Add the OCI Integration
After configuring a user for Lacework in OCI, you can use that user's credentials to integrate an OCI Tenant with Lacework, as described here.
These instructions describe how to integrate Lacework and OCI using two alternative methods: the Lacework Console or the Lacework API.
To avoid errors, we recommend first trying the Lacework-provided Terraform. See Integrate OCI Using Terraform for more information.
Requirements
Before starting, make sure you have created a user in OCI for Lacework.
Access the OCI console and download the private key for the Lacework OCI user. To learn more about creating and managing keys in OCI, see Required Keys and OCIDs in the Oracle documentation.
Integrate an OCI Tenant with the Lacework Console
After creating and configuring a user for Lacework, integrate OCI tenants with Lacework in the Lacework Console as follows:
- Log in to the Lacework Console as a user with cloud accounts write permissions.
- Go to Settings > Integrations > Cloud accounts.
- Click + Add New.
- Click Oracle Cloud Infrastructure.
- Click Next.
- Enter a name for the integration.
- For the OCI Credentials, upload a PEM of the OCI private key associated with the Lacework user you created in OCI in Set up a Lacework User in OCI. Be sure to include the prefix, "-----BEGIN PRIVATE KEY-----" and postfix, "-----END PRIVATE KEY-----".
- Enter the fingerprint of the public key associated with the Lacework user.
- Choose the home region for the integrated OCI account, and then enter the tenant ID and tenant name of the integrated account.
- For the OCID, enter the Oracle-assigned unique ID for the Lacework user you created and click Save.
The new integration now appears in the Cloud accounts page.
Integrate an OCI Tenant with the Lacework API
After creating and configuring a user for Lacework, integrate OCI tenants with Lacework as follows:
Follow the steps in API Access Keys and Tokens to create an API key in the Lacework Console.
Download the API key and use the key ID and secret to generate an API access token. For more information, see Generate Access Tokens in the Lacework API documentation.
Use the generated API access token for all subsequent API requests, including create, update, and delete OCI_CFG cloud accounts. For more information, see the Cloud Accounts API documentation.
Now add an account. To add an account, send configuration data as the body payload to the following endpoint:
POST https://{your.lacework.url}.lacework.net/api/v2/CloudAccounts
The body data is in the following format:
```json
{
  "name": "{INTEGRATION_NAME}",
  "type": "OciCfg",
  "enabled": 1,
  "data": {
    "homeRegion": "{us-sanjose-1}",
    "tenantId": "{ocid1.tenancy.oc1..your_id}",
    "tenantName": "{TENANT_NAME}",
    "userOcid": "{ocid1.user.oc1..your_id}",
    "credentials": {
      "fingerprint": "{FINGERPRINT}",
      "privateKey": "{YOURKEY}"
    }
  }
}
```
Since the format of configuration values in JSON may be error prone, especially formatting the private key, Lacework provides a helper script that formats the JSON body data for you. You only need to provide a few settings and run the script. To do so, follow these steps:
Download the following script from the Lacework scripts repository: lacework_integration_payload.
Edit the script, replacing the following placeholder values with values appropriate for your environment:
LACEWORK_OCI_USERNAME="<user_ocid>"
OCI_TENANCY_OCID="<tenancy_ocid>"
OCI_HOME_REGION="<home_region>"
OCI_TENANT_NAME="<tenant_name>"
LACEWORK_PRIVATE_KEY_PATH="<private_key_path>"
LACEWORK_PRIVATE_KEY_FINGERPRINT="<fingerprint>"
Notice that you only need to provide the path to your private key file, not the value of the key itself.
Make sure the script is executable and run the script:
chmod u+x lacework_integration_payload.sh
./lacework_integration_payload.sh
The script produces a file named lacework_payload.json in the current directory, which you can use as the body payload for the OCI integration API call.
Now call the API using the Lacework CLI, passing the generated file. The command is:
lacework api post /api/v2/CloudAccounts -d "$(cat lacework_payload.json)"
If the request succeeds, you should get a response that shows the values you configured.
Note: If you choose not to use the script, Lacework recommends using a clipboard tool like pbcopy, xclip, or similar when pasting your private key value in a request (for example, cat ~/.oci/oci_api_key_lacework.pem | pbcopy). The privateKey value spans multiple lines, so be sure to escape each newline as \n, for example, abc\nabc\nabc… . Also, tenantName should match the tenancy name in your Oracle Cloud Infrastructure account.
Check that the integration validated successfully by running the following command and checking for the new cloud integration in the output:
lacework cloud-accounts list
OCI integration is now configured. After Lacework's next resource collection cycle, you can query OCI data with LQL via the Lacework CLI.
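The following POSIX shell script is an added example, not the Lacework-provided lacework_integration_payload.sh and not part of this page's original content. It shows the two things that go wrong most often when the body is assembled by hand: the private key must be folded onto one line with each newline written as the two characters \n, and the PEM must still carry its BEGIN/END markers. It also escapes the scalar fields so a quote or backslash in a name cannot break the JSON. The function names, the --demo flag, the placeholder OCIDs, fingerprint, and the sample PEM are all assumptions made for this example; the sample "key" is constructed filler text, not real key material.

```shell
#!/bin/sh
# Added example: build the OciCfg body for POST /api/v2/CloudAccounts from a PEM file.
# Not the Lacework helper script; function names and placeholder values are assumptions.

# Return 0 only if FILE carries both PEM markers (the page requires the
# "-----BEGIN PRIVATE KEY-----" prefix and "-----END PRIVATE KEY-----" postfix).
check_pem() {
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -e '-----END .*PRIVATE KEY-----' "$1"
}

# Print FILE as a single line, joining lines with the two characters \n,
# which is how the multi-line privateKey value must appear inside JSON.
pem_to_json_string() {
  awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }' "$1"
}

# Escape backslashes and double quotes so a scalar is safe inside a JSON string.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_oci_payload NAME HOME_REGION TENANCY_OCID TENANT_NAME USER_OCID FINGERPRINT KEY_FILE
# Prints the JSON body on stdout; returns 1 (printing nothing) if KEY_FILE is not a PEM key.
build_oci_payload() {
  key_file=$7
  if ! check_pem "$key_file"; then
    echo "error: $key_file does not contain PEM PRIVATE KEY markers" >&2
    return 1
  fi
  printf '{\n  "name": "%s",\n  "type": "OciCfg",\n  "enabled": 1,\n  "data": {\n    "homeRegion": "%s",\n    "tenantId": "%s",\n    "tenantName": "%s",\n    "userOcid": "%s",\n    "credentials": {\n      "fingerprint": "%s",\n      "privateKey": "%s"\n    }\n  }\n}\n' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
    "$(json_escape "$4")" "$(json_escape "$5")" "$(json_escape "$6")" \
    "$(pem_to_json_string "$key_file")"
}

# Write a constructed placeholder PEM (filler text, not a real key) to FILE for a dry run.
write_sample_key() {
  cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIEtFWQ==
QU5PVEhFUiBQTEFDRUhPTERFUiBMSU5F
-----END PRIVATE KEY-----
EOF
}

# Dry run: sh build_oci_payload.sh --demo
# For a real integration, pass your own values and redirect stdout to lacework_payload.json.
if [ "${1:-}" = "--demo" ]; then
  sample=$(mktemp) && write_sample_key "$sample"
  build_oci_payload "oci-prod" "us-sanjose-1" "ocid1.tenancy.oc1..your_id" \
    "your_tenant_name" "ocid1.user.oc1..your_id" \
    "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99" "$sample"
  rm -f "$sample"
fi
```

Redirect the function's output to lacework_payload.json and submit it exactly as the page shows, with lacework api post /api/v2/CloudAccounts -d "$(cat lacework_payload.json)". The key file is read directly from disk, so it never passes through a shell history line or a clipboard.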
Remove an OCI Integration
To remove the integration, use the following command, replacing <integration_guid>
with the GUID for the OCI account integration:
lacework cloud-accounts delete <integration_guid>
Next Steps
Now provision access to OCI resources in Lacework. Also, see OCI Frameworks for details on how to check whether your resources are compliant with CIS and other regulatory benchmarks.