Allocate Packages to Resource Groups
info
This page describes the new Lacework pricing and packaging model. For details on Lacework packages, contact your Lacework representative.
If you are using organizations to manage Lacework accounts, you can allocate Lacework packages to Lacework accounts.
Assign Packages to Accounts describes how an organization administrator makes package types available to Lacework accounts. This topic describes how an account administrator can apply the packages to resource groups within the Lacework account.
About Resource Groups
Lacework generates these default resource groups within every Lacework account:
- All AWS accounts
- All Tenants and Subscriptions (Azure)
- All Organizations and Projects (GCP)
- All Machine Tags
- All Container Labels
All AWS cloud integrations within the account are automatically included in All AWS accounts, integrated Azure tenants are included in All Tenants and Subscriptions, and so on. Machine tags apply to machines that have Lacework agents installed, as listed in the Machine tag summary table available in the Lacework Console on Resources > Host > Machines.
As an account administrator, you can allocate Lacework packages to resource groups individually based on the security resources of those groups, for example, by allocating Pro to All Organizations and Projects and Enterprise to All AWS accounts.
It's possible to have more than one type of package allocated to a single resource. For example, an AWS virtual machine that has the Lacework agent installed would belong to both the All AWS accounts and All Machine Tags resource groups. In this case, the higher level package applies, that is, if All AWS accounts is allocated Pro and All Machine Tags is allocated Enterprise, any AWS machine that has the Lacework Agent installed is subject to the Enterprise package.
Change the Default Package Allocation
By default, resource groups are allocated the lowest package available in that Lacework account. That is, if the organization administrator has assigned Pro and Enterprise to the account, all resource groups in the account are allocated the Pro package by default.
You can change the allocation for a specific resource group, as described in Allocate Subscription Level to Resource Groups, or set a new default. The new default applies to all resource groups.
As an account administrator, you can change the default allocation from the Package Allocation page. To change the default allocation, select the new subscription level from the Default package menu and click Save.
Allocate Packages to Resource Groups
You can allocate a subscription to resource groups as follows. The custom allocation rule you define here takes precedence over the default allocation rule. Note that you can change a package assignment no more than once every 24 hours.
To allocate a package to a resource group, follow these steps:
As a Lacework account administrator, click Subscription from the Lacework account menu.
Click the Package assignment tab.
Click Add new next to the Custom allocation section.
Enter a descriptive name for the allocation rule in the Rule name field.
Click the Resource groups field to bring up a menu of available resource groups and choose one or more resource groups to which the package should apply.
info
Only unassigned resource groups are available to be allocated. If the resource group is already allocated a package, it is grayed out in the menu and cannot be selected.
Select the package.
Click Save.