You can integrate a single AWS account during the initial Lacework account setup or at any time thereafter using the Lacework Console. Integrating multiple AWS accounts through the console, however, is inefficient: each integration requires you to log in to the account with administrative privileges and to verify that no resource conflicts exist before creating the CloudFormation stack.
To integrate multiple accounts, you can now download a Lacework API token, script, and configuration file to automate the process.
- The Lacework API token is required to complete the integration with your Lacework account and is downloaded from the Lacework Console.
- The Lacework script creates a stack in each of your AWS accounts and is downloaded from the Lacework GitHub repository.
- The Lacework configuration file contains the customizable parameters required by the script and is downloaded from the Lacework GitHub repository.
Customizing the configuration file requires some upfront work but reduces the total integration effort and time spent. The multiple-account script supports the following integrations per account: CloudTrail and Security Audit, CloudTrail only, and Security Audit only. For example, if you consolidate all of your CloudTrail logs into a single account and integrate both CloudTrail and Security Audit for that account during account setup, you can use multiple-account integration to configure Security Audit for your remaining accounts.
NOTE: AWS S3 object-level APIs are excluded from CloudTrail analysis.
Workflow
- Before running the script, you must have Python installed, and the directory that contains the python executable must be included in your PATH.
- Log in to Lacework Console and download your access token.
- Download the Lacework script and configuration file from GitHub:
  - Click https://github.com/lacework/csp-integrations.
  - Click Clone or download.
  - Click Download ZIP.
  - Unzip the zip file.
  - Go to the aws/multiple-account-integration directory that was just created.
- Customize the configuration file for your environment, located at aws/multiple-account-integration/config/params.yml, as described in Example Configuration File and Customizing the Configuration File.
- Optional: If you want to review the AWS CloudFormation template, you can download it from the Lacework Console. Note that the script uses the template stored in Lacework and not the local copy.
  - Log in to the Lacework Console.
  - Select Settings > Integrations > Cloud Accounts.
  - Click + Create New.
  - Select AWS and either CloudTrail or Config.
  - In the Name field, enter a name for the integration.
  - Click Download Cloud Formation Template.
- Run the script from the CLI as described in Executing the Script below.
Example Configuration File
delete_on_rollback: "Yes/No"
url:
  type-cloudTrail-config: "%account/api/v1/external/downloads/templates/lacework-aws-ct-cfg-auto.json"
  type-cloudTrail: "%account/api/v1/external/downloads/templates/lacework-aws-cloudtrail-auto.json"
  type-config: "%account/api/v1/external/downloads/templates/lacework-aws-cfg-auto.json"
default-params:
  region: ""
  StackName: ""
  ResourceNamePrefix: ""
  CreateNewCloudTrail: "Yes/No"
  NewTrailLogFilePrefix: ""
  ExistingTrailBucketName: ""
  ExistingTrailTopicArn: ""
default-tags:
  key1: "value1"
stacks: [
  {
    Name: "Account Name Identifier1",
    Profile: "",
    region: "",
    aws_access_key_id: "",
    aws_secret_access_key: "",
    RoleArn: "",
    type-cloudTrail: {
      StackName: "aws-ct stack name",
      ResourceNamePrefix: "",
      CreateNewCloudTrail: "Yes/No",
      NewTrailLogFilePrefix: "",
      ExistingTrailBucketName: "",
      ExistingTrailTopicArn: "",
      tags: { key2: "value2" }
    },
    type-cloudTrail-config: {
      StackName: "aws-ct-cfg stack name",
      ResourceNamePrefix: "",
      CreateNewCloudTrail: "Yes/No",
      NewTrailLogFilePrefix: "",
      ExistingTrailBucketName: "",
      ExistingTrailTopicArn: "",
      tags: { key2: "value2" }
    },
    type-config: {
      StackName: "aws-cfg stack name",
      ResourceNamePrefix: "",
      tags: { key2: "value2" }
    }
  }
]
Customizing the Configuration File
When customizing the configuration file, remove all unused fields, both to make the file easier to read and to prevent conflicts. Stack creation fails if conflicting parameters are specified.
Global Configuration
delete_on_rollback: "Yes/No"
url:
  type-cloudTrail-config: "%account/api/v1/external/downloads/templates/lacework-aws-ct-cfg-auto.json"
  type-cloudTrail: "%account/api/v1/external/downloads/templates/lacework-aws-cloudtrail-auto.json"
  type-config: "%account/api/v1/external/downloads/templates/lacework-aws-cfg-auto.json"
delete_on_rollback (Yes/No):
Select Yes to delete all rolled-back stacks automatically. To be able to review failed stack creations before deleting them manually, select No.
url:
The url section lists the locations of the CloudFormation templates for each integration type and is not meant to be changed.
Default Parameters
Default parameters are used by the Lacework script when no stack/account-specific parameters are found. Stack-specific parameters always take precedence over default parameters, with the exception of tags: default tags and stack-specific tags are both applied to the created stacks.
default-params:
  region: ""
  StackName: ""
  ResourceNamePrefix: ""
  CreateNewCloudTrail: "Yes/No"
  NewTrailLogFilePrefix: ""
  ExistingTrailBucketName: ""
  ExistingTrailTopicArn: ""
default-tags:
  key1: "value1"
region: "" - optional
Specify a default AWS region to use if no account-specific region is specified.
StackName: "" - optional
Enter a default stack name to use if no stack/account-specific name is configured.
ResourceNamePrefix: "" - optional
Enter a default resource name prefix to use if no stack/account-specific prefix is configured.
CreateNewCloudTrail: "Yes/No"
Select Yes if you want Lacework to create a new CloudTrail trail when no stack/account-specific configuration is found. Select No if you want Lacework to use an existing trail.
NewTrailLogFilePrefix: "" - optional
Enter a default log file prefix to use if no stack/account-specific configuration is found.
ExistingTrailBucketName: ""
If CreateNewCloudTrail is set to No, enter the name of the S3 bucket that the existing trail writes to. If CreateNewCloudTrail is set to Yes, delete this field.
ExistingTrailTopicArn: ""
If CreateNewCloudTrail is set to No, enter the ARN of the SNS topic that receives notifications for the existing trail's S3 bucket. If an SNS topic has not been created, you must create one. If CreateNewCloudTrail is set to Yes, delete this field.
default-tags:
  key1: "value1"
Enter any optional default tags that you want to associate with the created stacks.
Stack/Account Parameters
One or two stacks are created for each integrated AWS account. Parameters can be configured for each stack and take precedence over the default parameters. When integrating multiple accounts, create a separate stack configuration for each account; the configuration file is formatted as an array of stacks.
The stack configuration governs what is created. You can configure type-config, type-cloudTrail, and type-cloudTrail-config. Configuring both type-config and type-cloudTrail results in two stacks being created. Configuring type-cloudTrail-config also integrates both CloudTrail and Security Audit with Lacework, but creates a single stack. When using type-cloudTrail-config, configure only that one stack for the account; combining it with another type causes an error.
stacks: [
  {
    Name: "Account Name Identifier1",
    Profile: "",
    region: "",
    aws_access_key_id: "",
    aws_secret_access_key: "",
    RoleArn: "",
Name: "Account Name Identifier"
A user-defined account/stack identifier.
Profile: "" - optional
Specify the AWS profile to use for this account/stack.
region: "" - optional
Specify the AWS region to use for this account/stack.
aws_access_key_id: "" - optional
Specify the aws_access_key_id to use for this account/stack.
aws_secret_access_key: "" - optional
Specify the aws_secret_access_key to use for this account/stack.
RoleArn: "" - optional
Specify the RoleArn to use for this account/stack.
CloudTrail only
If you are enabling CloudTrail only for the account, configure the following parameters:
type-cloudTrail: {
  StackName: "aws-ct stack name",
  ResourceNamePrefix: "",
  CreateNewCloudTrail: "Yes/No",
  NewTrailLogFilePrefix: "",
  ExistingTrailBucketName: "",
  ExistingTrailTopicArn: "",
  tags: { key2: "value2" }
}
StackName: "" - optional
Enter a stack name for this stack.
ResourceNamePrefix: ""
Enter a resource name prefix for this stack or leave the value blank; do not remove this line from the configuration.
CreateNewCloudTrail: "Yes/No"
Select Yes if you want Lacework to create a new CloudTrail trail, or No if you want Lacework to use an existing trail.
NewTrailLogFilePrefix: "" - optional
Enter a log file prefix to use if CreateNewCloudTrail is set to Yes.
ExistingTrailBucketName: ""
If CreateNewCloudTrail is set to No, enter the name of the S3 bucket that the existing trail writes to.
ExistingTrailTopicArn: ""
If CreateNewCloudTrail is set to No, enter the ARN of the SNS topic that receives notifications for the existing trail's S3 bucket. If an SNS topic has not been created, you must create one.
tags:
  key2: "value2"
Enter any tags that you want to associate with this stack.
CloudTrail and Security Audit
If you are enabling both CloudTrail and Security Audit for the account, configure the following parameters:
type-cloudTrail-config: {
  StackName: "aws-ct-cfg stack name",
  ResourceNamePrefix: "",
  CreateNewCloudTrail: "Yes/No",
  NewTrailLogFilePrefix: "",
  ExistingTrailBucketName: "",
  ExistingTrailTopicArn: "",
  tags: { key2: "value2" }
}
StackName: "" - optional
Enter a stack name for this stack.
ResourceNamePrefix: ""
Enter a resource name prefix for this stack or leave the value blank; do not remove this line from the configuration.
CreateNewCloudTrail: "Yes/No"
Select Yes if you want Lacework to create a new CloudTrail trail, or No if you want Lacework to use an existing trail.
NewTrailLogFilePrefix: "" - optional
Enter a log file prefix to use if CreateNewCloudTrail is set to Yes.
ExistingTrailBucketName: ""
If CreateNewCloudTrail is set to No, enter the name of the S3 bucket that the existing trail writes to.
ExistingTrailTopicArn: ""
If CreateNewCloudTrail is set to No, enter the ARN of the SNS topic that receives notifications for the existing trail's S3 bucket. If an SNS topic has not been created, you must create one.
tags:
  key2: "value2"
Enter any tags that you want to associate with this stack.
Security Audit Only
If you are enabling Security Audit only for the account, configure the following parameters:
type-config: {
  StackName: "aws-cfg stack name",
  ResourceNamePrefix: "",
  tags: { key2: "value2" }
}
StackName: "" - optional
Enter a stack name for this stack.
ResourceNamePrefix: ""
Enter a resource name prefix for this stack or leave the value blank; do not remove this line from the configuration.
tags:
  key2: "value2"
Enter any tags that you want to associate with this stack.
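The precedence rules above (stack-specific values override default-params, tags are merged, type-cloudTrail-config must stand alone, ResourceNamePrefix must be present, and existing-trail fields conflict with CreateNewCloudTrail: Yes) are easy to get wrong across many accounts, and a wrong combination only surfaces as a failed or rolled-back stack. The following Python is an added example, not code from the Lacework csp-integrations repository: it resolves the effective parameters for each stack and reports the conflicts before the script is run. CONFIG stands in for the dict that yaml.safe_load() would return for params.yml, with constructed sample values; the treatment of an empty string as "not specified, fall back to the default" is an assumption about the script's behaviour, not something the page states.

```python
"""Resolve and sanity-check a multiple-account params.yml before it reaches the
Lacework script.  Added example, not code from the csp-integrations repository.
CONFIG is the dict yaml.safe_load() would return for params.yml; its values are
constructed for illustration."""

STACK_TYPES = ("type-cloudTrail", "type-cloudTrail-config", "type-config")
TRAIL_KEYS = ("CreateNewCloudTrail", "NewTrailLogFilePrefix",
              "ExistingTrailBucketName", "ExistingTrailTopicArn")
# Parameters each stack type accepts, from the page's per-type parameter lists.
TYPE_KEYS = {
    "type-cloudTrail": ("StackName", "ResourceNamePrefix") + TRAIL_KEYS,
    "type-cloudTrail-config": ("StackName", "ResourceNamePrefix") + TRAIL_KEYS,
    "type-config": ("StackName", "ResourceNamePrefix"),
}

# Constructed sample: one account per integration type plus one deliberately
# misconfigured account ("broken") to show what the checks catch.
CONFIG = {
    "delete_on_rollback": "Yes",
    "default-params": {
        "region": "us-east-1", "StackName": "", "ResourceNamePrefix": "lw",
        "CreateNewCloudTrail": "No", "NewTrailLogFilePrefix": "",
        "ExistingTrailBucketName": "example-org-cloudtrail-logs",
        "ExistingTrailTopicArn": "arn:aws:sns:us-east-1:111111111111:example-trail-topic",
    },
    "default-tags": {"owner": "secops"},
    "stacks": [
        {"Name": "prod-logging", "Profile": "prod-logging", "region": "",
         "type-cloudTrail-config": {
             "StackName": "lacework-ct-cfg", "ResourceNamePrefix": "",
             "CreateNewCloudTrail": "No", "NewTrailLogFilePrefix": "",
             "ExistingTrailBucketName": "", "ExistingTrailTopicArn": "",
             "tags": {"env": "prod"}}},
        {"Name": "dev", "Profile": "dev", "region": "eu-west-1",
         "type-config": {"StackName": "lacework-cfg", "ResourceNamePrefix": "",
                         "tags": {}}},
        {"Name": "broken", "Profile": "broken",
         "type-cloudTrail": {"StackName": "", "CreateNewCloudTrail": "Yes",
                             "ExistingTrailBucketName": "",
                             "ExistingTrailTopicArn": "", "tags": {}},
         "type-cloudTrail-config": {"StackName": "", "ResourceNamePrefix": "",
                                    "CreateNewCloudTrail": "Yes", "tags": {}}},
    ],
}


def resolve_params(config, stack, stack_type):
    """Effective parameters for one stack of one account.

    Stack-specific values win over default-params; tags are the exception and
    are merged (default-tags plus the stack's own tags).  Assumption: an empty
    string counts as "not specified" and falls back to the default.
    """
    defaults = config.get("default-params", {})
    specific = stack.get(stack_type, {})
    merged = {key: specific.get(key, "") or defaults.get(key, "")
              for key in TYPE_KEYS[stack_type]}
    # region is set per account (or in default-params), not inside the type block.
    merged["region"] = stack.get("region", "") or defaults.get("region", "")
    tags = dict(config.get("default-tags") or {})
    tags.update(specific.get("tags") or {})
    merged["tags"] = tags
    return merged


def validate_stack(config, stack):
    """Return the problems that would make stack creation fail or roll back."""
    issues = []
    types = [t for t in STACK_TYPES if t in stack]
    if not types:
        issues.append("no stack type configured")
    if "type-cloudTrail-config" in types and len(types) > 1:
        issues.append("type-cloudTrail-config must be the only stack type for the account")
    existing = ("ExistingTrailBucketName", "ExistingTrailTopicArn")
    for stack_type in types:
        params = resolve_params(config, stack, stack_type)
        if "ResourceNamePrefix" not in stack[stack_type]:
            issues.append(f"{stack_type}: ResourceNamePrefix line missing (leave it blank, do not remove it)")
        if not params["region"]:
            issues.append(f"{stack_type}: no region at stack level or in default-params")
        if stack_type == "type-config":
            continue
        flag = params["CreateNewCloudTrail"]
        if flag not in ("Yes", "No"):
            issues.append(f"{stack_type}: CreateNewCloudTrail must be Yes or No")
        elif flag == "Yes":
            # A blank existing-trail field still inherits the default value, so
            # the line has to be deleted, not emptied, to avoid the conflict.
            issues.extend(f"{stack_type}: {k} set while CreateNewCloudTrail is Yes (conflict)"
                          for k in existing if params[k])
        else:
            issues.extend(f"{stack_type}: {k} required when CreateNewCloudTrail is No"
                          for k in existing if not params[k])
    return issues


def validate_config(config):
    """Map each account Name to its issue list; an empty list means ready to run."""
    report = {}
    if config.get("delete_on_rollback") not in ("Yes", "No"):
        report["_global"] = ["delete_on_rollback must be Yes or No"]
    for stack in config.get("stacks", []):
        report[stack["Name"]] = validate_stack(config, stack)
    return report


if __name__ == "__main__":
    for name, issues in validate_config(CONFIG).items():
        print(name, "OK" if not issues else issues)
```

Running it reports prod-logging and dev as clean and lists six problems for the broken account: two stack types combined with type-cloudTrail-config, a removed ResourceNamePrefix line, and, for both of its stacks, existing-trail fields that inherit the default bucket and topic while CreateNewCloudTrail is Yes. To use it against a real file, replace CONFIG with yaml.safe_load(open("config/params.yml")).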
Executing the Script
The script can be executed from a user shell on either Linux or macOS using the following syntax:
./CloudFormation.sh configfile.yml execution_type access_token lacework_account_url.lacework.net
- configfile.yml is the name of the customized configuration file, including its file path.
- execution_type is either sync or async. If sync is specified, accounts are configured one at a time: when one integration completes, configuration of the next account starts. If async is specified, the accounts are configured in parallel.
- access_token is the temporary access token generated using the Lacework API. For more information, see API Access Keys and Tokens.
- lacework_account_url is the prefix of the URL for your Lacework application. It should not include https://.