Articles in this section

Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell

Lacework integrates with Microsoft Azure to monitor Activity Logs and cloud resource configurations for designated tenants and subscriptions. This procedure covers how to integrate Microsoft Azure and Lacework running Lacework Terraform Modules from Azure Cloud Shell.

The approach outlined in this document is suitable for one-off integrations where the user does not plan to continue to use Terraform to manage the configuration of Lacework and Azure.

If you plan to continue to manage the state of the integration between Google Cloud and Lacework, and/or store the configuration in a source control management tool such as Git, review the following steps in Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host.

Overview of Azure Compliance and Activity Log Integration

For Lacework to monitor Microsoft Azure Activity Logs and Compliance, the following resources need to be provisioned in the Tenant being integrated:

  • Azure AD Application - An Azure AD Application is required in order to delegate Identity and Access Management functions to Azure AD in the Azure AD Tenat. The following API Permissions will be granted to the Azure AD Application:

    API Permission Type Description Admin Consent RQD
    Azure Active Directory Graph Directory.Read.All Application Read directory data Yes
    Azure Key Vault user_impersonation Delegated Have full access to Azure Key Vault service on behalf of the signed in user. This permission does not grant Lacework full access to the Azure Key Vault -
    Azure Storage user_impersonation Delegated This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader -
    Microsoft Graph User.Read.All Application Read the full profiles for all userss Yes
  • Azure Resource Group - An Azure Resource Group will be created to store all resources provisioned the integration
  • Azure Storage Account - Storage account is used to store Activity Logs.
    • Azure Storage Queue - Azure queue to hold activity log data
  • Azure Event Grid Subscription - Used to send notifications about events in Activity Logs

Requirements

The following is a list of requirements to run Lacework Terraform Modules for Azure:

  • Azure Global Administrator - You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
  • Azure Owner Role - Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
  • Azure CLI - The Terraform Provider for Azure leverages configuration from the Azure CLI to configure resources in Azure
  • Lacework Administrator - You must have Lacework account with administrator privileges.
  • Lacework CLI - The Terraform Provider for Lacework leverages the configuration from the Lacework CLI. It is recommended to have the Lacework CLI installed and configured.
  • Terraform - >= 0.12.24, ~> 0.13.x.

Azure Cloud Shell

Azure Cloud Shell is an embedded terminal/command-line interface that can be used within the Azure Portal. This shell automatically authenticates the user that launches Cloud Shell with Azure AD and comes with tools pre-installed such as the Azure CLI and Terraform to manage and automate your Azure environment. For more information on Azure Cloud Shell, see the documentation Overview of Azure Cloud Shell.

Open Azure Cloud Shell within Azure Portal

To open the Azure Cloud Shell, click on the Cloud Shell icon in the header bar of the Azure Portal, and it will open the Cloud Shell in a pane at the bottom of the browser. Cloud Shell defaults to PowerShell, but also supports a Bash prompt if preferred.

Open Azure Cloud Shell

Install and Configure the Lacework CLI in Azure Cloud Shell

The Terraform Provider for Lacework leverages configuration from the Lacework CLI to authenticate with Lacework's API server to configure accounts. Lacework has created a shell script to install the Lacework CLI to Azure Cloud Shell.

Additionally, the script will validate that the user running Cloud Shell has the permissions required to integrate Azure with Lacework described above.

Install the Lacework CLI Using the shell_startup.sh Script

Open Cloud Shell and run the following command:

curl https://raw.githubusercontent.com/lacework/terraform-provisioning/master/azure/shell_startup.sh | bash

When the script completes, type exit followed by hitting the ENTER key to exit your shell. After a few seconds a prompt will appear to reconnect to Azure Shell. Once reconnected, the Lacework CLI will be ready for use.

Configure the Lacework CLI

Proceed to configure the Lacework CLI by using the command lacework configure. The Lacework CLI needs the following:

  • account: Account subdomain of URL (i.e. <ACCOUNT>.lacework.net)
  • api_key: API Access Key
  • api_secret: API Access Secret

To create a set of API keys, log in to your Lacework account via WebUI and navigate to Settings > API Keys and click + CREATE NEW. Enter a name for the key and an optional description, then click SAVE. Download the generated API key file.

The Azure Cloud Shell allows you to drag-and-drop the generated KEY.json to upload it automatically.

Download-Drag-and-Drop Lacework API key

Finally, run the command:

$ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715.json
▸ Account: customerdemo
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715
▸ Secret Access Key: (*****************************26a0)

You are all set!

For more information, see Lacework CLI documentation

Enable Azure Compliance and Activity Log Integrations

  1. Cloud Shell also has a built-in IDE for editing files, use the following command to create a Terraform template named main.tf.

  2. The following code snippet configures monitoring of Azure Cloud resource configuration for compliance, and monitoring of Activity Log. The code leverages Lacework Terraform modules to create required resources in Azure Portal as well as connecting such resources to Lacework. Copy/Paste the following code snippet into the main.tf file and save it:

    terraform {
 required_providers {
   azuread = {
     source = "hashicorp/azuread"
   }
   azurerm = {
     source  = "hashicorp/azurerm"
     version = "2.26"
   }
   lacework = {
     source = "lacework/lacework"
   }
 }
}

provider "azurerm" {
 features {}
}

module "az_config" {
 source  = "lacework/config/azure"
 version = "~> 0.1.0"
}

module "az_activity_log" {
 source  = "lacework/activity-log/azure"
 version = "~> 0.1.0"

 use_existing_ad_application = true
 application_id              = module.az_config.application_id
 application_password        = module.az_config.application_password
 service_principal_id        = module.az_config.service_principal_id
}

    To customize these modules look at the following input parameters.

NOTE: Do not forget to save the file with Ctrl + S on Windows or Cmd + S on MacOS.

Run Terraform

  1. Run the command terraform init to download the necessary plugins and modules required to run this automation.

  2. Next run terraform apply to create a "plan" of the resources that will be created. Hit Yes

  3. Once the plan has been reviewed, type 'yes' to proceed with running Terraform and configure the integration with Azure and Lacework.

Validate The Configuration

Once Terraform finishes applying changes, use the Lacework CLI or the Lacework console to confirm the integration is working.

For the CLI open a Terminal and run lacework integrations list (you should see the two AZURE_CFG and AZURE_AL_SEQ Integrations listed).

To validate the integration via the Lacework Console, Log in to your account and go to Settings -> Integrations -> Cloud Accounts.