Configure Access to Tags in AWS

For the Lacework Windows agent to retrieve externally created tags, the AWS EC2 instance must have permission to call ec2:DescribeTags. Note that granting this permission enables discovery of any external cloud tags, not just the custom agent tags for Lacework.

To provide the necessary permission, complete the following steps:

  1. Log in to the AWS Identity and Access Management (IAM) service.
  2. Select Policies.
  3. Click Create policy.
  4. Select the JSON tab and replace the displayed policy with the following text.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:DescribeTags",
          "Resource": "*"
        }
      ]
    }
    Replace the date specified for the Version key if required.
  5. Click Next: Tags.
  6. Click Next: Review.
  7. Enter a policy name and description.
  8. Click Create policy.

After creating the policy, associate it with an IAM role that can be attached to EC2 instances:

  1. Log in to the IAM service.
  2. Select Roles.
  3. Click Create role.
  4. Select AWS service as the trusted entity type and EC2 as the use case.
  5. Click Next.
  6. Search for your newly created policy, select it, and click Next.
  7. Enter a role name, update the description if you want, and click Create role.

After creating the policy and role, navigate to the EC2 service and select the instance for which you want to retrieve the external tags.

Under Actions > Security > Modify IAM role, select the IAM role you created and click Update IAM role. The next time the Lacework agent forwards data, you will see the external tags in the Lacework Console.
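The same policy, role and instance attachment can be scripted with the AWS CLI. This is an added example, not Lacework's or AWS's own code; the policy and role names, and the instance id passed as the argument, are assumptions to replace with your own. It also creates the instance profile that the console creates for you implicitly, and checks that the policy document was not widened beyond ec2:DescribeTags before creating it.

```shell
#!/bin/sh
# Added example (not Lacework's code): the console steps above done with the AWS CLI.
# POLICY_NAME, ROLE_NAME and the instance id are assumptions; change them to suit.
set -eu
POLICY_NAME="${POLICY_NAME:-LaceworkAgentDescribeTags}"
ROLE_NAME="${ROLE_NAME:-LaceworkAgentTagReader}"

# The policy from the page: ec2:DescribeTags and nothing else.
tag_read_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": "ec2:DescribeTags", "Resource": "*" } ] }
EOF
}

# Trust policy equivalent to choosing "AWS service" / "EC2" as the trusted entity.
ec2_trust_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" },
                   "Action": "sts:AssumeRole" } ] }
EOF
}

# Guard against a copy-paste that widens the grant ("*", "ec2:*", "ec2:Describe*").
policy_is_minimal() {
  ! printf '%s' "$1" | grep -Eq '"Action"[[:space:]]*:[[:space:]]*"(\*|ec2:\*|ec2:Describe\*)"'
}
# Create policy, role and instance profile, then attach the profile to one instance.
attach_tag_reader_role() {
  instance_id="$1"
  policy_is_minimal "$(tag_read_policy)"
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(tag_read_policy)" --query Policy.Arn --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
    --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --instance-id "$instance_id" \
    --iam-instance-profile Name="$ROLE_NAME"
  # Show the tags the agent will now be able to read for this instance.
  aws ec2 describe-tags --filters "Name=resource-id,Values=$instance_id" --output table
}

# Usage: sh this_script.sh i-0123456789abcdef0   (placeholder instance id)
if [ "${1:-}" ]; then attach_tag_reader_role "$1"; fi
```

The describe-tags call at the end lists exactly what the agent will see, so a missing tag there is a tagging problem rather than a permission problem.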

In addition to importing AWS tags, you can add local tags to agents. For details, see Add Custom Agent Tags.