Amazon GuardDuty
The Amazon GuardDuty integration is currently in preview.
Overview
Findings from Amazon's native threat detection service, GuardDuty, expand Lacework's detection capabilities. Lacework collects GuardDuty findings through AWS Security Hub, correlates the entities they reference within its graph-based known and unknown threat detection system, and displays relevant GuardDuty findings as Supporting Facts in Lacework Composite Alerts. This integration automates the evidence-gathering phase of incident investigations, providing security analysts with high-efficacy, low-volume alerts.
Prerequisites
- Enable Amazon GuardDuty - Follow the AWS documentation to enable Amazon GuardDuty in your AWS account.
- Enable AWS Security Hub - Follow the AWS documentation to enable AWS Security Hub in your AWS account.
- A Lacework Cloud Security Platform SaaS account.
- Ensure that you are deploying the integration to a supported AWS region.
When Amazon GuardDuty and AWS Security Hub are enabled, GuardDuty automatically sends findings to AWS Security Hub.
Amazon GuardDuty Integration Architecture
CloudFormation is used to deploy the Lacework Amazon GuardDuty integration. The CloudFormation template creates the following resources:
- An EventBridge rule that forwards GuardDuty findings to an SQS queue.
- An SQS queue that receives the GuardDuty findings.
- A cross-account IAM role that allows Lacework to access the SQS queue in order to receive the GuardDuty findings.
Configure the Amazon GuardDuty Integration
In the Lacework Console you can either Run the CloudFormation Template or Download the CloudFormation Template.
- Run CloudFormation Template - This option requires fewer steps and less user interaction. Disable your browser pop-up blocker.
- Download CloudFormation Template - This option requires more user interaction but may be useful if you have multiple accounts with distributed ownership.
Run CloudFormation
- Log in to the Lacework Console.
- Go to Settings > Integrations > Cloud account.
- Click + Add New.
- Click Amazon Web Services and select CloudFormation.
- Click Next.
- Select Security Hub and click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page. The template populates the Amazon S3 template URL for you.
- No changes are required. Click Next.
- Review the Specify stack details page. Resource name prefix is populated with the account name of the first account configured to use Lacework for AWS Configuration. When adding accounts, you can keep this prefix or enter a different prefix to ensure account uniqueness. Click Next.
- No changes are required on the Configure stack options page. Click Next.
- Verify the information on the Review page and click Submit.
Download CloudFormation
- Log in to the Lacework Console.
- Go to Settings > Integrations > Cloud account.
- Click + Add New.
- Click Amazon Web Services and select CloudFormation.
- Click Next.
- Select Security Hub and click Download CloudFormation Template.
- Log in to your AWS account.
- Select the CloudFormation service and click Create stack. The Create stack page displays.
- For Template source, click Upload a template file.
- Upload the Lacework template and click Next.
- On the Specify stack details page enter a Stack name (for example, Lacework-Amazon-GuardDuty).
- Enter a Resource name prefix such as an account name. Click Next.
- No changes are required on the Configure stack options page. Click Next.
- Verify the information on the Review page and click Submit.
For more information on selecting a stack template, refer to AWS documentation.
CloudFormation Stack Progress
After clicking Submit, you are redirected back to the CloudFormation page.
If you do not see your new stack in the table, refresh the page. Select your stack to see the event log as it is being created. When the stack status is CREATE_COMPLETE, the Amazon GuardDuty integration is complete.
Permissions
The following IAM permissions are required to allow Lacework to receive GuardDuty findings. These are provisioned as part of the CloudFormation deployment.
Cross-Account IAM Role
LaceworkSecHubCrossAccountAccessRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub "${ResourceNamePrefix}-Lacework-Sec-Hub-Role"
    # Trust policy: only the Lacework platform role may assume this role, and only
    # when it presents the ExternalId issued for this integration.
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - sts:AssumeRole
          Principal:
            AWS: !Join
              - ''
              - - 'arn:aws:iam::'
                - !Ref LaceworkAWSAccountId
                - ':role/lacework-platform'
          Condition:
            StringEquals:
              sts:ExternalId:
                !Ref ExternalID
    Path: "/"
    # Inline permissions: receive and delete messages on the findings queue only.
    Policies:
      - PolicyName: LaceworkSecHubCrossAccountAccessRolePolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - sqs:ListQueues
                - sqs:GetQueueAttributes
                - sqs:GetQueueUrl
                - sqs:DeleteMessage
                - sqs:ReceiveMessage
              Resource:
                - !GetAtt LaceworkSecHubQueue.Arn
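The cross-account role described in the architecture section and shown in the template above is the trust boundary of this integration, so it is worth checking after deployment (or in a drift review) that it still trusts only the Lacework platform role with the ExternalId condition, and still grants only the five SQS actions on the findings queue. The following is an added example, not Lacework's code: it runs the two checks over the rendered policy documents. The account IDs, queue ARN and external ID are placeholders, and the sample documents are constructed from the template.

```python
# Constructed sample: the trust and permission policies the template above renders to
# after deployment. Account IDs, queue ARN and external ID are placeholders, not real values.
LACEWORK_ACCOUNT_ID = "111111111111"              # stands in for LaceworkAWSAccountId
EXPECTED_EXTERNAL_ID = "EXTERNAL-ID-PLACEHOLDER"  # stands in for ExternalID
QUEUE_ARN = "arn:aws:sqs:us-east-1:222222222222:acme-Lacework-Sec-Hub-Queue"
# The only SQS actions the template grants; anything broader is drift from least privilege.
ALLOWED_SQS_ACTIONS = {"sqs:ListQueues", "sqs:GetQueueAttributes", "sqs:GetQueueUrl",
                       "sqs:DeleteMessage", "sqs:ReceiveMessage"}

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Principal": {"AWS": f"arn:aws:iam::{LACEWORK_ACCOUNT_ID}:role/lacework-platform"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}}}]}
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(ALLOWED_SQS_ACTIONS), "Resource": [QUEUE_ARN]}]}


def _as_list(value):
    # IAM accepts either a string or a list in Action, Resource and Principal fields.
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, lacework_account_id, external_id):
    """Findings for any Allow/AssumeRole statement that strays from the template's trust."""
    expected_principal = f"arn:aws:iam::{lacework_account_id}:role/lacework-platform"
    problems = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})  # may be a dict ({"AWS": ...}) or the string "*"
        for p in _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal):
            if p != expected_principal:
                problems.append(f"unexpected principal {p}")
        actual_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if actual_id != external_id:
            problems.append("sts:ExternalId condition missing or wrong (confused-deputy exposure)")
    return problems


def check_queue_policy(doc, queue_arn):
    """Findings for SQS grants wider than the template's action list or queue ARN."""
    problems = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        problems += [f"action {a} exceeds the template" for a in _as_list(st.get("Action", []))
                     if a not in ALLOWED_SQS_ACTIONS]
        problems += [f"resource {r} is not the Lacework queue" for r in _as_list(st.get("Resource", []))
                     if r != queue_arn]
    return problems
```

To run it against a live account, feed the checks the output of `iam get-role` (AssumeRolePolicyDocument) and `iam get-role-policy` (PolicyDocument) for the deployed role; an empty list from both means the role matches the template.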
FAQs
How do I know if the integration is working?
After configuring the Security Hub integration, the status in Lacework will show Pending until a new event is generated by Security Hub and delivered to Lacework. The status will then show Success. If there is an issue, you will see an error message.
Where can I see the GuardDuty findings in Lacework?
GuardDuty findings are only displayed when they correlate with a Lacework Composite Alert.
For AWS Control Tower customers, Lacework is an AWS Built-in partner and provides a bundled solution with AWS Control Tower, Amazon GuardDuty, and AWS Security Hub. This solution is intended for AWS Control Tower customers that require a seamless and comprehensive security solution for all accounts in their AWS organization. For more information, see the Lacework AWS Built-in Package.