Set up a Lacework User in OCI
This topic describes the first step in integrating Lacework with Oracle Cloud Infrastructure (OCI), creating a user for Lacework in OCI. After creating the user in OCI, you can complete the integration steps described in Create the OCI Integration.
Overview
To set up a user for Lacework, you create a user account and group, and assign privileges to the user group.
There are two ways to set up the user, both described on this page: with the OCI CLI, or in the OCI web console.
The steps for configuring users in the OCI web console differ depending on whether you use Identity Domains or Oracle Identity Cloud Service (IDCS). Before starting, determine which one you use based on Does My Region Use IAM Identity Domains?.
These steps assume you use Identity Domains. To set up the user in the OCI web console with IDCS instead, follow the steps in Set Up Users and Groups Using IDCS, grant the user the permissions listed in Step 4: Add a Lacework Policy, and add an API key for the user as described in Step 5: Generate and Upload the OCI API Key. The CLI instructions work for both Identity Domains and IDCS.
Set Up a Lacework User with the OCI CLI
In the following steps, you create a user for Lacework and add the user to the OCI configuration using the OCI CLI. As an alternative, you can perform these steps in the OCI console, as described in Set up a Lacework User with the OCI Console.
To follow these steps, you should have the OCI CLI installed, along with access to OCI and Lacework accounts. For more information, see the OCI CLI documentation.
Step 1: Create the Lacework User
oci iam user create --name lacework_user_security_audit \
--description "A read only Lacework user to access resource configs." \
--email example@example.com
Note the ID you get from the response; you'll need this to set the user-id later.
Step 2: Create a Lacework Group
oci iam group create --name lacework_group_security_audit \
--description "A lacework group needed to assign necessary read only permissions to lacework_user_security_audit."
Note the ID you get from the response; you'll need this to set the group-id later.
Step 3: Add the Lacework User to the Lacework Group
Use the user-id and group-id you got from the previous two commands to execute the following command:
oci iam group add-user --user-id <lacework_user_ocid> \
--group-id <lacework_group_ocid>
Step 4: Add a Lacework Policy
Create a policy in OCI. See Common Policies in the Oracle Cloud Infrastructure documentation for more information.
oci iam policy create \
--compartment-id <root_compartment_ocid> \
--name lacework_policy_security_audit \
--description "Policy that grants necessary permissions to perform the security audit." \
--statements "[\"Allow group 'lacework_group_security_audit' to inspect compartments in tenancy\", \
\"Allow group 'lacework_group_security_audit' to read buckets in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect volumes in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect security-lists in tenancy\", \
\"Allow group 'lacework_group_security_audit' to read users in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect groups in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect policies in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect domains in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect tag-defaults in tenancy\", \
\"Allow group 'lacework_group_security_audit' to read instances in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect subnets in tenancy\", \
\"Allow group 'lacework_group_security_audit' to read network-security-groups in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect tenancies in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect route-tables in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect internet-gateways in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect load-balancers in tenancy\", \
\"Allow group 'lacework_group_security_audit' to read compute-clusters in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect instance-images in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect vnic-attachments in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect volume-attachments in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect vcns in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect leaf-certificates in tenancy\", \
\"Allow group 'lacework_group_security_audit' to inspect vnics in tenancy\" ]"
Step 5: Generate and Upload the OCI API Key
In this step, you generate public and private keys for your Lacework user in OCI. The commands in this step represent Linux/Mac commands. For Windows OS or to learn more about these steps, see Required Keys and OCIDs in the OCI documentation.
To generate public and private keys for your Lacework user in OCI, follow these steps:
Create a directory for OCI if it does not exist. (You likely already have one if you have the OCI CLI):
mkdir ~/.oci
Generate the private key:
openssl genrsa -out ~/.oci/oci_api_key_lacework.pem 2048
Set appropriate permissions for the private key:
chmod go-rwx ~/.oci/oci_api_key_lacework.pem
Generate a public key from your private key:
openssl rsa -pubout -in ~/.oci/oci_api_key_lacework.pem -out ~/.oci/oci_api_key_lacework_public.pem
Upload the public key for the Lacework user:
oci iam user api-key upload --user-id <lacework_user_ocid> --key-file ~/.oci/oci_api_key_lacework_public.pem
After you've uploaded the first public key, you can use the UploadApiKey API to upload additional keys. A user can have up to three API key pairs. In an API request, you specify the key's fingerprint to indicate the key used to sign the request.
Step 6: Add the Lacework User to OCI Configuration
You can use the API key (i.e., the private key) you generated to set up the Python SDK to make calls to OCI. For more information relating to this step, see Required Keys and OCIDs in the OCI documentation.
Optionally, add a new profile for the user and API key you created to the CLI configuration, so that you can test permissions for making calls via the CLI.
First generate the fingerprint of the key, which will be needed to add the configuration, as follows:
openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key_lacework.pem | openssl md5 -c
Edit ~/.oci/config and add the following:
[lacework-integration]
user=<lacework_user_ocid>
fingerprint=<lacework_api_key_fingerprint>
tenancy=<tenant_id>
region=<home_region>
key_file=/path/to/key/oci_api_key_lacework.pem
Replace the placeholder values with the values appropriate for your environment. Note that the <home_region> value must be your tenancy home region.
Now test the configuration with a simple OCI command:
oci --profile lacework-integration iam region list --output table
You should get back a table with a list of available regions.
Set Up a Lacework User with the OCI Console
In these steps, you create a user for Lacework and add the user to the OCI configuration using the OCI Console. As an alternative, you can use the OCI CLI as described in Set up a Lacework User with the OCI CLI.
These steps assume that you use Identity Domains for identity and access management in OCI. If you use Oracle Identity Cloud Service (IDCS) instead, the steps for configuring a user and group for Lacework differ. See the introduction under Set up a Lacework User in OCI for more information.
Step 1: Create the Lacework Group
In the OCI console, open the navigation menu and click Identity & Security.
Under Identity, click Domains > Default.
Under the Identity domain resources, click Groups.
Click Create group.
In the Create group dialog, enter values for the following fields:
- Name: A unique name for your group, such as lacework_group_security_audit. The name cannot contain spaces.
- Description: A description for your group, such as "group to assign audit permissions to lacework_security_audit_user".
Click Create.
Step 2: Create a Lacework User and Add the User to the Lacework Group
Open the navigation menu and click Identity & Security. Under Identity, click Domains.
Click Default to open the Default identity domain.
Under the Identity domain resources, click Users.
Click Create user.
In the First name and Last name fields of the Create user window, enter a first and last name for the Lacework user, such as lacework_security_audit_user.
Leave the default Use the email address as the username checkbox selected and enter the email address for the user account.
Under Select groups to assign this user to, select the checkbox for the group you just created, lacework_group_security_audit.
Click Create.
Step 3: Add the Lacework Policy
Create a policy to give the lacework_group_security_audit group permissions in OCI:
Open the navigation menu and click Identity & Security.
Under Identity, click Policies.
Under List Scope, ensure that you are in your root compartment.
Click Create Policy.
Enter a unique Name for the policy, such as LaceworkPolicy, and a Description (required) for the policy. The name cannot contain spaces.
In Statements, enter the following:
Allow group 'lacework_group_security_audit' to inspect compartments in tenancy
Allow group 'lacework_group_security_audit' to read buckets in tenancy
Allow group 'lacework_group_security_audit' to inspect volumes in tenancy
Allow group 'lacework_group_security_audit' to inspect security-lists in tenancy
Allow group 'lacework_group_security_audit' to read users in tenancy
Allow group 'lacework_group_security_audit' to inspect groups in tenancy
Allow group 'lacework_group_security_audit' to inspect policies in tenancy
Allow group 'lacework_group_security_audit' to inspect domains in tenancy
Allow group 'lacework_group_security_audit' to inspect tag-defaults in tenancy
Allow group 'lacework_group_security_audit' to read instances in tenancy
Allow group 'lacework_group_security_audit' to inspect subnets in tenancy
Allow group 'lacework_group_security_audit' to read network-security-groups in tenancy
Allow group 'lacework_group_security_audit' to inspect tenancies in tenancy
Allow group 'lacework_group_security_audit' to inspect route-tables in tenancy
Allow group 'lacework_group_security_audit' to inspect internet-gateways in tenancy
Allow group 'lacework_group_security_audit' to inspect load-balancers in tenancy
Allow group 'lacework_group_security_audit' to read compute-clusters in tenancy
Allow group 'lacework_group_security_audit' to inspect instance-images in tenancy
Allow group 'lacework_group_security_audit' to inspect vnic-attachments in tenancy
Allow group 'lacework_group_security_audit' to inspect volume-attachments in tenancy
Allow group 'lacework_group_security_audit' to inspect vcns in tenancy
Allow group 'lacework_group_security_audit' to inspect leaf-certificates in tenancy
Allow group 'lacework_group_security_audit' to inspect vnics in tenancy
Click Create.
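The statements entered here (and the identical list passed to oci iam policy create in Step 4 of the CLI procedure) are the entire blast radius of the Lacework user, so they are worth checking mechanically before the policy is created. The following script is an added example and is not code from the Lacework or Oracle documentation: it lints a list of statements for the read-only shape used on this page (one named group, only the inspect or read verbs, tenancy scope, no duplicates) and, when the list is clean, prints the JSON array that the CLI's --statements option expects. The sample statements inside the script are constructed and deliberately include a duplicate and a manage grant to show what gets rejected; the function names and the statements.txt file in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Lacework or Oracle documentation: lint OCI IAM
# policy statements for the least-privilege shape a read-only scanner should
# have, then emit them as the JSON array `oci iam policy create --statements`
# expects. Constructed sample data is at the bottom; no OCI account is needed.

# lint_statements <group>
# Reads statements from stdin, one per line. Prints one line per finding and
# returns 1 if anything was found, 0 if the list is clean.
lint_statements() {
  awk -v want="'$1'" '
    BEGIN { bad = 0 }
    { stmt = $0; sub(/^[ \t]+/, "", stmt); sub(/[ \t]+$/, "", stmt) }
    stmt == "" { next }
    (stmt in seen) { printf "duplicate: %s\n", stmt; bad = 1; next }
    { seen[stmt] = 1 }
    {
      # Expected shape: Allow group <group> to <verb> <resource> in tenancy
      n = split(stmt, w, " ")
      if (n != 8 || w[1] != "Allow" || w[2] != "group" || w[4] != "to" ||
          w[7] != "in" || w[8] != "tenancy") {
        printf "unexpected shape: %s\n", stmt; bad = 1; next
      }
      if (w[3] != want) { printf "wrong principal: %s\n", stmt; bad = 1; next }
      # OCI verbs escalate inspect < read < use < manage; a scanner stops at read.
      if (w[5] != "inspect" && w[5] != "read") {
        printf "verb escalates beyond read-only: %s\n", stmt; bad = 1; next
      }
    }
    END { exit bad }
  '
}

# statements_json
# Reads statements from stdin and prints the JSON array for --statements.
# OCI statements quote names with single quotes, so a double quote is a sign
# of a mangled line and is refused rather than escaped.
statements_json() {
  awk '
    BEGIN { printf "["; err = 0 }
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    line == "" { next }
    index(line, "\"") { print "refusing statement with a double quote: " line > "/dev/stderr"; err = 1; exit 1 }
    { printf "%s\"%s\"", (n++ ? "," : ""), line }
    END { if (err) exit 1; print "]" }
  '
}

# Constructed sample: the first three lines are valid, the fourth repeats one
# of them, and the fifth grants "manage", which a read-only scanner must never get.
SAMPLE_STATEMENTS="Allow group 'lacework_group_security_audit' to inspect compartments in tenancy
Allow group 'lacework_group_security_audit' to read buckets in tenancy
Allow group 'lacework_group_security_audit' to inspect subnets in tenancy
Allow group 'lacework_group_security_audit' to inspect subnets in tenancy
Allow group 'lacework_group_security_audit' to manage buckets in tenancy"

# Stand-alone use: sh lint_policy.sh <group> <statements-file>
# Prints the JSON only when the lint passes, so it can be used directly:
#   oci iam policy create ... --statements "$(sh lint_policy.sh lacework_group_security_audit statements.txt)"
# With no arguments it lints the constructed sample above (which is rejected).
if [ "$#" -eq 2 ]; then
  lint_statements "$1" < "$2" >&2 && statements_json < "$2"
else
  printf '%s\n' "$SAMPLE_STATEMENTS" | lint_statements lacework_group_security_audit ||
    echo "sample policy rejected, as expected"
fi
```

Keeping the statements in a plain text file and generating the JSON from it also avoids the nested quoting in the CLI step, which is where the duplicated line in such lists tends to come from.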
Step 4: Generate an API Signing Key for the User in the OCI Console
Navigate to Users in the default identity domain.
Search for the user you created for Lacework and click the user.
Under resources, click API Keys.
If you need a key pair, generate the key pair here and download the private key. If you already have a key pair, you can upload or paste your public key file instead.
Note: If you are generating the key, be sure to download the private key; you will need it to complete the integration.
Click Add to preview the configuration file. Copy and paste the contents of the text box into your ~/.oci/config file and update the key_file parameter with the file path to your private key.
[lacework-integration]
user=<lacework_user_ocid>
fingerprint=<lacework_api_key_fingerprint>
tenancy=<tenant_id>
region=<home_region>
key_file=<path to private keyfile>
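Whichever way you created the key, the profile only works if the fingerprint in the config belongs to the key_file it names and the private key is readable by you alone; a mismatch makes OCI reject every request with a 401 NotAuthenticated before any policy is consulted. The following script is an added example and is not code from the Lacework or Oracle documentation: it reads a profile from an OCI-style config file, recomputes the key's fingerprint the same way as in Step 6 of the CLI procedure, and refuses the profile on a mismatch, a malformed fingerprint, or a group/world-readable key. The function names, the write_profile fixture helper and the sample OCIDs in its usage are this example's own; run it as sh check_oci_profile.sh ~/.oci/config lacework-integration.

```shell
#!/bin/sh
# Added example, not part of the Lacework or Oracle documentation: verify that an
# OCI config profile is internally consistent before using it. Only openssl and
# POSIX tools are needed; nothing here talks to OCI.

# oci_key_fingerprint <private_key.pem>
# Prints the colon-separated MD5 fingerprint OCI shows for an uploaded API key
# (MD5 over the DER-encoded public key, as in Step 6).
oci_key_fingerprint() {
  openssl rsa -pubout -outform DER -in "$1" 2>/dev/null | openssl md5 -c | awk '{ print $NF }'
}

# profile_value <config_file> <profile> <key>
# Prints the value of <key> inside the [<profile>] section of an OCI-style config.
profile_value() {
  awk -v section="[$2]" -v key="$3" '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    line == section { inside = 1; next }
    /^[ \t]*\[/ { inside = 0 }
    inside && line ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, "", line); print line; exit }
  ' "$1"
}

# check_oci_profile <config_file> <profile>
# Returns 0 when the profile is usable, 1 (with the reason on stderr) otherwise.
check_oci_profile() {
  cfg=$1; prof=$2
  key_file=$(profile_value "$cfg" "$prof" key_file)
  expected=$(profile_value "$cfg" "$prof" fingerprint)
  if [ -z "$key_file" ] || [ -z "$expected" ]; then
    echo "[$prof]: key_file or fingerprint missing" >&2; return 1
  fi
  # The CLI expands a leading ~ in key_file; do the same.
  case $key_file in "~/"*) key_file="$HOME/${key_file#"~/"}" ;; esac
  if [ ! -r "$key_file" ]; then
    echo "[$prof]: key_file $key_file is not readable" >&2; return 1
  fi
  # Columns 5-10 of `ls -l` are the group and other permission bits; a private
  # key must have none of them set (chmod 600, as in Step 5).
  perms=$(ls -ld "$key_file" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "[$prof]: $key_file is group/world accessible ($perms)" >&2; return 1
  fi
  # An OCI API-key fingerprint is 16 colon-separated lowercase hex bytes. A
  # SHA-256 fingerprint pasted from another tool is not what the signer sends.
  if ! printf '%s' "$expected" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'; then
    echo "[$prof]: fingerprint '$expected' is not an OCI MD5 fingerprint" >&2; return 1
  fi
  actual=$(oci_key_fingerprint "$key_file")
  if [ "$actual" != "$expected" ]; then
    echo "[$prof]: config says $expected but key_file has $actual" >&2; return 1
  fi
  return 0
}

# write_profile <config_file> <profile> <user_ocid> <fingerprint> <tenancy_ocid> <region> <key_file>
# Appends a profile in the layout shown above; used here only to build fixtures.
write_profile() {
  printf '[%s]\nuser=%s\nfingerprint=%s\ntenancy=%s\nregion=%s\nkey_file=%s\n' \
    "$2" "$3" "$4" "$5" "$6" "$7" >> "$1"
}

# Stand-alone use: sh check_oci_profile.sh ~/.oci/config lacework-integration
if [ "$#" -eq 2 ]; then
  check_oci_profile "$1" "$2" && echo "[$2] in $1 looks usable"
fi
```

Run this before the oci --profile lacework-integration iam region list test: a profile that passes here but still gets NotAuthorizedOrNotFound on a resource call has a policy problem, not a credential one, which narrows the search considerably.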
Next Steps
After creating the user in OCI, complete the integration as described in Create the OCI Integration.