Lacework can be configured to send events to your AWS CloudTrail event bus. For more information about sending and receiving events between AWS accounts, please refer to the Amazon CloudWatch Events User Guide.
After event receipt, you may want to create a custom pattern rule and forward the Lacework events to an SQS queue as described in the following example. If you don't already have an SQS queue configured, you will want to create one before you start.
- Open the AWS CloudWatch Service and select CloudWatch > Event Buses.
- Click Add permission.
- Enter the Lacework AWS account number 434813966438 and click Add.
The Lacework account should now be listed in the Permissions table.
- Click Create rule, which will take you to Step 1: Create rule.
- Above Event Pattern Preview, select Edit.
- Add the following JSON snippet:
- Click Save.
- The custom event pattern should appear as follows:
- Click Add target and select type 'SQS queue'.
- From the drop-down, select your SQS queue.
- Click Configure details, which should take you to Step 2: Configure rule details.
- Enter a name and description for your rule.
- Click Create rule, which will return you to the CloudWatch > Rules page where you will see your newly created rule.
- From the Lacework UI, navigate to Integrations - CloudWatch.
- Click + Add Integration.
- Provide a name for your integration.
- Enter the ARN of your AWS CloudWatch event bus, which is of the form:
- Click Save.
You should now start to see Lacework events in your SQS queue.
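The Add permission step opens your event bus to another AWS account, so it is worth confirming afterwards that only the Lacework account can send events to it. The following check is an added example, not part of the original page or Lacework's own tooling; it assumes the input is the JSON printed by `aws events describe-event-bus`, and the sample policy, statement IDs and account 111122223333 are constructed for illustration.

```python
import json

LACEWORK_ACCOUNT = "434813966438"  # account number entered in the Add permission step

def principals(statement):
    """Return the account IDs (or "*") a policy statement names as principal."""
    p = statement.get("Principal", {})
    if p == "*":
        return {"*"}
    values = p.get("AWS", []) if isinstance(p, dict) else []
    if isinstance(values, str):
        values = [values]
    # "arn:aws:iam::<account>:root" -> "<account>"; bare IDs and "*" pass through
    return {v.split(":")[4] if v.startswith("arn:") else v for v in values}

def audit_event_bus(describe_output, expected=(LACEWORK_ACCOUNT,)):
    """List findings for Allow statements that let unexpected senders PutEvents."""
    policy = json.loads(describe_output.get("Policy") or '{"Statement": []}')
    findings, seen = [], set()
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        allows_put = any(a in ("events:PutEvents", "events:*", "*") for a in actions)
        if st.get("Effect") != "Allow" or not allows_put:
            continue
        for acct in principals(st):
            seen.add(acct)
            # A wildcard is only acceptable when a Condition narrows it.
            if acct == "*" and "Condition" not in st:
                findings.append(f"{st.get('Sid')}: any AWS account may send events")
            elif acct != "*" and acct not in expected:
                findings.append(f"{st.get('Sid')}: unexpected account {acct}")
    findings += [f"missing permission for account {a}" for a in expected if a not in seen]
    return findings

# Constructed sample: the Lacework grant plus a leftover wildcard statement.
BUS_ARN = "arn:aws:events:us-east-1:111122223333:event-bus/default"
SAMPLE = {
    "Name": "default", "Arn": BUS_ARN,
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "lacework", "Effect": "Allow", "Action": "events:PutEvents",
         "Principal": {"AWS": "arn:aws:iam::434813966438:root"}, "Resource": BUS_ARN},
        {"Sid": "leftover", "Effect": "Allow", "Action": "events:PutEvents",
         "Principal": "*", "Resource": BUS_ARN}]}),
}

if __name__ == "__main__":
    print(audit_event_bus(SAMPLE))
```

An empty list means the only sender allowed on the bus is the Lacework account.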