Lacework can be configured to send events to your AWS CloudTrail event bus. For more information about sending and receiving events between AWS accounts, please refer to the Amazon CloudWatch Events User Guide.
After event receipt, you may want to create a custom pattern rule and forward the Lacework events to an SQS queue as described in the following example:
1. Navigate to CloudWatch - Event Buses
- Click the [Add permission] button
- Enter Lacework AWS account number 434813966438 and click the [Add] button. The Lacework account should be listed in the Permissions table.
2. Navigate to CloudWatch – Rules
- Click the [Create rule] button, which will take you to Step 1: Create rule
- Select [Edit] above the Event Pattern Preview
- Click the [Save] button, and the custom event pattern should appear as follows:
- Click the [Add target] button and select sqs queue
- Select your SQS queue from the dropdown
- Click the [Configure details] button, which should take you to Step 2: Configure rule details
- Enter a name and description for your rule
- Click the [Create rule] button, which returns you to the CloudWatch > Rules page, where your newly created rule is listed.
3. From the Lacework UI, navigate to Integrations – CloudWatch
- Click the [+ Add Integration] button
- Provide a name for your integration
- Enter the ARN of your AWS event bus, which should be in the form:
- Click the [Save] button
You should now start to see Lacework events in your SQS queue.
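Steps 1 and 2 of the console procedure above, expressed as an added Python example (not code from the Lacework documentation) that drives the same calls through boto3-style `events` and `sqs` clients supplied by the caller. The custom event pattern, which the page does not reproduce, is assumed here to match on the Lacework account ID from step 1; the rule name, queue URL and queue ARN are placeholders, and the queue policy is scoped so that only this one rule may send to the queue.

```python
import json

LACEWORK_ACCOUNT = "434813966438"  # Lacework AWS account number from step 1


def build_event_pattern(source_account=LACEWORK_ACCOUNT):
    # Assumption: the custom pattern filters on the originating AWS account,
    # so only events put on the bus by the Lacework account reach the target.
    return {"account": [source_account]}


def build_queue_policy(queue_arn, rule_arn):
    # Allow CloudWatch Events to deliver to the queue, but only on behalf of
    # this rule (aws:SourceArn), not any rule in any account.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLaceworkRuleToSendMessage",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
        }],
    }


def configure_forwarding(events, sqs, rule_name, queue_url, queue_arn):
    """Bus permission, rule, SQS target and queue policy (steps 1 and 2).

    `events` and `sqs` are boto3 clients for 'events' and 'sqs' (or fakes)."""
    # Step 1: let the Lacework account put events on the default event bus.
    events.put_permission(Action="events:PutEvents", Principal=LACEWORK_ACCOUNT,
                          StatementId="LaceworkPutEvents")
    # Step 2: rule with the custom pattern, then the SQS queue as its target.
    rule_arn = events.put_rule(Name=rule_name,
                               EventPattern=json.dumps(build_event_pattern()),
                               State="ENABLED")["RuleArn"]
    events.put_targets(Rule=rule_name,
                       Targets=[{"Id": "lacework-sqs", "Arn": queue_arn}])
    # The console adds a queue policy for you; via the API you set it yourself.
    sqs.set_queue_attributes(QueueUrl=queue_url, Attributes={
        "Policy": json.dumps(build_queue_policy(queue_arn, rule_arn))})
    return rule_arn
```

With real clients (`boto3.client("events")`, `boto3.client("sqs")`) the caller needs `events:PutPermission`, `events:PutRule`, `events:PutTargets` and `sqs:SetQueueAttributes` in the target account; step 3 remains a Lacework UI action.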