Up and Running with Lacework Terraform Modules for AWS
In the last edition of Up and Running with Lacework, we showed you how to get going with the Terraform Provider for Lacework. Here we build on that post to show you how to use Lacework’s Terraform Modules for AWS to integrate an AWS environment for cloud resource configuration assessments (compliance) and for AWS CloudTrail analysis.
Overview of AWS CloudTrail and Compliance Integration
Lacework integrates with AWS to analyze CloudTrail for monitoring cloud account security, and for continuous compliance assessments of cloud resource configuration. This integration requires both resources and configuration on the customer side, and configuration in the Lacework platform.
For organizations who have adopted Terraform for automating their AWS environments, Lacework develops a set of ready-to-use Terraform Modules for AWS that make that integration a breeze. These modules are designed to work together, but also have flexibility to customize as needed.
Prerequisites
To follow along with this tutorial you will need the following:
- A Lacework Account
- An AWS Account with administrator privileges
- Terraform – v0.12.26+, v0.13+, v0.14+
Additionally, this tutorial assumes you are familiar with the Terraform Provider for AWS, and the Terraform Provider for Lacework. If you need a refresher on the Terraform provider for Lacework check out Up and Running with the Terraform Provider for Lacework.
The next sections cover AWS Configuration Compliance and CloudTrail integration with Lacework using Terraform.
AWS Configuration Compliance
For Lacework to run continuous compliance assessments on resources in your AWS account, an IAM Role is required with a cross-account policy that grants Lacework read-only access to your account using the AWS managed SecurityAudit policy.
There are two Terraform Modules that are required to get this integration in place:
- terraform-aws-iam-role – A Terraform module that creates an IAM role with a cross-account policy for Lacework, as well as an external ID Lacework uses when assuming the role.
- terraform-aws-config – A Terraform module that attaches the SecurityAudit policy to an IAM Role
By default, the terraform-aws-config module calls the terraform-aws-iam-role module, but this is configurable using the module inputs.
AWS Configuration Integration with Terraform
In this next section we will use Terraform to integrate an AWS account with Lacework for continuous cloud resource configuration assessments.
The code snippet below does the following:
- Creates an IAM Role named “lw-iam-[unique generated string]”
- Generates a 16-character External ID
- Attaches an Assume Role policy to the IAM Role with Lacework as the principal
- Configures a Cloud Account integration in Lacework named “TF config”
Module defaults can be customized using module inputs.
terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

provider "aws" {
  # Configuration options
  region = "YourRegionOfExistingCloudTrail"
}

provider "lacework" {
  # Configuration options
}

module "config" {
  source = "lacework/config/aws"
}

Terraform Setup
Before running Terraform, copy and paste the code into your editor of choice:
- Open a code editor of choice and create a file called main.tf
- Copy the code snippet above and paste it into main.tf
- Save the file
Terraform init
- Open a Terminal and make sure you are in the directory containing your main.tf file
- Run terraform init to initialize the project and download the required modules
Terraform apply
- In the Terminal, run terraform apply
- Review the changes
- Type yes to allow Terraform to execute the changes
Validate Changes
After Terraform finishes executing, you can view the new IAM Role in your AWS account:
- Log in to the AWS console
- Navigate to IAM -> Roles and search for “lw-iam” to see the new role created for Lacework
- Click on the Permissions Tab and the Trust Relationships Tab to view the permissions granted to Lacework
To validate the integration in Lacework, run lacework integration list --type AWS_CFG with the Lacework CLI:

$ lacework integration list --type AWS_CFG
                   INTEGRATION GUID                          NAME       TYPE     STATUS   STATE
-----------------------------------------------------------+-----------+---------+---------+--------
  LWINTSCO_772DB58EE12801505456C09F3E5094D6F94FFD5C12EDBE1   TF config   AWS_CFG   Enabled   Ok

The integration can also be found in the Lacework Console by logging into your account and navigating to Settings -> Cloud Accounts.
With AWS integrated with Lacework for continuous compliance assessments, we are now ready to dive into CloudTrail integration.
AWS CloudTrail Integration with Terraform
Lacework integrates with AWS CloudTrail to provide continuous, automated API behavior analysis of CloudTrail events. The integration leverages the same IAM Role deployed for Lacework, but will attach a custom policy to provide Lacework read-only access to the trail.
To integrate AWS CloudTrail with Lacework using Terraform we just need one more module, which is designed to work with the two modules we just used for the AWS Config integration:
- terraform-aws-cloudtrail – A Terraform module that deploys a new CloudTrail, or integrates an existing CloudTrail with Lacework.
The terraform-aws-cloudtrail module is designed to handle the following deployment scenarios:
- Deploy and integrate a new CloudTrail
- Integrate an existing CloudTrail
- Deploy and integrate a new consolidated CloudTrail
- Integrate an existing consolidated CloudTrail
The most common deployment scenario is the integration of an existing CloudTrail with Lacework, and that is what we will tackle here in the following sections.
To learn more about any of the other deployment scenarios read AWS Config and CloudTrail Integration with Terraform on our documentation site.
AWS CloudTrail provides an option to create an SNS topic, which is required to integrate AWS environments with Lacework. Lacework’s Terraform Module for CloudTrail by default will create a new SNS topic. The SNS topic must be created in the same region as the existing CloudTrail, and it must be manually attached to the CloudTrail by logging into the AWS console, navigating to CloudTrail, and then selecting the new SNS topic.
For this example, we will be attaching a new SNS topic to an existing CloudTrail. If you already have an SNS topic configured on the existing CloudTrail that you want to use with Lacework, you can configure the Terraform module to use it with the input sns_topic_name = "YourSNSTopicName".
Terraform Setup
Since Terraform is idempotent and will only apply changes that need to be applied, we can use the main.tf from the previous section and just add the new module to that file.
The code snippet below does the following:
- Attaches a custom IAM Policy to the IAM Role created by the config module, granting Lacework access to the S3 bucket of the existing CloudTrail
- Deploys a new SNS topic for the existing CloudTrail (this must be deployed in the same region as the existing CloudTrail, which is controlled by the region set on the Terraform Provider for AWS)
- Deploys a new SQS queue for Lacework to read messages about new CloudTrail logs written to the S3 bucket
- Configures a Cloud Account integration in Lacework named “TF cloudtrail”
Module defaults can be customized using module inputs.
module "aws_cloudtrail" {
  source                  = "lacework/cloudtrail/aws"
  use_existing_cloudtrail = true
  bucket_arn              = "YourExistingBucketARN"
  bucket_name             = "YourExistingBucketName"
  use_existing_iam_role   = true
  iam_role_name           = module.config.iam_role_name
  iam_role_arn            = module.config.iam_role_arn
  iam_role_external_id    = module.config.external_id
}

Terraform Setup
Copy and paste the code snippet above into the existing main.tf:
- Open the main.tf file in a code editor
- Copy the code snippet above and paste it into main.tf
- Update bucket_arn with the S3 bucket ARN of your existing CloudTrail
- Update bucket_name with the S3 bucket name of your existing CloudTrail
- Save the file
Terraform init
- Open a Terminal and make sure you are in the directory containing your main.tf file
- Run terraform init again to download the additional module
Terraform apply
- In the Terminal, run terraform apply
- Review the changes
- Type yes to allow Terraform to execute the changes
Attach SNS Topic to CloudTrail
Terraform does not provide the ability to attach a new SNS topic to the existing CloudTrail. You will need to manually attach it in the console.
- Log in to the AWS console
- Navigate to CloudTrail and select the CloudTrail being integrated with Lacework
- Click Edit and scroll down to SNS notification delivery
- Check the Enabled checkbox
- Choose Existing and search for an SNS topic named “lacework-ct-sns”
- Save changes
Validate Changes
To view the new changes to the IAM Role:
- Log in to the AWS console
- Navigate to IAM -> Roles and search for “lw-iam” to see the new role created for Lacework
- Click on the Permissions Tab and click on the custom policy created for Lacework to view the details
To validate the integration in Lacework, run lacework integration list --type AWS_CT_SQS with the Lacework CLI:

$ lacework integration list --type AWS_CT_SQS
                   INTEGRATION GUID                            NAME          TYPE       STATUS   STATE
-----------------------------------------------------------+---------------+------------+---------+--------
  LWINTSCO_B305468265DF1E136202AB9D4C5E7D1911DD204A9C76199   TF cloudtrail   AWS_CT_SQS   Enabled   Ok

The integration can also be found in the Lacework Console by logging into your account and navigating to Settings -> Cloud Accounts.
With that, we have AWS integrated with Lacework for continuous compliance assessments and continuous CloudTrail behavior analysis.
Conclusion
This tutorial is just an example of all that you can do with the Lacework Terraform Modules for AWS. Not covered in this tutorial is the concept of version pinning Terraform modules, or saving Terraform state for collaborating across teams, but both are important topics, and you should not hesitate to discuss them further with Lacework support.
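As an added example (not code from the original post or from Lacework's modules), here is the config and cloudtrail modules from the two sections above combined into a single main.tf that also pins provider and module versions and stores state remotely, the two topics the conclusion mentions. The version constraints are placeholders to replace with the releases you have tested, and the backend bucket and lock table names are hypothetical and must already exist.

```hcl
# Added example, not from the original post: both modules in one main.tf with
# pinned versions and remote state. Version constraints are placeholders to
# replace with the releases you have tested; backend names are hypothetical.
terraform {
  required_providers {
    aws      = { source = "hashicorp/aws", version = "~> 3.0" }     # placeholder
    lacework = { source = "lacework/lacework", version = "~> 0.2" } # placeholder
  }

  # Remote state so the team shares one state file and apply runs are locked.
  backend "s3" {
    bucket         = "example-tfstate-bucket" # hypothetical, must already exist
    key            = "lacework/aws/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "example-tfstate-lock"   # hypothetical, must already exist
    encrypt        = true
  }
}

variable "cloudtrail_bucket_name" {
  description = "S3 bucket name of the existing CloudTrail"
  type        = string
}

provider "aws" {
  region = "us-east-1" # must be the region of the existing CloudTrail
}

provider "lacework" {}

module "config" {
  source  = "lacework/config/aws"
  version = "~> 0.1" # placeholder: pin to the release you tested
}

module "aws_cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 0.1" # placeholder: pin to the release you tested

  use_existing_cloudtrail = true
  bucket_name             = var.cloudtrail_bucket_name
  bucket_arn              = "arn:aws:s3:::${var.cloudtrail_bucket_name}"
  # sns_topic_name        = "YourSNSTopicName" # uncomment to reuse a topic already on the trail

  use_existing_iam_role = true
  iam_role_name         = module.config.iam_role_name
  iam_role_arn          = module.config.iam_role_arn
  iam_role_external_id  = module.config.external_id
}
```

Running terraform init against this file downloads exactly the pinned module and provider releases, so a later terraform apply by a teammate against the shared state produces the same plan.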
Stay tuned for more Up and Running with Lacework where we will dive into more automation topics. Until then…
Happy automating!