AWS GovCloud (US-East and US-West) are isolated regions within AWS for customers to host sensitive data for supporting their regulated workflows. The configuration workflow described below differs from AWS standard regions and is relevant for monitoring only AWS GovCloud environments within the Lacework application.
The initial setup of creating an integration between Lacework and an AWS GovCloud requires running steps in the AWS GovCloud console followed by running a second set of steps in the Lacework Console, as described below.
The steps below configure either an AWS CloudTrail (US GovCloud) or an AWS Config (US GovCloud) integration.
- Configure an AWS CloudTrail (US GovCloud) integration to analyze CloudTrail activity for monitoring cloud account security.
- Configure an AWS Config (US GovCloud) integration to analyze AWS configuration compliance.
If you want to analyze AWS configuration compliance and account security (CloudTrail), you must configure AWS CloudTrail (US GovCloud) and AWS Config (US GovCloud) integrations.
Create the Lacework AWS GovCloud CloudFormation Template
You must create an AWS GovCloud CloudFormation template file that creates a new AWS GovCloud CloudFormation stack.
To download and customize the template file:
- Open a text editor.
Click the following link: https://raw.githubusercontent.com/lacework/csp-integrations/master/aws-govcloud-template/lacework-aws-gov-cloud-ct-cfg.json
The Lacework AWS GovCloud CloudFormation template file displays in GitHub.Select all text in the GitHub window of the browser. (In Chrome, select Edit > Select All.)
- Copy the text. (In Chrome, select Edit > Copy.)
- Paste the text into the text editor.
- In the text editor, replace the %acnt string with the name of your AWS account.
"Parameters": { "ResourceNamePrefix": { ... "Default": "%acnt", ... },
- Save the file as lacework-aws-gov-cloud-ct-cfg.json in the text editor.
Create a Stack in CloudFormation Using the Customized CloudFormation Template
To create a new stack in the AWS GovCloud:
- Log in to an AWS account on the AWS GovCloud with administrative credentials. The AWS account used to create the stack must use a role with the aws:policy/SecurityAudit permission.
Select the CloudFormation service.
In the AWS console, select Services > Management Tools > CloudFormation. The Create Stack panel displays.From the Region drop-down located in the top left of the menu bar, select the appropriate region for your environment.
Click Create Stack.
The Select Template panel displays.Under Choose a template, select Upload a template to Amazon S3. Browse for the Lacework AWS GovCloud template file that you previously created and click Open.
Click Next.
The Specify Details page displays.In the Stack name field, enter a unique value.
- On the Create stack > Specify Details page, you can either create a new trail and S3 bucket or use an existing trail. Follow the appropriate procedure for your AWS GovCloud environment:
Option 1 - Create a New Trail and S3 Bucket
If you plan to separately integrate multiple accounts, the Resource Name Prefix must be different for each account because S3 bucket names are globally unique.
- Resource name prefix should be pre-populated with your account name. The value does not need to change unless:
- you are creating a stack for each account—For this case, the value must be unique for each account because the S3 bucket namespace is global.
- you are creating multiple stacks—For this case, the value must be unique to avoid a resource collision.
- Set Create a new trail? to Yes.
- If you want a specific S3 bucket path for your logs, add a Log file prefix.
- Leave the values for Bucket name and Topic ARN blank.
- Click Next.
Option 2 - Use an Existing Trail
- Resource name prefix should be pre-populated with your account name.
- Set Create a new trail? to No.
- The Log file prefix is not applicable because you are not creating a new trail.
- Enter the Bucket name associated with your existing trail.
- Add the SNS Topic ARN of your existing trail into Topic ARN. If the trail does not already have an SNS topic, you must create one.
- Click Next.
NOTE: If you are integrating an existing trail, you may be using server-side encryption. If using Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), key management is local to S3, and therefore no changes are required. If you are using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS), key management requires access to the AWS KMS service, so you must give the Lacework-created role the required permission. See this article for instructions on how to update the inline policy associated with the Lacework-created role. If you are manually integrating Lacework, you will need to grant this same permission.
Continue Stack Creation and Gather Settings
Complete the creation of the stack in the AWS console and gather the required settings as described by the following steps.
- In the Create stack > Options page, no changes are required. Click Next.
- In the Create Stack > Review page, select the acknowledgment and click Create. After clicking Create, you are redirected back to the CloudFormation page.
- If you do not see your new stack in the table, refresh the page. Keep refreshing the page until the status of the stack is CREATE-COMPLETE.
- After the stack status is CREATE-COMPLETE, click the stack name link.
- Expand Outputs.
- Leave the AWS console open to this page so you can copy the following values about the stack: 1) AccountId 2) AccessKeyId 3) SecretAccessKey 4) SQSQueueURL You need these values when you finish creating the integration using the Lacework Console as described in the next procedure.
Finish Integration Using the Lacework Console
Finish the integration using the Lacework Console as described by the following steps.
- Log in to the Lacework Console.
- Select Settings > Integrations > Cloud Accounts.
- Click + Create New.
- Select AWS and one of the following options:
- Select CloudTrail (US GovCloud) to analyze CloudTrail activity for monitoring cloud account security.
- Select Config (US GovCloud) to analyze AWS configuration compliance.
- Click Next.
- In the Name field, enter a unique name for the integration.
- In the Account ID field, enter the AccountId value copied from the AWS console.
- In the Access Key ID field, enter the AccessKeyId value copied from the AWS console.
- In the Secret Access Key field, enter the SecretAccessKey value copied from the AWS console.
- If you are configuring an AWS CloudTrail (US GovCloud) integration, in the SQS Queue URL field enter the SQSQueueURL value copied from the AWS console. (This step is not required for an AWS Config (US GovCloud) integration.
- Click Save. A new integration displays in Cloud Accounts.
- When the integration is complete and successful, the status changes to Integration Successful.
To analyze CloudTrail activity for monitoring cloud account security and analyze AWS configuration compliance, you must create AWS CloudTrail (US GovCloud) and AWS Config (US GovCloud) integrations.
If you want to create a second integration, repeat the Finish Integration using the Lacework Console procedure. You can reuse the same set of stack values for the second integration.