Lacework integrates with Microsoft Azure to monitor Activity Logs and cloud resource configurations for designated tenants and subscriptions. This procedure covers how to integrate Microsoft Azure and Lacework running Lacework Terraform Modules for Azure from any host that Terraform supports.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, be sure to read through the Terraform for Lacework Overview article to learn the basics on how to configure the provider, and more.
The approach outlined in this document is geared towards companies that store Terraform code in source control, and plan to continue to manage the state of the integration between Lacework and Azure using Terraform.
Lacework also supports running Terraform from Azure Cloud Shell, which comes with Terraform pre-installed. For instructions on running Terraform from Azure Cloud Shell, see Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell.
Overview of Azure Compliance and Activity Log Integration
For Lacework to monitor Microsoft Azure Activity Logs and Compliance, the following resources need to be provisioned in the Tenant being integrated:
- Azure AD Application - An Azure AD Application is required in order to delegate Identity and Access Management functions to Azure AD in the Azure AD Tenant. The following API permissions will be granted to the Azure AD Application:
  - Azure Active Directory Graph: Directory.Read.All (Application) - Read directory data. Admin consent required: Yes
  - Azure Key Vault: user_impersonation (Delegated) - Have full access to the Azure Key Vault service on behalf of the signed-in user. This permission does not grant Lacework full access to the Azure Key Vault. Admin consent required: No
  - Azure Storage: user_impersonation (Delegated) - This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader. Admin consent required: No
  - Microsoft Graph: User.Read.All (Application) - Read the full profiles for all users. Admin consent required: Yes
- Azure Resource Group - An Azure Resource Group will be created to store all resources provisioned for the integration.
- Azure Storage Account - Storage account used to store Activity Logs.
- Azure Storage Queue - Azure queue to hold Activity Log data.
- Azure Event Grid Subscription - Used to send notifications about events in Activity Logs.
Requirements
The following is a list of requirements to run Lacework Terraform Modules for Azure locally:
- Azure Global Administrator - You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
- Azure Owner Role - Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
- Azure CLI - The Terraform Provider for Azure leverages configuration from the Azure CLI to configure resources in Azure.
- Lacework Administrator - You must have a Lacework account with administrator privileges.
- Terraform - >= 0.12.26, ~> 0.13.0, or ~> 0.14.0.
Integrate Azure for Configuration Assessment and Activity Log monitoring
The next section covers running Lacework Terraform Modules for Azure to integrate Azure subscriptions and tenants with Lacework for Configuration Assessments, and Activity Log monitoring.
By default, the Lacework modules only configure the default subscription, but they can be configured to integrate all subscriptions or an array of specific subscriptions. For more details, see the complete list of module inputs.
Log in to Azure via the Azure CLI
To integrate Lacework with Azure you will need to log in to your Azure console via the Azure CLI by running the command:
$ az login
About Granting Admin Consent
Before running Terraform, it is important to understand that the Azure Active Directory Application created for Lacework requires admin consent before the integration will work. Granting admin consent is not possible natively in Terraform, but the Lacework Terraform Module will attempt to automate this process by running the following command via the Azure CLI:
# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually
az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
  || echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
  https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}
If granting admin consent fails, click the link to log in to the Azure console and grant admin consent manually.
Run Terraform
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.26"
    }
    lacework = {
      source  = "lacework/lacework"
      version = "~> 0.2.7"
    }
  }
}

provider "azurerm" {
  features {}
}

module "az_config" {
  source  = "lacework/config/azure"
  version = "~> 0.1.2"
}

module "az_activity_log" {
  source  = "lacework/activity-log/azure"
  version = "~> 0.1.2"

  use_existing_ad_application = true
  application_id              = module.az_config.application_id
  application_password        = module.az_config.application_password
  service_principal_id        = module.az_config.service_principal_id
}
- Open an editor such as VSCode, Atom, or Vim and create a new file called main.tf.
- Copy the code snippet above and paste it into main.tf.
- Open a terminal, change directories to the directory that contains main.tf, and run terraform init to initialize the project and download the required modules.
- Run terraform plan to validate the configuration and review pending changes.
- When you have reviewed the pending changes, run terraform apply to execute them.
- When Terraform completes, validate whether admin consent was granted using the Azure CLI, or follow the link (see above) to manually grant admin consent via the Azure Console.
Note: Lacework Terraform modules provide a number of inputs for customization. Visit the documentation on the Terraform Registry for the complete list of inputs for each module.
Validate The Configuration
Once Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.
For the CLI, open a terminal and run lacework integrations list (the integrations will be listed as AZURE_CFG and AZURE_AL_SEQ).
To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
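As an added post-apply check (an example script, not Lacework's own tooling), the following POSIX shell functions rebuild the manual admin-consent URL from the tenant and application IDs, then scan the output of lacework integrations list for both integration types and report whichever is missing. The listing it falls back to when the Lacework CLI is not on the PATH is a constructed sample, and the IDs used at the bottom are placeholders, not values from any real tenant.

```shell
#!/bin/sh
# Post-apply checks for the Azure integration described above (added example,
# not Lacework's own tooling). Assumes the Azure CLI and Lacework CLI are
# installed and logged in; tenant and application IDs come from your run.

# Build the manual admin-consent URL that the module prints when automatic
# consent fails (same URL shape as the module's local-exec command).
admin_consent_url() {
  tenant_id="$1"
  application_id="$2"
  printf 'https://login.microsoftonline.com/%s/adminconsent?client_id=%s\n' \
    "$tenant_id" "$application_id"
}

# Return 0 only when both integration types appear in the listing passed as
# the first argument; otherwise name the missing ones on stderr and return 1.
lacework_integrations_present() {
  listing="$1"
  missing=""
  for kind in AZURE_CFG AZURE_AL_SEQ; do
    printf '%s\n' "$listing" | grep -q "$kind" || missing="$missing $kind"
  done
  if [ -n "$missing" ]; then
    echo "missing integrations:$missing" >&2
    return 1
  fi
  printf '%s\n' "$listing" | grep -E 'AZURE_CFG|AZURE_AL_SEQ'
  return 0
}

# Constructed sample of a `lacework integrations list` table (not real output).
SAMPLE_LISTING='    INTEGRATION GUID       NAME         TYPE            STATUS    STATE
  ----------------------------------------------------------------------
  EXAMPLE_11111111       TF config    AZURE_CFG       Enabled   Ok
  EXAMPLE_22222222       TF act log   AZURE_AL_SEQ    Enabled   Ok'

# Use the live CLI when it is available, otherwise fall back to the sample.
if command -v lacework >/dev/null 2>&1; then
  LISTING=$(lacework integrations list) || LISTING=""
else
  LISTING="$SAMPLE_LISTING"
fi

if lacework_integrations_present "$LISTING"; then
  echo "Both Azure integrations are registered in Lacework."
fi

# Placeholder IDs; substitute the tenant and application IDs from your run.
admin_consent_url "00000000-0000-0000-0000-000000000000" "11111111-1111-1111-1111-111111111111"
```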