Lacework integrates with Microsoft Azure to monitor Activity Logs and cloud resource configurations for designated tenants and subscriptions. This procedure covers how to integrate Microsoft Azure and Lacework running Lacework Terraform Modules from Azure Cloud Shell.
If you are new to the Lacework Terraform Provider or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics of configuring the provider.
The approach outlined in this document is suitable for one-off integrations where the user does not plan to keep using Terraform to manage the configuration of Lacework and Azure.
If you plan to keep managing the state of the integration between Microsoft Azure and Lacework, and/or to store the configuration in a source control management tool such as Git, review the steps in Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host instead.
Overview of Azure Compliance and Activity Log Integration
For Lacework to monitor Microsoft Azure Activity Logs and Compliance, the following resources need to be provisioned in the Tenant being integrated:
- Azure AD Application - An Azure AD Application is required in order to delegate Identity and Access Management functions to Azure AD in the Azure AD Tenant. The following API Permissions will be granted to the Azure AD Application:

| API | Permission | Type | Description | Admin Consent RQD |
| --- | --- | --- | --- | --- |
| Azure Active Directory Graph | Directory.Read.All | Application | Read directory data | Yes |
| Azure Key Vault | user_impersonation | Delegated | Have full access to Azure Key Vault service on behalf of the signed-in user. This permission does not grant Lacework full access to the Azure Key Vault. | - |
| Azure Storage | user_impersonation | Delegated | This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader. | - |
| Microsoft Graph | User.Read.All | Application | Read the full profiles for all users | Yes |

- Azure Resource Group - An Azure Resource Group will be created to store all resources provisioned by the integration.
- Azure Storage Account - A storage account is used to store Activity Logs.
- Azure Storage Queue - An Azure queue to hold Activity Log data.
- Azure Event Grid Subscription - Used to send notifications about events in Activity Logs.
Requirements
The following is a list of requirements to run Lacework Terraform Modules for Azure:
- Azure Global Administrator - You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
- Azure Owner Role - Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
- Azure CLI - The Terraform Provider for Azure leverages configuration from the Azure CLI to configure resources in Azure.
- Lacework Administrator - You must have a Lacework account with administrator privileges.
- Terraform - >= 0.12.26, ~> 0.13.0, ~> 0.14.0.
Terraform and Azure Cloud Shell
Azure Cloud Shell is an embedded terminal/command-line interface that can be used within the Azure Portal. This shell automatically authenticates the user that launches Cloud Shell with Azure AD and comes with tools pre-installed such as the Azure CLI and Terraform to manage and automate your Azure environment. For more information on Azure Cloud Shell, see the documentation Overview of Azure Cloud Shell.
Open Azure Cloud Shell within Azure Portal
To open the Azure Cloud Shell, click the Cloud Shell icon in the header bar of the Azure Portal; the Cloud Shell opens in a pane at the bottom of the browser. Cloud Shell defaults to PowerShell, but also supports a Bash prompt if preferred.
Install and Configure the Lacework CLI in Azure Cloud Shell
The Terraform Provider for Lacework leverages configuration from the Lacework CLI to authenticate with Lacework's API server and configure accounts. Lacework provides a shell script that installs the Lacework CLI into Azure Cloud Shell.
Additionally, the script validates that the user running Cloud Shell has the permissions required to integrate Azure with Lacework, as described above.
Install the Lacework CLI Using the shell_startup.sh Script
Open Cloud Shell and run the following command:
```
curl https://raw.githubusercontent.com/lacework/terraform-provisioning/master/azure/shell_startup.sh | bash
```
When the script completes, type exit followed by the ENTER key to exit your shell. After a few seconds a prompt will appear to reconnect to Azure Cloud Shell. Once reconnected, the Lacework CLI will be ready for use.
Configure the Lacework CLI
Proceed to configure the Lacework CLI by running the command lacework configure. The Lacework CLI needs the following:
- account: Account subdomain of the URL (e.g. YourAccount.lacework.net)
- api_key: API Access Key
- api_secret: API Access Secret
To create a set of API keys, log in to your Lacework account via the WebUI, navigate to Settings > API Keys and click + CREATE NEW. Enter a name for the key and an optional description, then click SAVE. Download the generated API key file.
The Azure Cloud Shell allows you to drag-and-drop the generated KEY.json to upload it automatically.
Finally, run the command:
```
$ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715.json
▸ Account: customerdemo
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715
▸ Secret Access Key: (*****************************26a0)

You are all set!
```
For more information, see the Lacework CLI documentation.
Enable Azure Compliance and Activity Log Integrations
This section covers running Terraform within your Azure Tenant. By default, only the primary subscription will be integrated for a given tenant, but all subscriptions can be integrated via the all_subscriptions = true input. Alternatively, an explicit list of subscriptions can be passed with the subscription_ids = [] input.
About Granting Admin Consent
Before running Terraform, it is important to understand that the Azure Active Directory Application created for Lacework requires admin consent before the integration will work. Granting admin consent is not possible natively in Terraform, so the Lacework Terraform Module attempts to automate it by running the following command via the Azure CLI:
```
# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually
az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
  || echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
  https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}
```
If granting admin consent fails, follow the printed URL to log in to the Azure console and grant admin consent manually.
Run Terraform
```
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.26"
    }
    lacework = {
      source  = "lacework/lacework"
      version = "~> 0.2.7"
    }
  }
}

provider "azurerm" {
  features {}
}

module "az_config" {
  source  = "lacework/config/azure"
  version = "~> 0.1.2"
}

module "az_activity_log" {
  source  = "lacework/activity-log/azure"
  version = "~> 0.1.2"

  use_existing_ad_application = true
  application_id              = module.az_config.application_id
  application_password        = module.az_config.application_password
  service_principal_id        = module.az_config.service_principal_id
}
```
- Azure Cloud Shell has a built-in IDE for editing files. Run the command code main.tf in Azure Cloud Shell to create and open a Terraform template named main.tf.
- The code snippet above configures monitoring of Azure cloud resource configuration for compliance and monitoring of the Activity Log. Copy/paste the code snippet above into the main.tf file, then save it (Ctrl + S on Windows or Cmd + S on macOS).
- Run the command terraform init to download the plugins and modules required to run this automation.
- Next, run terraform apply to create a "plan" of the resources that will be created.
- Once the plan has been reviewed, type 'yes' to proceed with running Terraform and configure the integration between Azure and Lacework.
- When Terraform completes, validate whether admin consent was granted using the Azure CLI, or follow the link (see above) to grant admin consent manually via the Azure Console.
NOTE: To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform Registry.
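As an added example, not part of the original page or of the Lacework modules' own documentation, the following variant of main.tf integrates a chosen set of subscriptions instead of only the primary one. It assumes that both Lacework modules accept the subscription_ids input named in this document, and it uses the azurerm_subscriptions data source to discover enabled subscriptions whose display name starts with a constructed prefix ("prod"), so the list does not have to be hard-coded:

```hcl
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.26"
    }
    lacework = {
      source  = "lacework/lacework"
      version = "~> 0.2.7"
    }
  }
}

provider "azurerm" {
  features {}
}

# Discover subscriptions visible to the Cloud Shell user. The prefix is a
# constructed example; adjust it to the naming convention of your tenant.
data "azurerm_subscriptions" "monitored" {
  display_name_prefix = "prod"
}

# Keep only enabled subscriptions so that disabled ones do not produce
# failing integrations. One local feeds both modules, so the compliance
# and Activity Log integrations cover exactly the same subscriptions.
locals {
  monitored_subscription_ids = [
    for s in data.azurerm_subscriptions.monitored.subscriptions :
    s.subscription_id if s.state == "Enabled"
  ]
}

module "az_config" {
  source  = "lacework/config/azure"
  version = "~> 0.1.2"

  # Assumed module input (named in this document): restrict the
  # compliance integration to the discovered subscriptions.
  subscription_ids = local.monitored_subscription_ids
}

module "az_activity_log" {
  source  = "lacework/activity-log/azure"
  version = "~> 0.1.2"

  # Reuse the AD application created by az_config rather than creating
  # a second one that would need its own admin consent.
  use_existing_ad_application = true
  application_id              = module.az_config.application_id
  application_password        = module.az_config.application_password
  service_principal_id        = module.az_config.service_principal_id

  # Assumed module input: same subscription list as the compliance module.
  subscription_ids = local.monitored_subscription_ids
}

# Surface the final list so it can be reviewed in the plan before typing 'yes'.
output "monitored_subscription_ids" {
  value = local.monitored_subscription_ids
}
```

Review the output in the terraform apply plan before confirming, since the Owner role is required on every subscription in the list; if you want every subscription in the tenant instead, drop the data source and local and set all_subscriptions = true on both modules.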
Validate The Configuration
Once Terraform finishes applying changes, use the Lacework CLI or the Lacework Console to confirm the integration is working.
For the CLI, open a terminal and run lacework integrations list (you should see the two integrations AZURE_CFG and AZURE_AL_SEQ listed).
To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.