AWS Security Hub Alert Channel

Integrate Lacework with AWS Security Hub to manage your AWS posture and compliance events from a single, consolidated view. Lacework forwards cloud security events from the Lacework Polygraph Data Platform (PDP) to AWS Security Hub via the EventBridge alert channel.

How It Works

The Lacework AWS Security Hub integration uses multiple self-hosted AWS components that transform a Lacework EventBridge alert into a Security Hub finding. This is achieved by using the following AWS services: EventBridge, SQS, and Lambda.

  1. Lacework sends an event to AWS EventBridge through the CloudWatch alert channel.
  2. Amazon EventBridge forwards the event to an SQS queue.
  3. The SQS queue triggers the Lambda function.
  4. The Lambda function transforms the finding(s) and sends them to Security Hub.
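The transform step in this pipeline, as an added illustration that is not the integration's own code: a Lambda handler that reads the EventBridge events from the SQS records, builds AWS Security Finding Format (ASFF) findings for the Lacework product ARN, maps events from accounts outside the monitored list to the default account (the default_account and customer_accounts semantics used in the Terraform deployment below), and imports them in batches of 100. The Lacework event detail field names (EVENT_ID, EVENT_TYPE, SEVERITY, ACCOUNT_ID, SUMMARY) and the account ids are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed settings mirroring the page's Terraform locals (assumed values, not real accounts)
AWS_REGION = "us-west-2"
DEFAULT_ACCOUNT = "1234567890"
CUSTOMER_ACCOUNTS = {DEFAULT_ACCOUNT, "2345678901", "3456789012"}
PRODUCT_ARN = f"arn:aws:securityhub:{AWS_REGION}::product/lacework/lacework"  # from the lw-sechub-batchimport policy
# Lacework severity names are assumed; the values are the labels ASFF accepts
SEVERITY_MAP = {"Critical": "CRITICAL", "High": "HIGH", "Medium": "MEDIUM", "Low": "LOW", "Info": "INFORMATIONAL"}

def event_to_finding(event):
    """Build one ASFF finding from one EventBridge event (Lacework detail field names assumed)."""
    detail = event["detail"]
    account = detail.get("ACCOUNT_ID", "")
    if account not in CUSTOMER_ACCOUNTS:  # unknown data source: attribute to default_account
        account = DEFAULT_ACCOUNT
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"lacework/{account}/{detail['EVENT_ID']}",  # stable Id so re-imports update, not duplicate
        "ProductArn": PRODUCT_ARN,
        "GeneratorId": detail["EVENT_TYPE"],
        "AwsAccountId": account,
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
        "CreatedAt": event["time"],
        "UpdatedAt": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Severity": {"Label": SEVERITY_MAP.get(detail.get("SEVERITY"), "INFORMATIONAL")},
        "Title": detail["SUMMARY"][:256],  # ASFF field length limits
        "Description": detail["SUMMARY"][:1024],
        "Resources": [{"Type": "AwsAccount", "Id": f"AWS::::Account:{account}"}],
    }

def sqs_records_to_findings(sqs_event):
    """Each SQS record body is the JSON EventBridge event that the rule forwarded to the queue."""
    return [event_to_finding(json.loads(record["body"])) for record in sqs_event["Records"]]

def handler(sqs_event, context, client=None):
    """Lambda entry point; BatchImportFindings accepts at most 100 findings per call."""
    if client is None:
        import boto3  # imported lazily so the transform is testable without AWS credentials
        client = boto3.client("securityhub", region_name=AWS_REGION)
    findings, failed = sqs_records_to_findings(sqs_event), 0
    for start in range(0, len(findings), 100):
        failed += client.batch_import_findings(Findings=findings[start:start + 100])["FailedCount"]
    return {"imported": len(findings) - failed, "failed": failed}

# Constructed sample: one SQS record wrapping a Lacework-style event from an unmonitored account
SAMPLE_SQS_EVENT = {"Records": [{"body": json.dumps({"time": "2024-01-01T00:00:00Z", "detail": {
    "EVENT_ID": "123", "EVENT_TYPE": "NewUser", "SEVERITY": "High",
    "ACCOUNT_ID": "9999999999", "SUMMARY": "New user observed"}})}]}
```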

Prerequisites

Verify the following prerequisites:

  • AWS Security Hub service
  • An AWS subscription to the Lacework AWS Security Hub product
  • A Lacework Polygraph Data Platform SaaS account

Required Roles and Policies

The following roles and policies are required to successfully configure the Amazon Security Hub alert channel:

AWS Roles

lw-sechub-role

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
AWS Policies

lw-sechub-batchimport

    {
      Version = "2012-10-17"
      Statement = [
        {
          Action = [
            "securityhub:BatchImportFindings",
          ]
          Effect   = "Allow"
          Resource = "arn:aws:securityhub:<REGION>::product/lacework/lacework"
        },
      ]
    }

Deploy the Lacework AWS Security Hub Integration with Terraform

Do the following:

  1. Download and extract the Terraform Deployment Package.

  2. Change directory to lacework_security_hub/deploy/terraform

  3. Determine your Lacework instance authentication method (lacework-cli or API key).

    lacework-cli

    1. Choose the proper profile from the ~/.lacework.toml file, in this case the [default] profile:

       [default]
       account = "example"
       api_key = "EXAMPLE_2222D32AE4750727928E7C84055AAD67C96D8EEED25E3A1"
       api_secret = "_b33ec45d56756tghy46def2321"
       version = 2

    2. Open the main.tf file.
    3. Modify the Lacework Terraform provider configuration with the above profile:

       provider "lacework" {
         profile = "default"
       }

    API key

    1. In the Lacework Console, go to Settings > API Keys.
    2. Select Add New to add a new API key.
    3. Provide a name and description and click Save.
    4. Select Download from ... to download the API key file.
    5. Copy the keyId and secret from this file into the Lacework Terraform provider configuration in main.tf:

       provider "lacework" {
         account = local.lw_instance
         api_key = "EXAMPLE_2222D32AE4750727928E7C84055AAD67C96D8EEED25E3A1"
         api_secret = "_b33ec45d56756tghy46def2321"
       }
  4. Modify the required local variables:

       # Lacework instance: example.lacework.net
       lw_instance = "example"
       # aws_region sets the region for integration deployment (should be the same as your Security Hub instance)
       aws_region = "us-west-2"
       # default_account is the main AWS account id that unknown data sources will be mapped to in Security Hub
       default_account = "1234567890"
       # customer_accounts is the array of the customer's AWS accounts that are configured in Lacework
       customer_accounts = [local.default_account, "2345678901", "3456789012"]

  5. Run terraform init, then terraform plan, then terraform apply.

Deploy the Lacework AWS Security Hub Integration with CloudFormation

Do the following:

  1. Log into the AWS master account with Administrator permissions. Select the Launch Stack button to go to your CloudFormation console and launch the AWS Control Integration template.

    For most deployments, you need Basic Configuration parameters only. Use the Advanced Configuration for customization.

  2. Specify the following Basic Configuration parameters:

    • Enter a Stack name for the stack.
    • Enter Your Lacework URL.
    • Enter your Lacework Sub-Account Name if you are using Lacework Organizations.
    • Enter your Lacework Access Key ID and Secret Key that you copied from your previous API key file.
    • Enter a Resource Prefix Name for the AWS resources that will be created.
    • For Customer Accounts, enter a comma-separated list of AWS Account IDs that are monitored by Lacework.
    • Choose whether you want to Create Lacework Alert Channel. This will create the Lacework alert channel and rule.
    • Enter the Alert Channel Name.
  3. Click Next through to your stack Review.

  4. Accept the AWS CloudFormation terms and click Create stack.

Validate the Lacework AWS Security Hub Integration

Do the following:

  1. Log in to your Lacework Cloud Security Platform console.
  2. Go to Settings > Alert Channels.
  3. You should see an alert channel with the name lw-sechub-integration and a status of Success.
  4. If the status shows Pending, click Test.

Remove the Lacework AWS Security Hub Integration

You can use your chosen deployment method to remove the integration (Terraform, CloudFormation).

Note: This will remove all AWS components and the Lacework alert channel and rule.

Troubleshooting

The following sections provide guidance for resolving issues with deploying the Lacework AWS Security Hub integration.

Troubleshooting and FAQ

Lambda Function CloudWatch Logs

The deployed Lambda function writes to a CloudWatch log group in the same region in which it was deployed. You can use this log group to check the status of your integration. It has the following naming format: /aws/lambda/lw-sechub-integration.

Lacework API Access Keys

The AWS Security Hub integration requires Lacework API credentials in order to automate the creation of the alert channels and alert rules during deployment.

Telemetry

By default, the Lacework AWS Security Hub integration sends error messages to an instance of honeycomb.io in order to track issues with findings and uses this telemetry to continuously update the event-to-finding algorithms.

Follow these steps to DISABLE the telemetry:

  1. In your AWS Console, navigate to the lw-sechub-integration Lambda function.
  2. Navigate to the Configuration > Environment variables section.
  3. Select Edit > Add Environment Variable.
  4. Enter the following key: LW_DISABLE_TELEMETRY and value: true.