
Update the External ID of an Existing AWS Integration

Overview

To strengthen our security posture, Lacework is introducing a new external ID format for all AWS integrations. The new format helps prevent the confused deputy problem and cross-service impersonation.

This topic describes how to update the external ID format of an existing AWS integration.

Integrations to Update

You must update the external IDs for the following AWS integrations:

Update Methods

The method you used to create the original integration determines which method you should use to update the external ID format.

For each integration, the original integration method is listed with its recommended update method:

  • Configuration (compliance, resource management), or CloudTrail+Configuration (activity monitoring, compliance, resource management)
    • Manual - Manual update
    • CloudFormation - Delete and recreate
    • Control Tower with CloudFormation - Delete and recreate stack
    • Terraform - Terraform update
  • EKS Audit Log (Kubernetes audit log monitoring)
    • CloudFormation - Delete and recreate
    • Terraform - Terraform update
  • Agentless Workload Scanning (single account) (AWS account vulnerability scanning), or Agentless Workload Scanning (organization) (AWS organization vulnerability scanning)
    • CloudFormation - Delete and recreate
    • Terraform - Terraform update
  • AWS Security Hub (Amazon security findings collection)
    • CloudFormation - Delete and recreate
  • Amazon Elastic Container Registry (with IAM role-based authentication) (Platform Scanner)
    • Manual - Manual update
  • S3 data export (export from Lacework to S3)
    • Manual - Manual update
    • CloudFormation - Delete and recreate
    • Terraform - Terraform update

Manual Update

If you created the initial integration manually or you used CloudFormation, you can follow the steps in these sections to update the external ID format.

Generate a New External ID in the Lacework Console

  1. Log in to the Lacework Console as a user with cloud accounts write permissions.
  2. Go to Settings > Cloud accounts and click the existing AWS integration that needs a new external ID.
  3. Click the Edit icon.
  4. Click the Refresh icon next to the External ID. This generates a new external ID that complies with the new format.
  5. Click the Copy icon next to the External ID.
  6. Leave the cloud account edit window open and unsaved.
    Note: The Lacework Console does not allow you to save the updated external ID unless it matches the external ID configured in the IAM role's trust policy.

Update the External ID in the AWS Console

  1. Log in to your AWS account.
  2. Go to the Identity and Access Management (IAM) dashboard.
  3. Click Roles in the left sidebar. A list of existing IAM roles appears.
  4. Choose the role you want to update, which is one of the following:
    • For existing integrations - The role that the existing integration uses. You can view this role in the Lacework Console by going to Settings > Cloud accounts and clicking the existing integration.
    • For new integrations - The cross-account IAM role you created when completing the AWS integration prerequisites.
  5. Click Trust relationships.
  6. Click Edit trust policy.
  7. Change the value of "sts:ExternalId" to the external ID that you copied from the Lacework Console.
  8. Click Update policy.

Save the Integration in the Lacework Console

  1. Return to the cloud account edit window in the Lacework Console.
  2. Click Save to finish the external ID update.

External ID Format

The Lacework-generated external ID follows this format:

lweid:<csp>:<version>:<tenant_name>:<aws_account_id>:<random_string_size_10>

Example:

lweid:aws:v2:acmeinc:123456789012:dkl31.09ip

Where:

: - The field delimiter.

lweid - A static string.

<csp> - The cloud service provider; for AWS integrations this is aws.

<version> - The external ID format version; this is version 2, so it is the static string v2.

<tenant_name> - The unique tenant name, which is the <account> part of the URL <account>.lacework.net (examples: acmeinc, supercompany).

<aws_account_id> - The 12-digit ID of the AWS account being integrated.

<random_string_size_10> - A random string of exactly 10 characters that can only contain letters, numbers, and these special characters: , . @ : / -

For additional reference information, see the AWS documentation on IAM and AWS STS quotas.
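The following added example (not Lacework's own code) ties the two sections above together: it parses and validates an external ID in the v2 format, then updates the sts:ExternalId condition of a cross-account trust policy the way step 7 of the AWS Console procedure does, refusing IDs that are malformed or that were generated for a different AWS account. The trust policy, its principal account, and the old external ID are constructed placeholders; the tenant-name check (a DNS-label style pattern) is an assumption, since the page only says the name is the <account> part of the Lacework URL.

```python
import copy
import re

# Constructed sample of the trust policy edited in the AWS Console steps;
# the principal account and the old external ID are placeholders.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "OLD-EID-PLACEHOLDER"}},
    }],
}

# Random segment: exactly 10 characters from letters, digits and , . @ : / -
_RANDOM_RE = re.compile(r"^[A-Za-z0-9,.@:/-]{10}$")

def parse_external_id(eid: str) -> dict:
    """Split a v2 external ID into its fields and validate each one."""
    # ':' is also an allowed character of the random segment, so split on
    # at most five delimiters and keep the remainder whole.
    parts = eid.split(":", 5)
    if len(parts) != 6:
        raise ValueError("expected six ':'-delimited fields")
    prefix, csp, version, tenant, account, rand = parts
    if (prefix, csp, version) != ("lweid", "aws", "v2"):
        raise ValueError("not a 'lweid:aws:v2:...' external ID")
    if not re.fullmatch(r"[A-Za-z0-9-]+", tenant):  # assumed: DNS-label style
        raise ValueError("tenant name is not a valid subdomain label")
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError("aws_account_id must be exactly 12 digits")
    if not _RANDOM_RE.match(rand):
        raise ValueError("random segment must be 10 chars from the allowed set")
    return {"tenant": tenant, "account": account, "random": rand}

def set_external_id(policy: dict, new_eid: str, account_id: str) -> dict:
    """Return a copy of policy whose AssumeRole statements require new_eid."""
    if parse_external_id(new_eid)["account"] != account_id:
        raise ValueError("external ID was generated for another AWS account")
    updated = copy.deepcopy(policy)
    for stmt in updated["Statement"]:
        if stmt.get("Action") == "sts:AssumeRole":
            stmt.setdefault("Condition", {}).setdefault("StringEquals", {})["sts:ExternalId"] = new_eid
    return updated

def trust_policy_requires(policy: dict, eid: str) -> bool:
    """Pre-save check like the Console's: every AssumeRole statement pins eid."""
    stmts = [s for s in policy["Statement"] if s.get("Action") == "sts:AssumeRole"]
    return bool(stmts) and all(s.get("Condition", {}).get("StringEquals", {})
                               .get("sts:ExternalId") == eid for s in stmts)
```

Run trust_policy_requires against the policy you are about to paste into the AWS Console before returning to the unsaved edit window, so the Console's match check cannot fail.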

Terraform Update

If you used Terraform to create the initial integration, update the following AWS Terraform modules to the versions indicated.

  • lacework/terraform-aws-agentless-scanning v0.14.0 or later
  • lacework/terraform-aws-cloudtrail v1.0.3 or later
  • lacework/terraform-aws-config v0.7.2 or later
  • lacework/terraform-aws-alerts-to-s3 v0.4.1 or later
  • lacework/terraform-aws-iam-role v0.4.1 or later
  • lacework/terraform-aws-cloudtrail-controltower v0.4.0 or later

After the Terraform modules have been updated, apply infrastructure changes.

Delete and Recreate CloudFormation Integrations

If you used CloudFormation to create the initial integration, you can delete the integration and recreate it. When you recreate the integration, it will have the new external ID format.

Delete the Integration

  1. Log in to the Lacework Console as a user with cloud accounts delete permissions.
  2. Go to Settings > Cloud accounts and click the existing AWS integration that you want to delete.
  3. Click the delete icon and confirm deletion.

Recreate the Integration

Follow the integration's setup steps to recreate it:

Delete and Recreate Control Tower with CloudFormation Integrations

If you used Control Tower with CloudFormation to create the initial integration, you must delete and recreate the Lacework AWS Control Tower CloudFormation stack. When you recreate the stack, the integration will have the new external ID format.

  1. Navigate to the CloudFormation service in your AWS console.
  2. Select your existing Lacework AWS Control Tower CloudFormation stack.
  3. Select the Parameters tab.
  4. Record all of the listed Keys and Values. You will reuse them to recreate the stack.
  5. Ensure that you have the Lacework Access Key ID and Secret Key values.
  6. Click Delete to delete the existing stack.
  7. Monitor the progress of the stack deletion and ensure all resources are deleted successfully.
  8. To confirm that the stack was deleted successfully, verify the following:
    1. Under CloudFormation StackSets, ensure that no Lacework-Control-Tower-xxxx StackSets exist.
    2. Under Lambda, ensure that the LaceworkSetup and LaceworkAccount functions do not exist.
  9. Use the Keys and Values recorded in Step 4 and the Lacework Access Key ID and Secret Key values from Step 5 to complete the steps in Deploy the Lacework AWS Control Tower Integration with CloudFormation and recreate the stack.