Securing your AWS Control Tower multi-account environment with Lacework
For enterprise organizations, managing security and governance across hundreds or thousands of accounts can be challenging. AWS Control Tower and Lacework make this task much easier and enable seamless multi-account cloud security. By using Lacework in your AWS Control Tower environment, you can automatically and consistently apply security best practices and monitoring to new accounts across your organization. Account administrators can automatically add Lacework’s security auditing and monitoring to new AWS accounts. Lacework’s AWS Control Tower integration manages the required Lacework and AWS account configurations that enable access to AWS configuration and AWS CloudTrail (CloudTrail) logs.
Solution overview: Securing your AWS Control Tower multi-account environment with Lacework
Lacework provides the Lacework AWS Control Tower integration, which is available as AWS CloudFormation templates and AWS Lambda functions. This open-source solution is available for you to review on GitHub.
On initial setup, the Lacework AWS Control Tower integration runs an AWS CloudFormation stack to create a new AWS Identity and Access Management (IAM) cross-account role in the Log Archive account. It also creates a new Amazon Simple Queue Service (Amazon SQS) queue in the Audit account. The SQS queue enables Lacework to receive notifications of new audit logs in Amazon S3 from the centralized CloudTrail, which collects activity from all accounts. Lacework processes these logs for behavior analysis for all AWS accounts.
The following architecture setup diagram shows an Administrator running the AWS CloudFormation template that triggers two AWS CloudFormation StackSets. The Log Archive StackSet creates a cross-account role in the Log Archive account, which enables Lacework to read centralized CloudTrail logs from a central S3 bucket. The Audit StackSet instance creates an SQS queue, enabling Lacework to receive notifications of new audit logs in the centralized CloudTrail S3 bucket.
For new AWS accounts in your organization, AWS Control Tower triggers the Lacework integration through AWS Control Tower lifecycle events via Amazon CloudWatch (CloudWatch) events. A Lambda function launches a stack instance that creates a new cross-account role in the new account and enables Lacework to monitor the account via AWS APIs. The combination of CloudTrail log analysis and AWS API access enables Lacework to check your cloud activity and AWS configuration to detect security misconfigurations and anomalous behavior.
The following diagram shows an Administrator creating an account using AWS Control Tower, triggering a Lifecycle event rule in Amazon EventBridge. That rule invokes a Lambda function that creates a cross-account role, which enables Lacework to read the configuration of the account. This cross-account role is passed to Lacework through an Amazon Simple Notification Service (Amazon SNS) custom resource.
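The lifecycle hook described above, as an added example that is not Lacework's or AWS's own code: a Lambda-style handler that accepts only successful AWS Control Tower CreateManagedAccount events and creates a StackSet instance in the new account. The StackSet name, the sample event values and the stand-in CloudFormation client are constructed assumptions (a real deployment would pass a boto3 client); any other lifecycle event, or a failed enrollment, is ignored rather than acted on.

```python
"""Enrol a newly created AWS Control Tower account into a StackSet."""

# Constructed sample event in the AWS Control Tower lifecycle-event shape.
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "state": "SUCCEEDED",
                "account": {"accountName": "workload-01", "accountId": "111122223333"},
                "organizationalUnit": {"organizationalUnitName": "Workloads"},
            }
        },
    },
}


def extract_new_account(event):
    """Return the new account id, or None unless this is a successful CreateManagedAccount."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None  # failed or still-running enrollments get no cross-account role
    return status.get("account", {}).get("accountId")


def enrol_account(event, cfn_client, stack_set_name, region):
    """Create a StackSet instance in the new account; returns the operation id or None."""
    account_id = extract_new_account(event)
    if account_id is None:
        return None
    resp = cfn_client.create_stack_instances(
        StackSetName=stack_set_name, Accounts=[account_id], Regions=[region]
    )
    return resp["OperationId"]


class FakeCloudFormation:
    """Offline stand-in for boto3's CloudFormation client (assumption, not AWS code)."""

    def __init__(self):
        self.calls = []

    def create_stack_instances(self, **kwargs):
        self.calls.append(kwargs)
        return {"OperationId": "op-constructed-0001"}


if __name__ == "__main__":
    fake = FakeCloudFormation()
    print(enrol_account(SAMPLE_EVENT, fake, "Lacework-Member-Role", "us-east-1"))
```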
The complete architecture is available in this Implementation Guide: Lacework Cloud Security Platform with AWS Control Tower.
You need the following prerequisites to implement this Lacework AWS Control Tower integration.
- A fully deployed AWS Control Tower environment. For information about setting up an AWS Control Tower landing zone, see Getting Started with AWS Control Tower.
- Administrator privileges in the AWS Control Tower management account
- A Lacework Cloud Security Platform SaaS account. The Lacework Cloud Security Platform is available in AWS Marketplace.
The following steps set up Lacework’s AWS Control Tower integration to monitor newly enrolled AWS accounts and, if specified, existing active AWS accounts.
Step 1: Generate a Lacework API access key
- Get the link for your Lacework console from your Security Administrator, who will have received the link from their Lacework contact through email. In your Lacework console left panel, go to Settings and then choose API Keys. To create a new API key, in the upper right, choose Create New. Enter a Name and Description and select Save.
- To download a keys file, next to your API key, choose the download icon. Copy the keyId and secret from this file.
Step 2: Deploy the AWS CloudFormation template
- Navigate to your CloudFormation console. Make sure you are in your AWS Control Tower home Region.
- On the Specify Stack Details screen, provide the following values.
  - Enter a Stack name for the stack.
  - Enter your Lacework Account Name from your Lacework URL (<account-name>.lacework.net).
  - Enter your Lacework Access Key ID and Secret Key from step 1.1.
  - For Capability Type, the recommendation is to use CloudTrail+Config for the best capabilities.
  - Select whether you want to Monitor Existing Accounts.
  - If your CloudTrail S3 logs are encrypted, specify the AWS Key Management Service (AWS KMS) Key Identifier Amazon Resource Name (ARN).
  - Update the AWS Control Tower Log Account Name and Audit Account Name if necessary.
- On the Configure stack options screen, keep the default values. Select Next.
- On the review screen, check the checkbox stating I acknowledge that AWS CloudFormation might create IAM resources. Select Create stack. Wait for the stack to complete.
Step 3: Validate Lacework AWS Control Tower integration
- In your Lacework console, on the left panel, go to Settings and then Cloud Accounts.
- You should see a list of AWS accounts that are now being monitored by Lacework.
Monitoring your multi-account AWS environment with Lacework
After completing the Lacework AWS Control Tower integration setup, your security engineer can begin monitoring a visual summary of the CloudTrail, network, user, and process events ingested by Lacework. This includes the modeled entity behaviors and the security events. To do this, do the following:
- Sign into your Lacework Account. On the left panel, select Dashboard.
- On the right panel, under Security Posture, you should see your current security posture depicting incoming data, critical alerts, events detected, and entity behaviors.
The following screenshot shows the security posture dashboard depicting security data and results. It shows 1.05M in incoming data, 67.9K entity behaviors, 4 critical/high events, and 100 events detected.
In this blog post, I showed you how to install and use Lacework’s AWS Control Tower integration to increase security of your multi-account environment. Get started now with the Lacework Cloud Security Platform in AWS Marketplace.
Contents of this post were validated to work on the publishing date. The code and templates in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.
About the authors