Articles in this section

Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell

Lacework integrates with Microsoft Azure to monitor Activity Logs and cloud resource configurations for designated tenants and subscriptions. This procedure covers how to integrate Microsoft Azure and Lacework running Lacework Terraform Modules from Azure Cloud Shell.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

The approach outlined in this document is suitable for one-off integrations where the user does not plan to continue to use Terraform to manage the configuration of Lacework and Azure.

If you plan to continue to manage the state of the integration between Microsoft Azure and Lacework, and/or store the configuration in a source control management tool such as Git, review the following steps in Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host.

Overview of Azure Compliance and Activity Log Integration

For Lacework to monitor Microsoft Azure Activity Logs and Compliance, the following resources need to be provisioned in the Tenant being integrated:

  • Azure AD Application - An Azure AD Application is required in order to delegate Identity and Access Management functions to Azure AD in the Azure AD Tenant. The following API Permissions will be granted to the Azure AD Application:

    API Permission Type Description Admin Consent RQD
    Azure Active Directory Graph Directory.Read.All Application Read directory data Yes
    Azure Key Vault user_impersonation Delegated Have full access to Azure Key Vault service on behalf of the signed in user. This permission does not grant Lacework full access to the Azure Key Vault -
    Azure Storage user_impersonation Delegated This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader -
    Microsoft Graph User.Read.All Application Read the full profiles for all userss Yes
  • Azure Resource Group - An Azure Resource Group will be created to store all resources provisioned the integration
  • Azure Storage Account - Storage account is used to store Activity Logs.
    • Azure Storage Queue - Azure queue to hold activity log data
  • Azure Event Grid Subscription - Used to send notifications about events in Activity Logs

Requirements

The following is a list of requirements to run Lacework Terraform Modules for Azure:

  • Azure Global Administrator - You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
  • Azure Owner Role - Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
  • Azure CLI - The Terraform Provider for Azure leverages configuration from the Azure CLI to configure resources in Azure
  • Lacework Administrator - You must have Lacework account with administrator privileges.
  • Terraform - >= 0.12.31, ~> 0.13, ~> 0.14, ~> 0.15.

Module Dependencies

Lacework Terraform modules for Azure have the following dependencies that will be installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform Registry.

Terraform and Azure Cloud Shell

Azure Cloud Shell is an embedded terminal/command-line interface that can be used within the Azure Portal. This shell automatically authenticates the user that launches Cloud Shell with Azure AD and comes with tools pre-installed such as the Azure CLI and Terraform to manage and automate your Azure environment. For more information on Azure Cloud Shell, see the documentation Overview of Azure Cloud Shell.

Open Azure Cloud Shell within Azure Portal

To open the Azure Cloud Shell, click on the Cloud Shell icon in the header bar of the Azure Portal, and it will open the Cloud Shell in a pane at the bottom of the browser. Cloud Shell defaults to PowerShell, but also supports a Bash prompt if preferred.

Open Azure Cloud Shell

Install and Configure the Lacework CLI in Azure Cloud Shell

The Terraform Provider for Lacework leverages configuration from the Lacework CLI to authenticate with Lacework's API server to configure accounts. Lacework has created a shell script to install the Lacework CLI to Azure Cloud Shell.

Additionally, the script will validate that the user running Cloud Shell has the permissions required to integrate Azure with Lacework described above.

Install the Lacework CLI Using the shell_startup.sh Script

Open Cloud Shell and run the following command:

curl https://raw.githubusercontent.com/lacework/terraform-provisioning/master/azure/shell_startup.sh | bash

When the script completes, type exit followed by hitting the ENTER key to exit your shell. After a few seconds a prompt will appear to reconnect to Azure Shell. Once reconnected, the Lacework CLI will be ready for use.

Configure the Lacework CLI

Proceed to configure the Lacework CLI by using the command lacework configure. The Lacework CLI needs the following:

  • account: Account subdomain of URL (i.e. YourAccount.lacework.net)
  • api_key: API Access Key
  • api_secret: API Access Secret

To create a set of API keys, log in to your Lacework account via WebUI and navigate to Settings > API Keys and click Create New. Enter a name for the key and an optional description, then click Save. Download the generated API key file.

The Azure Cloud Shell allows you to drag-and-drop the generated KEY.json to upload it automatically.

Download-Drag-and-Drop Lacework API key

Finally, run the command:

$ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715.json
▸ Account: customerdemo
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715
▸ Secret Access Key: (*****************************26a0)

You are all set!

For more information, see Lacework CLI documentation

Enable Azure Compliance and Activity Log Integrations

This section covers running Terraform within your Azure Tenant. By default, only the primary subscription will be integrated for a given tenant, but all subscriptions can be integrated via the all_subscriptions = true input. Additionally, an array of subscriptions can be passed with the subscription_ids = [] input.

About Granting Admin Consent

Before running Terraform, it is important to understand the Azure Active Directory Application created for Lacework requires granting admin consent before the integration will work. Granting admin consent is not possible natively using Terraform, but the Lacework Terraform Module will attempt to automate this process by running the following command the Azure CLI:

# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually

az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
|| echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}

If the granting admin consent fails, click the link to login to the Azure console and grant admin consent manually.

Run Terraform

terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.26"
    }
    lacework = {
      source = "lacework/lacework"
      version = "~> 0.3"
    }
  }
}

provider "azurerm" {
  features {}
}

module "az_config" {
  source  = "lacework/config/azure"
  version = "~> 0.1"
}

module "az_activity_log" {
  source  = "lacework/activity-log/azure"
  version = "~> 0.1"

  use_existing_ad_application = true
  application_id              = module.az_config.application_id
  application_password        = module.az_config.application_password
  service_principal_id        = module.az_config.service_principal_id
}
  1. Azure Cloud Shell has a built-in IDE for editing files. Run the command code main.tf in Azure Cloud Shell to create and open a Terraform template named main.tf.
  2. The code snippet above configures monitoring of Azure Cloud resource configuration for compliance, and monitoring of Activity Log. Copy/Paste the code snippet above into the main.tf file, and then save (Ctrl + S on Windows or Cmd + S on MacOS) the file.
  3. Run the command terraform init to download the necessary plugins and modules required to run this automation.
  4. Next run terraform apply to create a "plan" of the resources that will be created. Hit Yes
  5. Once the plan has been reviewed, type 'yes' to proceed with running Terraform and configure the integration with Azure and Lacework.
  6. When Terraform completes, validate whether admin consent was granted using the Azure CLI, or follow the link (see above) to manually grant admin consent via the Azure Console.

NOTE: To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform Registry.

Validate The Configuration

Once Terraform finishes applying changes, use the Lacework CLI or the Lacework console to confirm the integration is working.

For the CLI open a Terminal and run lacework integrations list (you should see the two AZURE_CFG and AZURE_AL_SEQ Integrations listed).

To validate the integration via the Lacework Console, Log in to your account and go to Settings > Integrations > Cloud Accounts.