AWS Integration - Terraform from AWS CloudShell
Overview
This topic describes how to integrate with AWS by running Lacework Terraform modules from AWS CloudShell.
If you are new to the Lacework Terraform provider or to Lacework Terraform modules, read Terraform for Lacework Overview to learn the basics of how to configure the provider.
note
Lacework Terraform modules for AWS do not support GovCloud integration yet.
Resources Provisioned by Lacework Terraform Modules
To integrate AWS with Lacework, Lacework Terraform modules provision the following resources in the designated AWS account:
- IAM Cross-Account Role - A cross-account role is required to give Lacework access for assessments of cloud resource configurations and for analysis of CloudTrail events. The cross-account role is given the following policies:
  - SecurityAudit - AWS-managed policy that provides read-only access to cloud resource configurations.
  - Lacework Custom IAM Policy - A custom policy that provides Lacework read-only access to ingest CloudTrail logs.
- CloudTrail - Lacework can create a new trail or use an existing CloudTrail.
- S3 Bucket - An S3 bucket is required for all CloudTrail integrations. Lacework can use an existing bucket or create a new bucket in the designated account.
- SNS Topic - An SNS topic is required for all CloudTrail integrations. Terraform can use an existing SNS topic or create one if an SNS topic has not been added to an existing CloudTrail.
- SQS Queue - An SQS queue is required for all CloudTrail integrations and monitored by Lacework.
Requirements
- AWS Account Admin - The account used to run AWS CloudShell inherits the permissions of the user that starts CloudShell.
- Lacework Administrator - You must have a Lacework account with administrator privileges.
Module Inputs Reference
For an up-to-date guide on all available configuration inputs, refer to the documentation on the Terraform registry:
Module Dependencies
Lacework Terraform modules for AWS have the following dependencies, which are installed when running terraform init:
For detailed information on these dependencies, visit Lacework on the Terraform registry.
AWS CloudShell Configuration
AWS CloudShell is a browser-based shell that makes it easy to securely manage, explore, and interact with your AWS resources. CloudShell is pre-authenticated with your AWS console credentials. Common development and operations tools are pre-installed, so no local installation or configuration is required. With CloudShell, you can quickly run scripts with the AWS CLI, experiment with AWS service APIs using the AWS SDKs, or use a range of other tools to be productive. You can use CloudShell right from your browser and at no additional cost.
Lacework provides a robust command-line interface that generates Terraform code, installs the Terraform CLI (if not already installed), and can run Terraform inside AWS CloudShell.
Install the Lacework CLI in AWS CloudShell
This section covers installing the Lacework CLI in AWS CloudShell.
- Log in to the AWS Console and go to AWS CloudShell.
- Launch a new CloudShell.
- Once CloudShell is provisioned, copy and paste the following commands to install the Lacework CLI:
mkdir -p "$HOME"/bin
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash -s -- -d "$HOME"/bin
note
Sometimes, you have to exit the CloudShell and reopen it for the Lacework CLI to be loaded in your $PATH.
Create Lacework API Key
The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys.
- Log in to the Lacework Console.
- Click Settings > Configuration > API keys.
- Click + Add New.
- Enter a name for the key and an optional description.
- Click Save.
- Click the ... icon and then Download to save the API key file locally.
The contents of your API key file contain a keyId, secret, subAccount, and account:
{
"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": "myaccount.lacework.net"
}
Configure the Lacework CLI
Use the lacework configure command in AWS CloudShell to configure the CLI with the API key downloaded in the previous step.
lacework configure
Account: example
Access Key ID: EXAMPLE_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************
You are all set!
The lacework configure command generates a file named .lacework.toml inside your home directory ($HOME/.lacework.toml) with a single profile named default.
Deployment Scenarios
Lacework Terraform modules for AWS support the following deployment scenarios:
- Deploy New CloudTrail and Add Configuration Assessment - This deployment scenario configures a new CloudTrail in an AWS account, configures an AWS account for cloud resource configuration assessment, and integrates the AWS account with Lacework.
- Integrate Existing CloudTrail and Add Configuration Assessment - This deployment scenario uses an existing CloudTrail and S3 bucket, and either creates a new SNS topic or uses an existing one passed as an input to the module. The example creates the SQS queue and IAM role for Lacework, and then configures both integrations with Lacework.
- New Consolidated CloudTrail - This scenario enables a new consolidated CloudTrail and IAM role for Lacework, then configures both integrations with Lacework. Finally, it configures a new CloudTrail trail in an AWS sub-account that points to the main CloudTrail.
- Existing Consolidated CloudTrail - This scenario uses an existing consolidated CloudTrail and creates an IAM role for Lacework, then configures all sub-accounts to be integrated with Lacework.
- Configure Multiple AWS Accounts - This scenario configures multiple AWS accounts for cloud resource configuration compliance only.
- Supplemental: New or Existing CloudTrail with KMS Bucket Encryption - Additional parameters for use of KMS-encrypted S3 buckets.
Scenario 1 - Deploy New CloudTrail and Add Configuration Assessment
This scenario creates a new CloudTrail in an AWS account along with a cross-account IAM role to provide Lacework access to monitor CloudTrail, AWS resource configurations, and integrate the AWS account into Lacework.
Run the Lacework CLI in CloudShell
Inside your CloudShell, run the following Lacework CLI command:
lacework generate cloud-account aws \
--config --cloudtrail --noninteractive \
--aws_region YourAWSRegion --apply
note
Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Scenario 2 - Integrate Existing CloudTrail and Add Configuration Assessment
In this scenario, Terraform configures a cross-account IAM role to provide Lacework access to monitor an existing CloudTrail. That same cross-account role also provides Lacework permissions to audit AWS resource configurations, and integrate the AWS account into Lacework. An SQS queue is created for Lacework, and you can optionally deploy an SNS topic for that SQS queue if one does not already exist.
About SNS Topics
AWS CloudTrail provides an option to create an SNS topic, which is required to integrate AWS environments with Lacework. The Lacework Terraform module for CloudTrail creates a new SNS topic by default. The SNS topic must be created in the same region as the existing CloudTrail, and it must be manually attached to the CloudTrail by logging in to the AWS console, going to CloudTrail, and then selecting the new SNS topic.
Run the Lacework CLI in CloudShell
Inside your CloudShell, run the following Lacework CLI command:
lacework generate cloud-account aws \
--config --cloudtrail --noninteractive \
--aws_region YourRegionOfExistingCloudTrail \
--existing_bucket_arn YourExistingBucketARN \
--apply
note
The command must be run in the account that owns the S3 bucket used with the CloudTrail.
If you have an SNS topic configured on the existing CloudTrail, specify it using the --existing_sns_topic_arn YourExistingTopicARN flag.
If you do not have an existing SNS topic configured on the existing CloudTrail, then the Terraform module automatically creates one, but you must manually attach the SNS topic to the existing CloudTrail.
note
Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.
Validate the Configuration
To confirm that the Cloud Account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Scenario 3 - Deploy New Consolidated CloudTrail and Configuration Assessment
Lacework supports the integration of consolidated CloudTrail deployments where multiple sub accounts send CloudTrail logs to a main CloudTrail account.
This scenario enables an organization CloudTrail and a cross-account IAM role to give Lacework access to CloudTrail and integrates the AWS accounts into Lacework.
Run the Lacework CLI in CloudShell
Inside your CloudShell, run the following Lacework CLI command:
lacework generate cloud-account aws \
--config --cloudtrail --noninteractive \
--aws_region RegionOfYourMainAccount \
--consolidated_cloudtrail --apply \
--aws_subaccount SubAccount:RegionOfYourSubAccount
note
The AWS sub-account names you provide should match the profile names in your ~/.aws/credentials file.
If you are integrating more sub-accounts, you can integrate them by providing multiple --aws_subaccount flags.
For more information on organization-level CloudTrail deployments, see the AWS documentation.
note
Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.
Validate the Configuration
To confirm that the Cloud Account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see at least two integrations (depending on how many --aws_subaccount flags you provided): one or more AwsCfg for the Config integration(s), and AwsCtSqs for the CloudTrail integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Scenario 4 - Integrate Existing Consolidated CloudTrail and Configuration Assessment
Lacework supports the integration of consolidated CloudTrail deployments where multiple sub accounts send CloudTrail logs to a main CloudTrail account.
This scenario uses an existing consolidated CloudTrail, and deploys a cross-account IAM role to give Lacework access to CloudTrail and integrates the AWS accounts into Lacework. The cross-account role also provides Lacework access to assess cloud resource configurations.
Run the Lacework CLI in CloudShell
Inside your CloudShell, run the following Lacework CLI command:
lacework generate cloud-account aws \
--config --cloudtrail --noninteractive \
--aws_region RegionOfYourMainAccount \
--consolidated_cloudtrail --apply \
--existing_bucket_arn YourExistingBucketARN \
--aws_subaccount SubAccount:RegionOfYourSubAccount
If you have an SNS topic configured on the existing CloudTrail, specify it using the --existing_sns_topic_arn YourExistingTopicARN flag.
If you do not have an existing SNS topic configured on the existing CloudTrail, then the Terraform module automatically creates one, but you must manually attach the SNS topic to the existing CloudTrail.
For more information on organization-level CloudTrail deployments, see AWS documentation.
note
Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.
Validate the Configuration
To confirm that the Cloud Account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see at least two integrations (depending on how many --aws_subaccount flags you provided): one or more AwsCfg for the Config integration(s), and AwsCtSqs for the CloudTrail integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Scenario 5 - Configure Multiple AWS Accounts
This scenario configures multiple AWS accounts for cloud resource configuration compliance only. You must have a corresponding AWS credentials file with the respective profiles listed in the example. For example, if your credentials file includes a profile named development, then use that name in the --aws_subaccount flag in the command.
Run the Lacework CLI in CloudShell
Inside your CloudShell, run the following Lacework CLI command:
lacework generate cloud-account aws --config --apply \
--noninteractive --aws_region RegionOfYourMainAccount \
--aws_subaccount SubAccount1:RegionOfYourSubAccount1 \
--aws_subaccount SubAccount2:RegionOfYourSubAccount2 \
--aws_subaccount SubAccount3:RegionOfYourSubAccount3
- Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.
- Ensure you have your multiple account credentials in your ~/.aws/credentials file.
- Run the command above.
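As an added pre-flight check (this helper is not part of the Lacework CLI or its Terraform modules), the following POSIX shell function verifies that every SubAccount:Region value you intend to pass to --aws_subaccount names a profile that actually exists in your AWS credentials file, which is the requirement stated for Scenarios 3 and 5. The credentials file it writes is constructed for the demonstration and holds placeholder values only.

```shell
# Added helper, not part of the Lacework CLI: check that each
# "SubAccount:Region" value intended for --aws_subaccount names a profile
# that exists in the given AWS credentials file. Returns non-zero (and prints
# each problem to stderr) if any value is malformed or its profile is missing.
check_subaccount_profiles() {
  creds_file="$1"; shift
  failed=0
  for pair in "$@"; do
    profile="${pair%%:*}"   # text before the first colon
    region="${pair#*:}"     # text after the first colon
    if [ "$profile" = "$pair" ] || [ -z "$profile" ] || [ -z "$region" ]; then
      echo "malformed --aws_subaccount value '$pair' (expected Name:Region)" >&2
      failed=1
      continue
    fi
    # Profiles appear as "[name]" section headers in ~/.aws/credentials.
    if ! grep -q "^\[$profile][[:space:]]*$" "$creds_file"; then
      echo "profile '$profile' not found in $creds_file" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Constructed sample credentials file with placeholder (non-working) keys,
# used only to demonstrate the check. Prints the temporary file's path.
write_sample_credentials() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
[default]
aws_access_key_id = PLACEHOLDER_MAIN_KEY_ID
aws_secret_access_key = PLACEHOLDER_MAIN_SECRET

[development]
aws_access_key_id = PLACEHOLDER_DEV_KEY_ID
aws_secret_access_key = PLACEHOLDER_DEV_SECRET
EOF
  printf '%s\n' "$f"
}

# Example run: "development" exists in the sample file, "staging" does not,
# so the check fails and the warning below is printed.
sample="$(write_sample_credentials)"
check_subaccount_profiles "$sample" development:us-east-1 staging:us-west-2 \
  || echo "fix the credentials file before running lacework generate" >&2
rm -f "$sample"
```

Against your real environment, call check_subaccount_profiles "$HOME/.aws/credentials" with the same SubAccount:Region values you plan to pass to the lacework generate command.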
note
Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.
Validate the Configuration
To confirm that the Cloud Account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see as many AwsCfg integrations as --aws_subaccount flags you provided, plus one for the main account.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Supplemental - For New or Existing CloudTrail with KMS Encrypted Buckets
Lacework supports reading from KMS-encrypted CloudTrail buckets by configuring the cross-account role to give Lacework access to the KMS key.
When the below inputs are added to your Terraform plan, your CloudTrail and S3 are configured to use the provided KMS key, and your cross-account role is updated to allow Lacework to read the KMS key.
| Input | Details |
|---|---|
| bucket_sse_algorithm | For KMS, specify aws:kms |
| bucket_sse_key_arn | Specify the ARN of your KMS key. (Access to this key is granted to the Lacework IAM cross-account role.) |
Example
module "aws_cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.0"

  # ... More code here ...

  bucket_sse_algorithm = "aws:kms"
  bucket_sse_key_arn   = "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
}