Lacework Security Audit is available for multiple accounts. During the initial setup, a single account will be added to the Security Audit. Subsequent accounts can be added directly from the Lacework Console.
During integration, Lacework creates an IAM role with least privilege. To grant Lacework permission to create this role, you must log in to your AWS account as a user with administrator credentials [arn:aws:iam::aws:policy/AdministratorAccess]. You cannot complete the integration without the required credentials.
1. Add an Account
Select Integrations > AWS Security Audit from the Lacework Console and click + Add Integration.
2. Choose an Integration Method
You are given the option to either run or download the CloudFormation template. The download option is helpful if you need to distribute the template to different account owners. For the initial setup, we recommend that you choose the Run CloudFormation Template option.
a) Option 1: The Click Here to Configure Directly in AWS CloudFormation option requires fewer steps and less user interaction. For this option, please disable your browser pop-up blocker.
b) Option 2: The Download CloudFormation Template option requires more user interaction, but may be useful if you have multiple accounts with distributed ownership.
3. Click on the Chosen Integration Method
a) Option 1: Click Run CloudFormation Template.
You are redirected to the AWS Create stack > Select Template page. The Lacework script populates the Specify an Amazon S3 template URL field for you.
After reviewing the page, click Next.
b) Option 2: Click Download CloudFormation Template.
- Download the template locally
- Log in to your AWS account
- Select the CloudFormation service and click Create New Stack, which brings you to the Create stack > Select Template page.
- Upload the Lacework template and click Next.
For more information on Selecting a Stack Template, please refer to the AWS Documentation library.
4. Specify Details on the Create Stack - Specify Details page.
- Create a Stack name [for example, Lacework-AWS-Config] or use the default.
- Resource name prefix is populated with the account name of the first account configured to use Lacework for AWS Config if the direct configuration method was chosen. When adding accounts, you can keep this prefix or enter a different prefix to ensure account uniqueness. If you chose to upload the template during initial installation, Resource name prefix will be empty. Enter a prefix such as an account name.
- Lacework populates ExternalID; you can change it if you follow a defined naming policy.
After completing the above steps, click Next.
5. No changes are required on the Create stack - Options page. Click Next.
6. On the Create stack - Review page, complete the following steps:
- Check I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Create.
7. CloudFormation page
After clicking Create, you are redirected back to the CloudFormation page. If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack is CREATE_COMPLETE, Security Audit integration for a single account is complete.
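Once the stack is complete, a reviewer will usually want to confirm that the cross-account role the template created only trusts the expected account and requires the ExternalID from step 4. The following is an added example, not Lacework's template or tooling: it checks a role trust policy document (as returned by `aws iam get-role`) for those two properties, using a constructed sample policy with placeholder account ID and ExternalId.

```python
import json

# Constructed sample trust policy in the shape a cross-account integration role
# typically has. NOT Lacework's template: account ID and ExternalId are placeholders.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_account, expected_external_id):
    """Return findings for a trust policy (empty list = passes): every Allow statement
    granting sts:AssumeRole must name only expected_account and require expected_external_id."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in aws_principals:
            # Accept a bare account ID or any ARN in that account; reject "*" and other accounts.
            if not (p == expected_account or f":{expected_account}:" in p):
                findings.append(f"statement {idx}: principal {p!r} is not account {expected_account}")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append(f"statement {idx}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext_ids != [expected_external_id]:
            findings.append(f"statement {idx}: ExternalId {ext_ids} does not match the expected value")
    return findings


if __name__ == "__main__":
    result = check_trust_policy(SAMPLE_TRUST_POLICY, "111111111111", "example-external-id")
    print("\n".join(result) if result else "trust policy OK")
```

Feed it the `AssumeRolePolicyDocument` of the role the stack created, the account ID the integration is supposed to trust, and the ExternalID you entered on the Specify Details page.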