AWS Config Integration Prerequisites

This topic explains how to prepare your AWS account for the Lacework Configuration integration when you configure it manually.

If you plan to use Terraform, see AWS Terraform.

If you plan to use CloudFormation, see AWS Integration Using CloudFormation.

Prerequisites

  • Cross-account IAM role - The cross-account role gives Lacework the access it needs to assess cloud resource configurations. Create the cross-account role for Lacework to use.
  • Custom IAM policy - The custom policy defines additional services that Lacework needs. Create the policy and grant it to the cross-account role.
  • SecurityAudit IAM policy - Lacework requires the AWS managed SecurityAudit IAM policy. Grant it to the cross-account role.

Additional Requirements

  • AWS account admin - The account you use must have administrative privileges in every AWS account that you want to integrate with Lacework.
  • Lacework administrator - You must have a Lacework account with administrator privileges.
  • Ensure that you are deploying the integration to a supported AWS region.

Create an IAM Policy and Role

To allow Lacework access to the required resources in your AWS environment, you must create the following:

  • A custom IAM policy
  • A cross-account IAM role

Create a Custom IAM Policy

Create a custom policy that enables read-only access to configuration resources:

  1. Log in to your AWS account.

  2. Go to the Identity and Access Management (IAM) dashboard.

  3. Click Policies in the left sidebar. A list of existing IAM policies appears.

  4. Click Create Policy.

  5. Select the JSON tab and paste the following JSON into the text box to define your new IAM policy.

    {
      "Statement": [
        {
          "Action": "ec2:GetEbsEncryptionByDefault",
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "GetEc2DefaultEncryption"
        },
        {
          "Action": "eks:ListTagsForResource",
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "EksListTagsForResource"
        },
        {
          "Action": [
            "elasticfilesystem:DescribeReplicationConfigurations",
            "elasticfilesystem:DescribeLifecycleConfiguration",
            "elasticfilesystem:DescribeFileSystemPolicy",
            "elasticfilesystem:DescribeBackupPolicy",
            "elasticfilesystem:DescribeAccountPreferences",
            "elasticfilesystem:DescribeAccessPoints"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "EfsPolicies"
        },
        {
          "Action": [
            "sagemaker:GetModelPackageGroupPolicy",
            "sagemaker:GetLineageGroupPolicy"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "SagemakerPolicies"
        },
        {
          "Action": [
            "identitystore:ListUsers",
            "identitystore:ListGroups",
            "identitystore:ListGroupMembershipsForMember",
            "identitystore:ListGroupMemberships",
            "identitystore:DescribeUser",
            "identitystore:DescribeGroupMembership",
            "identitystore:DescribeGroup"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "IdentityStoreReadOnly"
        },
        {
          "Action": [
            "sso:GetInlinePolicyForPermissionSet",
            "sso:DescribeInstanceAccessControlAttributeConfiguration",
            "sso:DescribeAccountAssignmentDeletionStatus"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "SSOReadOnly"
        },
        {
          "Action": "apigateway:GET",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:apigateway:*::/apikeys",
            "arn:aws:apigateway:*::/apikeys/*"
          ],
          "Sid": "APIGATEWAY"
        },
        {
          "Action": [
            "glue:ListWorkflows",
            "glue:BatchGetWorkflows",
            "glue:GetTags"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "GLUE"
        },
        {
          "Action": [
            "waf-regional:ListRules",
            "waf-regional:GetRule",
            "waf-regional:ListRuleGroups",
            "waf-regional:GetRuleGroup",
            "waf-regional:ListActivatedRulesInRuleGroup"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "WAFREGIONAL"
        },
        {
          "Action": [
            "codebuild:ListBuilds",
            "codebuild:BatchGetBuilds"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "CODEBUILD"
        }
      ],
      "Version": "2012-10-17"
    }

  6. Click Next.

  7. Specify a policy name in Name and provide a brief description of your policy.

  8. Optionally add tags as key-value pairs to AWS resources to identify them.

  9. Click Create policy. Your new IAM policy appears in the list of policies for your AWS environment.
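
Before pasting a policy like the one in step 5, you can confirm that it grants read-only access only. The following check is an added example, not part of the Lacework documentation; the list of read-only verb prefixes and the "Tampered" statement in the sample are assumptions made for illustration.

```python
import json

# Verb prefixes treated as read-only (an assumption of this example; they
# cover every non-API-Gateway action in the policy above).
READ_PREFIXES = ("get", "list", "describe", "batchget")

def as_list(value):
    """IAM accepts a single string or a list for Action."""
    return [value] if isinstance(value, str) else list(value)

def non_read_only_actions(policy):
    """Return (Sid, action) pairs from Allow statements that are not read-only."""
    findings = []
    stmts = policy["Statement"]
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append((sid, "NotAction"))
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if "*" in action or "?" in action:  # wildcards can match write actions
                findings.append((sid, action))
            elif service.lower() == "apigateway":  # API Gateway actions are HTTP verbs
                if name.upper() != "GET":
                    findings.append((sid, action))
            elif not name.lower().startswith(READ_PREFIXES):
                findings.append((sid, action))
    return findings

# Constructed sample: two statements copied from the policy above plus one
# deliberately altered statement ("Tampered") to show what gets flagged.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "GLUE", "Effect": "Allow", "Resource": "*",
   "Action": ["glue:ListWorkflows", "glue:BatchGetWorkflows", "glue:GetTags"]},
  {"Sid": "APIGATEWAY", "Effect": "Allow", "Action": "apigateway:GET",
   "Resource": ["arn:aws:apigateway:*::/apikeys", "arn:aws:apigateway:*::/apikeys/*"]},
  {"Sid": "Tampered", "Effect": "Allow", "Resource": "*",
   "Action": ["codebuild:ListBuilds", "codebuild:StartBuild", "glue:*"]}
]}
""")

if __name__ == "__main__":
    for sid, action in non_read_only_actions(SAMPLE):
        print(f"{sid}: {action} is not read-only")
```

An empty result means every allowed action in the document is a read operation under the prefix list above.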

Create a Cross-Account IAM Role

Lacework requires a cross-account role to analyze events.

  1. Log in to your AWS account.
  2. Go to the Identity and Access Management (IAM) dashboard.
  3. Click Roles in the left sidebar. A list of existing IAM roles appears.
  4. Click Create role.
  5. For Trusted entity type, select Custom trust policy.
  6. Add the following policy statement:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::434813966438:role/lacework-platform"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": [
                "lweid:aws:v2:<tenant_name>:<aws_account_id>:<unique_id>"
              ]
            }
          }
        }
      ]
    }
    • 434813966438:role/lacework-platform is the Lacework account ID and Lacework role name.
    • For sts:ExternalId, provide an external ID, which must consist of your Lacework tenant name (from your Lacework URL <tenant_name>.lacework.net), the ID of the AWS account being integrated, and a random 10-character string. See the complete external ID format details to verify it is Lacework-compliant. Copy the external ID so you can use it later in the onboarding process when you configure the integration from the Lacework Console.
  7. Click Next. The Add permissions page appears.
  8. Add the AWS managed SecurityAudit policy and the custom IAM policy you created earlier.
  9. Click Next.
  10. Name the new role.
  11. Click Create role.
  12. Record the ARN for this cross-account role. You will need this information when you configure the integration from the Lacework Console.
  13. Proceed to AWS Integration - Manual Configuration and follow the steps to complete the integration from the Lacework Console.
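
The trust policy in step 6 is what restricts who can assume the cross-account role, so it is worth checking before you record the role ARN. The following is an added example, not part of the Lacework documentation: it generates an external ID in the format shown above and verifies that a trust policy names only the Lacework principal, allows only sts:AssumeRole, and carries a matching sts:ExternalId condition. The function names and the alphabet used for the random part are assumptions; consult the external ID format details for the authoritative rules.

```python
import secrets
import string

LACEWORK_PRINCIPAL = "arn:aws:iam::434813966438:role/lacework-platform"  # from the page

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def make_external_id(tenant, account_id):
    # Alphabet is an assumption; the page only requires a random 10-character string.
    alphabet = string.ascii_uppercase + string.digits
    unique = "".join(secrets.choice(alphabet) for _ in range(10))
    return f"lweid:aws:v2:{tenant}:{account_id}:{unique}"

def external_id_problems(ext_id, tenant, account_id):
    parts = ext_id.split(":")
    if len(parts) != 6 or parts[:3] != ["lweid", "aws", "v2"]:
        return ["external ID is not lweid:aws:v2:<tenant>:<account>:<id>"]
    checks = [(parts[3] == tenant, "tenant name mismatch"),
              (parts[4] == account_id, "AWS account ID mismatch"),
              (len(parts[5]) == 10, "unique ID is not 10 characters")]
    return [msg for ok, msg in checks if not ok]

def check_trust_policy(policy, tenant, account_id):
    """Return a list of problems; an empty list means the policy matches the template."""
    problems = []
    stmts = policy.get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if aws != [LACEWORK_PRINCIPAL]:  # any extra or wildcard principal widens trust
            problems.append("principal is not exactly the Lacework role")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            problems.append("action is not exactly sts:AssumeRole")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = as_list(cond.get("sts:ExternalId", []))
        if not ext_ids:  # without it, the role is open to confused-deputy use
            problems.append("no sts:ExternalId condition")
        for ext_id in ext_ids:
            problems += external_id_problems(ext_id, tenant, account_id)
    return problems

def template_policy(ext_id):  # the page's trust policy with the external ID filled in
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Statement", "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": LACEWORK_PRINCIPAL},
        "Condition": {"StringEquals": {"sts:ExternalId": [ext_id]}}}]}
```

To check a real role, load its trust policy JSON with json.load and pass it to check_trust_policy together with your tenant name and AWS account ID.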