AWS Marketplace

Securing your AWS Control Tower multi-account environment with Lacework

For enterprise organizations, managing security and governance across hundreds or thousands of accounts can be challenging. AWS Control Tower and Lacework make this task much easier and enable seamless multi-account cloud security. By using Lacework in your AWS Control Tower environment, you can automatically and consistently apply security best practices and monitoring to new accounts across your organization. Account administrators can automatically add Lacework’s security auditing and monitoring to new AWS accounts. Lacework’s AWS Control Tower integration manages the required Lacework and AWS account configurations that enable access to AWS configuration and AWS CloudTrail (CloudTrail) logs.

Solution overview: Securing your AWS Control Tower multi-account environment with Lacework

Lacework provides the Lacework AWS Control Tower integration, which is available as AWS CloudFormation templates and AWS Lambda functions. This open-source solution is available for you to review in GitHub.

On initial setup, the Lacework AWS Control Tower integration runs an AWS CloudFormation stack to create a new AWS Identity and Access Management (IAM) cross-account role in the Log Archive account. It also creates a new Amazon Simple Queue Service (Amazon SQS) queue in the Audit account. The SQS queue enables Lacework to receive notifications of new audit logs in Amazon S3 from the centralized CloudTrail, which collects activity from all accounts. Lacework processes these logs for behavior analysis for all AWS accounts.

The following architecture setup diagram shows an Administrator running the AWS CloudFormation template that triggers two AWS CloudFormation StackSets. The Log Archive StackSet creates a cross-account role in the Log Archive account, which enables Lacework to read centralized CloudTrail logs from a central S3 bucket. The Audit StackSet instance creates an SQS queue, enabling Lacework to receive notifications of new audit logs in S3 in the centralized CloudTrail bucket. Refer to the following diagram.

Diagram illustrating the architectural flow once an Admin triggers the Lacework solution using AWS CloudFormation

For new AWS accounts in your organization, AWS Control Tower triggers the Lacework integration through AWS Control Tower lifecycle events via Amazon CloudWatch (CloudWatch) events. A Lambda function launches a stack instance that creates a new cross-account role in the new account and enables Lacework to monitor the account via AWS APIs. The combination of CloudTrail log analysis and AWS API access enables Lacework to check your cloud activity and AWS configuration to detect security misconfigurations and anomalous behavior.

The following diagram shows an Administrator creating an account using AWS Control Tower, which triggers a Lifecycle event rule in Amazon EventBridge. That rule invokes a Lambda function that creates a cross-account role enabling Lacework to read the configuration of the account. This cross-account role is passed to Lacework through an Amazon Simple Notification Service (Amazon SNS) custom resource.

Diagram illustrating architectural flow that automatically subscribes a newly enrolled AWS account to Lacework security solution

The complete architecture is available in this Implementation Guide: Lacework Cloud Security Platform with AWS Control Tower.
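As an added example that is not part of this post or Lacework's published templates, the following Python Lambda handler shows the lifecycle-event step described above: it matches the AWS Control Tower CreateManagedAccount event, ignores anything that is not a successful account creation, and launches a stack-set instance in the new account so the cross-account role gets created there. The STACK_SET_NAME environment variable, the sample event and the account id are assumptions constructed for the example.

```python
import os
import re

# EventBridge rule pattern that delivers Control Tower lifecycle events to the Lambda.
LIFECYCLE_EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount"]},
}

# Constructed sample of a successful CreateManagedAccount event (fictitious account id).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {
        "createManagedAccountStatus": {"state": "SUCCEEDED",
                                       "account": {"accountId": "111122223333"}}}},
}

def parse_lifecycle_event(event):
    """Return the new account id for a successful CreateManagedAccount event, else None."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower" or detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":  # FAILED or IN_PROGRESS: nothing to enroll yet
        return None
    account_id = status.get("account", {}).get("accountId", "")
    return account_id if re.fullmatch(r"\d{12}", account_id) else None

def enroll_account(account_id, region, stack_set_name, cfn_client):
    """Launch a stack-set instance in the new account; that instance creates the cross-account role."""
    resp = cfn_client.create_stack_instances(
        StackSetName=stack_set_name, Accounts=[account_id], Regions=[region]
    )
    return resp["OperationId"]

def handler(event, context=None, cfn_client=None):
    """Lambda entry point; cfn_client is injectable so the logic can be exercised offline."""
    account_id = parse_lifecycle_event(event)
    if account_id is None:
        return {"status": "ignored"}
    if cfn_client is None:
        import boto3  # only needed when running inside Lambda
        cfn_client = boto3.client("cloudformation")
    # STACK_SET_NAME is an assumed environment variable; the default is a placeholder.
    op_id = enroll_account(account_id, os.environ.get("AWS_REGION", "us-east-1"),
                           os.environ.get("STACK_SET_NAME", "PLACEHOLDER-stack-set"), cfn_client)
    return {"status": "enrolled", "account_id": account_id, "operation_id": op_id}
```

Events for other lifecycle actions, or a CreateManagedAccount that has not yet reached SUCCEEDED, are returned as ignored so the Lambda never launches a stack instance into an account that does not exist yet.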


You need the following prerequisites to implement this Lacework AWS Control Tower integration.

Solution walkthrough

The following steps set up Lacework’s AWS Control Tower integration to monitor newly enrolled AWS accounts and, if specified, existing active AWS accounts as well.

Step 1: Generate a Lacework API access key

  1. Get the link for your Lacework console from your Security Administrator, who will have received the link from their Lacework contact through email. In your Lacework console left panel, go to Settings and then choose API Keys. To create a new API key, in the upper right, choose Create New. Enter a Name and Description and select Save.
  2. To download a keys file, next to your API key, choose the download icon. Copy the keyId and secret from this file.

Step 2: Deploy the AWS CloudFormation template

  1. Navigate to your CloudFormation console. Make sure you are in your AWS Control Tower home Region.
  2. On the Specify Stack Details screen, provide the following values.
    • Enter a Stack name for the stack.
    • Enter your Lacework Account Name from your Lacework URL <account>.
    • Enter your Lacework Access Key ID and Secret Key from step 1.1.
    • For Capability Type, the recommendation is to use CloudTrail+Config for the best capabilities.
    • Select whether you want to Monitor Existing Accounts.
    • If your CloudTrail S3 logs are encrypted, specify the AWS Key Management Service (AWS KMS) Key Identifier Amazon Resource Name (ARN).
    • Update the AWS Control Tower Log Account Name and Audit Account Name if necessary.
  3. On the Configure stack options screen, keep the default values. Select Next.
  4. On the review screen, check the checkbox stating I acknowledge that AWS CloudFormation might create IAM resources. Select Create stack. Wait for the stack to complete.

Step 3: Validate Lacework AWS Control Tower integration

  1. In your Lacework console, on the left panel, go to Settings and then Cloud Accounts.
  2. You should see a list of AWS accounts that are now being monitored by Lacework.

Monitoring your multi-account AWS environment with Lacework

After completing the Lacework AWS Control Tower integration setup, your security engineer can begin monitoring a visual summary of the CloudTrail, network, user, and process events ingested by Lacework. This includes the modeled entity behaviors and the security events. To do this, do the following:

  1. Sign in to your Lacework Account. On the left panel, select Dashboard.
  2. On the right panel, under Security Posture, you should see your current security posture depicting incoming data, critical alerts, events detected and entity behaviors.

The following screenshot shows the security posture dashboard depicting security data and results. It shows 1.05M in incoming data, 67.9K entity behaviors, 4 critical/high events, and 100 events detected.

Screenshot showing the Lacework security posture dashboard


In this blog post, I showed you how to install and use Lacework’s AWS Control Tower integration to increase the security of your multi-account environment. Get started now with the Lacework Cloud Security Platform in AWS Marketplace.

Contents of this post were validated to work on the publishing date. The code and templates in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.

About the authors

Jeff Fry is a Senior Alliances Solution Architect at Lacework and is passionate about helping technology partners build amazing solutions with Lacework. Jeff has spent several years working in technology partnerships at ExtraHop, CloudBees and JFrog. He held various roles from engineer to alliances manager.

Michael Musselman leads global technology and cloud service strategic alliances at Lacework for the past two years. Previous roles include leading business development, sales engineering, consulting, training, and technical support functions over the last 20 years.

Pranjal Gururani is a Solutions Architect at AWS based out of Seattle. Pranjal works with various customers to architect cloud solutions that address their business challenges. He enjoys hiking, kayaking, skydiving, and spending time with family during his spare time.