AWS - Integrate Agentless Workload Scanning with CloudFormation
This integration method uses AWS CloudFormation.
Overview
This article provides the prerequisites and troubleshooting steps for an Agentless Workload Scanning integration.
Once you have read through the access and resource requirements, complete the integration steps for your chosen integration level (Single Account or Organization).
Access and Resource Requirements
A new VPC and Internet Gateway will be created in each scanning region. This applies to both integration types. In the AWS Organization integration, only one account is set up to perform scanning (a scanning account or security account). This is the only account where a new VPC and Internet Gateway is created.
The target AWS account must have Service Quotas allowing at least one more of each of these resources to be created in every region selected. One way to verify is to open AWS Trusted Advisor, choose the Service limits link on the left, search for the keyword "VPC", then expand both the VPC and VPC Internet Gateways results. Make sure at least one more of each can be created in every scanning region.
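As an added example (not part of the original article or the Lacework tooling), the headroom check described above can be scripted instead of read off Trusted Advisor. The pure check runs offline on constructed sample data; the optional fetch function queries Service Quotas and EC2 with boto3. The quota codes are assumed from the Service Quotas console for the VPC service and should be verified in your own account.

```python
# Service Quotas codes for the "vpc" service. Assumption for this example:
# confirm them in the Service Quotas console before relying on them.
VPC_QUOTAS = {
    "vpcs": "L-F678F1CE",               # VPCs per Region
    "internet_gateways": "L-A4707A72",  # Internet gateways per Region
}

# Constructed sample data (not from a real account) for the offline demo.
SAMPLE_QUOTAS = {"us-east-1": {"vpcs": 5, "internet_gateways": 5},
                 "eu-west-1": {"vpcs": 5, "internet_gateways": 5}}
SAMPLE_USAGE = {"us-east-1": {"vpcs": 5, "internet_gateways": 3},
                "eu-west-1": {"vpcs": 2, "internet_gateways": 1}}


def regions_without_headroom(quotas: dict, usage: dict, needed: int = 1) -> dict:
    """Return {region: {resource: (used, quota)}} for every region in which
    fewer than `needed` more VPCs or Internet Gateways can be created.
    Both inputs map region -> {"vpcs": n, "internet_gateways": n}."""
    short = {}
    for region, limits in quotas.items():
        used = usage.get(region, {})
        for resource, quota in limits.items():
            current = used.get(resource, 0)
            if current + needed > quota:
                short.setdefault(region, {})[resource] = (current, quota)
    return short


def fetch_quotas_and_usage(regions):
    """Query applied quotas and current resource counts per region.
    Needs boto3 and AWS credentials; imported lazily so the check above
    stays usable offline."""
    import boto3
    quotas, usage = {}, {}
    for region in regions:
        sq = boto3.client("service-quotas", region_name=region)
        ec2 = boto3.client("ec2", region_name=region)
        limits = {}
        for name, code in VPC_QUOTAS.items():
            try:
                q = sq.get_service_quota(ServiceCode="vpc", QuotaCode=code)
            except sq.exceptions.NoSuchResourceException:
                # No applied (raised) quota yet: fall back to the AWS default.
                q = sq.get_aws_default_service_quota(ServiceCode="vpc", QuotaCode=code)
            limits[name] = int(q["Quota"]["Value"])
        quotas[region] = limits
        usage[region] = {
            "vpcs": len(ec2.describe_vpcs()["Vpcs"]),
            "internet_gateways": len(ec2.describe_internet_gateways()["InternetGateways"]),
        }
    return quotas, usage


if __name__ == "__main__":
    print(regions_without_headroom(SAMPLE_QUOTAS, SAMPLE_USAGE))
```

Run it against live data with `regions_without_headroom(*fetch_quotas_and_usage(["us-east-1", "eu-west-1"]))`; any region it reports will fail the regional stack creation described under Troubleshooting.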
Amazon Elastic Container Service (ECS) is used in both the Single Account and Organization deployment methods. In the AWS Organization integration, only one account is set up to perform scanning (a scanning account or security account). This is the only account where ECS is used.
Single Account: Access Requirements
- Access to run CloudFormation Stacks. A StackSet will be run in each region selected.
- Access to create ECS clusters, and access to create a VPC, subnets, and Internet Gateway for the ECS cluster.
- IAM to create an ECS task execution role, task role, and an EventBridge role for starting ECS tasks.
- IAM to create a cross-account role that has permissions to read from a newly created S3 bucket and start ECS tasks.
- Access to create CloudWatch Log Groups and Streams.
- Access to create a new S3 bucket.
- Access to create a new secret in AWS Secrets Manager.
Organization: Access Requirements
Two separate CloudFormation StackSets will be run. One in a scanning account and another on the billing or main/top-level AWS account. There are access requirements specific to both of these.
The access requirements for the scanning account are the same as the requirements for the Single Account integration. See Single Account: Access Requirements.
The access requirements for the top-level AWS account are:
- Access to the organization APIs.
- IAM to create a role to provide the scanning account the ability to list accounts in the organization.
- Access to run a CloudFormation StackSet on each Organization Unit (OU) or account selected in the template.
- Access to create an IAM role on each of the accounts mentioned above. This role will have access to create snapshots and optionally decrypt the content.
Note: CloudFormation trusted access with AWS Organizations is required to create service-managed (SERVICE_MANAGED) StackSets.
Troubleshooting
Installation
There are some known limitations:
- The Lacework Query Language (LQL) query you specify for an integration is not validated. If an improper query is specified, the scanning will fail with the status "fail closed".
- It is possible to create multiple agentless scanning integrations in the same region. If overlapping integrations are created, they are not optimized. This can result in hosts being snapshotted and scanned more than once.
CloudFormation
Service Quota reached for VPC or VPC Internet Gateway
The following error may indicate that Service Quotas have been reached for a region:
Embedded stack arn:aws:cloudformation:REGION:ACCOUNT_ID:stack/PREFIX-AgentlessScanRegionalStack-SUFFIX was not successfully created:
The following resource(s) failed to create: [AgentlessScanVPC, AgentlessScanInternetGateway].
The most likely root cause is that the maximum number of VPCs (20) or Internet Gateways (5) has been reached for a region. The solution is to request an increase of this soft quota through the Service Quotas tool.
Note: Be aware that these requests may not be auto-approved and could take up to 24 hours.
Before starting the CloudFormation, the Trusted Advisor tool can be used to inspect Service limits for all regions.
Deleting Stacks fails to delete Regional StackSet
This error may occur if scanning is active. This means an ECS Task is running, and CloudFormation will refuse to delete the ECS resources until the task stops. The recommended fix is to disable or delete the Lacework integration and wait for 2 hours. This will ensure all Tasks have stopped.
Alternatively, locate the region where the Task is running.
- Use the AWS console to open the Elastic Container Service page.
- Find the name of the cluster associated with this integration. These clusters typically have a "lacework-agentless-" prefix.
- Click the cluster name and then click the Tasks tab.
- Click the Stop all button.
- Use the CloudFormation console to delete the Stack.
Uncommon CloudFormation errors
Here are uncommon situations that lead to errors, and example error messages.
A trailing comma exists in the Regions input field
Properties validation failed for resource AgentlessScanRegionalStackSet with message:
#: #: only 1 subschema matches out of 2 #/StackInstancesGroup/0/Regions/2: failed validation constraint for keyword [pattern]
In this situation the Regions input field contained a trailing comma or other invalid character.
A duplicate region exists in the Regions input field
Properties validation failed for resource AgentlessScanRegionalStackSet with message:
#: #: only 1 subschema matches out of 2 #/StackInstancesGroup/0/Regions: array items are not unique
In this situation the Regions input field contained a duplicate region name.
An invalid region was supplied in the Regions input field
Resource handler returned message: "Region $name is not supported (Service: CloudFormation, Status Code: 400, Request ID: $id)"
(RequestToken: $token, HandlerErrorCode: InvalidRequest)
In this situation the Regions input field contained an unknown or invalid region name.
Incorrect AWS Account ID or Organizational Unit used with Org-scanning
Properties validation failed for resource AgentlessSnapshotRoleServiceManagedStackSet with message:
#: #: only 1 subschema matches out of 2 #/StackInstancesGroup/0/DeploymentTargets/OrganizationalUnitIds/0: failed validation for keyword [pattern].
In this situation the Monitored Account Deployment selection (either SELF_MANAGED or SERVICE_MANAGED) did not match the input for Monitored Account IDs.
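The four input mistakes above (trailing comma, duplicate region, invalid region name, and deployment-target IDs that do not match the SELF_MANAGED or SERVICE_MANAGED selection) can all be caught before the template is submitted. This is an added pre-flight check, not code from the original article or from Lacework; the region-name regex is an approximation assumed for this example, and the mapping of SELF_MANAGED to 12-digit account IDs and SERVICE_MANAGED to OU or root IDs follows the troubleshooting text above.

```python
import re

# Approximate AWS region-name shape (us-east-1, ap-southeast-2, us-gov-west-1).
# Assumption for this example, not an AWS-published pattern.
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# OU and root ID formats as documented for AWS Organizations.
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")
ROOT_ID_RE = re.compile(r"^r-[0-9a-z]{4,32}$")


def check_regions(regions_field: str) -> list:
    """Return problems found in a comma-separated Regions input field,
    mirroring the three StackSet validation failures: empty entries
    (trailing or doubled comma), duplicates, and malformed region names."""
    problems = []
    items = [r.strip() for r in regions_field.split(",")]
    if any(item == "" for item in items):
        problems.append("empty entry (trailing or doubled comma) in Regions")
    seen = set()
    for item in items:
        if item == "":
            continue
        if item in seen:
            problems.append(f"duplicate region {item!r}")
        seen.add(item)
        if not REGION_RE.match(item):
            problems.append(f"region {item!r} does not look like an AWS region name")
    return problems


def check_deployment_targets(mode: str, targets_field: str) -> list:
    """Check Monitored Account IDs against the Monitored Account Deployment
    selection: SELF_MANAGED wants account IDs, SERVICE_MANAGED wants OU/root IDs."""
    if mode not in ("SELF_MANAGED", "SERVICE_MANAGED"):
        return [f"unknown deployment mode {mode!r}"]
    items = [t.strip() for t in targets_field.split(",") if t.strip()]
    if not items:
        return ["no deployment targets supplied"]
    problems = []
    for item in items:
        if mode == "SELF_MANAGED" and not ACCOUNT_ID_RE.match(item):
            problems.append(f"{item!r} is not a 12-digit account ID (SELF_MANAGED)")
        if mode == "SERVICE_MANAGED" and not (OU_ID_RE.match(item) or ROOT_ID_RE.match(item)):
            problems.append(f"{item!r} is not an OU or root ID (SERVICE_MANAGED)")
    return problems


if __name__ == "__main__":
    # Constructed inputs reproducing the cases described in this section.
    print(check_regions("us-east-1,us-west-2,"))
    print(check_deployment_targets("SERVICE_MANAGED", "123456789012"))
```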
CloudFormation trusted access is not enabled for AWS Organizations
If the Step 2 CloudFormation for AWS Organizations fails with the following error:
You must enable organizations access to operate a service managed stack set
Then trusted access for AWS Organizations has not been enabled. The CloudFormation StackSets page will show a prompt and button to enable trusted access. The CloudFormation Stack must be run again after trusted access is enabled.
Updating CloudFormation StackSets
If a StackSet failed and you remedied the issue out of band, then existing StackSets can be updated.
- In the AWS Console on the CloudFormation page, select StackSets on the left-hand side menu.
- Select the radio button next to the StackSet name for the Agentless scanning CloudFormation Stack.
- Click Actions in the top-right and select Edit StackSet Details.
- For "Choose a template", use the default values and click Next.
- For "Specify StackSet details", use the default values and click Next.
- For "Configure StackSet options", use the default values and click Next.
- For "Set deployment options", input the Account numbers used in this StackSet. This is usually a single AWS account number and the same one being used to update the StackSet. Then select Add all regions, and click Next.
- Scroll to the bottom and click Submit.