You can configure Lacework to forward events to Google Cloud Pub/Sub, Google's asynchronous messaging service, using the Lacework Google Cloud Pub/Sub alert channel. For more information about the service, see Google Cloud Pub/Sub.
Prerequisites
Before creating a Lacework Google Cloud Pub/Sub alert channel, complete the following prerequisite steps:
- You must enable the Resource Manager API for the Google Cloud Project you want to send Lacework events to. This is available in the API Library on GCP.
- You must create a topic and a subscription in the Google Cloud Pub/Sub to receive the Lacework events. For instructions, see Create a topic and Add a subscription.
- You must create a Custom IAM Role with the following permissions:
  - pubsub.topics.publish
  - resourcemanager.projects.get
- You must create a new service account that uses the custom IAM role created in the previous step, and download the Service Account credentials as a JSON file as described in Setting up authentication.
Lacework recommends downloading a JSON file that contains credential information including your service account key rather than entering the credential information manually in the Lacework Console. You can then upload this JSON file when creating the Lacework GCP Pub/Sub Alert Channel in the Lacework Console to populate the credential information as described in the process below.
Create a Lacework GCP Pub/Sub Alert Channel
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Navigate to Settings > Alert Channels.
- Click + Create New.
- Select GCP Pub/Sub.
- In the Name field, enter a name for the channel that is visible in the Lacework Console.
- Lacework recommends uploading a JSON file with necessary credential information rather than manually entering this information using the Lacework Console. Click Choose File to select the JSON file that contains credential information including your service account key as described in the previous section.
- From the Group Issues by drop-down, select one of the following options:
- Events—Select this option if you want a single GCP message to be created when compliance events of the same type but from different resources are detected by Lacework. For example, if three different S3 resources are generating the same compliance event, only one GCP message is created.
- Resources—Select this option if you want multiple GCP messages to be created when multiple resources are generating the same compliance event. For example, if three different S3 resources are generating the same compliance event, three GCP messages are created.
- If you did not upload the JSON file, enter values for the following credential fields:
- Client ID
- Private Key ID
- Client Email
- Private Key
- Project ID
- In the Topic ID field, enter the ID of the topic you created in GCP Pub/Sub (for example, lacework-alerts). NOTE: Do not use the fully qualified path; use only the ID provided when you created the topic.
- Click Save.
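Before uploading the key file and entering the topic ID, it is worth checking that the downloaded JSON actually carries the five credential fields the Console asks for and that the topic value is the bare ID rather than the fully qualified path the NOTE warns about. The following Python pre-flight check is an added example, not Lacework's or Google's code. The sample key file is constructed with placeholder values, and the topic-ID pattern is an assumption that approximates Google's Pub/Sub naming rules.

```python
"""Pre-flight check for a Lacework GCP Pub/Sub alert channel.

Added example (not Lacework's or Google's code): validates a downloaded
service-account key file and normalizes the topic ID before either is
entered in the Lacework Console or a Terraform resource.
"""
import json
import re

# The credential fields the Lacework Console asks for when the JSON is not uploaded.
REQUIRED_FIELDS = ("client_id", "private_key_id", "client_email", "private_key", "project_id")

# Constructed sample of a service-account key file; every value is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "lacework-alerts@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
})

# Assumption: a bare topic ID starts with a letter, is 3-255 characters long and
# uses letters, digits, '-', '.', '_', '~', '%' or '+'. IDs starting with "goog" are reserved.
TOPIC_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._~%+-]{2,254}$")
FULL_PATH_RE = re.compile(r"^projects/(?P<project>[^/]+)/topics/(?P<topic>[^/]+)$")


def load_service_account_key(text):
    """Parse the key file and return only the fields the alert channel needs.

    Raises ValueError naming every missing field, or describing the first
    malformed one, so the problem is found before the upload fails.
    """
    data = json.loads(text)
    missing = [field for field in REQUIRED_FIELDS if not data.get(field)]
    if missing:
        raise ValueError("service account key is missing: " + ", ".join(missing))
    if data.get("type") != "service_account":
        raise ValueError("key file is not a service_account key")
    if not data["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM private key block")
    if not data["client_email"].endswith(".iam.gserviceaccount.com"):
        raise ValueError("client_email is not a service account address")
    return {field: data[field] for field in REQUIRED_FIELDS}


def normalize_topic_id(value, project_id):
    """Return the bare topic ID the Console expects.

    A fully qualified 'projects/<p>/topics/<t>' path is reduced to <t>, but
    only when <p> matches the project the key belongs to; otherwise the
    channel would publish to a topic the service account cannot reach.
    """
    match = FULL_PATH_RE.match(value)
    if match:
        if match.group("project") != project_id:
            raise ValueError(
                f"topic path belongs to project {match.group('project')!r}, "
                f"but the key is for {project_id!r}"
            )
        value = match.group("topic")
    if value.lower().startswith("goog"):
        raise ValueError("topic IDs starting with 'goog' are reserved")
    if not TOPIC_ID_RE.match(value):
        raise ValueError(f"{value!r} is not a valid bare topic ID")
    return value


def preflight(key_text, topic_value):
    """Combine both checks and return exactly what goes into the channel form."""
    creds = load_service_account_key(key_text)
    return {"credentials": creds, "topic_id": normalize_topic_id(topic_value, creds["project_id"])}


if __name__ == "__main__":
    result = preflight(SAMPLE_KEY_JSON, "projects/example-project/topics/lacework-alerts")
    print("topic_id:", result["topic_id"])
    print("client_email:", result["credentials"]["client_email"])
```

Run it against the real key file by replacing SAMPLE_KEY_JSON with the file contents; the returned dictionary maps one-to-one onto the Console fields and the Terraform credentials block, and a fully qualified path is reduced to the bare ID only when its project matches the key.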
Create a Lacework GCP Pub/Sub Alert Channel Using Terraform
For organizations using Terraform to manage their environments, Lacework maintains the Terraform Provider for Lacework, which enables configuration of Lacework Alert Channels through automation.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read through the Terraform for Lacework Overview to learn the basics on how to configure the provider, and more.
```hcl
# Configure GCP credentials
locals {
  gcp_credentials = jsondecode(file("/path/to/creds.json"))
}

# Configure GCP Pub/Sub Alert Channel in Lacework
resource "lacework_alert_channel_gcp_pub_sub" "example" {
  name       = "gcp-pub_sub"
  project_id = "lacework-191923"
  topic_id   = "lacework-alerts"

  credentials {
    client_id      = local.gcp_credentials["client_id"]
    client_email   = local.gcp_credentials["client_email"]
    private_key_id = local.gcp_credentials["private_key_id"]
    private_key    = local.gcp_credentials["private_key"]
  }
}
```
Additional information on the lacework_alert_channel_gcp_pub_sub resource can be found on the Terraform Registry.