Agentless Workload Scanning Integration below to confirm that.

Option 2: Download CloudFormation Script

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you have just created. This displays the details of the integration.

  2. Under Install using CloudFormation, click Download CloudFormation Template.

    When prompted, choose a suitable location to save the JSON file on your local machine.

  3. Log in to your AWS account.

  4. Select the CloudFormation service and click Create stack > With new resources (standard).

  5. Under Specify template, select Upload a template file. Click Choose file and upload the CloudFormation script that was downloaded earlier.

  6. Click Next.

  7. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-Config).

  8. Check that the Regions list contains the appropriate regions for your account.

    • A VPC and Internet Gateway will be created in each selected region. Before continuing, verify in the Service Quotas tool that the "VPCs per Region" and "Internet gateways per Region" quotas have not been reached in any of those regions.
    • Regional STS must be enabled in each region selected (IAM > Account settings > STS Regional endpoints); the scanner cannot assume its role in a region where STS is deactivated.
    info

    Lacework checks your account and populates the Regions list automatically. If the check happens to fail, all regions will be listed by default.

  9. For Is there an available VPC and VPC Internet Gateway in each selected Region?

    • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
    • Select Yes once you have completed the quotas check.
  10. Review the page and click Next.

  11. On Configure stack options, review the page and click Next (no changes are required).

    • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.
  12. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND
  13. Click Create stack.

  14. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.
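Both integration methods ask you to confirm quota headroom and regional STS in every region on the Regions list before selecting Yes. The following script is an added example (not Lacework's code and not part of the template) that automates that pre-flight check. The pure evaluation logic runs offline against a constructed snapshot; collect_snapshot() is an assumed live collector that needs boto3 and AWS credentials, and it assumes the published AWS quota codes for the two VPC quotas and that a deactivated regional STS endpoint answers get_caller_identity with a client error.

```python
"""Pre-flight check for the Regions list of the Agentless Workload Scanning
template: VPC / Internet Gateway quota headroom and regional STS per region.
Added example, not Lacework's code."""

# Service Quotas codes for the two quotas the template consumes per region
# (assumed: the published AWS codes for the "vpc" service).
VPC_QUOTA_CODE = "L-F678F1CE"   # VPCs per Region
IGW_QUOTA_CODE = "L-A4707A72"   # Internet gateways per Region


def evaluate_region(vpc_used, vpc_quota, igw_used, igw_quota, sts_regional_ok, needed=1):
    """Return (ok, reasons) for one region.

    The template creates one VPC and one Internet Gateway per region, so each
    quota must have at least `needed` free slots, and regional STS must work."""
    reasons = []
    if vpc_quota - vpc_used < needed:
        reasons.append(f"VPC quota exhausted ({vpc_used}/{vpc_quota} used)")
    if igw_quota - igw_used < needed:
        reasons.append(f"Internet Gateway quota exhausted ({igw_used}/{igw_quota} used)")
    if not sts_regional_ok:
        reasons.append("regional STS endpoint not reachable (enable it under IAM > Account settings)")
    return (not reasons, reasons)


def evaluate_regions(snapshot):
    """snapshot: {region: {vpc_used, vpc_quota, igw_used, igw_quota, sts_regional_ok}}.
    Returns {region: (ok, reasons)}."""
    return {region: evaluate_region(**data) for region, data in snapshot.items()}


def regions_to_select(snapshot):
    """Regions that pass every check, i.e. the ones to keep in the Regions list."""
    return sorted(region for region, (ok, _) in evaluate_regions(snapshot).items() if ok)


# Constructed snapshot for the offline run (not real account data):
# eu-west-1 has no free VPC slot, ap-south-1 has regional STS deactivated.
SAMPLE_SNAPSHOT = {
    "us-east-1":  dict(vpc_used=3, vpc_quota=5, igw_used=3, igw_quota=5, sts_regional_ok=True),
    "eu-west-1":  dict(vpc_used=5, vpc_quota=5, igw_used=4, igw_quota=5, sts_regional_ok=True),
    "ap-south-1": dict(vpc_used=1, vpc_quota=5, igw_used=1, igw_quota=5, sts_regional_ok=False),
}


def collect_snapshot(regions):
    """Assumed live collector: requires boto3 and configured credentials.
    Counts existing VPCs/IGWs, reads the applied quota values, and probes the
    regional STS endpoint explicitly (a deactivated region raises ClientError)."""
    import boto3
    import botocore.exceptions

    snapshot = {}
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        quotas = boto3.client("service-quotas", region_name=region)
        vpc_used = len(ec2.describe_vpcs()["Vpcs"])
        igw_used = len(ec2.describe_internet_gateways()["InternetGateways"])
        vpc_quota = int(quotas.get_service_quota(ServiceCode="vpc", QuotaCode=VPC_QUOTA_CODE)["Quota"]["Value"])
        igw_quota = int(quotas.get_service_quota(ServiceCode="vpc", QuotaCode=IGW_QUOTA_CODE)["Quota"]["Value"])
        sts = boto3.client("sts", region_name=region,
                           endpoint_url=f"https://sts.{region}.amazonaws.com")
        try:
            sts.get_caller_identity()
            sts_ok = True
        except botocore.exceptions.ClientError:
            sts_ok = False
        snapshot[region] = dict(vpc_used=vpc_used, vpc_quota=vpc_quota,
                                igw_used=igw_used, igw_quota=igw_quota,
                                sts_regional_ok=sts_ok)
    return snapshot


if __name__ == "__main__":
    for region, (ok, reasons) in evaluate_regions(SAMPLE_SNAPSHOT).items():
        print(region, "OK" if ok else "BLOCKED: " + "; ".join(reasons))
    print("select:", regions_to_select(SAMPLE_SNAPSHOT))
```

Run it as-is to see the verdicts for the constructed snapshot; replace SAMPLE_SNAPSHOT with collect_snapshot([...]) over the regions shown in the Regions list to check a real account. A region that is BLOCKED should be removed from the list (or its quota raised) before you select Yes, because the stack will otherwise reach CREATE_COMPLETE while that region's StackSet instance fails.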

Verify your Agentless Workload Scanning Integration

Verify CloudFormation StackSet Instances Completed

These steps verify that CloudFormation installed a StackSet instance for each region selected in the Stack Regions. The parent CloudFormation Stack can reach CREATE_COMPLETE even though one or more regional StackSet instances failed, so do not rely on the Stack status alone.

  1. In the AWS Console open the CloudFormation page. Make sure you have selected the AWS region where the Agentless Scanning template was installed.
  2. On the left-hand side menu click StackSets.
  3. Click on the link for the StackSet matching the name of the CloudFormation Stack created above.
  4. Click on the Stack Instances tab.
  5. Review each instance and check that the Detailed Status is SUCCEEDED. If an instance failed, its Status Reason contains the detailed error message (for example, a VPC quota that was exceeded in that region).
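The same check can be scripted so that a missing or failed regional instance is caught without clicking through every region. This is an added example, not Lacework's tooling: audit_stack_instances() runs offline over the summaries shape that the CloudFormation ListStackInstances API returns, using a constructed sample; fetch_stack_instances() is the assumed live fetch with boto3 and credentials, and it assumes (as the steps above state) that the StackSet carries the same name as the Stack you created.

```python
"""Audit the regional StackSet instances behind the Agentless Workload Scanning
stack. Added example, not Lacework's code."""


def audit_stack_instances(summaries, expected_regions):
    """Return {region: problem}. An empty dict means every expected region has a
    CURRENT instance whose DetailedStatus is SUCCEEDED.

    summaries: the "Summaries" list from ListStackInstances (Region, Account,
    Status, StatusReason, StackInstanceStatus.DetailedStatus)."""
    problems = {}
    seen = set()
    for s in summaries:
        region = s["Region"]
        seen.add(region)
        detailed = s.get("StackInstanceStatus", {}).get("DetailedStatus")
        if s.get("Status") != "CURRENT" or detailed != "SUCCEEDED":
            reason = s.get("StatusReason", "no reason given")
            problems[region] = f"Status={s.get('Status')} DetailedStatus={detailed}: {reason}"
    # A region that was selected but never got an instance is also a failure:
    # the scanner will simply never run there.
    for region in expected_regions:
        if region not in seen:
            problems[region] = "no stack instance created for this region"
    return problems


def fetch_stack_instances(stack_set_name, region):
    """Assumed live fetch: requires boto3 and credentials. Follows NextToken so
    StackSets with many regions are read completely."""
    import boto3

    cfn = boto3.client("cloudformation", region_name=region)
    summaries, token = [], None
    while True:
        kwargs = {"StackSetName": stack_set_name}
        if token:
            kwargs["NextToken"] = token
        resp = cfn.list_stack_instances(**kwargs)
        summaries.extend(resp.get("Summaries", []))
        token = resp.get("NextToken")
        if not token:
            return summaries


# Constructed sample (not real API output): one healthy instance, one that
# failed on the VPC quota, and a third selected region with no instance at all.
EXPECTED_REGIONS = ["us-east-1", "eu-west-1", "ap-south-1"]
SAMPLE_SUMMARIES = [
    {
        "Region": "us-east-1", "Account": "123456789012", "Status": "CURRENT",
        "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"},
    },
    {
        "Region": "eu-west-1", "Account": "123456789012", "Status": "OUTDATED",
        "StatusReason": "ResourceType(AWS::EC2::VPC), "
                        "ResourceStatusReason(The maximum number of VPCs has been reached).",
        "StackInstanceStatus": {"DetailedStatus": "FAILED"},
    },
]


if __name__ == "__main__":
    problems = audit_stack_instances(SAMPLE_SUMMARIES, EXPECTED_REGIONS)
    if not problems:
        print("all regional instances SUCCEEDED")
    for region, problem in sorted(problems.items()):
        print(f"{region}: {problem}")
```

For a real account, replace SAMPLE_SUMMARIES with fetch_stack_instances("Lacework-AWS-Agentless-Config", "<region where the stack was created>") and EXPECTED_REGIONS with the Regions list you selected. Any region reported here needs to be fixed (raise the quota, enable regional STS) and the stack updated before the Lacework integration status can move to Success.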

Verify Lacework Integration Completed

In the Lacework console, the status of the integration at Settings > Integrations > Cloud accounts will update from Pending to Success if all resources are installed correctly.

You may need to refresh the page when returning from the AWS Console after completing the integration steps.

If the periodic scanning encounters an error, the status will display the error details.

Remove an Agentless Workload Scanning Integration

Follow these steps if you want to remove your single account integration.

Start in the Lacework console.

  1. In Settings > Integrations > Cloud accounts, find the integration that you would like to remove.
  2. Note the name of the integration; you will use it to locate the CloudFormation Stack later.
  3. Toggle the integration State to disabled, or Delete the integration using the actions menu on the right.

Once complete, remove the integration within AWS using the AWS Console.

  1. Log in to your AWS account.
  2. Select the CloudFormation service and find the Stack with the associated name from the integration.
  3. Click Delete, then Delete stack to confirm. Deleting the stack removes the scanning resources the template created in your account.