
Amazon GuardDuty

Preview feature: the Amazon GuardDuty integration is currently in preview.

Overview

Findings from Amazon GuardDuty, AWS's native threat detection service, extend Lacework's detection coverage. Lacework receives GuardDuty findings through AWS Security Hub, correlates the entities those findings reference with its graph-based known and unknown threat detection, and shows the relevant GuardDuty findings as Supporting Facts in Lacework Composite Alerts. This automates the evidence-gathering phase of an incident investigation and gives security analysts high-efficacy, low-volume alerts.

Prerequisites

Amazon GuardDuty and AWS Security Hub must both be enabled in the AWS account and region you are integrating. Once both are enabled, GuardDuty automatically sends its findings to Security Hub; no additional forwarding configuration is needed on the GuardDuty side.

Amazon GuardDuty Integration Architecture

CloudFormation is used to deploy the Lacework Amazon GuardDuty integration. The CloudFormation template creates the following resources:

  • An EventBridge rule that forwards GuardDuty findings to an SQS queue.
  • An SQS queue that receives the GuardDuty findings.
  • A cross-account IAM role that allows Lacework to access the SQS queue in order to receive the GuardDuty findings.
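The rule-to-queue path above is the part of the architecture worth understanding before you trust what arrives in Lacework. The following is an added example, not code from the Lacework template or from Lacework: a small EventBridge-style matcher for the kind of event pattern a rule like the one above would use to select Security Hub findings that originated from GuardDuty, plus the fields a consumer reading the SQS queue would extract from the ASFF payload. The exact pattern the Lacework template uses is not shown on this page, so the pattern is an assumption, and both sample events are constructed.

```python
"""Added example (not Lacework's code): EventBridge-style matching of Security Hub
events that carry GuardDuty findings, and extraction of the fields a queue
consumer would act on. Pattern and sample events are assumptions/constructed."""
import json

# Assumed rule pattern. Security Hub publishes imported findings to EventBridge
# with source "aws.securityhub" and detail-type "Security Hub Findings - Imported";
# detail.findings is a list of ASFF findings whose ProductName names the producer.
GUARDDUTY_VIA_SECURITYHUB_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"ProductName": ["GuardDuty"]}},
}


def _match_leaf(alternatives, value):
    """A pattern leaf is a list of alternatives: exact values or {"prefix": ...}.
    A list-valued event field matches if any element matches (EventBridge array
    semantics)."""
    if isinstance(value, list):
        return any(_match_leaf(alternatives, v) for v in value)
    for alt in alternatives:
        if isinstance(alt, dict):
            if isinstance(value, str) and value.startswith(alt.get("prefix", "\0")):
                return True
        elif alt == value:
            return True
    return False


def matches(pattern, event):
    """Every key in the pattern must exist in the event and match; keys the
    pattern does not mention are unconstrained."""
    if isinstance(pattern, list):
        return _match_leaf(pattern, event)
    if isinstance(event, list):  # pattern object applied to an array of objects
        return any(matches(pattern, e) for e in event)
    if not isinstance(event, dict):
        return False
    return all(k in event and matches(sub, event[k]) for k, sub in pattern.items())


def guardduty_findings(event):
    """Summaries of the GuardDuty findings in one Security Hub event, or [] when
    the event would not have passed the rule. A batch can mix products, so the
    per-finding ProductName filter is applied again here."""
    if not matches(GUARDDUTY_VIA_SECURITYHUB_PATTERN, event):
        return []
    return [
        {
            "id": f["Id"],
            "account": f["AwsAccountId"],
            "type": f["Types"][0],
            "severity": f["Severity"]["Label"],
            "resources": [r["Id"] for r in f.get("Resources", [])],
        }
        for f in event["detail"]["findings"]
        if f.get("ProductName") == "GuardDuty"
    ]


# Constructed sample: one Security Hub batch holding a GuardDuty finding and an
# Inspector finding. All identifiers are placeholders.
SAMPLE_SECURITYHUB_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {
            "ProductName": "GuardDuty",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
            "Id": "arn:aws:guardduty:us-east-1:222222222222:detector/d1/finding/f1",
            "AwsAccountId": "222222222222",
            "Types": ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"],
            "Severity": {"Label": "HIGH", "Normalized": 70},
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": "arn:aws:ec2:us-east-1:222222222222:instance/i-0123456789abcdef0"}],
        },
        {
            "ProductName": "Inspector",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
            "Id": "arn:aws:inspector2:us-east-1:222222222222:finding/abc",
            "AwsAccountId": "222222222222",
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
            "Severity": {"Label": "MEDIUM", "Normalized": 40},
        },
    ]},
}

# Constructed sample of a finding published directly by GuardDuty rather than
# via Security Hub. The rule is keyed on the Security Hub event shape, so this
# must not match even though it is a GuardDuty finding.
DIRECT_GUARDDUTY_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2},
}

if __name__ == "__main__":
    print(json.dumps(guardduty_findings(SAMPLE_SECURITYHUB_EVENT), indent=2))
    print(guardduty_findings(DIRECT_GUARDDUTY_EVENT))  # [] because it bypassed Security Hub
```

The second sample is the practical point: the integration consumes Security Hub's "Findings - Imported" events, not GuardDuty's own "GuardDuty Finding" events, which is why Security Hub must be enabled (see Prerequisites) and why a GuardDuty-only account produces nothing on the queue.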

(Diagram: Security Hub ingest architecture)

Configure the Amazon GuardDuty Integration

In the Lacework Console you can either Run the CloudFormation Template or Download the CloudFormation Template.

  • Run CloudFormation Template - This option requires fewer steps and less user interaction. Disable your browser pop-up blocker first, because the console opens the AWS CloudFormation Create stack page for you.
  • Download CloudFormation Template - This option requires more user interaction but is useful if you have multiple accounts with distributed ownership, where each account owner deploys the template themselves.

To run the CloudFormation template from the Lacework Console:

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud account.
  3. Click + Add New.
  4. Click Amazon Web Services and select CloudFormation.
  5. Click Next.
  6. Select Security Hub and click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page with the Amazon S3 template URL already populated.
  7. No changes are required on this page. Click Next.
  8. Review the Specify stack details page. Resource name prefix is populated with the account name of the first account configured to use Lacework for AWS Configuration. When adding further accounts, keep this prefix or enter a different one so that resource names stay unique per account. Click Next.
  9. No changes are required on the Configure stack options page. Click Next.
  10. Verify the information on the Review page and click Submit.

For more information on selecting a stack template, refer to AWS documentation.

CloudFormation Stack Progress

After clicking Submit, you are redirected back to the CloudFormation page.

If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack status is CREATE_COMPLETE, the Amazon GuardDuty integration is complete.

Permissions

The following IAM permissions are required for Lacework to receive GuardDuty findings. They are provisioned by the CloudFormation deployment: a cross-account role that can be assumed only by the lacework-platform role in Lacework's AWS account, and only when that caller presents the ExternalID you configured (the sts:ExternalId condition is the standard guard against the confused-deputy problem), with an inline policy limited to reading and deleting messages on the integration queue.

Cross-Account IAM Role

```yaml
LaceworkSecHubCrossAccountAccessRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub "${ResourceNamePrefix}-Lacework-Sec-Hub-Role"
    # Trust policy: only the lacework-platform role in Lacework's account may
    # assume this role, and only when it presents the configured ExternalID.
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - sts:AssumeRole
          Principal:
            AWS: !Join
              - ''
              - - 'arn:aws:iam::'
                - !Ref LaceworkAWSAccountId
                - ':role/lacework-platform'
          Condition:
            StringEquals:
              sts:ExternalId: !Ref ExternalID
    Path: "/"
    # Permission policy: read and delete messages on the integration queue only.
    # LaceworkSecHubQueue is the SQS queue resource defined elsewhere in the template.
    Policies:
      - PolicyName: LaceworkSecHubCrossAccountAccessRolePolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - sqs:ListQueues
                - sqs:GetQueueAttributes
                - sqs:GetQueueUrl
                - sqs:DeleteMessage
                - sqs:ReceiveMessage
              Resource:
                - !GetAtt LaceworkSecHubQueue.Arn
```
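Because this role is assumable from another AWS account, the two properties that matter are the narrow principal and the sts:ExternalId condition in the trust policy, plus the queue-scoped permission policy. The following is an added example, not part of the Lacework template or Lacework's code: it renders the trust policy the snippet above produces after !Join and !Ref are resolved, then checks a trust policy and a permission policy the way a reviewer would before deploying a modified template or after auditing a deployed role. The account ID, external ID and queue ARN are placeholders, and the weak policies are constructed to show what the checks catch.

```python
"""Added example (not Lacework's code): review checks for the cross-account
role above. Account ID, external ID and queue ARN are placeholders."""
import json
from copy import deepcopy

LACEWORK_ACCOUNT_ID = "111111111111"   # placeholder for the LaceworkAWSAccountId parameter
EXTERNAL_ID = "example-external-id"    # placeholder for the ExternalID parameter
QUEUE_ARN = "arn:aws:sqs:us-east-1:222222222222:prefix-Lacework-Sec-Hub-Queue"  # placeholder

# The five actions the template grants; anything beyond these is flagged.
EXPECTED_SQS_ACTIONS = {"sqs:ListQueues", "sqs:GetQueueAttributes", "sqs:GetQueueUrl",
                        "sqs:DeleteMessage", "sqs:ReceiveMessage"}


def _as_list(value):
    """IAM allows scalars or lists for Action, Resource, Statement and AWS principals."""
    return value if isinstance(value, list) else [value]


def trust_policy(lacework_account_id, external_id):
    """The AssumeRolePolicyDocument the template renders once !Join/!Ref resolve."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Principal": {"AWS": f"arn:aws:iam::{lacework_account_id}:role/lacework-platform"},
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_issues(policy, expected_account_id):
    """Flag every Allow sts:AssumeRole statement that trusts a wildcard, a foreign
    account, a whole account rather than a specific role, or lacks sts:ExternalId."""
    issues = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*":
                issues.append("wildcard principal: any AWS account could assume the role")
            elif f":{expected_account_id}:" not in p and p != expected_account_id:
                issues.append(f"principal {p} is outside the expected account {expected_account_id}")
            elif ":role/" not in p:
                issues.append(f"principal {p} trusts the whole account rather than a specific role")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            issues.append("missing sts:ExternalId condition (confused-deputy protection)")
    return issues


def permission_policy_issues(policy, queue_arn):
    """Flag actions beyond the expected SQS read/delete set and any resource that
    is not the integration queue."""
    issues = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action", []))) - EXPECTED_SQS_ACTIONS
        if extra:
            issues.append(f"unexpected actions granted: {sorted(extra)}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != queue_arn:
                issues.append(f"resource {resource} is not the integration queue")
    return issues


# The permission policy from the template, with the queue ARN resolved.
QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(EXPECTED_SQS_ACTIONS), "Resource": [QUEUE_ARN]}],
}

# Constructed weak variants: a trust policy that trusts the whole Lacework account
# root and drops the ExternalId condition, and a permission policy that grants
# sqs:* on every queue in the account.
WEAK_TRUST_POLICY = deepcopy(trust_policy(LACEWORK_ACCOUNT_ID, EXTERNAL_ID))
WEAK_TRUST_POLICY["Statement"][0]["Principal"] = {"AWS": f"arn:aws:iam::{LACEWORK_ACCOUNT_ID}:root"}
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]
BROAD_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(trust_policy(LACEWORK_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(trust_policy_issues(trust_policy(LACEWORK_ACCOUNT_ID, EXTERNAL_ID), LACEWORK_ACCOUNT_ID))
    print(trust_policy_issues(WEAK_TRUST_POLICY, LACEWORK_ACCOUNT_ID))
    print(permission_policy_issues(QUEUE_POLICY, QUEUE_ARN))
    print(permission_policy_issues(BROAD_QUEUE_POLICY, QUEUE_ARN))
```

The same functions can be pointed at the live role: feed the output of `aws iam get-role` (the AssumeRolePolicyDocument) and `aws iam get-role-policy` into them to confirm a deployed stack still matches the template, for instance after someone edited the role by hand.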

FAQs

How do I know if the integration is working?

After you configure the Security Hub integration, its status in the Lacework Console shows Pending until Security Hub generates a new finding event and it is delivered to Lacework; the status then changes to Success. If something is wrong, an error message is shown instead. Because the status only advances on a new event, a quiet account can remain Pending for some time without anything being broken.

Where can I see the GuardDuty findings in Lacework?

GuardDuty findings are not shown as standalone alerts. They appear as Supporting Facts only when they correlate with a Lacework Composite Alert.

AWS Control Tower

For AWS Control Tower customers, Lacework is an AWS Built-in partner and provides a bundled solution with AWS Control Tower, Amazon GuardDuty, and AWS Security Hub. This solution is intended for AWS Control Tower customers that require a seamless and comprehensive security solution for all accounts in their AWS organization. For more information, see the Lacework AWS Built-in Package.