AWS Inventory

Overview

The Lacework Console provides visibility into AWS resources that are integrated with Lacework. A resource can be any entity within the cloud deployment, such as an S3 bucket, security group, or EC2 instance. The AWS Resource Inventory page allows you to view and monitor in-use AWS resources’ risk, compliance, and configuration changes and provides visibility for team members with limited or no access to the AWS Management Console. Because Lacework takes regular snapshots of your resources, you can track their changes (diffs) through the Lacework Console. To access the Resource Inventory page, go to Resources > AWS Inventory.

Lacework takes a snapshot of resources every 24 hours. Depending on the time that Lacework takes the snapshot, changes may not be captured until up to 24 hours after the changes are made. See the following examples:

• A resource change is made on Monday at 1:00 AM and Lacework takes a snapshot on Monday at 2:00 AM, the snapshot includes the change.
• A resource change is made on Monday at 3:00 AM but Lacework took a snapshot on Monday at 2:00 AM, the snapshot does not include the change. The next snapshot on Tuesday at 2:00 AM will capture the change.

info

Lacework is currently expanding its service coverage in AWS. As we begin assessing these services for the first time, you may notice the New service accessed in region alert on your Lacework Console. This alert will originate from Lacework Service IP Addresses and can be safely disregarded. If you have any questions regarding the alert, please contact Lacework Support for further assistance.

Region Compatibility for Session Tokens

Lacework uses a global (non-regional) security token service endpoint when establishing a cross-account session with AWS. Lacework recommends that you ensure the region compatibility of their STS service is set to Valid in all AWS Regions. Failure to do so could result in an inability for Lacework to crawl non-default regions. For detailed information on how to set the region compatibility, see Managing global endpoint session tokens.

Ingested AWS APIs

Lacework resource inventory ingests the following AWS APIs.

Service	API
accessanalyzer	list-analyzers
acm	list-certificates
apigateway	Expand to view the list of APIs get-api-keys get-client-certificates get-domain-names get-rest-apis get-sdk-types get-usage-plans get-vpc-links
apigatewayv2	Expand to view the list of APIs get-apis get-domain-names get-vpc-links
appsync	Expand to view the list of APIs list-domain-names list-graphql-apis
autoscaling	describe-launch-configurations
cloudfront	list-distributions
cloudtrail	describe-trails
cloudwatch	describe-alarm
config	Expand to view the list of APIs describe-configuration-recorder-status describe-configuration-recorders describe-delivery-channel-status describe-delivery-channels
dax	Expand to view the list of APIs describe-clusters describe-parameter-groups describe-subnet-groups
dynamodb	list-tables
ec2	Expand to view the list of APIs describe-customer-gateways describe-dhcp-options describe-instances describe-internet-gateways describe-key-pairs describe-nat-gateways describe-network-interfaces describe-regions describe-route-tables describe-security-groups describe-snapshots describe-subnets describe-transit-gateways describe-volumes describe-vpcs describe-vpc-endpoints describe-flow-logs describe-vpc-peering-connections describe-vpn-connections describe-vpn-gateways
ecr	describe-repositories
ecs	Expand to view the list of APIs list-clusters list-container-instances list-services list-task-definitions list-tasks
eks	list-clusters
elasticache	describe-replication-groups
elb	describe-load-balancers
elbv2	Expand to view the list of APIs describe-load-balancers describe-ssl-policies describe-target-groups describe-listeners
es	list-domain-names
firehose	list-delivery-streams
iam	Expand to view the list of APIs get-account-password-policy get-account-summary get-credential-report list-groups list-policies list-roles list-saml-providers list-server-certificates list-users list-virtual-mfa-devices
identitystore	Expand to view the list of APIs list-groups list-users
kms	Expand to view the list of APIs list-aliases list-keys
laceworkaccountdetails	build-integration-account-urn
lambda	list-functions
logs	describe-log-groups
network-firewall	Expand to view the list of APIs list-firewalls list-firewall-policies list-rule-groups
opensearch	list-domain-names
organization-details	describe-organization
organizations	Expand to view the list of APIs list-accounts list-delegated-administrators describe-organization list-aws-service-access-for-organization describe-effective-policy list-policies describe-resource-policy list-roots
rds	Expand to view the list of APIs describe-db-clusters describe-db-cluster-snapshots describe-db-instances describe-event-subscriptions
redshift	redshift
route53	Expand to view the list of APIs get-checker-ip-ranges list-cidr-collections list-geo-locations list-health-checks list-hosted-zones list-query-logging-configs list-reusable-delegation-sets list-traffic-policies list-traffic-policy-instances
route53domains	Expand to view the list of APIs view-billing list-domains list-operations list-prices
s3	list-buckets
s3control	get-public-access-block
sagemaker	Expand to view the list of APIs list-actions list-algorithms list-apps list-app-image-configs list-artifacts list-auto-ml-jobs list-code-repositories list-compilation-jobs list-contexts list-data-quality-job-definitions list-devices list-device-fleets list-domains list-edge-deployment-plans list-edge-packaging-jobs list-endpoints list-endpoint-configs list-experiments list-feature-groups list-flow-definitions list-human-task-uis list-hyper-parameter-tuning-jobs list-images list-inference-experiments list-inference-recommendations-jobs list-labeling-jobs list-lineage-groups list-models list-model-bias-job-definitions list-model-cards list-model-explainability-job-definitions list-model-packages list-model-package-groups list-model-quality-job-definitions list-monitoring-schedules list-notebook-instances list-notebook-instance-lifecycle-configs list-pipelines list-processing-jobs list-projects list-spaces list-studio-lifecycle-configs list-subscribed-workteams list-training-jobs list-transform-jobs list-trials list-trial-components list-user-profiles list-workforces list-workteams
secretsmanager	list-secrets
sns	Expand to view the list of APIs list-subscriptions list-topics
sqs	list-queues
sso-admin	list-instances
waf	Expand to view the list of APIs list-activated-rules-in-rule-group list-byte-match-sets list-geo-match-sets list-ip-sets list-logging-configurations list-rate-based-rules list-regex-match-sets list-regex-pattern-sets list-rules list-rule-groups list-size-constraint-sets list-sql-injection-match-sets list-web-acls list-xss-match-sets
waf-regional	Expand to view the list of APIs list-byte-match-sets list-geo-match-sets list-ip-sets list-rate-based-rules list-regex-match-sets list-regex-pattern-sets list-rules list-rule-groups list-size-constraint-sets list-sql-injection-match-sets list-web-acls
wafv2	Expand to view the list of APIs list-ip-sets list-managed-rule-sets list-regex-pattern-sets list-rule-groups list-web-acls

Resource Summary

Lacework populates this page after at least one AWS Config integration is configured. The date/time range filter and any optional filters at top of the page apply to all data displayed on the page. If nothing is displayed, consider increasing the date range.

Above the right side of the table, the following icons are available:

Icon	Label**	Description
	Download in CSV format	Click the Download in CSV format icon to get a comma-separated file of the table contents.
	Select display columns	Click the Select display columns icon to hide or show the set of columns that are displayed in the table.
	Refresh data	Click the Refresh data icon to refresh the table data.
	Full screen	Click the Full screen icon to show the table on the entire screen.

The columns in the Resources Summary table are described below. Each row in the table represents a resource.

Column	Description
Resource Name (ARN)	Displays the name of the resource. Click the name to open the resource’s configuration.
Recently Updated (24hrs)	Displays whether there was an update in the last 24 hours.
Account ID	Displays the AWS account ID that the resource belongs to.
Account Alias	Displays the AWS account alias for the account ID.
Service	Displays the AWS service that the resource corresponds to.
Type	Displays the type of resource. Possible types include instance, security-group, network-acl, cluster, db, loadbalancer, and bucket.
Resource ID	The ID of the resource.
Region	Displays the region where the resource is located.
Status	Displays the status of data collection from the resource.
Tags	Click {...} to open the resource’s tags.
Last Discovered Time	Displays the last time the Lacework agent discovered the resource.

Configuration Diffs

To view a configuration diff, click a resource name under the Resource Name (ARN) column. This opens a pane with configuration details. When a diff is present, it is always compared to the current configuration. If more than two configuration histories exist, click View more to display the Configuration History page.

To view a resource’s tag information, click {...} in the Tags column.

note

If you change an ingested AWS API (primary API) configuration, then it appears as a diff on the Lacework Console.

However, Lacework does not support Console diffs for secondary resources. See Ingested AWS APIs for a list of primary APIs that Lacework supports.

Configuration History

This page provides configuration histories for a resource. To open the Configuration History page, click View more. The link is available only if the resource has more than two configuration histories.

To compare two configurations, select their checkboxes and click the diff configurations icon.

The columns in the Configuration History table are described below.

Column	Description
Configuration	Click to view the configuration.
Start Time	Displays when data collection started.
End Time	Displays when data collection ended.

Migration Considerations for Resource Management Version 2 Upgrade

Lacework platform v4.40 upgrades its implementation of ingestion services for resource management data. Resource management v2 allows the Lacework platform to automatically and continuously consume your AWS resource configurations. This is an important step in enabling you to query and define policies specific to your environment.

As a result of the upgrade's implementation changes, you will encounter the following behavior and changes after the migration:

• All resources will be displayed as Recently Updated (24hrs) upon the first collection after the upgrade, and the Configuration Diff will display the resource in a new format (Latest Configuration) compared to before the upgrade (Historical Configuration).

• The PROPS:apiVersion field for Data Share will be incremented from a value of 1.0.0 to a value of 2.0.

• The PROPS:serviceAwsSdkVersion field for Data Share will be changed from a value of 1.12.22 to a value of botocore-1.21.52

• All content in the RESOURCE_CONFIG column for Data Share will be formatted differently than the data from before the migration.

• For Data Share, the iam:list_role_policies model will change. A row will exist for each policy returned, instead of an unbounded list of policies in a single row.

• The iam:list-groups resource will have RESOURCE_ID populated with GroupName instead of GroupID. The ARN also includes the GroupName.

• The following RESOURCE_TYPE values will change as described in this table:

  Version 1 Resource Type	Version 2 Resource Type
  autoscaling:launch-configuration	autoscaling:launchConfiguration
  ec2:flow-log	ec2:vpc-flow-log
  ec2:nat-gateway	ec2:natgateway
  elb:load-balancer	elb:loadbalancer
  elbv2:load-balancer	elbv2:loadbalancer
  iam:credential-report	iam:user
  iam:password-policy	iam:account-password-policy
  iam:user	iam:group
  lambda:function	lambda:lambda
  rds:db-cluster	rds:cluster
  rds:db-cluster-snapshot	rds:cluster-snapshot
  rds:db-instance	rds:db