Agentless Workload Scanning for AWS - Single Account Integration (Terraform)

Overview

This article describes how to integrate your AWS single account with Lacework's Agentless Workload Scanning.

tip

See Lacework Terraform Module for Agentless Workload Scanning on AWS for all available Terraform integration options and additional deployment examples.

AWS Single Account Integration

tip

Custom tags can be applied to all resources by using default_tags within the AWS provider. If custom tags are configured, they are applied to every resource that the scanner creates.
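The following is an added example, not from the Lacework module documentation, showing what that tip looks like for the two-region layout used in the main.tf below. Because default_tags is set per provider configuration, the aliased usw2 provider needs its own block, or the resources the regional module creates through it stay untagged; the tag keys and values are placeholders, and the block assumes the global module from main.tf is already declared.

```hcl
# Added example (not part of the Lacework module docs). Tag values are
# placeholders; replace them with your organization's own tagging scheme.
locals {
  scanner_tags = {
    Owner      = "security-engineering" # placeholder
    CostCenter = "cc-1234"              # placeholder
    ManagedBy  = "terraform"
  }
}

# Default provider: tags every resource created in us-east-1, including the
# "global" IAM roles, S3 bucket and Secrets Manager secret.
provider "aws" {
  region = "us-east-1"

  default_tags {
    tags = local.scanner_tags
  }
}

# default_tags is per provider configuration, so the aliased provider used
# for the second region needs its own block. Without it, the ECS cluster,
# VPC and EventBridge trigger created in us-west-2 would carry no tags.
provider "aws" {
  alias  = "usw2"
  region = "us-west-2"

  default_tags {
    tags = local.scanner_tags
  }
}

# The regional module is bound to aws.usw2, so everything it creates
# inherits the tags from that provider configuration.
module "lacework_aws_agentless_scanning_region_usw2" {
  source  = "lacework/agentless-scanning/aws"
  version = "~> 0.6"

  providers = {
    aws = aws.usw2
  }

  regional                = true
  global_module_reference = module.lacework_aws_agentless_scanning_global
}
```

After terraform apply, the tags are visible on the scanner's ECS cluster and VPC in each region, which is useful for cost allocation and for scoping detection rules to scanner-owned resources.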

  1. Use the example below for your versions.tf file:

    terraform {
      required_version = ">= 0.15"

      required_providers {
        lacework = {
          source  = "lacework/lacework"
          version = "~> 1.0"
        }
      }
    }
  2. Use the example below for your main.tf file:

    note

    In this example, two regions have been configured: us-east-1 and us-west-2 (with an alias of usw2). You can configure as many regions as you want for your environment.

    # Set your Lacework profile here. With the Lacework CLI, use
    # `lacework configure list` to get a list of available profiles.
    provider "lacework" {
      profile = "lw_agentless"
    }

    provider "aws" {
      region = "us-east-1"
    }

    provider "aws" {
      alias  = "usw2"
      region = "us-west-2"
    }

    // This module will create AWS account "global" resources such as IAM roles, an S3 bucket, and a Secrets Manager secret.
    // This will also create a new Cloud Account Integration within the Lacework console.
    module "lacework_aws_agentless_scanning_global" {
      source  = "lacework/agentless-scanning/aws"
      version = "~> 0.6"

      global                    = true
      lacework_integration_name = "sidekick_from_terraform"
    }

    // The following modules should be included per region where scanning will occur.
    // This creates an ECS cluster, a VPC and VPC IG for that cluster, and an EventBridge trigger in this region.
    // The trigger will start a periodic Task to snapshot and analyze EC2 volumes in this region.

    // Create regional resources in our first region
    module "lacework_aws_agentless_scanning_region" {
      source  = "lacework/agentless-scanning/aws"
      version = "~> 0.6"

      regional                = true
      global_module_reference = module.lacework_aws_agentless_scanning_global
    }

    // Create regional resources in our second region
    module "lacework_aws_agentless_scanning_region_usw2" {
      source  = "lacework/agentless-scanning/aws"
      version = "~> 0.6"

      providers = {
        aws = aws.usw2
      }

      regional                = true
      global_module_reference = module.lacework_aws_agentless_scanning_global
      // In this example the default VPC CIDR block is customized for this region.
      vpc_cidr_block = "10.10.34.0/24"
    }
  3. Run terraform init to initialize the working directory (containing the Terraform files).

  4. Run terraform plan and review the changes that will be applied.

  5. Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.

Verify your Agentless Workload Scanning Integration

In the Lacework console, the status of the integration at Settings > Integrations > Cloud accounts will display as Success if all resources are installed correctly. If the periodic scanning encounters an error, the status will display the error details.

Remove an Agentless Workload Scanning Integration

Start in the Lacework console.

  1. In Settings > Integrations > Cloud accounts, find the integration that you would like to remove.
  2. Toggle the integration State to disabled, or Delete the integration using the actions menu on the right.

Then, using Terraform, run terraform destroy in the working directory that contains the Agentless module configuration to remove the AWS resources it created.

Next Steps

  1. View scanning results in the Lacework Console.
  2. Read FAQs on Agentless Workload Scanning.