Google Cloud Pub/Sub Alert Channel
Configure Lacework to forward events to the Google Cloud Pub/Sub asynchronous messaging service using the Lacework Google Cloud Pub/Sub alert channel.
For more information about Google Cloud's asynchronous messaging service, see Google Cloud Pub/Sub.
Prerequisites
Complete the following prerequisites:
- Enable the Resource Manager API for the Google Cloud Project you want to send Lacework events to. This is available in the API Library on Google Cloud.
- Create a topic and a subscription in the Google Cloud Pub/Sub to receive the Lacework events. For instructions, see Create a topic and Add a subscription.
- Create a Custom IAM Role with the following permissions:
pubsub.topics.publish
resourcemanager.projects.get - Create a new service account, using the custom IAM role created in Step 2, and download the Service Account credentials as a JSON file as described in Setting up authentication.
Lacework recommends downloading a JSON file that contains credential information including your service account key rather than entering the credential information manually in the Lacework Console. You can then upload this JSON file when creating the Lacework Google Cloud Pub/Sub alert channel in the Lacework Console to populate the credential information as described in the process below.
Create a Google Cloud Pub/Sub Alert Channel
Do the following:
Log in to the Lacework Console as a Lacework user with administrative privileges.
Go to Settings > Notifications > Alert channels.
Click + Add new.
Select GCP Pub/Sub.
Click Next.
Ensure you have configured the perquisites as described in Prerequisites.
In the Name field, enter a name for the channel that is visible in the Lacework Console.
Click Choose File to select the JSON file that contains credential information including your service account key as described in the previous section.
From the Group Issues by drop-down, select one of the options:
- Events - Select this option if you want a single Google Cloud message to be created when compliance events of the same type but from different resources are detected by Lacework. For example, if three different S3 resources are generating the same compliance event, only one Google Cloud message is created.
- Resources - Select this option if you want multiple Google Cloud messages to be created when multiple resources are generating the same compliance event. For example, if three different S3 resources are generating the same compliance event, three Google Cloud messages are created.
If you did not upload the JSON file, enter values for following credential fields:
- Client ID
- Private Key ID
- Client Email
- Private Key
- Project ID
In the Topic ID field, enter the Google Cloud topic ID that you are using in your Google Cloud Pub/Sub (eg:
lacework-alerts).noteDo not use the fully qualified path, only use the ID provided when you created the topic.
Click Save.
Click Alert rules and configure your required alert routing details/options by leveraging the alert channel you created.
Create a Lacework Google Cloud Pub/Sub Alert Channel Using Terraform
For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework alert channels using automation.
Google Cloud Credentials
# Configure Google Cloud credentials
locals {
gcp_credentials = jsondecode(file("/path/to/creds.json"))
}
# Configure Google Cloud Pub/Sub Alert Channel in Lacework
resource "lacework_alert_channel_gcp_pub_sub" "example" {
name = "gcp-pub_sub"
project_id = "lacework-191923"
topic_id = "lacework-alerts"
credentials {
client_id = local.gcp_credentials["client_id"]
client_email = local.gcp_credentials["client_email"]
private_key_id = local.gcp_credentials["private_key_id"]
private_key = local.gcp_credentials["private_key"]
}
}
Additional information on the lacework_alert_channel_gcp_pub_sub resource can be found on the Terraform Registry.