AWS CloudTrail Account Mapping for Organizations

This topic describes how to map CloudTrail activity from your AWS accounts to selected Lacework accounts within your Lacework organization. The following CloudTrail integration methods allow you to provide a mapping file:

note
  • The Lacework organization feature must be enabled.
  • When naming the OUs, do not include spaces in the names (hyphens are allowed).
    • ❌ Dev Infra
    • ✅ Dev-Infra

Account Mapping File

The account mapping file is a JSON file that maps AWS OUs (accounts) to Lacework sub-accounts within a Lacework organization.

Example mapping file

{
  "defaultLaceworkAccountAws": "lw_account_1",
  "integration_mappings": {
    "lw_account_2": {
      "aws_accounts": [
        "234556677",
        "774564564"
      ]
    },
    "lw_account_3": {
      "aws_accounts": [
        "553453453",
        "934534535"
      ]
    }
  }
}

  • "defaultLaceworkAccountAws" - Required. The value is a Lacework account name, for example, "lw_account_1". Any CloudTrails that are not explicitly mapped to a Lacework account go to this default account.
  • "integration_mappings" - Required. Each key within "integration_mappings" must be a Lacework account name, for example: "lw_account_2", "lw_account_3". Account names are not case-sensitive.
  • "aws_accounts" - Required. An array of AWS account IDs, each given as a string, for example "234556677", "774564564".

Example Mapping for AWS OUs

Below is an example of using AWS OUs:

  • OU=Tech
    • AWSAccount 1 (techaws)
  • OU=IT
    • AWSAccount 2 (itcloud)
  • OU=Marketing (contains nested OUs)
    • OU=prod
      • AWSAccount 3 (marketingprodUS)
      • AWSAccount 4 (marketingprodEU)
    • OU=dev
      • AWSAccount 5 (marketingdev1)
      • AWSAccount 6 (marketingdev2)

You can use the following mapping file:

{
  "defaultLaceworkAccountAws": "lw_account_1",
  "integration_mappings": {
    "Tech": {
      "aws_accounts": [
        "1"
      ]
    },
    "Marketing": {
      "aws_accounts": [
        "3",
        "4",
        "5",
        "6"
      ]
    }
  }
}

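The following script is an added example (not Lacework tooling) that checks a mapping file against the rules described above for both the generic example and the OU example: the required fields, account IDs as strings, no spaces in keys, no account ID claimed by two different Lacework accounts, and fallback to "defaultLaceworkAccountAws" for anything unmapped. The sample mapping embedded in it is constructed from the OU example, with AWS account 2 (OU=IT) left unmapped on purpose; the function names are my own.

```python
import json
import re

# Constructed sample mapping based on the OU example above. Account "2"
# (OU=IT) is deliberately left out of "integration_mappings" so it falls
# back to "defaultLaceworkAccountAws".
SAMPLE_MAPPING = """
{
  "defaultLaceworkAccountAws": "lw_account_1",
  "integration_mappings": {
    "Tech": {"aws_accounts": ["1"]},
    "Marketing": {"aws_accounts": ["3", "4", "5", "6"]}
  }
}
"""


def validate_mapping(doc):
    """Return a list of problems found in a parsed mapping file (empty = OK)."""
    problems = []
    default = doc.get("defaultLaceworkAccountAws")
    if not isinstance(default, str) or not default:
        problems.append('"defaultLaceworkAccountAws" is required and must be a non-empty string')
    mappings = doc.get("integration_mappings")
    if not isinstance(mappings, dict):
        problems.append('"integration_mappings" is required and must be an object')
        return problems
    claimed = {}  # AWS account ID -> key that first mapped it
    for name, entry in mappings.items():
        # The docs forbid spaces in OU names used as keys; hyphens are fine.
        if " " in name:
            problems.append(f'key "{name}" contains a space (use hyphens instead)')
        accounts = entry.get("aws_accounts") if isinstance(entry, dict) else None
        if not isinstance(accounts, list) or not accounts:
            problems.append(f'"{name}": "aws_accounts" is required and must be a non-empty array')
            continue
        for acct in accounts:
            # IDs must be JSON strings of digits; a bare number would never match.
            if not isinstance(acct, str) or not re.fullmatch(r"\d+", acct):
                problems.append(f'"{name}": AWS account ID {acct!r} must be a string of digits')
                continue
            owner = claimed.setdefault(acct, name)
            # The same ID under two different keys is ambiguous. Account names
            # compare case-insensitively, as the docs state.
            if owner.lower() != name.lower():
                problems.append(f'AWS account "{acct}" is mapped to both "{owner}" and "{name}"')
    return problems


def load_mapping(text):
    """Parse mapping-file JSON; raise ValueError listing every problem found."""
    doc = json.loads(text)
    problems = validate_mapping(doc)
    if problems:
        raise ValueError("invalid mapping file:\n  " + "\n  ".join(problems))
    return doc


def resolve(doc, aws_account_id):
    """Return the Lacework account that CloudTrail from aws_account_id is routed to."""
    for name, entry in doc["integration_mappings"].items():
        if aws_account_id in entry["aws_accounts"]:
            return name
    # Anything not explicitly mapped goes to the default account.
    return doc["defaultLaceworkAccountAws"]


if __name__ == "__main__":
    mapping = load_mapping(SAMPLE_MAPPING)
    for acct in ["1", "2", "3", "5"]:
        print(f"AWS account {acct} -> {resolve(mapping, acct)}")
```

Running the validator before uploading a mapping file catches the two mistakes that otherwise surface only as CloudTrail data quietly landing in the default account: account IDs written as JSON numbers instead of strings, and one ID listed under two different Lacework accounts.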
note

If you consolidate CloudTrails from multiple AWS accounts into one bucket, Lacework maps the account ID to the account alias for the root account only. Other account IDs are not mapped to account aliases.