Skip to main content

Configure Access to Tags and Metadata in AWS

The Lacework agent can retrieve user defined tags and other metadata from the AWS EC2 instances on which the agent is installed and display them in the Lacework Console. This enables you to do the following:

  • Use the tag and metadata values to identify AWS resources displayed in the Lacework Console.
  • Use the tags to filter information displayed in the Lacework Console. For example, you can use the Machine tags filter in the Host Vulnerabilities page to view only the vulnerabilities on hosts in a specific AWS account.


Configure DescribeTags and DescribeOrganization IAM Permissions

To provide the necessary permission, complete the following steps:

  1. Log in to the IAM service.

  2. Click Policies.

  3. Click Create policy.

  4. Click the JSON tab and replace the displayed policy with the following text.

       "Version": "2012-10-17",
       "Statement": [
             "Effect": "Allow",
             "Action": [
    "Resource": "*"
  5. Click Next: Tags

  6. Click Next: Review.

  7. Enter a policy name and description.

  8. Click Create policy.

After creating the policy, associate it with an IAM role that can be attached to EC2 instances.

  1. Log in to the IAM service.
  2. Click Roles.
  3. Click Create role.
  4. Select AWS service as the trusted entity type and EC2 as the use case.
  5. Click Next.
  6. Search for the policy you created, click it, and click Next.
  7. Enter a role name, update the description if you want, and click Create role.

After creating the policy and role, navigate to the EC2 service and do the following:

  1. Select the instance for which you want to retrieve the tags and metadata.

  2. Under Actions > Security > Modify IAM role, select the IAM role you created and click Update IAM role.

    The next time the Lacework agent forwards data, you will see the AWS tags and metadata in the Machine Tag Summary table in the Machines dashboard in the Lacework Console.


In addition to retrieving AWS tags and metadata, you can add local tags to agents. For details, see Add Agent Tags.