Terraform module for configuring an integration with Lacework and AWS for cloud resource configuration assessment.
| Name | Version |
|---|---|
| terraform | >= 0.14 |
| aws | >= 3.35.0 |
| lacework | ~> 2.0 |
| random | >= 2.1 |
| time | ~> 0.7 |
| Name | Version |
|---|---|
| aws | >= 3.35.0 |
| lacework | ~> 2.0 |
| random | >= 2.1 |
| time | ~> 0.7 |
| Name | Source | Version |
|---|---|---|
| lacework_cfg_iam_role | lacework/iam-role/aws | ~> 0.4 |
| Name | Type |
|---|---|
| aws_iam_policy.lacework_audit_policy | resource |
| aws_iam_role_policy_attachment.lacework_audit_policy_attachment | resource |
| aws_iam_role_policy_attachment.security_audit_policy_attachment | resource |
| lacework_integration_aws_cfg.default | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| aws_iam_policy_document.lacework_audit_policy | data source |
| lacework_metric_module.lwmetrics | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| external_id_length | Deprecated - Will be removed on our next major release v1.0.0 | number |
16 |
no |
| iam_role_arn | The IAM role ARN is required when setting use_existing_iam_role to true |
string |
"" |
no |
| iam_role_external_id | The external ID configured inside the IAM role is required when setting use_existing_iam_role to true |
string |
"" |
no |
| iam_role_name | The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to true |
string |
"" |
no |
| lacework_audit_policy_name | The name of the custom audit policy (which extends SecurityAudit) to allow Lacework to read configs. Defaults to lwaudit-policy-${random_id.uniq.hex} when empty | string |
"" |
no |
| lacework_aws_account_id | The Lacework AWS account that the IAM role will grant access | string |
"434813966438" |
no |
| lacework_integration_name | The name of the integration in Lacework | string |
"TF config" |
no |
| permission_boundary_arn | Optional - ARN of the policy that is used to set the permissions boundary for the role. | string |
null |
no |
| tags | A map/dictionary of Tags to be assigned to created resources | map(string) |
{} |
no |
| use_existing_iam_role | Set this to true to use an existing IAM role | bool |
false |
no |
| use_existing_iam_role_policy | Set this to true to use an existing policy on the IAM role, rather than attaching a new one |
bool |
false |
no |
| wait_time | Amount of time to wait before the next resource is provisioned | string |
"10s" |
no |
| Name | Description |
|---|---|
| external_id | The External ID configured into the IAM role |
| iam_role_arn | The IAM Role ARN |
| iam_role_name | The IAM Role name |
| lacework_integration_guid | The GUID for the created Lacework integration |
The Lacework audit policy extends the SecurityAudit policy to facilitate the reading of additional configuration resources. The audit policy is comprised of the following permissions:
| sid | actions | resources |
|---|---|---|
| GetEbsEncryptionByDefault | ec2:GetEbsEncryptionByDefault | * |
| GetBucketPublicAccessBlock | s3:GetBucketPublicAccessBlock | * |
| EFS | elasticfilesystem:DescribeFileSystemPolicy | * |
| elasticfilesystem:DescribeLifecycleConfiguration | ||
| elasticfilesystem:DescribeAccessPoints | ||
| elasticfilesystem:DescribeAccountPreferences | ||
| elasticfilesystem:DescribeBackupPolicy | ||
| elasticfilesystem:DescribeReplicationConfigurations | ||
| elasticfilesystem:ListTagsForResource | ||
| EMR | elasticmapreduce:ListBootstrapActions | * |
| elasticmapreduce:ListInstanceFleets | ||
| elasticmapreduce:ListInstanceGroups | ||
| SAGEMAKER | sagemaker:GetModelPackageGroupPolicy | * |
| sagemaker:GetLineageGroupPolicy | ||
| IDENTITYSTORE | identitystore:DescribeGroup | * |
| identitystore:DescribeGroupMembership | ||
| identitystore:DescribeUser | ||
| identitystore:ListGroupMemberships | ||
| identitystore:ListGroupMembershipsForMember | ||
| identitystore:ListGroups | ||
| identitystore:ListUsers | ||
| SSO | sso:DescribeAccountAssignmentDeletionStatus | * |
| sso:DescribeInstanceAccessControlAttributeConfiguration | ||
| sso:GetInlinePolicyForPermissionSet | ||
| GLACIER | glacier:ListTagsForVault | * |
| APIGATEWAY | apigateway:GET | arn:aws:apigateway:::/apikeys, arn:aws:apigateway:::/apikeys/* |
| WAFREGIONAL | waf-regional:ListRules | * |
| waf-regional:GetRule | ||
| waf-regional:ListRuleGroups | ||
| waf-regional:GetRuleGroup | ||
| waf-regional:ListActivatedRulesInRuleGroup | ||
| GLUE | glue:ListWorkflows | * |
| glue:BatchGetWorkflows | ||
| glue:GetTags | ||
| CODEBUILD | codebuild:ListBuilds | * |
| codebuild:BatchGetBuilds | ||
| SNS | sns:GetDataProtectionPolicy | * |
| sns:ListPlatformApplications | ||
| sns:GetSubscriptionAttributes |