Lacework Security Audit is available for multiple accounts. During initial setup, a single account will be added to Security Audit. Subsequent accounts can be added directly from the Lacework UI.
During integration, Lacework will create a least privilege IAM role. To grant Lacework permission to create this role, you will need to log in to your AWS account as a user with administrator credentials [arn:aws:iam::aws:policy/AdministratorAccess]. You will not be able to complete the integration without the required credentials.
1. To add an Account
Select Integrations > AWS Security Audit from the UI and click the [+ Add Integration] button.
2. Choose an Integration Method
You will be given the option to either run or download the CloudFormation template. The download option is helpful if you need to distribute the template to different account owners. For initial setup, we recommend that you choose the ‘Run CloudFormation Template’ option.
a) Option 1: [Click Here to Configure Directly in AWS CloudFormation] requires fewer steps and less user interaction. For this option, please disable your browser pop-up blocker.
b) Option 2: [Download CloudFormation Template] requires more user interaction, but may be useful if you have multiple accounts with distributed ownership.
3. Click on the Chosen Integration Method
a) Option 1: Click the [Run CloudFormation template] button
You will be redirected to the AWS Create stack > Select Template page. The Lacework script populates the "Specify an Amazon S3 template URL" field for you.
- After reviewing the page, click the [Next] button.
b) Option 2: Click the [Download CloudFormation Template] button
- Download the template locally
- Log in to your AWS account
- Select the CloudFormation service and click the [Create New Stack] button, which will bring you to the Create stack > Select Template page
- Upload the Lacework template and click the [Next] button
For more information on Selecting a Stack Template, please refer to the AWS Documentation library.
4. Specify Details
You should now be on the Create Stack - Specify Details page.
- Create a Stack name [for example, Lacework-AWS-Config] or use the default.
- If the direct configuration method was chosen, Resource name prefix is populated with the account name of the first account configured to use Lacework for AWS Config. When adding further accounts, you can keep this prefix or enter a different one to ensure account uniqueness. If you chose to upload the template during initial installation, Resource name prefix will be empty; enter a prefix such as the account name.
- Lacework populates the ExternalID, but it can be changed if you follow a defined naming policy.
After completing the above, click the [Next] button.
5. Options
You should now be on the Create stack - Options page, which requires no changes. Click the [Next] button.
6. Review
You should now be on the Create stack - Review page.
- Check "I acknowledge that AWS CloudFormation might create IAM resources with custom names."
- Click the [Create] button.
7. CloudFormation page
After clicking [Create], you will be redirected back to the CloudFormation page. If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack status is CREATE_COMPLETE, Security Audit integration for a single account is complete.
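As an added example (not Lacework's template or code), a small Python check to run over a downloaded CloudFormation template before creating the stack: it confirms that every IAM role's AssumeRole trust is pinned to the ExternalID and that no inline policy grants wildcard actions. The embedded template is a constructed, cut-down stand-in with a placeholder principal account id, not the real Lacework template; `audit_roles` and `weak_variant` are hypothetical helper names.

```python
import copy

# Constructed, cut-down template standing in for the Lacework one; the account id is a placeholder.
TEMPLATE = {
    "Parameters": {"ExternalID": {"Type": "String"}},
    "Resources": {
        "LaceworkAuditRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalID"}}},
                    }],
                },
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"],
            },
        }
    },
}

def _as_list(v): return v if isinstance(v, list) else [v]

def audit_roles(template):
    """Return findings for every AWS::IAM::Role; an empty list means both checks passed."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        # Check 1: every Allow sts:AssumeRole statement must be pinned with sts:ExternalId.
        for stmt in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
            if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
                continue
            if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
                findings.append(f"{name}: AssumeRole trust has no sts:ExternalId condition")
        # Check 2: inline policies must not grant wildcard actions (not least privilege).
        for pol in props.get("Policies", []):
            for stmt in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                acts = _as_list(stmt.get("Action", []))
                if stmt.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in acts):
                    findings.append(f"{name}: inline policy {pol.get('PolicyName')} grants {acts}")
    return findings

def weak_variant(template):
    """Deep copy with the ExternalId condition removed, to show what check 1 catches."""
    t = copy.deepcopy(template)
    t["Resources"]["LaceworkAuditRole"]["Properties"]["AssumeRolePolicyDocument"]["Statement"][0].pop("Condition")
    return t
```

To check a real downloaded template, load it with `json.load` (or a YAML loader for YAML templates) and pass the resulting dict to `audit_roles`.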