IaC - Lacework CLI
To run Lacework's Infrastructure as Code (IaC) offerings with the Lacework CLI, you must install the Lacework CLI according to your operating system, use API keys to authenticate, and configure the CLI for Lacework and for IaC security.
Install the Lacework CLI
Bash (macOS/Linux)
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash
PowerShell (Windows)
Open a PowerShell terminal and run the following command:
Set-ExecutionPolicy Bypass -Scope Process -Force
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.ps1'))
The Lacework CLI is installed at C:\ProgramData\Lacework\lacework.exe and the system PATH environment variable is updated to include the Lacework CLI.
Open a new PowerShell terminal to read the updated system PATH and use the Lacework CLI.
Homebrew (macOS/Linux)
brew install lacework/tap/lacework-cli
For more details, see the Lacework Homebrew Tap.
Chocolatey (Windows)
choco install lacework-cli
For more details, see the Lacework CLI Chocolatey package.
Create API Key
The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API Keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys and Tokens.
- Log in to the Lacework Console.
- Click Settings > API keys.
- Click Add New.
- Enter a name for the key and an optional description.
- Click Save.
- Click the ... icon and then Download to save the API key file locally.
The API key file contains a keyId, secret, subAccount, and account:
{
"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": "myaccount.lacework.net"
}
Configure the CLI
Use the lacework configure command to configure the Lacework CLI with the API Key downloaded from the previous step.
lacework configure -j /path/to/key.json
Example output:
Account: example
Access Key ID: EXAMPLE_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************
You are all set!
The lacework configure command generates a file named .lacework.toml inside your home directory ($HOME/.lacework.toml) with a single profile named default.
Configure the CLI for IaC
Once you have installed the Lacework CLI and set up authentication with lacework configure, you must configure the CLI for use with Lacework's Infrastructure as Code (IaC) Security.
To configure the Lacework CLI for IaC Security:
- Run lacework component install iac in the Lacework CLI.
- The Lacework CLI is now configured for IaC. You can now run lacework iac ....
If you encounter an error installing the IaC component, run lacework iac config reconfig --reset.
Environment Variables
Within the Lacework CLI:
- LW_ACCOUNT sets the Lacework account.
- LW_API_KEY sets the Lacework API key.
- LW_API_SECRET sets the Lacework API secret.
IaC CLI Commands
| Command | Alias | Description |
|---|---|---|
| auth | - | Manage authentication |
| cloudformation-scan | cfn-scan | Scan CloudFormation templates |
| completion | - | Generate the autocompletion script for the specified shell |
| configure | config | Manage IaC component configuration |
| download | - | Manage downloaded components |
| helm-scan | - | Scan helm charts |
| help | - | Help about any command |
| inventory | - | Inventory a directory for infrastructure-as-code |
| kubernetes-scan | k8s-scan | Scan Kubernetes manifests |
| kustomize-scan | - | Scan Kustomize templates |
| model | - | Manage API models |
| org | - | Organization commands |
| post | - | Send data to lacework IAC |
| print | - | Print a JSON document |
| repo-inventory | - | Inventory a git repository and extract infrastructure-as-code metadata |
| secrets-scan | - | Scan for secrets in code |
| terraform-scan | tf-scan | Scan terraform |
| version | - | Display the version of the lacework IAC CLI |
Usage
lacework iac [command]
Troubleshoot config for Lacework CLI
- To start over, try deleting (or backing up) your ~/.config/lacework/iac-config.json file.
- You should NOT have APIToken in your config when working with Lacework CLI.
- Run env and check for unintended Lacework-related values being set.
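The last two troubleshooting checks can be scripted so that the output is safe to paste into a ticket. The following is an added example, not Lacework's own code: it reports whether APIToken appears in the IaC config and lists Lacework-related environment variables with their values masked. It assumes APIToken appears as a quoted JSON key and that "Lacework-related" means a variable name starting with LW_ or containing LACEWORK; the IAC_CONFIG override and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Lacework code): runs the troubleshooting checks without echoing secrets.

# Path taken from the page. IAC_CONFIG is a hypothetical override used for testing.
IAC_CONFIG="${IAC_CONFIG:-$HOME/.config/lacework/iac-config.json}"

# Returns 0 if the file has an APIToken key, 1 if it does not, 2 if the file is missing.
# Assumption: the key appears as a quoted JSON key, "APIToken": ...
config_has_apitoken() {
  [ -f "$1" ] || return 2
  grep -Eq '"APIToken"[[:space:]]*:' "$1"
}

# Prints Lacework-related environment variables with their values masked.
# Assumption: "Lacework-related" means a name starting with LW_ or containing LACEWORK.
list_lacework_env() {
  env | awk -F= '/^(LW_|[A-Za-z0-9_]*LACEWORK)/ {
    value = substr($0, length($1) + 2)
    printf "%s=<set, %d chars>\n", $1, length(value)
  }' | sort
}

# Runs both checks; returns 1 when APIToken is present in the config, 0 otherwise.
run_checks() {
  rc=0
  config_has_apitoken "$IAC_CONFIG" && st=0 || st=$?
  case "$st" in
    0) echo "WARN: APIToken found in $IAC_CONFIG; remove it when using the Lacework CLI"; rc=1 ;;
    1) echo "OK: no APIToken in $IAC_CONFIG" ;;
    *) echo "INFO: $IAC_CONFIG not found" ;;
  esac
  vars="$(list_lacework_env)"
  if [ -n "$vars" ]; then
    echo "INFO: Lacework-related environment variables are set (values masked):"
    echo "$vars"
  else
    echo "OK: no Lacework-related environment variables set"
  fi
  return "$rc"
}

# Run the checks only when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

Unlike a plain env, the masked listing shows which variables are set, such as LW_API_SECRET, without writing the secret to the terminal or to shell history.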