Users can choose to integrate Lacework with AWS during initial account setup or at any time thereafter using the Lacework UI. During account setup, Lacework will be configured for both CloudTrail analysis and Security Audit. Upon completion, a single CloudFormation stack will be added to your account.
If you have multiple accounts and you forward CloudTrail logs to a single S3 bucket, CloudTrail integration will be complete after account setup. If you use multiple buckets, you can use the Lacework UI to add accounts after account setup.
Lacework Security Audit requires that accounts be integrated individually. You can use the Lacework UI to add accounts after account setup.
During account setup, the option to integrate with AWS follows the option to add users.
1. Choose an Integration Method
During integration, Lacework will create a least privilege IAM role. To grant Lacework permission to create this role, you will need to log in to your AWS account as a user with administrator credentials [arn:aws:iam::aws:policy/AdministratorAccess]. You will not be able to complete the integration without the required credentials.
You will be given the option to either run or download the CloudFormation template. The download option is helpful if you need to distribute the template to different account owners. For initial setup, we recommend that you choose the ‘Run CloudFormation Template’ option.
1a) Option 1: [Click Here to Configure Directly in AWS CloudFormation] requires fewer steps and less user interaction. For this option, please disable your browser pop-up blocker.
1b) Option 2: [Download CloudFormation Template] requires more user interaction, but may be useful if you have multiple accounts with distributed ownership.
2. Click on the Chosen Integration Method
2a) Option 1: Click the [Run CloudFormation Template] button
You will be redirected to the AWS Create stack > Select Template page. Lacework populates the Specify an Amazon S3 template URL field for you.
- After reviewing the page, click the [Next] button.
2b) Option 2: Click the [Download CloudFormation Template] button
- Download the template locally
- Log in to your AWS account
- Select the CloudFormation service and click the [Create New Stack] button, which will bring you to the Create stack > Select Template page
- Upload the Lacework template and click the [Next] button
For more information on Selecting a Stack Template, please refer to the AWS Documentation library.
3. Specify Details
On the Create stack > Specify Details page, you can either create a new trail and S3 bucket or use an existing trail.
- First, create a Stack name or choose the default
3a) Option 1 - create a new trail and S3 bucket
If you plan to separately integrate multiple accounts, the Resource Name Prefix must be different for each account as S3 bucket names are globally unique.
- Resource name prefix should be pre-populated with your account name. It doesn't need to be changed unless:
  - you are creating a stack for each account, in which case it needs to be unique for each account as the S3 bucket namespace is global, or
  - you are creating multiple stacks, in which case it needs to be unique to avoid resource collision
- ExternalID is populated by Lacework, but you can change it if you follow a defined naming convention.
- Set Create a new trail? to 'Yes'
- A Log file prefix can be added if you want a specific S3 bucket path for your logs
- Bucket name and Topic ARN should be left blank
- Click the [Next] button
3b) Option 2 - use an existing trail
- Resource name prefix should be pre-populated with your account name
- ExternalID is populated by Lacework, but you can change it if you follow a defined naming convention.
- Set Create a new trail? to 'No'
- A Log file prefix is not applicable as you are not creating a new trail
- Enter the Bucket name associated with your existing trail
- Add the SNS Topic ARN of your existing trail into Topic ARN. If the trail does not already have an SNS topic, you will need to create one.
- Click the [Next] button
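The parameter rules in steps 3a and 3b, and the ExternalID that the created role's trust policy depends on, as an added pre-flight check in Python. This is example code, not part of Lacework's template or tooling: the parameter names (ResourceNamePrefix, ExternalID, CreateNewTrail, LogFilePrefix, BucketName, TopicArn), the `<prefix>-cloudtrail` bucket-naming scheme and the trusted account id are assumptions made for illustration.

```python
"""Pre-flight checks for the CloudFormation parameters described in step 3.

Added example, not Lacework's template or tooling. Parameter names, the
"<prefix>-cloudtrail" bucket-naming scheme and the trusted account id are
assumptions made for illustration.
"""
import re

# S3 bucket names: 3-63 chars, lowercase letters, digits, dots and hyphens,
# must start and end with a letter or digit, no consecutive dots.
S3_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
TOPIC_ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+$")


def derived_bucket_name(prefix: str) -> str:
    """Assumed scheme: the bucket created by the stack is named from the prefix."""
    return f"{prefix}-cloudtrail"


def validate_stack_params(params: dict) -> list:
    """Return a list of problems; an empty list means the parameters follow
    the rules in steps 3a (new trail) and 3b (existing trail)."""
    problems = []
    prefix = params.get("ResourceNamePrefix", "")
    if not prefix:
        problems.append("ResourceNamePrefix must not be empty")
    if not params.get("ExternalID"):
        problems.append("ExternalID must not be empty (it gates who may assume the role)")
    create = params.get("CreateNewTrail", "")
    if create == "Yes":
        name = derived_bucket_name(prefix)
        if not S3_BUCKET_RE.match(name) or ".." in name:
            problems.append(f"derived bucket name {name!r} violates S3 naming rules")
        if params.get("BucketName") or params.get("TopicArn"):
            problems.append("BucketName and TopicArn must be blank when creating a new trail")
    elif create == "No":
        if params.get("LogFilePrefix"):
            problems.append("LogFilePrefix is not applicable to an existing trail")
        if not params.get("BucketName"):
            problems.append("BucketName is required for an existing trail")
        if not TOPIC_ARN_RE.match(params.get("TopicArn", "")):
            problems.append("TopicArn must be the SNS topic ARN of the existing trail")
    else:
        problems.append("CreateNewTrail must be 'Yes' or 'No'")
    return problems


def check_prefixes_unique(stacks: list) -> list:
    """Across per-account stacks the prefix must differ: S3 bucket names are global."""
    seen, duplicates = set(), []
    for params in stacks:
        prefix = params.get("ResourceNamePrefix", "")
        if prefix in seen:
            duplicates.append(prefix)
        seen.add(prefix)
    return duplicates


def trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Shape of a cross-account trust policy that requires the ExternalID.
    The trusted account id is a placeholder; the real one comes from the template."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_requires_external_id(policy: dict) -> bool:
    """True only if every statement in the trust policy is gated on sts:ExternalId."""
    statements = policy.get("Statement", [])
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            return False
    return bool(statements)


if __name__ == "__main__":
    # Constructed sample parameters, one per option in step 3.
    new_trail = {"ResourceNamePrefix": "acme-prod", "ExternalID": "abc123",
                 "CreateNewTrail": "Yes", "LogFilePrefix": "", "BucketName": "", "TopicArn": ""}
    existing = {"ResourceNamePrefix": "acme-dev", "ExternalID": "abc123",
                "CreateNewTrail": "No", "LogFilePrefix": "", "BucketName": "acme-trail-logs",
                "TopicArn": "arn:aws:sns:us-east-1:123456789012:acme-trail"}
    for p in (new_trail, existing):
        print(p["CreateNewTrail"], validate_stack_params(p))
    print("duplicate prefixes:", check_prefixes_unique([new_trail, existing]))
    print("trust policy gated:", trust_policy_requires_external_id(trust_policy("111111111111", "abc123")))
```

Run the checks against each account's parameter set before clicking [Next]; a non-empty problem list or a duplicate prefix means the stack will either fail to create or collide with another account's bucket.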
If you are integrating an existing trail, you may be using server-side encryption. If using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), key management is local to S3, and therefore no changes are required. If you are using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS), key management requires access to the AWS KMS service, and therefore you will need to give the Lacework-created role the required permission. See this article for instructions on how to update the inline policy associated with the Lacework-created role. If you are manually integrating Lacework, you will need to grant this same permission.
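The SSE-KMS permission described above, as an added Python example of how narrowly the inline policy can be extended; this is not Lacework's policy or article, and the key ARN, region, bucket name and existing policy document are constructed placeholders. Reading SSE-KMS objects needs only kms:Decrypt on the one key, and the kms:ViaService condition limits that to calls S3 makes on the role's behalf; the checker flags any statement that instead grants KMS actions on every key.

```python
"""Scoped KMS permission for a role that reads SSE-KMS encrypted CloudTrail objects.

Added example, not Lacework's policy. The key ARN, region, bucket name and
existing inline policy are constructed placeholders.
"""
import copy
import json


def kms_decrypt_statement(key_arn: str, region: str) -> dict:
    """Minimal statement: decrypt with one key, and only when S3 calls KMS for us."""
    return {
        "Sid": "DecryptCloudTrailLogsViaS3",
        "Effect": "Allow",
        "Action": ["kms:Decrypt"],
        "Resource": key_arn,
        "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
    }


def add_kms_decrypt(policy: dict, key_arn: str, region: str) -> dict:
    """Return a copy of the inline policy with the scoped statement appended.
    Idempotent: re-running on an already updated policy adds nothing."""
    updated = copy.deepcopy(policy)
    statements = updated.setdefault("Statement", [])
    stmt = kms_decrypt_statement(key_arn, region)
    if stmt not in statements:
        statements.append(stmt)
    return updated


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad_kms_statements(policy: dict) -> list:
    """Sids (or positions) of Allow statements that grant KMS actions on Resource '*'."""
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        touches_kms = any(a == "*" or a.lower().startswith("kms:") for a in actions)
        if touches_kms and "*" in resources:
            flagged.append(stmt.get("Sid", f"statement[{i}]"))
    return flagged


if __name__ == "__main__":
    # Constructed stand-in for the role's existing inline policy.
    existing_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadTrailBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::acme-trail-logs/*",
        }],
    }
    key_arn = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
    updated = add_kms_decrypt(existing_policy, key_arn, "us-east-1")
    print(json.dumps(updated, indent=2))
    print("overbroad statements:", overbroad_kms_statements(updated))
```

The same checker is useful in the manual-integration case the note mentions: run it over the policy you are about to attach and reject anything it flags before the role is created.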
4. Options
You do not need to change any settings on the Create stack > Options page. Click the [Next] button.
5. Review
You should now be on the Create stack > Review page.
- Check I acknowledge that AWS CloudFormation might create IAM resources with custom names
- Click the [Create] button
6. CloudFormation page
After clicking [Create], you will be redirected back to the CloudFormation page. If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack status is CREATE_COMPLETE, integration of both CloudTrail and Config for a single account is complete. If you consolidate CloudTrail logs in one S3 bucket, no additional CloudTrail configuration is required.