Skip to main content

AWS Integration - Terraform from AWS CloudShell

Overview

This topic describes how to integrate with AWS by running Lacework Terraform modules from AWS CloudShell.

If you are new to the Lacework Terraform provider, or Lacework Terraform modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider.

note

Lacework Terraform modules for AWS do not support GovCloud integration yet.

Resources Provisioned by Lacework Terraform Modules

To integrate AWS with Lacework, Lacework Terraform modules provision the following resources in the designated AWS account:

  • IAM Cross-Account Role - A cross-account role is required to give access to Lacework access for assessments of cloud resource configurations and for analysis of CloudTrail events. The cross-account role is given the following policies:
    • SecurityAudit - AWS-managed policy to provide read-only access to cloud resource configurations.
    • Lacework Custom IAM Policy - A custom policy that provides Lacework read-only access to ingest CloudTrail logs.
  • CloudTrail - Lacework can create a new trail or use an existing CloudTrail.
  • S3 Bucket - An S3 bucket is required for all CloudTrail integrations. Lacework can use an existing bucket or create a new bucket in the designated account.
  • SNS Topic - An SNS topic is required for all CloudTrail integrations. Terraform can use an existing SNS topic or create one if an SNS topic has not been added to an existing CloudTrail.
  • SQS Queue - An SQS queue is required for all CloudTrail integrations and monitored by Lacework.

Requirements

  • AWS Account Admin - The account used to run AWS CloudShell inherits the permissions of the user that starts CloudShell.
  • Lacework Administrator - You must have a Lacework account with administrator privileges.

Module Inputs Reference

For an up-to-date guide on all available configuration inputs, refer to the documentation on the Terraform registry:

Module Dependencies

Lacework Terraform modules for AWS have the following dependencies that are installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform registry.

AWS CloudShell Configuration

AWS CloudShell is a browser-based shell that makes it easy to securely manage, explore, and interact with your AWS resources. CloudShell is pre-authenticated with your AWS console credentials. Common development and operations tools are pre-installed, so no local installation or configuration is required. With CloudShell, you can quickly run scripts with the AWS CLI, experiment with AWS service APIs using the AWS SDKs, or use a range of other tools to be productive. You can use CloudShell right from your browser and at no additional cost.

Lacework provides a robust command-line interface that generates Terraform code, installs the Terraform CLI (if not already installed), and can run Terraform inside AWS CloudShell.

Install the Lacework CLI in AWS CloudShell

This section covers installing the Lacework CLI in AWS CloudShell.

  1. Log in to the AWS Console and go to AWS CloudShell.

  2. Launch a new CloudShell.

  3. Once CloudShell is provisioned, copy and paste the following commands to install the Lacework CLI:

    mkdir -p "$HOME"/bin
    curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash -s -- -d "$HOME"/bin
note

Sometimes, you have to exit the CloudShell and reopen it for the Lacework CLI to be loaded in your $PATH.

Create Lacework API Key

The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys.

  1. Log in to the Lacework Console.
  2. Click Settings > Configuration > API keys.
  3. Click + Add New.
  4. Enter a name for the key and an optional description.
  5. Click Save.
  6. Click the ... icon and then Download to save the API key file locally.

The contents of your API key contain a keyId secret, subAccount, and account:

{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "myaccount",
  "account": "myaccount.lacework.net"
}

Configure the Lacework CLI

Use the lacework configure command in AWS CloudShell to configure the CLI with the API key downloaded from the previous step.

lacework configure
Account: example
Access Key ID: EXAMPLE_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************

You are all set!

The lacework configure command generates a file named .lacework.toml inside your home directory ($HOME/.lacework.toml) with a single profile named default.

Deployment Scenarios

Lacework Terraform modules for AWS support the following deployment scenarios:

Scenario 1 - Deploy New CloudTrail and Add Configuration Assessment

This scenario creates a new CloudTrail in an AWS account along with a cross-account IAM role to provide Lacework access to monitor CloudTrail, AWS resource configurations, and integrate the AWS account into Lacework.

Run the Lacework CLI in CloudShell

Inside your CloudShell, run the following Lacework CLI command:

lacework generate cloud-account aws       \
  --config --cloudtrail --noninteractive  \
  --aws_region YourAWSRegion --apply
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 2 - Integrate Existing CloudTrail and Add Configuration Assessment

In this scenario, Terraform configures a cross-account IAM role to provide Lacework access to monitor an existing CloudTrail. That same cross-account role also provides Lacework permissions to audit AWS resource configurations, and integrate the AWS account into Lacework. An SQS queue is created for Lacework, and you can optionally deploy an SNS topic for that SQS queue if one does not already exist.

About SNS Topics

AWS CloudTrail provides an option to create an SNS topic, which is required to integrate AWS environments with Lacework. The Lacework Terraform module for CloudTrail creates a new SNS topic by default. The SNS topic must be created in the same region as the existing CloudTrail, and it must be manually attached to the CloudTrail by logging in to the AWS console, going to CloudTrail, and then selecting the new SNS topic.

Run the Lacework CLI in CloudShell

Inside your CloudShell, run the following Lacework CLI command:

lacework generate cloud-account aws            \
  --config --cloudtrail --noninteractive       \
  --aws_region YourRegionOfExistingCloudTrail  \
  --existing_bucket_arn YourExistingBucketARN  \
  --apply
note

The command must be run in the account that owns the S3 bucket used with the CloudTrail.

If you have an SNS topic configured on the existing CloudTrail, specify it using the --existing_sns_topic_arn YourExistingTopicARN flag.

If you do not have an existing SNS topic configured on the existing CloudTrail, then the Terraform module automatically creates one, but you must manually attach the SNS topic to the existing CloudTrail.

note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.

Validate the Configuration

To confirm that the Cloud Account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AwsCfg for the Config integration, and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 3 - Deploy New Consolidated CloudTrail and Configuration Assessment

Lacework supports the integration of consolidated CloudTrail deployments where multiple sub accounts send CloudTrail logs to a main CloudTrail account.

This scenario enables an organization CloudTrail and a cross-account IAM role to give Lacework access to CloudTrail and integrates the AWS accounts into Lacework.

Run the Lacework CLI in CloudShell

Inside your CloudShell, run the following Lacework CLI command:

lacework generate cloud-account aws       \
  --config --cloudtrail --noninteractive  \
  --aws_region RegionOfYourMainAccount    \
  --consolidated_cloudtrail --apply       \
  --aws_subaccount SubAccount:RegionOfYourSubAccount
note

The AWS sub accounts names you provide should match with the profile names in your ~/.aws/credentials.

If you are integrating more sub accounts, you can integrate them by provide multiple --aws_subaccount flags.

For more information on organization level CloudTrail deployments, see AWS documentation

note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.

Validate the Configuration

To confirm that the Cloud Account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see at least two integrations (depending on how many --aws_subaccount flags you provided): one or more AwsCfg for the Config integration(s), and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 4 - Integrate Existing Consolidated CloudTrail and Configuration Assessment

Lacework supports the integration of consolidated CloudTrail deployments where multiple sub accounts send CloudTrail logs to a main CloudTrail account.

This scenario uses an existing consolidated CloudTrail, and deploys a cross-account IAM role to give Lacework access to CloudTrail and integrates the AWS accounts into Lacework. The cross-account role also provides Lacework access to assess cloud resource configurations.

Run the Lacework CLI in CloudShell

Inside your CloudShell, run the following Lacework CLI command:

lacework generate cloud-account aws            \
  --config --cloudtrail --noninteractive       \
  --aws_region RegionOfYourMainAccount         \
  --consolidated_cloudtrail --apply            \
  --existing_bucket_arn YourExistingBucketARN  \
  --aws_subaccount SubAccount:RegionOfYourSubAccount

If you have an SNS topic configured on the existing CloudTrail, specify it using the flag --existing_sns_topic_arn YourExistingTopicARN.

If you do not have an existing SNS topic configured on the existing CloudTrail, then the Terraform module automatically creates one, but you must manually attach the SNS topic to the existing CloudTrail.

For more information on organization-level CloudTrail deployments, see AWS documentation.

note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.

Validate the Configuration

To confirm that the Cloud Account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see at least two integrations (depending on how many --aws_subaccount flags you provided): one or more AwsCfg for the Config integration(s), and AwsCtSqs for the CloudTrail integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Scenario 5 - Configure Multiple AWS Accounts

This scenario configures multiple AWS accounts for cloud resource configuration compliance only. You must have a corresponding AWS credentials file with the respective profiles listed in the example. For example, if your credentials file includes a profile named development, then use that name in the --aws_subaccount flag in the command.

Run the Lacework CLI in CloudShell

Inside your CloudShell, run the following Lacework CLI command:

lacework generate cloud-account aws --config --apply     \
  --noninteractive --aws_region RegionOfYourMainAccount  \
  --aws_subaccount SubAccount1:RegionOfYourSubAccount1   \
  --aws_subaccount SubAccount2:RegionOfYourSubAccount2   \
  --aws_subaccount SubAccount3:RegionOfYourSubAccount3
  1. Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.
  2. Ensure you have your multiple account credentials in your ~/.aws/credentials file.
  3. Run the command above.
note

Lacework Terraform modules provide a number of inputs for customization. See the Terraform registry documentation for the complete list of inputs for each module.

Validate the Configuration

To confirm that the Cloud Account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see at as many AwsCfg integrations as flags (--aws_subaccount) you provided plus the main account.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Supplemental - For New or Existing CloudTrail with KMS Encrypted Buckets

Lacework supports reading from KMS-encrypted CloudTrail buckets by configuring the cross-account role to give Lacework access to the KMS key.

When the below inputs are added to your Terraform plan, your CloudTrail and S3 are configured to use the provided KMS key, and your cross-account role is updated to allow Lacework to read the KMS key.

InputDetails
bucket_sse_algorithmFor KMS, specify aws:kms
bucket_sse_key_arnSpecify the ARN of your KMS key. (Access to this key is granted to the Lacework IAM cross-account role.)

Example

module "aws_cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.0"

  ... More code here ...

  bucket_sse_algorithm    = "aws:kms"
  bucket_sse_key_arn      = "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
}