
AWS - Agentless Workload Scanning Prerequisites

Summary of Access and Resource Requirements

For each region you choose to scan, a new Virtual Private Cloud (VPC) and Internet Gateway are created. This applies to both integration types, Single Account and Organization. For an organization integration, a dedicated scanning account is created, and that account contains a new VPC and Internet Gateway in each scanned region.

The target AWS account must have Service Quotas that allow at least one more of each of these resources (VPC and Internet Gateway) to be created in every region you select. One way to verify this is in AWS Trusted Advisor: open the Service limits page from the left-hand menu, search by the keyword "VPC", and expand both the VPC and VPC Internet Gateways results. Confirm that at least one more of each can be created in every scanning region.
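As an added example that is not part of the Lacework documentation, the following pre-flight script automates the check described above: it compares each region's current VPC and Internet Gateway counts against the account's Service Quotas (via boto3) and reports any region that cannot fit one more of each. The quota codes `L-F678F1CE` and `L-A4707A72` are assumed from memory; confirm them with `aws service-quotas list-service-quotas --service-code vpc` before relying on the output.

```python
from dataclasses import dataclass

# Quota codes for "VPCs per Region" and "Internet gateways per Region" (assumed from memory;
# confirm with `aws service-quotas list-service-quotas --service-code vpc`).
QUOTA_CODES = {"vpc": "L-F678F1CE", "igw": "L-A4707A72"}

@dataclass
class RegionHeadroom:
    region: str
    vpc_used: int
    vpc_quota: int
    igw_used: int
    igw_quota: int

    def problems(self) -> list:
        """Return the resources for which this region cannot fit one more."""
        out = []
        if self.vpc_used >= self.vpc_quota:
            out.append(f"VPC: {self.vpc_used}/{self.vpc_quota} used")
        if self.igw_used >= self.igw_quota:
            out.append(f"IGW: {self.igw_used}/{self.igw_quota} used")
        return out

def regions_without_headroom(snapshots) -> dict:
    """Map each region lacking room for one more VPC and one more IGW to its problems."""
    return {s.region: s.problems() for s in snapshots if s.problems()}

def fetch_headroom(region: str) -> RegionHeadroom:
    """Query live usage and quotas for one region (needs AWS credentials)."""
    import boto3  # imported lazily so the pure logic above runs without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    sq = boto3.client("service-quotas", region_name=region)
    used = {
        "vpc": len(ec2.describe_vpcs()["Vpcs"]),
        "igw": len(ec2.describe_internet_gateways()["InternetGateways"]),
    }
    quota = {}
    for key, code in QUOTA_CODES.items():
        try:  # applied (raised) quota if one exists, otherwise the AWS default
            q = sq.get_service_quota(ServiceCode="vpc", QuotaCode=code)
        except sq.exceptions.NoSuchResourceException:
            q = sq.get_aws_default_service_quota(ServiceCode="vpc", QuotaCode=code)
        quota[key] = int(q["Quota"]["Value"])
    return RegionHeadroom(region, used["vpc"], quota["vpc"], used["igw"], quota["igw"])

if __name__ == "__main__":
    import sys  # usage: python check_headroom.py us-east-1 us-west-2 ...
    blocked = regions_without_headroom(fetch_headroom(r) for r in sys.argv[1:])
    for region, why in blocked.items():
        print(f"{region}: {'; '.join(why)}")
```

Any region printed by the script needs a quota increase (or cleanup of unused VPCs/IGWs) before it is selected for scanning.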

Amazon Elastic Container Service (ECS) is used in both the Single Account and Organization deployment methods, in each region you choose to scan. For the organization integration, the scanning account has ECS set up separately in each of those regions.

Integration Requirements

  • Sufficient AWS IAM Permissions - See Required Permissions for Deployment to create your own custom IAM roles to ensure least-privilege access during deployment.
    • The IAM role or user used to run Terraform must have sufficient privileges to create IAM roles in every AWS account or organization you intend to integrate with Lacework.
  • AWS CLI - The Terraform Provider for AWS leverages the configuration from the AWS CLI, and it is recommended the AWS CLI is installed and configured with API Keys for the account being integrated.
  • Lacework Administrator - You must have a Lacework account with administrator privileges.
  • Lacework CLI - Lacework leverages the configuration from the Lacework CLI. It is recommended the Lacework CLI is installed and configured.
  • Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.

Module Dependencies

Lacework Terraform modules for AWS Agentless Workload Scanning have the following dependencies that will be installed when running terraform init: