
Configure Access to Tags and Metadata in AWS

The Lacework agent can retrieve user-defined tags and other metadata from the AWS EC2 instances on which the agent is installed.

For the agent to retrieve user-defined tags, the EC2 instance must have the DescribeTags IAM permission. For the agent to retrieve other metadata, such as the ID of the organization in which the EC2 instance exists, the instance must have the DescribeOrganization IAM permission. Both permissions are read-only and are granted through an IAM role attached to the instance, as described below.

To provide the necessary permission, complete the following steps:

  1. Log in to the IAM service.

  2. Click Policies.

  3. Click Create policy.

  4. Click the JSON tab and replace the displayed policy with the following text.

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Action": [
               "ec2:DescribeTags",
               "organizations:DescribeOrganization"
             ],
             "Resource": "*"
           }
         ]
       }

  5. Click Next: Tags.

  6. Click Next: Review.

  7. Enter a policy name and description.

  8. Click Create policy.
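Because the policy above is attached to every instance that runs the agent, it is worth confirming that it grants only the two read-only actions the agent needs before creating it. The following check is an added example, not Lacework's code; it treats a policy as acceptable only when it allows exactly ec2:DescribeTags and organizations:DescribeOrganization and nothing broader.

```python
import json

# The two read-only actions named on this page. IAM matches action names
# case-insensitively, so everything is compared in lower case.
REQUIRED_ACTIONS = {"ec2:describetags", "organizations:describeorganization"}


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_agent_policy(policy_json):
    """Return a list of findings; an empty list means the policy is least-privilege."""
    policy = json.loads(policy_json)
    findings = []
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            findings.append("NotAction allows everything except the listed actions")
        for action in _as_list(stmt.get("Action")):
            name = action.lower()
            if "*" in name:
                findings.append(f"wildcard action {action!r} is broader than the agent needs")
            elif name not in REQUIRED_ACTIONS:
                findings.append(f"unexpected action {action!r}")
            else:
                granted.add(name)
    # Resource "*" is expected here: these Describe calls are not scoped to a
    # specific resource, so narrowing Resource would not reduce access.
    for missing in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing action {missing!r}")
    return findings


# Constructed sample: the policy from step 4 of this page.
AGENT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:DescribeTags", "organizations:DescribeOrganization"],
                   "Resource": "*"}],
})

# Constructed sample of the common mistake: granting all EC2 actions instead.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
})

if __name__ == "__main__":
    for label, doc in (("agent policy", AGENT_POLICY), ("broad policy", BROAD_POLICY)):
        print(label, check_agent_policy(doc) or "OK")
```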

After creating the policy, associate it with an IAM role that can be attached to EC2 instances.

  1. Log in to the IAM service.
  2. Click Roles.
  3. Click Create role.
  4. Select AWS service as the trusted entity type and EC2 as the use case.
  5. Click Next.
  6. Search for the policy you created, click it, and click Next.
  7. Enter a role name, update the description if you want, and click Create role.

After creating the policy and role, navigate to the EC2 service and do the following:

  1. Select the instance for which you want to retrieve the tags and metadata.

  2. Under Actions > Security > Modify IAM role, select the IAM role you created and click Update IAM role.

    The next time the Lacework agent forwards data, you will see the AWS tags and metadata in the Machine Tag Summary table in the Machines dossier in the Lacework Console.

In addition to retrieving AWS tags and metadata, you can add local tags to agents. For details, see Add Agent Tags.