Manage your Agentless Workload Scanning Integration in the Lacework Console
Overview
View your Agentless Workload Integrations by navigating to Settings > Integrations > Cloud accounts.
Enter Agentless in the search bar to look for Agentless Workload Scanning integrations.
View Integration Details in the Lacework Console
Select an Agentless Workload Scanning integration in the Cloud accounts table to view its details. The details vary depending on the cloud provider.
The majority of the non-editable fields are automatically populated after completing the integration.
AWS
| Title | Description | Example |
|---|---|---|
| Title | The name for the integration (as it will be displayed in the Lacework Console). | myAWSAgentlessIntegration |
| Account | The AWS Account ID for this integration. | 123456789012 |
| Provider | The Cloud Provider for the integration. | AWS |
| Type | AWS Integration Type | Agentless (Single account) or Agentless (Organization) |
| ID | The Lacework generated ID for the integration | MYACCOUNT_123ABC... |
| External ID | The AWS External ID for the integrated AWS account. | lweid:aws:v2:acmeinc:123456789012:dkl31.09ip |
| Role ARN | The AWS Role ARN created for the Agentless Workload Scanning integration. | arn:aws:iam::account:role/role-name-with-path |
| Management Account (Organization integrations only) | The ID of your AWS organization management account. | 123456789012 |
| Monitored Accounts (Organization integrations only) | The IDs of the Root, Organizational Unit(s), and/or accounts in your AWS organization on which agentless workload scanning will be run. | 123456789012 |
| Scanning Account (Organization integrations only) | The ID of the AWS account that was configured to scan your AWS organization during the agentless workload scanning integration. | 123456789012 |
| Bucket ARN | The S3 bucket ARN created for the Agentless Workload Scanning integration. | arn:aws:s3:::bucket_name/key_name |
| Limit Scanned Workloads | The LQL key and value to constrain the Agentless Workload Scanning to specific resources. If it is blank, Lacework will scan all resources available to the account or organization. See Limit Scanned Workloads for further guidance. | |
| Scan Frequency (hours) | How often your containers and hosts are scanned for vulnerabilities (in hours). The maximum scan frequency is 24 hours. | 24 |
| Scan containers | Whether your containers will be scanned for vulnerabilities. | true |
| Scan stopped instances | Whether stopped instances will be scanned. | true |
| Scan host vulnerabilities | Whether your hosts will be scanned for vulnerabilities. | true |
| Authorization Token | The Lacework authorization token for the integration. | _123456789abcdef123456789abcd |
| credentials.json | Click to download the Lacework authorization token for the integration in JSON format. | N/A |
| Updated | Displays the last time the integration was updated. | 5/25/2022 12:36 PM (PST) |
| Updated by | Displays the user that last updated the integration. | myemail@address |
| Status | The current status of the integration. | Success Pending Error |
AWS - Limit Scanned Workloads
If this field is left blank, Agentless Workload Scanning will scan all EC2 instances and their volumes in the integrated regions.
Using an LQL query, you can "target" specific instances and volumes rather than all available resources. Only resources returned from the LQL query are then scanned.
The LQL query must return the following:
- A single key/value.
- The key can be anything.
- A workload identifier (such as an EC2 instance ID) as the value.
- Any filter can be used as long as it returns a workload identifier.
The following is an example LQL query:
{
source {
LW_HE_MACHINES m
}
filter {
m.TAGS:VpcId = 'vpc-0d75bdd9f82d71669'
}
return {
m.TAGS:InstanceId::STRING as InstanceId
}
}
As per the example, the following will also apply to your query:
- The
returnclause in the query statement must return a single key value pair. Note that the result of running this query will return a list of these key value pairs, for example if you have many instances in this VPC. - On line 9, the returned value is an
InstanceId. - The name of the returned pair
InstanceIdis customizable, provide a name of your choice.
Google Cloud
| Title | Description | Example |
|---|---|---|
| Title | The name for the integration (as it will be displayed in the Lacework Console). | myGCPAgentlessIntegration |
| Account | The Google Cloud Organization or Project ID that has been integrated with Agentless Workload Scanning. | mygcpproject |
| Provider | The Cloud Provider for the integration. | GCP |
| Type | Google Cloud Integration Type | Agentless |
| ID | The Lacework generated ID for the integration. | MYACCOUNT_123ABC... |
| Client ID | The Google Cloud Client ID of the service account used for the integration. | 112233... |
| Private Key ID | The Private Key ID of the service account used for the integration. | abc123... |
| Client Email | The Google Cloud Client Email of the service account used for the integration. | serviceaccount@project.iam.gserviceaccount.com |
| Private Key | The Private Key of the service account used for the integration. | ***** |
| Token URI | The Token URI of the service account used for the integration. | https://oauth2.googleapis.com/token |
| Integration Level | The Google Cloud integration level (project or organization). | PROJECT |
| Scanning Project | The ID of the Google Cloud project where the Agentless scanning resources are deployed. | mygcpproject |
| Shared Bucket | The Google Cloud bucket used for the Agentless Workload Scanning integration. | mygcpbucketname |
| Limit Projects | Only relevant to Organization integrations. A list of comma-delimited Google Cloud project IDs and/or folders that will be scanned. If left blank, all projects and folders in the organization will be scanned. | myscannedproject1, myscannedproject2, folder/myscannedfolder1, folder/myscannedfolder2 |
| Limit Scanned Workloads | The LQL key and value to constrain the Agentless Workload Scanning to specific resources. If it is blank, Lacework will scan all resources available to the account or organization. See Limit Scanned Workloads for further guidance. | |
| Scan Frequency (hours) | How often your containers and hosts are scanned for vulnerabilities (in hours). The maximum scan frequency is 24 hours. | 24 |
| Scan containers | Whether your containers will be scanned for vulnerabilities. | true |
| Scan stopped instances | Whether stopped instances will be scanned. | true |
| Scan host vulnerabilities | Whether your hosts will be scanned for vulnerabilities. | true |
| Authorization Token | The Lacework authorization token for the integration. | _123456789abcdef123456789abcd |
| credentials.json | Click to download the Lacework authorization token for the integration in JSON format. | N/A |
| Updated | Displays the last time the integration was updated. | 5/25/2022 12:36 PM (PST) |
| Updated by | Displays the user that last updated the integration. | myemail@address |
| Status | The current status of the integration. | Success Pending Error |
Google Cloud - Limit Scanned Workloads
If this field is left blank, Agentless Workload Scanning will scan all virtual machines and their volumes in the integrated regions.
Using an LQL query, you can "target" specific instances and volumes rather than all available resources. Only resources returned from the LQL query are then scanned.
The LQL query must return the following:
- A single key/value.
- The key can be anything.
- A workload identifier (such as a virtual machine ID) as the value.
- Any filter can be used as long as it returns a workload identifier.
The following is an example LQL query:
{
source {
LW_HE_MACHINES m
}
filter {
m.TAGS:network = 'https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default'
}
return {
m.TAGS:name::STRING as name
}
}
As per the example, the following will also apply to your query:
- The
returnclause in the query statement must return a single key value pair. Note that the result of running this query will return a list of these key value pairs, for example if you have many VMs in this VPC. - On line 9, the returned value is a
name. - The name of the returned pair
nameis customizable, provide a name of your choice.
Enable or Disable an Integration in the Lacework Console
Go to Settings > Integrations: Cloud accounts.
Find and select your integration in the table.
Click the Enable/Disable button
to enable or disable the integration.This can also be done when viewing the Cloud accounts table and clicking the Enable/Disable button in the State column for the integration.
Edit your Integration in the Lacework Console
Go to Settings > Integrations: Cloud accounts.
Find and select your integration in the table.
Click the Edit button
to start editing the integration settings.The settings vary depending on the Cloud Provider:
Delete your Integration in the Lacework Console
- Go to Settings > Integrations: Cloud accounts.
- Find and select your integration in the table.
- Click the Delete icon
to delete the integration.