Articles in this section

Initial Setup of AWS CloudTrail & Config Integration

Follow the procedure in this section to configure both of the following integrations:

  • Configure an AWS CloudTrail integration to analyze CloudTrail activity for monitoring cloud account security.
  • Configure an AWS Config integration to analyze AWS configuration compliance.

To just configure an AWS Config integration to analyze AWS configuration compliance, follow the procedure provided in Initial Setup of AWS Config Integration.

You can choose to integrate Lacework with AWS during the initial Lacework account setup or at any time thereafter using the Lacework Console. During the account setup, Lacework is configured for both CloudTrail analysis and Security Audit. Upon completion, a single CloudFormation stack is added to your account.

If you have multiple accounts and you forward CloudTrail logs to a single S3 bucket, CloudTrail integration completes after the account setup. If you use multiple buckets, you can use the Lacework Console to add accounts after the account setup.

To analyze CloudTrail activity for monitoring cloud account security, Lacework requires that accounts be integrated individually. You can use the Lacework Console to add accounts after the account setup.

During the account setup, the option to integrate with AWS follows the option to add users.

NOTE: AWS S3 object-level APIs are excluded from CloudTrail analysis.

1. Choose an Integration Method

During integration, Lacework creates the least privilege IAM role. To grant Lacework permission to create this role, you must log in to your AWS account as a user with administrator credentials [arn:aws:iam::aws:policy/AdministratorAccess]. You cannot complete the integration without the required credentials.

To create a CloudTrail Integration, navigate to Settings > Cloud Accounts and click + Create New. From the Cloud Account drop-down, select AWS. From the Type drop-down, select CloudTrail+Config and click Next. Enter a name for the integration and click Next. Manually enter your CloudTrail configuration information or use a Lacework Cloud Formation template.

You are given the option to either run or download the CloudFormation template. The download option is helpful if you need to distribute the template to different account owners. For the initial setup, Lacework recommends the Run CloudFormation Template option.

1a) Option 1: The Run Cloud Formation Template option requires fewer steps and less user interaction. For this option, please disable your browser pop-up blocker.

1b) Option 2: The Download Cloud Formation Template requires more user interaction but may be useful if you have multiple accounts with distributed ownership.

2. Click the Chosen Integration Method

a) Option 1: Click Run Cloud Formation Template.

You are redirected to the AWS Create stack > Select Template page. The Lacework script populates the Specify an Amazon S3 template URL for you. After reviewing the page, click Next.

b) Option 2: Click Download CloudFormation Template.

  1. Download the template locally.
  2. Log in to your AWS account.
  3. Select the CloudFormation service and click Create New Stack. The Create stack > Select Template page displays.
  4. Upload the Lacework template and click Next.

For more information on Selecting a Stack Template, please refer to the AWS Documentation library.

3. Specify Details

On the Create stack > Specify Details page, you can either create a new trail and S3 bucket or use an existing trail. First, create a Stack name or choose the default.

a) Option 1 - create a new trail and S3 bucket

If you plan to integrate multiple accounts separately, the Resource Name Prefix must be different for each account because S3 bucket names are globally unique.

  1. Resource name prefix should be pre-populated with your account name. It doesn't need to change unless:
    1. You are creating a stack for each account in which case it needs to be unique for each account as the S3 bucket namespace is global, or
    2. You are creating multiple stacks in which case it must be unique to avoid resource collision
  2. ExternalID is populated by Lacework. It is not editable if you used the Run Cloud Formation Template option in the Lacework Console.
  3. Set Create a new trail? to Yes.
  4. A Log file prefix can be added if you want a specific S3 bucket path for your logs.
  5. Bucket name and Topic ARN should be left blank.
  6. Click Next. NewTrail.png

b) Option 2 - use an existing trail

  1. Resource name prefix should be pre-populated with your account name.
  2. ExternalID is populated by Lacework. It is not editable if you used the Run Cloud Formation Template option in the Lacework Console.
  3. Set Create a new trail? to No.
  4. A Log file prefix is not applicable as you are not creating a new trail.
  5. Enter the Bucket name associated with your existing trail.
  6. Add the SNS Topic ARN of your existing trail into Topic ARN. If the trail does not already have an SNS topic, you will need to create one.
  7. Click Next. ExistingTrail.png

NOTE: If you are integrating an existing trail, you may be using server-side encryption. If using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), key management is local to S3, and therefore no changes are required. If you are using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS), key management requires access to the AWS KMS service, and therefore you must give the Lacework-created role the required permission. See this article for instructions on how to update the inline policy associated with the Lacework created role. If you are manually integrating Lacework, you must grant this same permission.

4. Options

The Create stack > Options page displays. No changes need to be made to this page. Click Next.

5. Review

The Create stack > Review page displays.

  1. Check I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  2. Click Create.

6. CloudFormation page

After clicking Create, you will be redirected back to the CloudFormation page. If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack is CREATE-COMPLETE, integration of both CloudTrail and Config for a single account is complete. If you consolidate CloudTrail logs in one S3 bucket, no additional CloudTrail configuration is required.