
Agentless Workload Scanning for AWS - Single Account Integration (CloudFormation)

Overview

This article describes how to integrate your AWS single account with Lacework's Agentless Workload Scanning. The high-level steps are summarized below:

  1. Configure your integration in the Lacework Console.
  2. Choose and execute your CloudFormation integration method.
  3. Update the Default Security Group and Network ACL Rules for Least Privilege Access.
  4. Verify your Agentless Workload Scanning Integration.

Configure the Integration in Lacework Console

  1. Log in to the Lacework Console.
  2. Select Settings > Integrations > Cloud accounts.
  3. Click Add New.
  4. Click Amazon Web Services and select CloudFormation.
  5. Click Next.
  6. Click the Choose integration type dropdown and select Agentless Workload Scanning (Single account).
  7. Fill in the settings as described in Configuration Settings.
  8. Click Save.
  9. Once the integration is created, the Status displays as Pending.
    Choose a CloudFormation integration method to continue the integration.

Configuration Settings

Setting: Name
  Description: The name for the integration (as it will be displayed in the Lacework Console).
  Example: myAgentlessIntegration

Setting: Scanning AWS Account ID
  Description: The AWS Account ID where the scanning resources will be created.
  Example: 123456789012

Setting: Limit Scanned Workloads
  Description: Use an LQL key and value to constrain the Agentless Workload Scanning to specific resources. If left blank, Lacework will scan all resources available to the account or organization. See Limit Scanned Workloads for further guidance.

Setting: Scan Frequency (hours)
  Description: How often your images, containers, and hosts are scanned for vulnerabilities (in hours). This option can be changed at any time. The maximum scan frequency is 24 hours.
  Example: 24

Setting: Scan containers
  Description: Clear the checkbox if you don't want to scan containers for vulnerabilities. This option can be changed at any time.
  Example: Ticked checkbox

Setting: Scan host vulnerabilities
  Description: Clear the checkbox if you don't want to scan hosts for vulnerabilities. This option can be changed at any time.
  Example: Ticked checkbox

Setting: Scan secondary volumes
  Description: Select the checkbox if you want to scan additional volumes on hosts (other than the root or primary volume). This option can be changed at any time.
  Example: Unticked checkbox

Setting: Scan stopped instances
  Description: Select the checkbox if you want to scan stopped instances in your environment. This option can be changed at any time.
  Example: Unticked checkbox

Choose a CloudFormation Integration Method

Choose one of the following options to integrate with an AWS account using CloudFormation:

Option 1: Run CloudFormation Script

tip

For this option, disable your browser's pop-up blocker; otherwise you may not be redirected to the AWS console during the initial steps.

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you created using the Configure the Integration in Lacework Console procedure. This displays the details of the integration.

  2. Under Install using CloudFormation, click Run CloudFormation Template.

    This redirects you to the AWS Create stack > Specify Template page in a new tab. The Lacework script populates the Amazon S3 URL in Specify template for you.

  3. Review the page and click Next.

  4. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-Config).

  5. Check that the Regions list contains the appropriate regions for your account.

    • A VPC and Internet Gateway will be created in each selected region. Before continuing, verify in the Service Quotas tool that neither the VPC quota nor the Internet Gateway quota has been reached in any of those regions.
    • Regional STS endpoints must be active in each selected region (IAM > Account settings > Security Token Service).
    info

    Lacework checks your account and populates the Regions list automatically. If the check fails, all regions are listed by default; remove any region in which you do not want scanning resources created.

  6. For Quota Check: Can a new VPC and VPC Internet Gateway be created in each selected Region?

    • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
    • Select Yes once you have completed the quotas check.
  7. Review the page and click Next.

  8. On Configure stack options, review the page and click Next (no changes are required).

    • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.
  9. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND
  10. Click Create stack.

  11. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    When the Status of the stack reaches CREATE_COMPLETE, the Agentless Workload Scanning integration for this AWS account is complete.

Option 2: Download CloudFormation Script

You can use the AWS Console or the AWS CLI to run the CloudFormation script to integrate with an AWS account. For more information, see the following sections:

Use AWS Console to Run CloudFormation Script

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you created using the Configure the Integration in Lacework Console procedure. This displays the details of the integration.

  2. Under Install using CloudFormation, click Download CloudFormation Template.

    When prompted, choose a suitable location to save the JSON file on your local machine.

  3. Log in to your AWS account.

  4. Select the CloudFormation service and click Create stack > With new resources (standard).

  5. Under Specify template, select Upload a template file. Click Choose file and upload the CloudFormation script that was downloaded earlier.

  6. Click Next.

  7. On the Specify stack details page, enter a Stack name (for example: Lacework-AWS-Agentless-Config).

  8. Check that the Regions list contains the appropriate regions for your account.

    • A VPC and Internet Gateway will be created in each selected region. Before continuing, verify in the Service Quotas tool that neither the VPC quota nor the Internet Gateway quota has been reached in any of those regions.
    • Regional STS endpoints must be active in each selected region (IAM > Account settings > Security Token Service).
    info

    Lacework checks your account and populates the Regions list automatically. If the check fails, all regions are listed by default; remove any region in which you do not want scanning resources created.

  9. For Quota Check: Can a new VPC and VPC Internet Gateway be created in each selected Region?

    • See Access and Resource Requirements for guidance on how to check if the required VPC resources can be created.
    • Select Yes once you have completed the quotas check.
  10. Review the page and click Next.

  11. On Configure stack options, review the page and click Next (no changes are required).

    • If you would like to add custom Tags, use the option here. These tags will be propagated to all resources created by the agentless scanner.
  12. On the Review page, check the acknowledgements in the Capabilities section:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.
    • I acknowledge that AWS CloudFormation might require the following capability:
      CAPABILITY_AUTO_EXPAND
  13. Click Create stack.

  14. You are then redirected to the CloudFormation > Stacks page. Select your stack to see the event log as it is being created. If you do not see your new stack in the table, refresh the page.

    When the Status of the stack reaches CREATE_COMPLETE, the Agentless Workload Scanning integration for this AWS account is complete.

Use AWS CLI to Run CloudFormation Script

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts, and select the integration that you created using the Configure the Integration in Lacework Console procedure. This displays the details of the integration.

  2. Under Install using CloudFormation, click Download CloudFormation Template.

    When prompted, choose a suitable location to save the JSON file on your local machine.

  3. Create the stack from the downloaded CloudFormation template JSON file with the following AWS CLI command.

    aws cloudformation create-stack --profile YOUR_AWS_PROFILE_NAME --region REGION_FOR_STACK \
    --stack-name lacework-agentless-scanning \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --template-body file://path/to/lacework-agentless-step1.json \
    --parameters \
    ParameterKey=VPCQuotaCheck,ParameterValue=Yes \
    ParameterKey=Regions,ParameterValue=\"us-east-1,us-west-1\"

    Where:

    • --profile specifies the profile you want to use from your AWS credentials file.
    • --region specifies the region in which the CloudFormation stack itself is created. The regional scanning resources are created in the regions given by the Regions parameter.
    • --stack-name specifies the name of the CloudFormation stack you want to create.
    • --capabilities gives the same acknowledgements the console asks for on the Review page: the template creates IAM resources with custom names (CAPABILITY_NAMED_IAM) and contains macros that CloudFormation must expand (CAPABILITY_AUTO_EXPAND).
    • --template-body specifies the path to the CloudFormation template JSON file you downloaded from the Lacework Console.
    • The VPCQuotaCheck parameter must be Yes. Set it only after confirming that a new VPC and Internet Gateway can be created in every region you list (see Access and Resource Requirements).
    • The Regions parameter specifies the comma-separated list of regions in which you want to enable agentless scanning. Keep the escaped quotes around the list: without them, the CLI shorthand parser treats the comma as a separator between parameters instead of as part of the value.

Update the Default Security Group and Network ACL Rules for Least Privilege Access

CloudFormation cannot remove the rules AWS attaches to a VPC's default security group and default network ACL, so the VPCs created in each region during the Agentless deployment keep those defaults: the default security group allows all traffic between its members and all outbound traffic, and the default network ACL allows all inbound and outbound traffic.

To replace the default rules with least privilege access rules, see Alerts Triggering for lacework-global-87 and lacework-global-145 after Deployment. Until the rules are tightened, the policies covered in that article will raise alerts on these VPCs.
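To see what you are starting from before tightening these rules, the following Python script, an added example rather than Lacework's own code, audits the default security group and default network ACL of the scanner VPCs. It works on the JSON shapes returned by `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls`, so it can be pointed at saved CLI output. The payloads, VPC, group and ACL IDs below are constructed placeholders.

```python
"""
Audit the default security group and default network ACL of the VPCs that the
agentless scanning stack creates.

Added example, not Lacework code. Operates on the JSON returned by
`aws ec2 describe-security-groups` and `aws ec2 describe-network-acls`.
The resources below are constructed sample data with placeholder IDs.
"""
from __future__ import annotations

import json
from typing import Optional

ANY_PROTOCOL = "-1"              # EC2's encoding for "all protocols"
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _wide_open(rule: dict, own_group_id: str) -> Optional[str]:
    """Describe a security-group rule if it is one of the permissive defaults AWS
    attaches to a VPC's default group (all traffic from the group itself, or all
    traffic to/from anywhere); otherwise return None."""
    if rule.get("IpProtocol") != ANY_PROTOCOL:
        return None
    for pair in rule.get("UserIdGroupPairs", []):
        if pair.get("GroupId") == own_group_id:
            return "all traffic from members of the group itself"
    for rng in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
        cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
        if cidr in ANYWHERE:
            return f"all traffic to/from {cidr}"
    return None


def audit_security_group(sg: dict) -> list[str]:
    """One finding per permissive ingress/egress rule on a security group."""
    findings = []
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for rule in sg.get(key, []):
            desc = _wide_open(rule, sg["GroupId"])
            if desc:
                findings.append(f"{direction} allows {desc}")
    return findings


def audit_network_acl(nacl: dict) -> list[str]:
    """One finding per ACL entry that allows every protocol from/to anywhere."""
    findings = []
    for entry in nacl.get("Entries", []):
        cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
        if (entry.get("RuleAction") == "allow"
                and entry.get("Protocol") == ANY_PROTOCOL
                and cidr in ANYWHERE):
            direction = "egress" if entry.get("Egress") else "ingress"
            findings.append(f"rule {entry['RuleNumber']} allows all {direction} traffic {cidr}")
    return findings


def audit(sg_payload: dict, nacl_payload: dict, vpc_ids: set[str]) -> dict[str, list[str]]:
    """Audit only the *default* SG and NACL of the given VPCs -> {resource_id: findings}."""
    report: dict[str, list[str]] = {}
    for sg in sg_payload.get("SecurityGroups", []):
        if sg.get("VpcId") in vpc_ids and sg.get("GroupName") == "default":
            if findings := audit_security_group(sg):
                report[sg["GroupId"]] = findings
    for nacl in nacl_payload.get("NetworkAcls", []):
        if nacl.get("VpcId") in vpc_ids and nacl.get("IsDefault"):
            if findings := audit_network_acl(nacl):
                report[nacl["NetworkAclId"]] = findings
    return report


# Constructed sample (placeholder IDs): the first scanner VPC still carries the AWS
# defaults, the second has already had its default rules removed.
SCANNER_VPCS = {"vpc-0aaaaaaaaaaaaaaa1", "vpc-0bbbbbbbbbbbbbbb2"}

SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaaaaaaaaaaaaaa1", "GroupName": "default", "VpcId": "vpc-0aaaaaaaaaaaaaaa1",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaa1", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbb2", "GroupName": "default", "VpcId": "vpc-0bbbbbbbbbbbbbbb2",
     "IpPermissions": [], "IpPermissionsEgress": []},
]}

SAMPLE_NETWORK_ACLS = {"NetworkAcls": [
    {"NetworkAclId": "acl-0aaaaaaaaaaaaaaa1", "VpcId": "vpc-0aaaaaaaaaaaaaaa1", "IsDefault": True,
     "Entries": [
         {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
     ]},
    {"NetworkAclId": "acl-0bbbbbbbbbbbbbbb2", "VpcId": "vpc-0bbbbbbbbbbbbbbb2", "IsDefault": True,
     "Entries": [
         {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
     ]},
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SECURITY_GROUPS, SAMPLE_NETWORK_ACLS, SCANNER_VPCS), indent=2))
```

Run it per selected region against the saved CLI output, passing the IDs of the VPCs the stack created there, and rerun it after applying the least privilege rules from the linked article: an empty report means the AWS defaults are gone. The checker deliberately inspects only the VPC's default group and default ACL, so rules you add on purpose to other groups are not reported.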

Verify your Agentless Workload Scanning Integration

Verify CloudFormation StackSet Instances Completed

These steps verify that the StackSet created by the stack has a healthy stack instance in every Region you selected. The parent stack can reach CREATE_COMPLETE even though one or more regional stack instances failed (for example, because a region had already reached its VPC quota), so check the instances explicitly rather than relying on the stack status alone.

  1. In the AWS Console, open the CloudFormation page. Make sure you have selected the AWS region where the Agentless Scanning template was installed.
  2. On the left-hand side menu, click StackSets.
  3. Click the link for the StackSet matching the name of the CloudFormation Stack created above.
  4. Click the Stack instances tab.
  5. Review each instance and check that its Detailed status is "Success". If an instance failed, the Status reason column provides the detailed error message.
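The same check can be scripted so that it runs after every deployment. The following Python script is an added example, not Lacework's code: it reads the output of `aws cloudformation list-stack-instances --stack-set-name <name>` (the StackSet shares the name of the stack created above), reports every instance whose Detailed status is not SUCCESS together with the reason AWS gives, and also flags any selected region that has no instance at all, which the console view will not show you. The payload below is constructed sample data; the account number, StackSet ID, stack IDs and the failure reason are placeholders.

```python
"""
Verify that every selected region received a healthy stack instance.

Added example, not Lacework code. Reads the JSON printed by
`aws cloudformation list-stack-instances --stack-set-name <stack name>`.
The payload below is constructed; IDs, account and reason text are placeholders.
"""
from __future__ import annotations

import json

HEALTHY = "SUCCESS"   # DetailedStatus of a fully deployed stack instance


def failed_instances(payload: dict) -> list[dict]:
    """Instances whose DetailedStatus is not SUCCESS, with the reason AWS reports."""
    failures = []
    for inst in payload.get("Summaries", []):
        detailed = inst.get("StackInstanceStatus", {}).get("DetailedStatus")
        if detailed != HEALTHY:
            failures.append({
                "Region": inst.get("Region"),
                "Account": inst.get("Account"),
                "Status": inst.get("Status"),
                "DetailedStatus": detailed,
                "StatusReason": inst.get("StatusReason"),
            })
    return failures


def missing_regions(payload: dict, expected_regions: list[str]) -> list[str]:
    """Selected regions for which no stack instance exists at all."""
    present = {inst.get("Region") for inst in payload.get("Summaries", [])}
    return sorted(set(expected_regions) - present)


def verify(payload: dict, expected_regions: list[str]) -> bool:
    """True only when every expected region has an instance and all are SUCCESS."""
    return not failed_instances(payload) and not missing_regions(payload, expected_regions)


# Constructed sample: three regions were selected. us-west-1's instance failed on
# the VPC quota (the case the Quota Check step warns about) and eu-west-1 never
# received an instance. IDs, account number and reason text are placeholders.
EXPECTED_REGIONS = ["us-east-1", "us-west-1", "eu-west-1"]

SAMPLE_STACK_INSTANCES = {"Summaries": [
    {"StackSetId": "Lacework-AWS-Agentless-Config:11111111-2222-3333-4444-555555555555",
     "Region": "us-east-1", "Account": "123456789012",
     "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/StackSet-Lacework-AWS-Agentless-Config-aaaa/bbbb",
     "Status": "CURRENT", "StackInstanceStatus": {"DetailedStatus": "SUCCESS"},
     "DriftStatus": "NOT_CHECKED"},
    {"StackSetId": "Lacework-AWS-Agentless-Config:11111111-2222-3333-4444-555555555555",
     "Region": "us-west-1", "Account": "123456789012",
     "StackId": "arn:aws:cloudformation:us-west-1:123456789012:stack/StackSet-Lacework-AWS-Agentless-Config-cccc/dddd",
     "Status": "OUTDATED",
     "StatusReason": "ResourceLogicalId(ScannerVpc), ResourceType(AWS::EC2::VPC), "
                     "ResourceStatusReason(The maximum number of VPCs has been reached).",
     "StackInstanceStatus": {"DetailedStatus": "FAILED"},
     "DriftStatus": "NOT_CHECKED"},
]}

if __name__ == "__main__":
    print(json.dumps(failed_instances(SAMPLE_STACK_INSTANCES), indent=2))
    print("missing regions:", missing_regions(SAMPLE_STACK_INSTANCES, EXPECTED_REGIONS))
    print("all healthy:", verify(SAMPLE_STACK_INSTANCES, EXPECTED_REGIONS))
```

Pass the same region list you gave in the Regions parameter as `expected_regions`; a region missing from the output means no instance was ever created there, which is a different failure from an instance that exists but failed, and both leave that region unscanned.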

Verify Lacework Integration Completed

In the Lacework console, the status of the integration at Settings > Integrations > Cloud accounts will update from Pending to Success if all resources are installed correctly.

You may need to refresh the page when returning from the AWS Console after completing the integration steps.

If the periodic scanning encounters an error, the status will display the error details.

Remove an Agentless Workload Scanning Integration

Follow these steps if you want to remove your single account integration.

Start in the Lacework console.

  1. In Settings > Integrations > Cloud accounts, find the integration that you would like to remove.
  2. Note the name of the integration; it is used to locate the CloudFormation Stack later.
  3. Toggle the integration State to disabled, or Delete the integration using the actions menu on the right.

Once complete, remove the AWS resources by deleting the CloudFormation stack in the AWS Console.

  1. Log in to your AWS account and switch to the region in which the stack was created.
  2. Select the CloudFormation service and find the Stack with the name noted from the integration.
  3. Click Delete, then Delete stack to confirm.

After the deletion finishes, check CloudFormation > StackSets in the same region to confirm that no stack instances remain for the integration, and confirm that the scanning VPCs no longer exist in the regions you had selected.

Next Steps

  1. View scanning results in the Lacework Console.
  2. Read FAQs on Agentless Workload Scanning.