AWS Inventory
Overview
The Lacework Console provides visibility into AWS resources that are integrated with Lacework. A resource can be any entity within the cloud deployment, such as an S3 bucket, security group, or EC2 instance. The AWS Resource Inventory page allows you to view and monitor in-use AWS resources’ risk, compliance, and configuration changes and provides visibility for team members with limited or no access to the AWS Management Console. Because Lacework takes regular snapshots of your resources, you can track their changes (diffs) through the Lacework Console. To access the Resource Inventory page, go to Resources > AWS Inventory.
Lacework takes a snapshot of resources every 24 hours. Depending on the time that Lacework takes the snapshot, changes may not be captured until up to 24 hours after the changes are made. See the following examples:
- A resource change is made on Monday at 1:00 AM and Lacework takes a snapshot on Monday at 2:00 AM, the snapshot includes the change.
- A resource change is made on Monday at 3:00 AM but Lacework took a snapshot on Monday at 2:00 AM, the snapshot does not include the change. The next snapshot on Tuesday at 2:00 AM will capture the change.
Region Compatibility for Session Tokens
Lacework uses a global (non-regional) security token service endpoint when establishing a cross-account session with AWS. Lacework recommends that you ensure the region compatibility of their STS service is set to Valid in all AWS Regions. Failure to do so could result in an inability for Lacework to crawl non-default regions. For detailed information on how to set the region compatibility, see Managing global endpoint session tokens.
Ingested AWS APIs
Lacework resource inventory ingests the following AWS APIs.
| Service | API |
|---|---|
| accessanalyzer | list-analyzers |
| acm | list-certificates |
| autoscaling | describe-launch-configurations |
| cloudfront | list-distributions |
| cloudtrail | describe-trails |
| cloudwatch | describe-alarm |
| config | describe-configuration-recorder-status describe-configuration-recorders describe-delivery-channel-status describe-delivery-channels |
| ec2 | describe-customer-gateways describe-dhcp-options describe-instances describe-internet-gateways describe-key-pairs describe-nat-gateways describe-network-acls describe-network-interfaces describe-regions describe-route-tables describe-security-groups describe-snapshots describe-subnets describe-transit-gateways describe-volumes describe-vpcs describe-vpc-endpoints describe-flow-logs describe-vpc-peering-connections describe-vpn-connections describe-vpn-gateways |
| ecr | describe-repositories |
| ecs | list-clusters list-container-instances list-services list-task-definitions list-tasks |
| eks | list-clusters |
| elb | describe-load-balancers |
| elbv2 | describe-load-balancers describe-ssl-policies describe-target-groups describe-listeners |
| es | list-domain-names |
| dynamodb | list-tables |
| iam | get-account-password-policy get-account-summary get-credential-report list-groups list-policies list-roles list-saml-providers list-server-certificates list-users list-virtual-mfa-devices |
| kms | list-aliases list-keys |
| lambda | list-functions |
| logs | describe-log-groups |
| rds | describe-db-clusters describe-db-cluster-snapshots describe-db-instances describe-event-subscriptions |
| redshift | describe-clusters |
| s3 | list-buckets |
| s3control | get-public-access-block |
| sns | list-subscriptions list-topics |
Because this API isn't currently included in the security audit policy attached to Lacework's IAM role for AWS config integration, you must add permissions for it. Update the following permissions: EC2 > Read > GetEbsEncryptionByDefault (ec2:GetEbsEncryptionByDefault).
Resource Summary
Lacework populates this page after at least one AWS Config integration is configured. The date/time range filter and any optional filters at top of the page apply to all data displayed on the page. If nothing is displayed, consider increasing the date range.
Above the right side of the table, the following icons are available:
| Icon | Label** | Description |
|---|---|---|
 | Download in CSV format | Click the Download in CSV format icon to get a comma-separated file of the table contents. |
 | Select display columns | Click the Select display columns icon to hide or show the set of columns that are displayed in the table. |
 | Refresh data | Click the Refresh data icon to refresh the table data. |
 | Full screen | Click the Full screen icon to show the table on the entire screen. |
The columns in the Resources Summary table are described below. Each row in the table represents a resource.
| Column | Description |
|---|---|
| Resource Name (ARN) | Displays the name of the resource. Click the name to open the resource’s configuration. |
| Recently Updated (24hrs) | Displays whether there was an update in the last 24 hours. |
| Account ID | Displays the AWS account ID that the resource belongs to. |
| Account Alias | Displays the AWS account alias for the account ID. |
| Service | Displays the AWS service that the resource corresponds to. |
| Type | Displays the type of resource. Possible types include instance, security-group, network-acl, cluster, db, loadbalancer, and bucket. |
| Resource ID | The ID of the resource. |
| Region | Displays the region where the resource is located. |
| Status | Displays the status of data collection from the resource. |
| Tags | Click {...} to open the resource’s tags. |
| Last Discovered Time | Displays the last time the Lacework agent discovered the resource. |
Configuration Diffs
To view a configuration diff, click a resource name under the Resource Name (ARN) column. This opens a pane with configuration details. When a diff is present, it is always compared to the current configuration. If more than two configuration histories exist, click View more to display the Configuration History page.
To view a resource’s tag information, click {...} in the Tags column.
If you change an ingested AWS API (primary API) configuration, then it appears as a diff on the Lacework Console.
However, Lacework does not support Console diffs for secondary resources. See Ingested AWS APIs for a list of primary APIs that Lacework supports.
Configuration History
This page provides configuration histories for a resource. To open the Configuration History page, click View more. The link is available only if the resource has more than two configuration histories.
To compare two configurations, select their checkboxes and click the diff configurations icon.
The columns in the Configuration History table are described below.
| Column | Description |
|---|---|
| Configuration | Click to view the configuration. |
| Start Time | Displays when data collection started. |
| End Time | Displays when data collection ended. |
Migration Considerations for Resource Management Version 2 Upgrade
Lacework platform v4.40 upgrades its implementation of ingestion services for resource management data. Resource management v2 allows the Lacework platform to automatically and continuously consume your AWS resource configurations. This is an important step in enabling you to query and define policies specific to your environment.
As a result of the upgrade's implementation changes, you will encounter the following behavior and changes after the migration:
All resources will be displayed as Recently Updated (24hrs) upon the first collection after the upgrade, and the Configuration Diff will display the resource in a new format (Latest Configuration) compared to before the upgrade (Historical Configuration).
The
PROPS:apiVersionfield for Data Share will be incremented from a value of 1.0.0 to a value of 2.0.The
PROPS:serviceAwsSdkVersionfield for Data Share will be changed from a value of 1.12.22 to a value of botocore-1.21.52All content in the
RESOURCE_CONFIGcolumn for Data Share will be formatted differently than the data from before the migration.For Data Share, the
iam:list_role_policiesmodel will change. A row will exist for each policy returned, instead of an unbounded list of policies in a single row.The
iam:list-groupsresource will haveRESOURCE_IDpopulated withGroupNameinstead ofGroupID. The ARN also includes theGroupName.The following
RESOURCE_TYPEvalues will change as described in this table:Version 1 Resource Type Version 2 Resource Type autoscaling:launch-configuration autoscaling:launchConfiguration ec2:flow-log ec2:vpc-flow-log ec2:nat-gateway ec2:natgateway elb:load-balancer elb:loadbalancer elbv2:load-balancer elbv2:loadbalancer iam:credential-report iam:user iam:password-policy iam:account-password-policy iam:user iam:group lambda:function lambda:lambda rds:db-cluster rds:cluster rds:db-cluster-snapshot rds:cluster-snapshot rds:db-instance rds:db