Skip to main content

AWS Security Hub Alert Channel

Integrate Lacework with AWS Security Hub to manage your AWS posture and compliance events from a single, consolidated view. Lacework forwards cloud security events from the Lacework Polygraph Data Platform (PDP) to AWS Security Hub via the EventBridge alert channel.

How It Works

The Lacework AWS Security Hub integration uses multiple self-hosted AWS components that transform a Lacework EventBridge alert into a Security Hub finding. This is achieved by using the following AWS services: EventBridge, SQS, and Lambda.

  1. Lacework sends an event to AWS EventBridge through the CloudWatch alert channel.
  2. Amazon EventBridge forwards the event to an SQS queue.
  3. The SQS queue triggers the Lambda function.
  4. The Lambda function transforms the finding(s) and sends them to Security Hub.


Verify the following prerequisites:

  • AWS Security Hub service
  • An AWS subscription to the Lacework AWS Security Hub product
  • A Lacework Polygraph Data Platform SaaS account

Required Roles and Policies

The following roles and policies are required to successfully configure the Amazon Security Hub alert channel:

Expand to view roles

AWS Roles


"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"Service": ""
"Action": "sts:AssumeRole"
Expand to view policies


Version = "2012-10-17"
Statement = [
Action = [
Effect = "Allow"
Resource = arn:aws:securityhub:<REGION>::product/lacework/lacework"

Deploy the Lacework AWS Security Hub Integration with Terraform

Do the following:

  1. Download and extract the Terraform Deployment Package.

  2. Change directory to lacework_security_hub/deploy/terraform

  3. Determine your Lacework instance authentication method (lacework-cli or API key).

    1. Choose the proper profile from the ~/.lacework.toml file, in this case the [default] profile.
    Expand to view example
    account = "example"
    api_key = "EXAMPLE_2222D32AE4750727928E7C84055AAD67C96D8EEED25E3A1"
    api_secret = "_b33ec45d56756tghy46def2321"
    version = 2
    1. Open the file.
    2. Modify the Lacework Terraform provider configuration with the above profile.
    provider "lacework" {
    profile = "default"
    1. In the Lacework Console, go to Settings > API Keys.
    2. Select Add New to add a new API key.
    3. Provide a name and description and click Save.
    4. Select Download from ... to download the API key file.
    5. Copy the keyId and secret from this file.
    Expand to view keyID and secret
    provider "lacework" {
    account = local.lw_instance
    api_key = "EXAMPLE_2222D32AE4750727928E7C84055AAD67C96D8EEED25E3A1"
    api_secret = "_b33ec45d56756tghy46def2321"
  4. Modify the required local variables.

    Expand to view local variables
     # Lacework instance:
    lw_instance = "example"
    # aws_region sets the region for integration deployment (should be the same as your Security Hub instance)
    aws_region = "us-west-2"
    # default_account is the main AWS account id that unknown data sources will be mapped to in Security Hub
    default_account = "1234567890"
    # customer_accounts is the array of customer's AWS accounts that are configured in Lacework,
    customer_accounts = [local.default_account, "2345678901", "3456789012"]
  5. Run terraform init -> terraform plan -> terraform apply

Deploy the Lacework AWS Security Hub Integration with CloudFormation

Do the following:

  1. Log into the AWS master account with Administrator permissions. Select the Launch Stack button to go to your CloudFormation console and launch the AWS Control Integration template.

    Launch Stack

    For most deployments, you need Basic Configuration parameters only. Use the Advanced Configuration for customization.

  2. Specify the following Basic Configuration parameters:

    • Enter a Stack name for the stack.
    • Enter Your Lacework URL.
    • Enter your Lacework Sub-Account Name if you are using Lacework Organizations.
    • Enter your Lacework Access Key ID and Secret Key that you copied from your previous API key file.
    • Enter a Resource Prefix Name for the AWS resources that will be created.
    • For Customer Accounts, enter a comma-separated list of AWS Account IDs that are monitored by Lacework.
    • Choose whether you want to Create Lacework Alert Channel. This will create the Lacework alert channel and rule.
    • Enter the Alert Channel Name.
  3. Click Next through to your stack Review.

  4. Accept the AWS CloudFormation terms and click Create stack.

Validate the Lacework AWS Security Hub Integration

Do the following:

  1. Log in to your Lacework Cloud Security Platform console.
  2. Go to Settings > Alert Channels.
  3. You should see an alert channel with the name lw-sechub-integration and a status of Success.
  4. If the status shows Pending, click Test.

Remove the Lacework AWS Security Hub Integration

You can use your chosen deployment method to remove the integration (Terraform, CloudFormation).


This will remove all AWS components and the Lacework alert channel and rule.


The following sections provide guidance for resolving issues with deploying the Lacework AWS Security Hub integration.

Troubleshooting and FAQ

Lambda Function CloudWatch Logs

The Lambda function that gets deployed will have a CloudWatch log associated with it in the same region it was deployed. You can use this log stream to check the status of your integration. It has the following naming format: /aws/lambda/lw-sechub-integration.

Lacework API Access Keys

The AWS Security Hub integration requires Lacework API credentials in order to automate the creation of the alert channels and alert rules during deployment.


By default, the Lacework AWS Security Hub integration sends error messages to an instance of in order to track issues with findings and use this telemetry to continuously update the event to finding algorithms.

Follow these steps to DISABLE the telemetry:

  1. In your AWS Console, navigate to the lw-sechub-integration Lambda function.
  2. Navigate to the Configuration > Environment variables section.
  3. Select Edit > Add Environment Variable.
  4. Enter the following key: LW_DISABLE_TELEMETRY and value: true.