Setup Lacework CLI
Now that we understand the cloud account scope and have a grasp of the permissions required to deploy, we're ready to get things underway. First, we need to set up the Lacework CLI, which we will use to automate the deployment and the setup of the Lacework console.
The Lacework CLI is the Swiss Army knife of Lacework. It helps with the initial setup, and once your cloud accounts are integrated it lets you query the data in the system via LQL, retrieve data directly via the Lacework APIs, and configure functional components of the Lacework platform, such as policies.
- Install and Configure the Lacework CLI
- Running Deployment Preflight Checks
Setting up the Lacework CLI
The Lacework CLI is an open source project written in Golang and released as separate binaries for Linux, macOS, and, yes, even Windows! Additionally, all releases of the CLI are published as Docker containers to Docker Hub for various platforms with the intended purpose of integrating with CI/CD automation pipelines.
Lacework as a platform provides a set of robust APIs for configuring accounts within the platform, as well as accessing data from accounts. The Lacework CLI provides an interface to those APIs with the goal of providing fast, accurate, and actionable insights into the platform.
Install the Lacework CLI
Bash (macOS/Linux)
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash
Note that piping a remote script straight into bash executes whatever the server returns. On a workstation you control, prefer to download install.sh first, read it, and then run it, or install a pinned version through one of the package managers below. The same applies to the PowerShell installer.
Powershell (Windows)
- Open a PowerShell terminal and run the following commands:
Set-ExecutionPolicy Bypass -Scope Process -Force
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.ps1'))
The Lacework CLI is installed at C:\ProgramData\Lacework\lacework.exe and the system PATH environment variable is updated to include the Lacework CLI.
- Open a new PowerShell terminal to read the updated system PATH and use the Lacework CLI.
Homebrew (macOS/Linux)
brew install lacework/tap/lacework-cli
For more details, see the Lacework Homebrew Tap.
Chocolatey (Windows)
choco install lacework-cli
For more details, see the Lacework CLI Chocolatey package.
Create API Key
The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API Keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys and Tokens.
- Log in to the Lacework Console.
- Click Settings > API keys.
- Click Add New.
- Enter a name for the key and an optional description.
- Click Save.
- Click the ... icon and then Download to save the API key file locally.
The downloaded key file contains four fields: keyId, secret, subAccount, and account:
{
"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": "myaccount.lacework.net"
}
Configure the CLI
Use the lacework configure command to configure the Lacework CLI with the API Key downloaded from the previous step.
lacework configure -j /path/to/key.json
Example output:
Account: example
Access Key ID: EXAMPLE_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************
You are all set!
The lacework configure command generates a file named .lacework.toml inside your home directory ($HOME/.lacework.toml) with a single profile named default. The file holds the API secret in plaintext, so keep it readable only by your own user and never commit it to version control.
Multiple Profiles
You can add additional profiles that you can refer to by name by specifying the --profile flag. The following example creates a profile named prod.
lacework configure --profile prod -j /path/to/key.json
Example output:
Account: prod.example
Access Key ID: PROD_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************
You are all set!
Then, when you run a command, you can specify --profile prod to use the credentials and settings stored under that name.
lacework agent list --profile prod
If there is no --profile flag, the Lacework CLI defaults to the default profile.
To list all available profiles configured in the workstation use:
lacework configure list
Example output:
PROFILE | ACCOUNT | API KEY | API SECRET
--------------+---------------+----------------------------------------------------------+------------------------------------
prod | prod-account | PRODACCT_0C66EF03A0694E16D3203E553C9B13E36E39239FB0FCEBF | *****************************8520
qa1 | qa1-account | QA1ACCOT_038B1395C1B5B9BD1C5DEA849DF62FCB95D7697C58C4942 | *****************************9ad8
qa2 | qa2-account | QA2ACCOT_0362BF5146FBE18A9CD0AB0259FBEE912EBB1A429A0A213 | *****************************a3cb
> default | dev-account | DEVACCOT_03C8910D0BDCDBD2AFD4355A1C5284104AAA2AE5253938C | *****************************98f1
Switch Profiles
To switch between the profiles configured in the config file $HOME/.lacework.toml, use the following command:
lacework configure switch-profile <profile>
This is a global configuration for the Lacework CLI, which means that any new terminal continues to use the selected profile.
To switch back to the default profile:
lacework configure use default
The command lacework configure use is an alias of the switch-profile sub-command.
An alternative that temporarily switches to a different profile in your current terminal only is to export the environment variable LW_PROFILE=your-profile.
Organizational Accounts
An organization can contain multiple accounts so you can manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. A team member may have access to multiple accounts and can easily switch between them.
To enroll your account in an organization, see Organization Enrollment Process.
Use the global flag --subaccount to switch to a different account inside your organizational account.
For example, given a default profile that has access to your primary account named my-company:
[default]
account = "my-company"
api_key = "my-api-key"
api_secret = "my-api-secret"
version = 2
To access your sub-account named business-unit, pass the flag --subaccount business-unit to any command.
There are two ways to set a sub-account persistently:
- Export the environment variable LW_SUBACCOUNT="<YOUR_SUBACCOUNT>". This makes the sub-account configuration persist only for the active terminal.
- Reconfigure your profile with the command lacework configure. This command prompts you to select any sub-account that you have access to in your organizational account.
To list all accounts in your organization:
lacework account list
Output Formats
The Lacework CLI supports the following output formats:
- Human-readable: Default output that presents the information in a "human-readable" or "human-friendly" format, which is much easier to read but not as useful for automation purposes.
- JSON: To switch the output of any command to a JSON string, add the flag --json.
Some commands have additional formats available:
- PDF: For compliance reports, it is possible to download a report in PDF format by adding the flag --pdf.
- HTML: For container vulnerability assessments, use the --html flag to render the assessment results in HTML format.
- CSV: For compliance reports and host vulnerability data, you can pass the flag --csv to switch the output to CSV format.
Environment Variables
Default configuration parameters found in the .lacework.toml may also be overridden by setting environment variables prefixed with LW_; a variable that is set takes precedence over the corresponding value in the profile.
To override the account, api_key, and api_secret configurations:
Bash (macOS/Linux)
export LW_ACCOUNT="<YOUR_ACCOUNT>"
export LW_API_KEY="<YOUR_API_KEY>"
export LW_API_SECRET="<YOUR_API_SECRET>"
Powershell (Windows)
$env:LW_ACCOUNT = '<YOUR_ACCOUNT>'
$env:LW_API_KEY = '<YOUR_API_KEY>'
$env:LW_API_SECRET = '<YOUR_API_SECRET>'
For org admins only, to switch to a different sub-account for the rest of your current terminal session:
Bash (macOS/Linux)
export LW_SUBACCOUNT=business-unit
Powershell (Windows)
$env:LW_SUBACCOUNT = 'business-unit'
The following table lists all environment variables that you can use to modify the operation of the Lacework CLI.
| Environment Variable | Description |
|---|---|
| LW_NOCOLOR=1 | turn off colors |
| LW_NOCACHE=1 | turn off caching |
| LW_DEBUG=1 | turn on debug logging |
| LW_JSON=1 | switch command output from human-readable to JSON format |
| LW_NONINTERACTIVE=1 | disable interactive progress bars (i.e. spinners) |
| LW_UPDATES_DISABLE=1 | disable daily version checks |
| LW_TELEMETRY_DISABLE=1 | disable sending telemetry data |
| LW_PROFILE="<name>" | switch between profiles configured in ~/.lacework.toml |
| LW_ACCOUNT="<account>" | account subdomain of the URL (i.e. <ACCOUNT>.lacework.net) |
| LW_API_KEY="<key>" | API access key ID |
| LW_API_SECRET="<secret>" | API secret access key |
| LW_SUBACCOUNT="<sub-account>" | sub-account name inside your organization (org admins only) |
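As an added example that is not part of the Lacework documentation or the go-sdk, the following bash script ties the Multiple Profiles, Organizational Accounts and Environment Variables sections together. It reads a downloaded API key file (the flat JSON shown under Create API Key) and either appends a profile to a .lacework.toml that it creates with owner-only permissions, or prints the LW_* export lines for a one-off CI run so the secret never lands in a config file. The key-file parser assumes the one-field-per-line layout of the download; the subaccount key name in the profile block, and writing it only when it differs from the primary account, are assumptions of this example; the sample key is constructed.

```bash
#!/usr/bin/env bash
# Added example, not Lacework's own code: turn a downloaded API key file into either
# a profile in .lacework.toml or LW_* environment variables, with no interactive prompt.
set -euo pipefail

# Extract one string field (keyId, secret, subAccount or account) from the key file.
# Assumption: the flat, one-field-per-line JSON layout of the downloaded key file.
json_field() {
  local file="$1" field="$2"
  sed -n "s/^[[:space:]]*\"${field}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file"
}

# Read the key file into LW_ACCOUNT, LW_SUBACCOUNT, LW_API_KEY and LW_API_SECRET.
# The CLI takes the account subdomain only, so a trailing ".lacework.net" is dropped;
# LW_SUBACCOUNT is left empty when the key belongs to the primary account itself.
load_key() {
  local keyfile="$1" sub
  LW_ACCOUNT=$(json_field "$keyfile" account)
  LW_ACCOUNT=${LW_ACCOUNT%.lacework.net}
  LW_API_KEY=$(json_field "$keyfile" keyId)
  LW_API_SECRET=$(json_field "$keyfile" secret)
  sub=$(json_field "$keyfile" subAccount)
  LW_SUBACCOUNT=""
  if [ -n "$sub" ] && [ "$sub" != "$LW_ACCOUNT" ]; then
    LW_SUBACCOUNT="$sub"
  fi
  if [ -z "$LW_ACCOUNT" ] || [ -z "$LW_API_KEY" ] || [ -z "$LW_API_SECRET" ]; then
    echo "load_key: $keyfile is missing account, keyId or secret" >&2
    return 1
  fi
}

# Print export statements for a CI job: eval "$(lw_env key.json)" overrides any profile
# for the current shell only and keeps the secret out of files on disk.
lw_env() {
  load_key "$1"
  printf "export LW_ACCOUNT='%s'\n" "$LW_ACCOUNT"
  printf "export LW_API_KEY='%s'\n" "$LW_API_KEY"
  printf "export LW_API_SECRET='%s'\n" "$LW_API_SECRET"
  if [ -n "$LW_SUBACCOUNT" ]; then
    printf "export LW_SUBACCOUNT='%s'\n" "$LW_SUBACCOUNT"
  fi
}

# Append a named profile in the layout shown above. The file is created under umask 077
# (mode 0600) because the API secret is stored in plaintext. "subaccount" is the assumed
# key name for a sub-account; it is written only when one applies.
add_profile() {
  local config="$1" profile="$2" keyfile="$3"
  load_key "$keyfile"
  if [ ! -e "$config" ]; then
    ( umask 077; : > "$config" )
  fi
  {
    printf '[%s]\n' "$profile"
    printf 'account = "%s"\n' "$LW_ACCOUNT"
    if [ -n "$LW_SUBACCOUNT" ]; then
      printf 'subaccount = "%s"\n' "$LW_SUBACCOUNT"
    fi
    printf 'api_key = "%s"\n' "$LW_API_KEY"
    printf 'api_secret = "%s"\n' "$LW_API_SECRET"
    printf 'version = 2\n\n'
  } >> "$config"
}

# Constructed sample key for a sub-account (same shape as the download, not a real credential).
demo_dir=$(mktemp -d)
cat > "$demo_dir/prod-key.json" <<'EOF'
{
  "keyId": "PRODACCT_0C66EF03A0694E16D3203E553C9B13E36E39239FB0FCEBF",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "business-unit",
  "account": "my-company.lacework.net"
}
EOF
add_profile "$demo_dir/lacework.toml" prod "$demo_dir/prod-key.json"
cat "$demo_dir/lacework.toml"
lw_env "$demo_dir/prod-key.json"
rm -rf "$demo_dir"
```

In a pipeline, prefer the lw_env path: the job reads the key file from its secret store, runs eval "$(lw_env key.json)", and the variables override any profile for that shell only, so nothing is left behind on the runner. add_profile is for workstations where several accounts are used day to day; because it only creates the file with umask 077 and otherwise appends, fix the mode of a pre-existing world-readable .lacework.toml yourself.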
Deployment Preflight Check
Installing the Preflight component
The Lacework CLI preflight capability is provided as a component and can be installed with the following command:
lacework component install preflight
Using the Lacework Preflight component
The Lacework preflight check is a tool that identifies potential problems before deployment and detects the resources present in your cloud provider account in order to recommend the proper method for onboarding.
There are two types of identities Lacework needs for a successful deployment:
- Deployment Role: the identity used to deploy the Lacework resources into your environment
- Operations Role: the identity that Lacework deploys in order to access your environment from within the Lacework platform (least privilege)
When running a preflight check, provide the Deployment Role. This role is used to understand your environment and to validate that the provided identity can deploy Lacework.
Running the Lacework Preflight component
To execute the preflight checks provided by the Lacework Preflight component, run the following:
lacework preflight [cloud provider]
Currently, aws is the only available cloud provider.
Review the Findings
When executed against the management account of an AWS Organization, the Preflight component discovers all managed member accounts and identifies the services enabled in them. Note that the Preflight component currently supports single AWS account deployments only; deploying to AWS Organizations is a feature planned for v0.2.0 of the Preflight component. For example, the following command returns output similar to the one below:
lacework preflight aws
Output:
Cloud Setup Preflight
=======================
Caller Identity assumed-role/AWSReservedSSO_dev-admin-role_xxxxxxxxxx/test.user@domain.com
AWS Account XXXXXXXXXXXXX
AWS Organization Access DETECTED
AWS Org Management Account DISABLED
AWS Accounts 20
AWS Org Units 0
ControlTower Access DISABLED
CloudTrail Access DETECTED
SecurityHub Access DISABLED
EKS Service Access DISABLED
========== Preflight Checks
[✓] AWS CloudTrail Checklist
[✓] Agentless Checklist
[✓] AWS Compliance Checklist
========== Preflight Results
Successful Checklists
You have passed all checks for the Lacework integrations: CloudTrail, Agentless and configuration. You can deploy them using the following command:
lacework generate cloud-account aws --apply --noninteractive --cloudtrail --agentless --config
Next Steps
Once the preflight is complete and all checks have passed, deploy Lacework using the command included in the preflight output. For example, the following command installs all Lacework features as per the preflight findings above (CloudTrail, Agentless and configuration):
lacework generate cloud-account aws --apply --noninteractive --cloudtrail --agentless --config
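As an added example (not part of the Preflight component or the Lacework CLI), the following bash script gates a CI deploy job on a saved preflight report in the format shown under Review the Findings: it fails unless every checklist line is marked [✓], then extracts the recommended lacework generate command and checks it against an allowlist of the flags the report can emit, so a tampered or unexpected report cannot hand arbitrary arguments to the job that runs it. The [✓] marker and the flag set are taken from the output above; treating any other marker as a failure is an assumption of this example, and the report text is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the Preflight component: gate a CI deploy job on a saved
# `lacework preflight aws` report and hand the recommended command on only if it is safe.
set -euo pipefail

# Count checklist lines ("[...] <name> Checklist") and those marked as passed.
# Assumption: a passed check is rendered "[✓]"; any other marker counts as a failure.
preflight_passed() {
  local report="$1" total passed
  total=$(grep -c '^\[[^]]*\] .*Checklist' "$report" || true)
  passed=$(grep -c '^\[✓\] .*Checklist' "$report" || true)
  if [ "$total" -gt 0 ] && [ "$total" -eq "$passed" ]; then
    return 0
  fi
  return 1
}

# Print the deploy command the report recommends: the first line starting "lacework generate".
recommended_command() {
  grep -m 1 '^lacework generate ' "$1"
}

# Accept the command only if it is the documented invocation with flags from the allowlist,
# so a tampered report cannot smuggle extra words (";", "|", other commands) into the job.
command_is_allowed() {
  local cmd="$1" word
  case "$cmd" in
    "lacework generate cloud-account aws "*) ;;
    *) return 1 ;;
  esac
  for word in ${cmd#lacework generate cloud-account aws }; do
    case "$word" in
      --apply|--noninteractive|--cloudtrail|--agentless|--config) ;;
      *) return 1 ;;
    esac
  done
}

# Fail unless every checklist passed and the recommended command is allowed; otherwise print it.
preflight_gate() {
  local report="$1" cmd
  if ! preflight_passed "$report"; then
    echo "preflight gate: not every checklist passed" >&2
    grep '^\[[^]]*\] .*Checklist' "$report" >&2 || true
    return 1
  fi
  cmd=$(recommended_command "$report") || { echo "preflight gate: no deploy command in report" >&2; return 1; }
  if ! command_is_allowed "$cmd"; then
    echo "preflight gate: refusing unexpected command: $cmd" >&2
    return 1
  fi
  printf '%s\n' "$cmd"
}

# Constructed report in the format of the output shown above.
report=$(mktemp)
cat > "$report" <<'EOF'
========== Preflight Checks
[✓] AWS CloudTrail Checklist
[✓] Agentless Checklist
[✓] AWS Compliance Checklist
========== Preflight Results
Successful Checklists
You have passed all checks for the Lacework integrations: CloudTrail, Agentless and configuration. You can deploy them using the following command:
lacework generate cloud-account aws --apply --noninteractive --cloudtrail --agentless --config
EOF
preflight_gate "$report"
rm -f "$report"
```

In a pipeline, save the preflight output to a file in one job, then run cmd=$(preflight_gate report.txt) && $cmd in the deploy job; because an accepted command consists only of the allowlisted words, running $cmd unquoted is safe, and any report that fails a checklist or carries extra arguments stops the job before anything is deployed.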