AWS CloudTrail Integration for Organizations

This topic describes how to manually create an AWS CloudTrail integration for a Lacework organization.

If your Lacework accounts are enrolled in a Lacework organization, you can configure a consolidated AWS CloudTrail integration that maps CloudTrail activity from your AWS accounts to selected Lacework accounts within your organization.

Overview

When you create a CloudTrail integration for an organization, you define the following:

  • Role ARN for Lacework to use
  • A temporary external ID. You will replace this external ID with one generated by Lacework later in the onboarding process.
  • The SQS queue URL for the integration to use
  • The data flow from one or more AWS accounts to one or more Lacework accounts

Upon completion, the results from analyzing the specified AWS account CloudTrail activity appear in the mapped Lacework account.

Note:
  • Ensure that you are deploying the integration to a supported AWS region.
  • Each account integration is expected to be mapped to one Lacework account.
  • The mapping that you configure for an organization integration is in addition to what is already configured for the CloudTrail account integration. It doesn't override the existing account integration.
  • If you consolidate CloudTrails from multiple AWS accounts into one bucket, Lacework maps the account ID to the account alias for the root account only. Other account IDs are not mapped to account aliases.

Create an Integration in the Lacework Console

Follow these steps to configure a CloudTrail integration for a Lacework organization.

Ensure you have completed the prerequisites described in AWS CloudTrail Integration Prerequisites.

  1. Log in to the Lacework Console as an organization administrator.
  2. Switch to the organization.
  3. Go to Settings > Integrations > Cloud Accounts and create a new integration.
  4. Select AWS > Manual configuration, and then click Next.
  5. Select CloudTrail+Configuration for the integration type.
  6. For Name, enter a unique name that displays in the Lacework Console.
  7. For Account ID, enter your AWS account identifier or alias.
  8. For External ID, paste the external ID that you created when completing the AWS integration prerequisites. If the external ID does not comply with the format requirements, click the Refresh icon to generate a new one. Then follow the steps to update the external ID in the AWS console before returning here to finish the integration.
  9. For Role ARN, enter the ARN of the cross-account role that Lacework uses to access your AWS resources.
  10. For SQSQueueURL, enter the Amazon Simple Queue Service (SQS) URL value.
  11. For Account Mapping File, click Choose File and select the mapping file to use. Refer to Account Mapping File for details.
  12. Click Save.

The CloudTrail integrations configured at the organization level appear within their respective Lacework accounts’ Cloud Accounts Summary as read-only integrations. It may take up to a couple of minutes for new data to reach Lacework.

Account Mapping File

The account mapping file is a JSON file that maps AWS accounts to Lacework accounts within a Lacework organization.

Example mapping file

{
  "defaultLaceworkAccountAws": "lw_account_1",
  "integration_mappings": {
    "lw_account_2": {
      "aws_accounts": [
        "234556677",
        "774564564"
      ]
    },
    "lw_account_3": {
      "aws_accounts": [
        "553453453",
        "934534535"
      ]
    }
  }
}

  • "defaultLaceworkAccountAws" - Required. The value is a Lacework account name, for example, "lw_account_1". Any CloudTrails that are not explicitly mapped to a Lacework account go to this default account.
  • "integration_mappings" - Required. Each key within "integration_mappings" must be a Lacework account name, for example: "lw_account_2", "lw_account_3". Account names are not case-sensitive.
  • "aws_accounts" - Required. An array of AWS account IDs as strings, for example "234556677", "774564564".
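The following validator and resolver is an added example, not Lacework's own code, written against the mapping file format described above. It parses a mapping file, reports the problems a practitioner is most likely to ship (a missing default account, a Lacework account name repeated with different casing, an AWS account ID listed under two Lacework accounts, a non-string ID), and answers the question the file exists to settle: which Lacework account receives a given AWS account's CloudTrail data, falling back to "defaultLaceworkAccountAws" for unmapped accounts. The checks that each AWS account ID is a string of digits and belongs to exactly one Lacework account are assumptions drawn from the note that each account integration maps to one Lacework account; the sample file is constructed to mirror the example on this page.

```python
import json

# Constructed sample input, mirroring the example mapping file on this page.
SAMPLE_MAPPING = """{
  "defaultLaceworkAccountAws": "lw_account_1",
  "integration_mappings": {
    "lw_account_2": { "aws_accounts": ["234556677", "774564564"] },
    "lw_account_3": { "aws_accounts": ["553453453", "934534535"] }
  }
}"""

DEFAULT_KEY = "defaultLaceworkAccountAws"
MAPPINGS_KEY = "integration_mappings"
ACCOUNTS_KEY = "aws_accounts"


def parse_mapping(text):
    """Parse the JSON text of a mapping file into a dict."""
    return json.loads(text)


def validate_mapping(mapping):
    """Return a list of problems found in the mapping; an empty list means it passes.

    Rules taken from the page: both top-level fields are required, every
    integration_mappings entry needs an aws_accounts array of strings, and
    Lacework account names compare case-insensitively. Assumed rules: an AWS
    account ID is a string of digits, and each ID belongs to one Lacework account.
    """
    errors = []
    if not isinstance(mapping, dict):
        return ["mapping file must be a JSON object"]

    default = mapping.get(DEFAULT_KEY)
    if not isinstance(default, str) or not default:
        errors.append(f'"{DEFAULT_KEY}" is required and must be a Lacework account name')

    mappings = mapping.get(MAPPINGS_KEY)
    if not isinstance(mappings, dict):
        errors.append(f'"{MAPPINGS_KEY}" is required and must be an object')
        return errors

    seen_names = {}  # lower-cased Lacework account name -> name as written
    owner = {}       # AWS account ID -> lower-cased Lacework account name
    for name, entry in mappings.items():
        key = name.lower()
        if key in seen_names:
            errors.append(f'Lacework account "{name}" duplicates "{seen_names[key]}" '
                          f'(names are case-insensitive)')
        seen_names[key] = name

        accounts = entry.get(ACCOUNTS_KEY) if isinstance(entry, dict) else None
        if not isinstance(accounts, list) or not accounts:
            errors.append(f'"{name}" needs a non-empty "{ACCOUNTS_KEY}" array')
            continue
        for aws_id in accounts:
            # Assumption: AWS account IDs are numeric strings.
            if not isinstance(aws_id, str) or not aws_id.isdigit():
                errors.append(f'"{name}": AWS account ID {aws_id!r} must be a string of digits')
                continue
            if aws_id in owner and owner[aws_id] != key:
                errors.append(f'AWS account {aws_id} is mapped to more than one Lacework '
                              f'account ("{owner[aws_id]}" and "{key}")')
            owner.setdefault(aws_id, key)
    return errors


def resolve_lacework_account(mapping, aws_account_id):
    """Return the (lower-cased) Lacework account that receives CloudTrail data
    for aws_account_id, or the default account when the ID is not mapped."""
    for name, entry in mapping[MAPPINGS_KEY].items():
        if aws_account_id in entry.get(ACCOUNTS_KEY, []):
            return name.lower()
    return mapping[DEFAULT_KEY].lower()


if __name__ == "__main__":
    mapping = parse_mapping(SAMPLE_MAPPING)
    print("problems:", validate_mapping(mapping) or "none")
    for aws_id in ("234556677", "934534535", "111111111"):
        print(aws_id, "->", resolve_lacework_account(mapping, aws_id))
```

Run the validator over a mapping file before uploading it in step 11; the resolver is useful when checking, after the integration is live, that a given AWS account's activity is appearing in the Lacework account you expect rather than silently landing in the default account.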