AWS Inventory

Overview

The Lacework Console provides visibility into AWS resources that are integrated with Lacework. A resource can be any entity within the cloud deployment, such as an S3 bucket, security group, or EC2 instance. The AWS Resource Inventory page allows you to view and monitor in-use AWS resources’ risk, compliance, and configuration changes and provides visibility for team members with limited or no access to the AWS Management Console. Because Lacework takes regular snapshots of your resources, you can track their changes (diffs) through the Lacework Console. To access the Resource Inventory page, go to Resources > AWS Inventory.

Lacework takes a snapshot of resources every 24 hours. Depending on the time that Lacework takes the snapshot, changes may not be captured until up to 24 hours after the changes are made. See the following examples:

  • If a resource change is made on Monday at 1:00 AM and Lacework takes a snapshot on Monday at 2:00 AM, the snapshot includes the change.
  • If a resource change is made on Monday at 3:00 AM but Lacework took its snapshot on Monday at 2:00 AM, that snapshot does not include the change. The next snapshot, on Tuesday at 2:00 AM, captures the change.

Info

Lacework is currently expanding its service coverage in AWS. As we begin assessing these services for the first time, you may notice the New service accessed in region alert on your Lacework Console. This alert will originate from Lacework Service IP Addresses and can be safely disregarded. If you have any questions regarding the alert, please contact Lacework Support for further assistance.

Region Compatibility for Session Tokens

Lacework uses a global (non-regional) security token service (STS) endpoint when establishing a cross-account session with AWS. Lacework recommends that you ensure the region compatibility of your STS session tokens is set to Valid in all AWS Regions. Otherwise, Lacework may be unable to crawl non-default regions. For detailed information on how to set the region compatibility, see Managing global endpoint session tokens.
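The check a practitioner would run before relying on cross-region crawling, as an added shell example that is not part of the Lacework documentation: it reads the account's GlobalEndpointTokenVersion from the IAM account summary (2 means tokens issued by the global STS endpoint are valid in all regions, 1 means only in regions enabled by default) and names the CLI call that switches it. It assumes the AWS CLI is installed with credentials permitted to call iam:GetAccountSummary.

```shell
#!/bin/sh
# Added example, not from the Lacework docs. Assumes the AWS CLI is installed
# and the caller's credentials allow iam:GetAccountSummary.

# Classify the GlobalEndpointTokenVersion value returned by get-account-summary.
# Prints a short status and returns 0 only when tokens are valid in all regions.
sts_token_status() {
  case "$1" in
    2) echo "valid-in-all-regions"; return 0 ;;
    1) echo "default-regions-only"; return 1 ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# Query the live account and report whether non-default regions can be crawled
# with tokens from the global STS endpoint.
check_sts_global_endpoint() {
  ver=$(aws iam get-account-summary \
          --query 'SummaryMap.GlobalEndpointTokenVersion' --output text) || return 2
  if sts_token_status "$ver" >/dev/null; then
    echo "OK: global endpoint issues version $ver tokens (valid in all AWS Regions)"
  else
    echo "WARN: version $ver tokens are not valid in non-default regions; to fix, run:"
    echo "  aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token"
    return 1
  fi
}

# Only touch a real account when the CLI is available.
if command -v aws >/dev/null 2>&1; then
  check_sts_global_endpoint
fi
```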

Ingested AWS APIs

Lacework resource inventory ingests the following AWS APIs.

accessanalyzer
  • list-analyzers
acm
  • list-certificates
apigateway
  • get-api-keys
  • get-client-certificates
  • get-domain-names
  • get-rest-apis
  • get-sdk-types
  • get-usage-plans
  • get-vpc-links
apigatewayv2
  • get-apis
  • get-domain-names
  • get-vpc-links
appsync
  • list-domain-names
  • list-graphql-apis
autoscaling
  • describe-launch-configurations
cloudfront
  • list-distributions
cloudtrail
  • describe-trails
cloudwatch
  • describe-alarm
config
  • describe-configuration-recorder-status
  • describe-configuration-recorders
  • describe-delivery-channel-status
  • describe-delivery-channels
dax
  • describe-clusters
  • describe-parameter-groups
  • describe-subnet-groups
dynamodb
  • list-tables
ec2
  • describe-customer-gateways
  • describe-dhcp-options
  • describe-instances
  • describe-internet-gateways
  • describe-key-pairs
  • describe-nat-gateways
  • describe-network-interfaces
  • describe-regions
  • describe-route-tables
  • describe-security-groups
  • describe-snapshots
  • describe-subnets
  • describe-transit-gateways
  • describe-volumes
  • describe-vpcs
  • describe-vpc-endpoints
  • describe-flow-logs
  • describe-vpc-peering-connections
  • describe-vpn-connections
  • describe-vpn-gateways
ecr
  • describe-repositories
ecs
  • list-clusters
  • list-container-instances
  • list-services
  • list-task-definitions
  • list-tasks
eks
  • list-clusters
elasticache
  • describe-replication-groups
elb
  • describe-load-balancers
elbv2
  • describe-load-balancers
  • describe-ssl-policies
  • describe-target-groups
  • describe-listeners
es
  • list-domain-names
firehose
  • list-delivery-streams
iam
  • get-account-password-policy
  • get-account-summary
  • get-credential-report
  • list-groups
  • list-policies
  • list-roles
  • list-saml-providers
  • list-server-certificates
  • list-users
  • list-virtual-mfa-devices
identitystore
  • list-groups
  • list-users
kms
  • list-aliases
  • list-keys
laceworkaccountdetails
  • build-integration-account-urn
lambda
  • list-functions
logs
  • describe-log-groups
network-firewall
  • list-firewalls
  • list-firewall-policies
  • list-rule-groups
opensearch
  • list-domain-names
organization-details
  • describe-organization
organizations
  • list-accounts
  • list-delegated-administrators
  • describe-organization
  • list-aws-service-access-for-organization
  • describe-effective-policy
  • list-policies
  • describe-resource-policy
  • list-roots
rds
  • describe-db-clusters
  • describe-db-cluster-snapshots
  • describe-db-instances
  • describe-event-subscriptions
redshift
  • redshift
route53
  • get-checker-ip-ranges
  • list-cidr-collections
  • list-geo-locations
  • list-health-checks
  • list-hosted-zones
  • list-query-logging-configs
  • list-reusable-delegation-sets
  • list-traffic-policies
  • list-traffic-policy-instances
route53domains
  • view-billing
  • list-domains
  • list-operations
  • list-prices
s3
  • list-buckets
s3control
  • get-public-access-block
sagemaker
  • list-actions
  • list-algorithms
  • list-apps
  • list-app-image-configs
  • list-artifacts
  • list-auto-ml-jobs
  • list-code-repositories
  • list-compilation-jobs
  • list-contexts
  • list-data-quality-job-definitions
  • list-devices
  • list-device-fleets
  • list-domains
  • list-edge-deployment-plans
  • list-edge-packaging-jobs
  • list-endpoints
  • list-endpoint-configs
  • list-experiments
  • list-feature-groups
  • list-flow-definitions
  • list-human-task-uis
  • list-hyper-parameter-tuning-jobs
  • list-images
  • list-inference-experiments
  • list-inference-recommendations-jobs
  • list-labeling-jobs
  • list-lineage-groups
  • list-models
  • list-model-bias-job-definitions
  • list-model-cards
  • list-model-explainability-job-definitions
  • list-model-packages
  • list-model-package-groups
  • list-model-quality-job-definitions
  • list-monitoring-schedules
  • list-notebook-instances
  • list-notebook-instance-lifecycle-configs
  • list-pipelines
  • list-processing-jobs
  • list-projects
  • list-spaces
  • list-studio-lifecycle-configs
  • list-subscribed-workteams
  • list-training-jobs
  • list-transform-jobs
  • list-trials
  • list-trial-components
  • list-user-profiles
  • list-workforces
  • list-workteams
secretsmanager
  • list-secrets
sns
  • list-subscriptions
  • list-topics
sqs
  • list-queues
sso-admin
  • list-instances
waf
  • list-activated-rules-in-rule-group
  • list-byte-match-sets
  • list-geo-match-sets
  • list-ip-sets
  • list-logging-configurations
  • list-rate-based-rules
  • list-regex-match-sets
  • list-regex-pattern-sets
  • list-rules
  • list-rule-groups
  • list-size-constraint-sets
  • list-sql-injection-match-sets
  • list-web-acls
  • list-xss-match-sets
waf-regional
  • list-byte-match-sets
  • list-geo-match-sets
  • list-ip-sets
  • list-rate-based-rules
  • list-regex-match-sets
  • list-regex-pattern-sets
  • list-rules
  • list-rule-groups
  • list-size-constraint-sets
  • list-sql-injection-match-sets
  • list-web-acls
wafv2
  • list-ip-sets
  • list-managed-rule-sets
  • list-regex-pattern-sets
  • list-rule-groups
  • list-web-acls


Resource Summary

Lacework populates this page after at least one AWS Config integration is configured. The date/time range filter and any optional filters at the top of the page apply to all data displayed on the page. If nothing is displayed, consider increasing the date range.

Above the right side of the table, the following icons are available:

  • Download in CSV format: click the Download in CSV format icon to get a comma-separated file of the table contents.
  • Select display columns: click the Select display columns icon to hide or show the set of columns that are displayed in the table.
  • Refresh data: click the Refresh data icon to refresh the table data.
  • Full screen: click the Full screen icon to show the table on the entire screen.

The columns in the Resource Summary table are described below. Each row in the table represents a resource.

  • Resource Name (ARN): displays the name of the resource. Click the name to open the resource’s configuration.
  • Recently Updated (24hrs): displays whether there was an update in the last 24 hours.
  • Account ID: displays the AWS account ID that the resource belongs to.
  • Account Alias: displays the AWS account alias for the account ID.
  • Service: displays the AWS service that the resource corresponds to.
  • Type: displays the type of resource. Possible types include instance, security-group, network-acl, cluster, db, loadbalancer, and bucket.
  • Resource ID: the ID of the resource.
  • Region: displays the region where the resource is located.
  • Status: displays the status of data collection from the resource.
  • Tags: click {...} to open the resource’s tags.
  • Last Discovered Time: displays the last time the Lacework agent discovered the resource.

Configuration Diffs

To view a configuration diff, click a resource name under the Resource Name (ARN) column. This opens a pane with configuration details. When a diff is present, it is always compared to the current configuration. If more than two configuration histories exist, click View more to display the Configuration History page.

To view a resource’s tag information, click {...} in the Tags column.

Note

If you change an ingested AWS API (primary API) configuration, then it appears as a diff on the Lacework Console.

However, Lacework does not support Console diffs for secondary resources. See Ingested AWS APIs for a list of primary APIs that Lacework supports.

Configuration History

This page provides configuration histories for a resource. To open the Configuration History page, click View more. The link is available only if the resource has more than two configuration histories.

To compare two configurations, select their checkboxes and click the diff configurations icon.

The columns in the Configuration History table are described below.

  • Configuration: click to view the configuration.
  • Start Time: displays when data collection started.
  • End Time: displays when data collection ended.

Migration Considerations for Resource Management Version 2 Upgrade

Lacework platform v4.40 upgrades its implementation of ingestion services for resource management data. Resource management v2 allows the Lacework platform to automatically and continuously consume your AWS resource configurations. This is an important step in enabling you to query and define policies specific to your environment.

As a result of the upgrade's implementation changes, you will encounter the following behavior and changes after the migration:

  • All resources will be displayed as Recently Updated (24hrs) upon the first collection after the upgrade, and the Configuration Diff will display the resource in a new format (Latest Configuration) compared to before the upgrade (Historical Configuration).

  • The PROPS:apiVersion field for Data Share will be incremented from a value of 1.0.0 to a value of 2.0.

  • The PROPS:serviceAwsSdkVersion field for Data Share will be changed from a value of 1.12.22 to a value of botocore-1.21.52.

  • All content in the RESOURCE_CONFIG column for Data Share will be formatted differently than the data from before the migration.

  • For Data Share, the iam:list_role_policies model will change. A row will exist for each policy returned, instead of an unbounded list of policies in a single row.

  • The iam:list-groups resource will have RESOURCE_ID populated with GroupName instead of GroupID. The ARN also includes the GroupName.

  • The following RESOURCE_TYPE values will change as described in this table:

    Version 1 Resource Type            Version 2 Resource Type
    autoscaling:launch-configuration   autoscaling:launchConfiguration
    ec2:flow-log                       ec2:vpc-flow-log
    ec2:nat-gateway                    ec2:natgateway
    elb:load-balancer                  elb:loadbalancer
    elbv2:load-balancer                elbv2:loadbalancer
    iam:credential-report              iam:user
    iam:password-policy                iam:account-password-policy
    iam:user                           iam:group
    lambda:function                    lambda:lambda
    rds:db-cluster                     rds:cluster
    rds:db-cluster-snapshot            rds:cluster-snapshot
    rds:db-instance                    rds:db