Articles in this section

See more

Google Cloud Pub/Sub

You can configure Lacework to forward events to this Google Cloud Pub/Sub asynchronous messaging service using the Lacework Google Cloud Pub/Sub alert channel. For more information about Google Cloud's asynchronous messaging service, see Google Cloud Pub/Sub.

Prerequisites

Before creating Lacework Google Cloud Pub/Sub alert channel, complete the following prerequisites steps:

  1. You must enable the Resource Manager API for the Google Cloud Project you want to send Lacework events to. This is available in the API Library on GCP.
  2. You must create a topic and a subscription in the Google Cloud Pub/Sub to receive the Lacework events. For instructions, see Create a topic and Add a subscription.
  3. You must create a Custom IAM Role with the following permissions: 
     pubsub.topics.publish
 resourcemanager.projects.get
  4. You must create a new service account, using the custom IAM role created in Step 2, and download the Service Account credentials as a JSON file as described in Setting up authentication.

Lacework recommends downloading a JSON file that contains credential information including your service account key rather than entering the credential information manually in the Lacework Console. You can then upload this JSON file when creating the Lacework GCP Pub/Sub Alert Channel in the Lacework Console to populate the credential information as described in the process below.

Create a Lacework GCP Pub/Sub Alert Channel

  1. Log in to the Lacework Console with a Lacework user that has administrative privileges.
  2. Navigate to Settings > Alert Routing > Alert Channels.
  3. Click + Create New.
  4. Select GCP Pub/Sub.
  5. In the Name field, enter a name for the channel that is visible in the Lacework Console.
  6. Lacework recommends uploading a JSON file with necessary credential information rather than manually entering this information using the Lacework Console. Click Choose File to select the JSON file that contains credential information including your service account key as described in the previous section.
  7. From the Group Issues by drop-down, select one of the options:
    • Events—Select this option if you want a single GCP message to be created when compliance events of the same type but from different resources are detected by Lacework. For example, if three different S3 resources are generating the same compliance event, only one GCP message is created.
    • Resources—Select this option if you want multiple GCP messages to be created when multiple resources are generating the same compliance event. For example, if three different S3 resources are generating the same compliance event, three GCP messages are created.
  8. If you did not upload the JSON file, enter values for following credential fields:
    • Client ID
    • Private Key ID
    • Client Email
    • Private Key
    • Project ID
  9. In the Topic ID field, enter the GCP topic ID that you are using in your GCP Pub/Sub (eg: lacework-alerts). NOTE: Do not use the fully qualified path, only use the ID provided when you created the topic.
  10. Click Save.
  11. Click Alert Rules and configure your required alert routing details/options by leveraging the alert channel you created.

Create a Lacework GCP Pub/Sub Alert Channel Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform Provider for Lacework which enables configuration of Lacework Alert Channels using automation.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read through the Terraform for Lacework Overview to learn the basics on how to configure the provider, and more.

# Configure GCP credentials
locals {
  gcp_credentials = jsondecode(file("/path/to/creds.json"))
}

# Configure GCP Pub/Sub Alert Channel in Lacework
resource "lacework_alert_channel_gcp_pub_sub" "example" {
  name       = "gcp-pub_sub"
  project_id = "lacework-191923"
  topic_id   = "lacework-alerts"
  credentials {
    client_id      = local.gcp_credentials["client_id"]
    client_email   = local.gcp_credentials["client_email"]
    private_key_id = local.gcp_credentials["private_key_id"]
    private_key    = local.gcp_credentials["private_key"]
  }
}

Additional information on the lacework_alert_channel_gcp_pub_sub resource can be found on the Terraform Registry.