Articles in this section

Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell

Lacework integrates with Microsoft Azure to monitor Activity Logs and cloud resource configurations for designated tenants and subscriptions. This procedure covers how to integrate Microsoft Azure and Lacework running Lacework Terraform Modules from Azure Cloud Shell.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

The approach outlined in this document is suitable for one-off integrations where the user does not plan to continue to use Terraform to manage the configuration of Lacework and Azure.

If you plan to continue to manage the state of the integration between Microsoft Azure and Lacework, and/or store the configuration in a source control management tool such as Git, review the following steps in Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host.

Overview of Azure Compliance and Activity Log Integration

To monitor Microsoft Azure Activity Logs and Compliance, Lacework requires the following resources:

  • Azure AD Application - An AD application with permissions to read directory information (using the Directory Reader Role)
  • Azure Resource Group - A resource group is created to store all resources provisioned the integration
  • Azure Storage Account - A storage account is used to store Activity Logs
  • Azure Storage Queue - A queue to hold activity log data
  • Azure Event Grid Subscription - Used to send notifications about events in Activity Logs

Requirements

The following is a list of requirements to run Lacework Terraform Modules for Azure:

  • Azure Global Administrator - You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
  • Azure Owner Role - Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
  • Azure CLI - The Terraform Provider for Azure leverages configuration from the Azure CLI to configure resources in Azure
  • Lacework Administrator - You must have Lacework account with administrator privileges.
  • Terraform - >= 0.12.31, ~> 0.13, ~> 0.14, ~> 0.15.

Module Dependencies

Lacework Terraform modules for Azure have the following dependencies that will be installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform Registry.

Terraform and Azure Cloud Shell

Azure Cloud Shell is an embedded terminal/command-line interface that you can use within the Azure Portal. This shell automatically authenticates the user that launches Cloud Shell with Azure AD and comes with pre-installed tools to manage and automate your Azure environment such as the Azure CLI and Terraform. For more information on Azure Cloud Shell, see the Overview of Azure Cloud Shell.

Open Azure Cloud Shell within Azure Portal

To open the Azure Cloud Shell, click the Cloud Shell icon in the header bar of the Azure Portal. This opens the Cloud Shell in a pane at the bottom of the browser. Cloud Shell defaults to PowerShell but also supports a Bash prompt.

Open Azure Cloud Shell

Install and Configure the Lacework CLI in Azure Cloud Shell

To configure accounts, the Terraform Provider for Lacework leverages the Lacework CLI configuration to authenticate with Lacework's API server. Lacework provides a shell script to install the Lacework CLI to Azure Cloud Shell.

Additionally, the script will validate that the user running Cloud Shell has the permissions required to integrate Azure with Lacework described above.

Install the Lacework CLI Using the shell_startup.sh Script

Open Cloud Shell and run the following command:

curl https://raw.githubusercontent.com/lacework/terraform-provisioning/master/azure/shell_startup.sh | bash

When the script completes, type exit followed by hitting the ENTER key to exit your shell. After a few seconds a prompt will appear to reconnect to Azure Shell. Once reconnected, the Lacework CLI will be ready for use.

Configure the Lacework CLI

Proceed to configure the Lacework CLI by using the command lacework configure. The Lacework CLI needs the following:

  • account: Account subdomain of URL (i.e. YourAccount.lacework.net)
  • api_key: API Access Key
  • api_secret: API Access Secret

To create a set of API keys, log in to your Lacework account via WebUI and navigate to Settings > API Keys and click Create New. Enter a name for the key and an optional description, then click Save. Download the generated API key file.

The Azure Cloud Shell allows you to drag-and-drop the generated KEY.json to upload it automatically.

Download-Drag-and-Drop Lacework API key

Finally, run the command:

$ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715.json
▸ Account: customerdemo
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715
▸ Secret Access Key: (*****************************26a0)

You are all set!

For more information, see Lacework CLI documentation

Enable Azure Compliance and Activity Log Integrations

This section covers running Terraform within your Azure Tenant. By default, only the primary subscription will be integrated for a given tenant, but all subscriptions can be integrated via the all_subscriptions = true input. Additionally, an array of subscriptions can be passed with the subscription_ids = [] input.

Run Terraform

provider "azuread" {
}
provider "azurerm" {
 features {}
}

module "az_ad_application" {
 source  = "lacework/ad-application/azure"
 version = "~> 1.0"
}

module "az_config" {
 source = "lacework/config/azure"
 version = "~> 1.0"
 all_subscriptions = true
 use_existing_ad_application = true
 application_id        = module.az_ad_application.application_id
 application_password  = module.az_ad_application.application_password
 service_principal_id  = module.az_ad_application.service_principal_id
}

module "az_activity_log" {
 source = "lacework/activity-log/azure"
 version = "~> 1.0"
 all_subscriptions = true
 use_existing_ad_application = true
 application_id        = module.az_ad_application.application_id
 application_password  = module.az_ad_application.application_password
 service_principal_id  = module.az_ad_application.service_principal_id
}
  1. Azure Cloud Shell has a built-in IDE for editing files. Run the command code main.tf in Azure Cloud Shell to create and open a Terraform template named main.tf.
  2. The code snippet above configures monitoring of Azure Cloud resource configuration for compliance, and monitoring of Activity Log. Copy/Paste the code snippet above into the main.tf file, and then save (Ctrl + S on Windows or Cmd + S on MacOS) the file.
  3. Run the command terraform init to download the necessary plugins and modules required to run this automation. If you are upgrading an old integration (v0.x), use the upgrade flag terraform init --upgrade. The v1.0 version for this module uses a new Azure AD provider via MS Graph API, check the upgrade documentation in case of issues.
  4. Run terraform apply to create a "plan" of the resources that will be created. Note that there is a well-known bug with the new Azure AD provider when executed on Azure Cloud Shell (which uses MSI tokens to interact with MS Graph API), which makes Terraform fail to get a valid MSI token. To workaround this, put unset MSI_ENDPOINT before calling Terraform, or do az login and re-authenticate.
  5. After you review the plan, type yes to proceed with the Azure and Lacework integration.

NOTE: To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform Registry.

Validate The Configuration

After Terraform finishes applying changes, use the Lacework CLI or the Lacework Console to confirm the integration is working.

For the CLI, open a Terminal and run lacework integrations list (you should see the two AZURE_CFG and AZURE_AL_SEQ integrations listed).

To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Deprecated Alternative Procedure for v0.x of the modules

The deprecated v0.x of the modules use Azure AD Graph API, deprecated by Microsoft, and required specific API permissions

  • Azure AD Application - API Permissions

    API Permission Type Description Admin Consent RQD
    Azure Active Directory Graph Directory.Read.All Application Read directory data Yes
    Azure Key Vault user_impersonation Delegated Have full access to Azure Key Vault service on behalf of the signed in user. This permission does not grant Lacework full access to the Azure Key Vault -
    Azure Storage user_impersonation Delegated This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader -
    Microsoft Graph User.Read.All Application Read the full profiles for all users Yes

Using API permissions, the Azure Active Directory Application created for Lacework requires granting admin consent before the integration will work. Granting admin consent is not possible natively using Terraform, but the Lacework Terraform module will attempt to automate this process by running the following command the Azure CLI:

# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually

az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
|| echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}

If granting admin consent fails, click the link to log in to the Azure console and grant admin consent manually.