You can choose to integrate Lacework with AWS during initial account setup or at any time thereafter using the Lacework Console. During account setup, Lacework will be configured for both CloudTrail analysis and Security Audit. Upon completion, a single CloudFormation stack will be added to your account.
If you have multiple accounts and you forward CloudTrail logs to a single S3 bucket, CloudTrail integration will be complete after account setup. If you use multiple buckets, you can use the Lacework Console to add accounts after account setup.
Lacework Security Audit requires that accounts be integrated individually. You can use the Lacework Console to add accounts after account setup.
During account setup, the option to integrate with AWS follows the option to add users.
1. Choose an Integration Method
During integration, the CloudFormation stack creates a least-privilege IAM role that Lacework assumes. Because the stack creates IAM resources, you must run it while logged in to the AWS account as a user with administrator permissions (for example, the managed policy arn:aws:iam::aws:policy/AdministratorAccess). You cannot complete the integration without these permissions.
You are given the option to either run or download the CloudFormation template. The download option is helpful if you need to distribute the template to different account owners. For the initial setup, Lacework recommends the Run CloudFormation Template option.
1a) Option 1: Click Here to Configure Directly in AWS CloudFormation (Run CloudFormation Template) requires fewer steps and less user interaction. For this option, disable your browser's pop-up blocker first.
1b) Option 2: Download CloudFormation Template requires more user interaction but is useful if you have multiple accounts with distributed ownership.
2. Click on the Chosen Integration Method
2a) Option 1: Click Run CloudFormation template.
You are redirected to the AWS Create stack > Select Template page. Lacework pre-populates the Specify an Amazon S3 template URL field for you.
- After reviewing the page, click Next.
2b) Option 2: Click Download CloudFormation Template.
- Download the template locally.
- Log in to your AWS account.
- Select the CloudFormation service and click Create New Stack. The Create stack > Select Template page displays.
- Upload the Lacework template and click Next.
For more information on Selecting a Stack Template, please refer to the AWS Documentation library.
3. Specify Details
On the Create stack > Specify Details page, you can either create a new trail and S3 bucket or use an existing trail.
- First, create a Stack name or choose the default.
3a) Option 1 - create a new trail and S3 bucket
- Resource name prefix is pre-populated with your account name. The prefix is used to name the S3 bucket, and S3 bucket names are globally unique, so change it only if:
- you are creating a stack in each of several accounts, in which case the prefix must be unique per account, or
- you are creating more than one stack in the same account, in which case the prefix must be unique per stack to avoid resource name collisions.
- ExternalID is populated by Lacework. It is the external ID Lacework must present when it assumes the role; keep the populated value unless your organization has a defined naming convention for external IDs.
- Set Create a new trail? to Yes.
- A Log file prefix can be added if you want a specific S3 bucket path for your logs.
- Bucket name and Topic ARN should be left blank.
- Click Next.
3b) Option 2 - use an existing trail
- Resource name prefix is pre-populated with your account name.
- ExternalID is populated by Lacework. It is the external ID Lacework must present when it assumes the role; keep the populated value unless your organization has a defined naming convention for external IDs.
- Set Create a new trail? to No.
- Log file prefix is not applicable, because you are not creating a new trail.
- Enter the Bucket name that your existing trail delivers logs to.
- Add the SNS Topic ARN of your existing trail into Topic ARN. If the trail does not already publish notifications to an SNS topic, create a topic and configure the trail to use it first.
- Click Next.
Note: If you are integrating an existing trail, its bucket may use server-side encryption. With Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), key management is internal to S3 and no changes are required. With Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS), reading the log files requires access to the KMS key, so you must grant the Lacework-created role permission to decrypt with that key (kms:Decrypt), and the key's own key policy must allow the role to use it. See the Lacework article on updating the inline policy attached to the Lacework-created role for instructions. If you integrate Lacework manually, you must grant this same permission.
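The existing-trail checks in step 3b (bucket name, SNS topic, SSE-KMS) can be done from captured CLI output before you touch the CloudFormation form. The following is an added example, not Lacework's code: it reads the JSON that `aws cloudtrail get-trail` and `aws s3api get-bucket-encryption` return, reports what the form needs, and builds a minimal kms:Decrypt statement for the role's inline policy. The sample trail, bucket and key ARNs are constructed, and kms:Decrypt is the minimum a role needs to read SSE-KMS objects; the exact statement Lacework's article prescribes is not on this page.

```python
"""Pre-flight for integrating an EXISTING CloudTrail trail (step 3b).

Added example, not Lacework's own code. Works offline on the JSON returned by
`aws cloudtrail get-trail --name <trail>` and
`aws s3api get-bucket-encryption --bucket <bucket>`.
All identifiers in the sample documents below are constructed.
"""
import json
from typing import Optional

KMS_ALGORITHM = "aws:kms"  # SSE-KMS as reported by get-bucket-encryption


def trail_preflight(trail_resp: dict, bucket_enc: Optional[dict]) -> dict:
    """Return the form values for an existing trail plus the KMS keys the
    Lacework role must be able to decrypt with.

    bucket_enc is None when the bucket has no default encryption configured.
    """
    trail = trail_resp["Trail"]
    kms_keys = []

    # CloudTrail can SSE-KMS-encrypt the log files it writes. That key is
    # reported on the trail itself, independently of the bucket's default
    # encryption, and the role needs decrypt rights on it too.
    if trail.get("KmsKeyId"):
        kms_keys.append(trail["KmsKeyId"])

    # Bucket default encryption: SSE-S3 (AES256) needs nothing extra;
    # SSE-KMS needs kms:Decrypt on the key.
    rules = (bucket_enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == KMS_ALGORITHM:
            # No explicit key means the AWS managed key aws/s3, whose key policy
            # cannot be edited, so a role assumed from another account cannot
            # be granted decrypt on it. Flag it so the reader sees the problem.
            kms_keys.append(default.get("KMSMasterKeyID") or "aws/s3 (AWS managed key, not usable cross-account)")

    topic_arn = trail.get("SnsTopicARN")
    return {
        "bucket_name": trail["S3BucketName"],
        "topic_arn": topic_arn,               # None means: create a topic first
        "needs_sns_topic": topic_arn is None,
        "kms_key_ids": sorted(set(kms_keys)),
        "needs_kms_permission": bool(kms_keys),
    }


def kms_decrypt_statement(key_ids: list) -> dict:
    """Minimal IAM statement for the role's inline policy when SSE-KMS is used.
    Only real key ARNs are included; the Resource list is scoped to them rather
    than to "*". (Assumption: Lacework's article may require more than this.)"""
    return {
        "Sid": "LaceworkDecryptCloudTrailLogs",
        "Effect": "Allow",
        "Action": ["kms:Decrypt"],
        "Resource": [k for k in key_ids if k.startswith("arn:aws:kms:")],
    }


# Constructed sample: a multi-region trail with no SNS topic, encrypting with a
# customer managed key that is also the bucket's default SSE-KMS key.
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
SAMPLE_TRAIL = {
    "Trail": {
        "Name": "org-trail",
        "S3BucketName": "example-org-cloudtrail-logs",
        "S3KeyPrefix": "AWSLogs",
        "IsMultiRegionTrail": True,
        "KmsKeyId": SAMPLE_KEY,
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
    }
}
SAMPLE_BUCKET_ENC = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": SAMPLE_KEY}}]
    }
}

if __name__ == "__main__":
    result = trail_preflight(SAMPLE_TRAIL, SAMPLE_BUCKET_ENC)
    print(json.dumps(result, indent=2))
    if result["needs_kms_permission"]:
        print(json.dumps(kms_decrypt_statement(result["kms_key_ids"]), indent=2))
```

For the sample trail the output says to create an SNS topic before filling in Topic ARN, and that the role needs kms:Decrypt on one key. Remember that the key policy on that key is authoritative: if it does not delegate to IAM (the default "Enable IAM User Permissions" statement), the Lacework role must also be added to the key policy.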
4. Options
The Create stack > Options page displays. No changes need to be made on this page. Click Next.
5. Review
The Create stack > Review page displays.
- Check I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Create.
6. CloudFormation page
After clicking Create, you are redirected back to the CloudFormation page. If you do not see your new stack in the table, refresh the page. Select your stack and open its Events tab to follow the creation log. When the stack status is CREATE_COMPLETE, integration of both CloudTrail and Config (Security Audit) for that single account is complete. If you consolidate CloudTrail logs from all accounts in one S3 bucket, no additional CloudTrail configuration is required.
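Once the stack is CREATE_COMPLETE, the property worth verifying is the trust policy of the role it created: the principal should be exactly the account Lacework told you to trust, and sts:AssumeRole should be gated on the ExternalID you entered in step 3, which is what protects a cross-account role from the confused-deputy problem. The following added example (not Lacework's code) checks the document that `aws iam get-role --role-name <name>` returns under Role.AssumeRolePolicyDocument. The role name, the external ID and the account ID 444455556666 are placeholders; substitute the values from your stack and from Lacework.

```python
"""Post-deployment check of the role's trust policy (step 6).

Added example, not Lacework's code. Input is the AssumeRolePolicyDocument
from `aws iam get-role` (the CLI already URL-decodes it). The sample policy
and every account ID below are constructed placeholders.
"""


def _as_list(value):
    """IAM allows a string or a list in most positions; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_expected_principal(principal: str, account: str) -> bool:
    # IAM stores a bare account ID as arn:aws:iam::<account>:root; a role or
    # user ARN in the trusted account is also acceptable.
    return principal == account or principal.startswith(f"arn:aws:iam::{account}:")


def check_trust_policy(doc: dict, expected_external_id: str, expected_principal_account: str) -> list:
    """Return a list of findings. An empty list means the trust policy is as expected:
    only the expected account can assume the role, and only with the right ExternalID."""
    findings = []
    statements = _as_list(doc.get("Statement"))  # a single statement may be a bare object

    assume_stmts = [
        s for s in statements
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not assume_stmts:
        return ["no Allow statement for sts:AssumeRole"]

    for s in assume_stmts:
        principal = s.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume this role")
            elif not _is_expected_principal(p, expected_principal_account):
                findings.append(f"unexpected principal {p!r}")

        external_ids = _as_list(s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not external_ids:
            findings.append("missing sts:ExternalId condition (confused-deputy exposure)")
        elif external_ids != [expected_external_id]:
            findings.append(f"sts:ExternalId {external_ids} does not match the value entered in the stack")
    return findings


# Constructed sample of what a correctly created cross-account role looks like.
# 444455556666 stands in for the account Lacework instructs you to trust.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "lacework-example-ext-id"}},
    }],
}

if __name__ == "__main__":
    problems = check_trust_policy(SAMPLE_TRUST_POLICY, "lacework-example-ext-id", "444455556666")
    print("trust policy OK" if not problems else "\n".join(problems))
```

Run it against `aws iam get-role` output with the ExternalID you typed in step 3; a non-empty list means the role either trusts more than the vendor account or can be assumed without the external ID, and the stack should be corrected before Lacework is allowed to use it.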