AWS CloudTrail Integration for Organizations

This topic describes how to manually create an AWS CloudTrail integration for a Lacework organization.

If your Lacework accounts are enrolled in a Lacework organization, you can configure a consolidated AWS CloudTrail integration that maps CloudTrail activity from your AWS accounts to selected Lacework accounts within your organization.

Overview

When you create a CloudTrail integration for an organization, you define the following:

  • Role ARN for Lacework to use
  • A temporary external ID. You will replace this external ID with one generated by Lacework later in the onboarding process.
  • The SQS queue URL for the integration to use
  • The data flow from one or more AWS accounts to one or more Lacework accounts

Upon completion, the results from analyzing the specified AWS account CloudTrail activity appear in the mapped Lacework account.

Note:
  • Each account integration is expected to be mapped to one Lacework account.
  • The mapping that you configure for an organization integration is in addition to what is already configured for the CloudTrail account integration. It doesn't override the existing account integration.
  • If you consolidate CloudTrails from multiple AWS accounts into one bucket, Lacework maps the account ID to the account alias for the root account only. Other account IDs are not mapped to account aliases.

Create an Integration in the Lacework Console

Follow these steps to configure a CloudTrail integration for a Lacework organization.

Ensure you have completed the preparatory steps described in AWS Integration Prerequisites.

  1. Log in to the Lacework Console as an organization administrator.
  2. Switch to the organization.
  3. Go to Settings > Integrations > Cloud Accounts and create a new integration.
  4. Select AWS and Manual configuration, and then click Next.
  5. Select CloudTrail+Configuration for the integration type.
  6. For Name, enter a unique name that displays in the Lacework Console.
  7. For Account ID, enter your AWS account identifier or alias.
  8. For External ID, copy the Lacework-generated external ID. You must use this external ID to replace the temporary one that you provided during cross-account role creation.
    Refer to Update Cross-Account IAM Role External ID for how to update the cross-account role's external ID.
  9. For Role ARN, enter the ARN of the cross-account role that Lacework uses to access your AWS resources.
  10. For SQSQueueURL, enter the Amazon Simple Queue Service (SQS) URL value.
  11. For Account Mapping File, click Choose File and select the mapping file to use. Refer to Account Mapping File for details.
  12. Click Save.

The CloudTrail integrations configured at the organization level appear within their respective Lacework accounts’ Cloud Accounts Summary as read-only integrations. It may take up to a couple of minutes for new data to reach Lacework.

Account Mapping File

The account mapping file is a JSON file that maps AWS accounts to Lacework accounts within a Lacework organization.

Example mapping file

{
  "defaultLaceworkAccountAws": "lw_account_1",
  "integration_mappings": {
    "lw_account_2": {
      "aws_accounts": [
        "234556677",
        "774564564"
      ]
    },
    "lw_account_3": {
      "aws_accounts": [
        "553453453",
        "934534535"
      ]
    }
  }
}

  • "defaultLaceworkAccountAws" - Required. The value is a Lacework account name, for example, "lw_account_1". Any CloudTrails that are not explicitly mapped to a Lacework account go to this default account.
  • "integration_mappings" - Required. Each key within "integration_mappings" must be a Lacework account name, for example: "lw_account_2", "lw_account_3". Account names are not case-sensitive.
  • "aws_accounts" - Required. An array of AWS account IDs (string), for example "234556677", "774564564".
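As an added example (not part of the Lacework documentation or product), the following Python checks a mapping file against the rules listed above and resolves which Lacework account a given AWS account's CloudTrail data lands in. The sample file is constructed, and the function names are this example's own.

```python
import json

# Constructed sample, modelled on the documentation's example mapping file.
SAMPLE_MAPPING = """{
  "defaultLaceworkAccountAws": "lw_account_1",
  "integration_mappings": {
    "lw_account_2": {"aws_accounts": ["234556677", "774564564"]},
    "LW_Account_3": {"aws_accounts": ["553453453", "934534535"]}
  }
}"""

def load_mapping(text):
    """Parse a mapping file; JSON syntax errors surface as ValueError."""
    return json.loads(text)

def validate_mapping(doc):
    """Return problems found (empty if well-formed): required fields present,
    digit-only AWS account IDs, and no AWS account routed to two Lacework
    accounts (Lacework account names compare case-insensitively)."""
    problems = []
    if not isinstance(doc.get("defaultLaceworkAccountAws"), str):
        problems.append("defaultLaceworkAccountAws is required and must be a string")
    mappings = doc.get("integration_mappings")
    if not isinstance(mappings, dict):
        return problems + ["integration_mappings is required and must be an object"]
    seen_lw, owner = set(), {}  # owner: AWS account ID -> lower-cased Lacework account
    for lw_name, body in mappings.items():
        key = lw_name.lower()
        if key in seen_lw:
            problems.append(f"duplicate Lacework account (case-insensitive): {lw_name}")
        seen_lw.add(key)
        accounts = body.get("aws_accounts") if isinstance(body, dict) else None
        if not isinstance(accounts, list) or not accounts:
            problems.append(f"{lw_name}: aws_accounts is required and must be a non-empty array")
            continue
        for acct in accounts:
            if not isinstance(acct, str) or not acct.isdigit():
                problems.append(f"{lw_name}: account ID {acct!r} must be a digit string")
            elif acct in owner and owner[acct] != key:
                problems.append(f"AWS account {acct} mapped to both {owner[acct]} and {key}")
            else:
                owner.setdefault(acct, key)
    return problems

def resolve_lacework_account(doc, aws_account_id):
    """Lacework account that receives data for aws_account_id (default if unmapped)."""
    for lw_name, body in doc["integration_mappings"].items():
        if aws_account_id in body.get("aws_accounts", []):
            return lw_name.lower()
    return doc["defaultLaceworkAccountAws"].lower()
```

Running the validator before uploading the file catches the two mistakes the documentation's rules imply but the Console cannot flag for you in advance: an AWS account listed under two Lacework accounts, and two keys that differ only in case.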