Users can choose to configure Lacework for AWS CloudTrail during initial setup or at any time using the Lacework UI. During initial setup, the option to configure Lacework for AWS CloudTrail follows the option to add users. From the UI, users can navigate to Integrations > AWS CloudTrail.
Using either method, you will land on the same AWS CloudTrail page.
1. To Start
To configure Lacework for CloudTrail, click the [+ Add Integration] button.
2. Choose an Integration Method
To be able to analyze CloudTrail events, Lacework will create a least privilege IAM role. To grant Lacework permission to create this role, you will need to log in to your AWS account as a user with administrator credentials. The integration will fail if you do not have the required credentials.
As administrator, you have two options to configure Lacework for AWS CloudTrail: using a Lacework script, or manually uploading the Lacework template.
Option 1: [Click Here to Configure Directly in AWS CloudTrail] requires fewer steps and less user interaction. For this option, please disable your browser pop-up blocker.
Option 2: [Download CloudTrail Template] requires more user interaction.
After the required changes have been made to your AWS account, you will need to return to the Lacework UI to complete the installation process using the following values from the AWS CloudFormation stack.
- External ID: the shared secret
- Role ARN: the Lacework IAM role
- Queue URL: the SQS URL
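As an added illustration of why the External ID is one of the values the stack hands back (this is example code written for this page, not part of the Lacework template or its IAM role), the snippet below builds the kind of cross-account trust policy used for an integration role: one external account may call sts:AssumeRole, and only when it presents the shared External ID, which stops a third party who learns only the role ARN from having the role assumed on their behalf. It places the same grant with the condition dropped beside it, and a small audit function that flags the weak form. The account ID and External ID values are constructed placeholders.

```python
import json

# Constructed placeholder values, not a real Lacework account or shared secret.
# Replace them with the External ID from your CloudFormation stack and the
# account ID named in the Lacework template.
TRUSTED_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id-0123"


def trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy for the integration role: one external account may call
    sts:AssumeRole, and only when it presents the shared External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def weak_trust_policy(trusted_account: str) -> dict:
    """Same grant without the External ID condition. Anyone who can get the
    trusted account to assume roles for them could then read your CloudTrail
    data: the confused-deputy problem the External ID exists to prevent."""
    policy = trust_policy(trusted_account, "unused")
    del policy["Statement"][0]["Condition"]
    return policy


def audit_trust_policy(policy: dict) -> list[str]:
    """Return findings for Allow statements granting sts:AssumeRole that lack
    an External ID condition or that trust every AWS principal."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append(f"statement {i}: any AWS principal may assume this role")
        condition = stmt.get("Condition", {})
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(
                f"statement {i}: no sts:ExternalId condition on cross-account AssumeRole"
            )
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    for line in audit_trust_policy(weak_trust_policy(TRUSTED_ACCOUNT_ID)):
        print("finding:", line)
```

Running the audit over the role's trust policy after the stack is created (the policy document is visible on the role's Trust relationships tab in the IAM console) is a quick way to confirm the External ID shown on the Outputs tab is actually enforced.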
3. Click on the Chosen Integration Method
3a) Option 1: Click [Click Here to Configure Directly in AWS CloudTrail] button
You will be redirected to the AWS Create stack > Select Template page. The Lacework script populates the Specify an Amazon S3 template URL field for you.
- After reviewing the page, click the [Next] button.
3b) Option 2: Click the [Download CloudTrail Template] button
- Download the template locally
- Log in to your AWS account
- Select the CloudFormation service and click the [Create New Stack] button, which will bring you to the Create stack > Select Template page
- Upload the Lacework template and click the [Next] button
For more information on Selecting a Stack Template, please refer to the AWS Documentation library.
4. Specify Details
On the Create stack > Specify Details page, you can either create a new trail and S3 bucket or use an existing trail.
- First, create a Stack name or choose the default
Option 1 - create a new trail and S3 bucket
If you plan to separately integrate multiple accounts, the Resource Name Prefix must be different for each account as S3 bucket names are globally unique. See Multiple Account Options.
- Resource name prefix should be pre-populated with your account name. It doesn't need to be changed unless:
- you are creating a stack for each account in which case it needs to be unique for each account as the S3 bucket namespace is global, or
- you are creating multiple stacks in which case it needs to be unique to avoid resource collision
- ExternalID is populated by Lacework, but you can change it if you follow a defined framework
- Set Create a new trail? to 'Yes'
- A Log file prefix can be added if you want a specific S3 bucket path for your logs
- Bucket name and Topic ARN should be left blank
- Click the [Next] button
Option 2 - use an existing trail
- Resource name prefix should be pre-populated with your account name
- ExternalID is populated by Lacework, but you can change it if you follow a defined framework.
- Set Create a new trail? to 'No'
- A Log file prefix is not applicable as you are not creating a new trail
- Enter the Bucket name associated with your existing trail
- Add the SNS Topic ARN of your existing trail into Topic ARN. If the trail does not already have an SNS topic, you will need to create one.
- Click the [Next] button
Multiple Account Options
If you would like to send CloudTrail events from multiple accounts to Lacework, you have several options:
Separately integrate each account
Each account can be integrated separately following the procedures described under Specify Details (Option 1 - create a new trail and S3 bucket, or Option 2 - use an existing trail). If you choose to create trails and buckets (Option 1), a different resource name prefix is required for each account as the created S3 bucket name must be unique. If you have existing trails, you may already consolidate logs. If you do, you only need to integrate with the account in which the S3 bucket resides, as described below.
Use an existing S3 bucket which receives CloudTrail logs from multiple accounts
If you already consolidate CloudTrail logs into one S3 bucket, you can follow the procedure described in Option 2 - use an existing trail. You will create the stack in the account which owns the S3 bucket.
- The S3 bucket must have a policy that allows CloudTrail to store logs from multiple accounts, which it should already, since logs from multiple accounts are being received.
- The SNS topic must have a policy that allows CloudTrail to publish to it. If it does not already exist, you may have to create the SNS Topic and policy, and all the trails in the accounts to be monitored must be configured to use the SNS Topic.
Create an S3 bucket which receives CloudTrail logs from multiple accounts
If you have not enabled CloudTrail across your accounts and are doing so for the first time, you may want to consolidate all of your CloudTrail logs into a single S3 bucket residing in one of your accounts and create the stack in this account. One approach is as follows:
- Follow the procedure described in Option 1 - create a new trail and S3 bucket to create a trail and S3 bucket in what we will call the primary account.
- Update the S3 bucket policy to accept logs from your other accounts. Please refer to AWS Setting Bucket Policy for Multiple Accounts.
- Although the created SNS Topic policy should work, you may want to review it and ensure that it allows CloudTrail to publish to it.
- Create a trail in each account that you want to integrate, configure it to use the S3 bucket in the primary account, and point it to the SNS Topic of the primary account
With all trails publishing to the same topic, the SQS queue will receive notifications for CloudTrail events across accounts.
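As an added worked example (not part of the Lacework template or of the AWS documentation the steps above link to), the following builds the two policies the consolidation steps refer to: a bucket policy on the primary account's S3 bucket that accepts CloudTrail log writes from a listed set of member accounts, an SNS topic policy that allows CloudTrail to publish to the topic, and a helper that reads back which accounts a bucket policy admits, so you can confirm a newly added account is covered and that the policy has not drifted to a wildcard. Account IDs, bucket name and topic ARN are constructed placeholders.

```python
import re

# Constructed placeholders: the primary account that owns the bucket and two
# member accounts whose trails will write into it. Not real account IDs.
PRIMARY_ACCOUNT = "111111111111"
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]
BUCKET = "example-org-cloudtrail-logs"  # hypothetical bucket name
TOPIC_ARN = f"arn:aws:sns:us-east-1:{PRIMARY_ACCOUNT}:example-cloudtrail-topic"  # hypothetical


def bucket_policy(bucket: str, account_ids: list[str], log_prefix: str = "") -> dict:
    """S3 bucket policy that lets CloudTrail check the bucket ACL and write log
    objects, but only under AWSLogs/<account-id>/ for the accounts listed and
    only with bucket-owner-full-control, so the primary account owns every object."""
    prefix = f"{log_prefix.strip('/')}/" if log_prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [
                    f"arn:aws:s3:::{bucket}/{prefix}AWSLogs/{acct}/*" for acct in account_ids
                ],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def topic_policy(topic_arn: str) -> dict:
    """SNS topic policy allowing CloudTrail to publish new-log-file notifications."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailSNSPolicy",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "SNS:Publish",
                "Resource": topic_arn,
            }
        ],
    }


# Matches the account segment CloudTrail writes under: .../AWSLogs/<12 digits>/...
_AWSLOGS_ACCOUNT = re.compile(r"/AWSLogs/([0-9]{12}|\*)/")


def accounts_allowed_to_write(policy: dict) -> set[str]:
    """Read back which account IDs a bucket policy lets CloudTrail write for.
    A '*' in the result means the policy accepts logs from any account, which
    is broader than a consolidated-logging bucket needs."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for arn in resources:
            match = _AWSLOGS_ACCOUNT.search(arn)
            if match:
                allowed.add(match.group(1))
    return allowed


if __name__ == "__main__":
    policy = bucket_policy(BUCKET, [PRIMARY_ACCOUNT] + MEMBER_ACCOUNTS)
    print("accounts admitted by bucket policy:", sorted(accounts_allowed_to_write(policy)))
    print("topic policy action:", topic_policy(TOPIC_ARN)["Statement"][0]["Action"])
```

Listing each member account's AWSLogs/ path explicitly, rather than a single AWSLogs/* resource, means a trail in an account you have not onboarded cannot write into the bucket, and the bucket-owner-full-control condition keeps the primary account (where the Lacework stack and its role live) as the owner of every delivered log object.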
5. Options
You do not need to change any settings on the Create stack > Options page. Click the [Next] button.
6. Review
You should now be on the Create stack > Review page.
- Check I acknowledge that AWS CloudFormation might create IAM resources with custom names
- Click the [Create] button
7. CloudFormation page
After clicking [Create], you will be redirected back to the CloudFormation page. If you do not see your new stack in the stack table, refresh the page. Select your stack to see the event log as it is being created. When the stack status is CREATE_COMPLETE, select the Outputs tab located below the stack table.
8. Outputs Tab
Copy the values from the ExternalID, SQSQueueURL and RoleARN fields into a text editor before returning to the Lacework UI.
9. Complete the Lacework CloudTrail Integration Form
You can now return to the Lacework UI to complete the installation.
- Choose a name and enter the values from the Outputs tab
- Click the [Save] button
Lacework will now begin to receive your CloudTrail logs for analysis. You can now continue the onboarding process or return to the Lacework UI.