
EKS Audit Log Integration Using Terraform

tip

To integrate with Amazon EKS, Lacework recommends using guided configuration. The guided interface takes your input and generates a script that downloads and sets up all necessary Lacework CLI and Terraform components to create the integration non-interactively.

To use guided configuration:

  1. In the Lacework Console go to Settings > Integrations > Cloud accounts.
  2. Click + Add New.
  3. Click Amazon Web Services and select Guided configuration.

Alternatively, follow the steps in this topic to use the Lacework CLI to generate Terraform code. Or you can create the main.tf file manually and run Terraform from any supported host.

Overview

Lacework integrates with AWS to analyze EKS Audit Logs for monitoring EKS cluster security and configuration compliance. This topic describes how to integrate with AWS by running Lacework Terraform modules from any host supported by Terraform.

If you are new to the Lacework Terraform provider, or Lacework Terraform modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

Resources Provisioned by Lacework Terraform Modules

To integrate AWS with Lacework, Lacework Terraform modules provision the following resources in the designated AWS account:

  • IAM Cross-Account Role - A cross-account role is required to give Lacework access for assessments of cloud resource configurations and for analysis of CloudTrail events. The cross-account role will be given the following policy:
    • Lacework Custom IAM Policy - A custom policy that provides Lacework read-only access to ingest EKS Audit Logs.
  • SNS Topic - An SNS topic is required for all EKS Audit Log integrations. Terraform will create a new topic in the designated account.
  • S3 Bucket - An S3 bucket is required for all EKS Audit Log integrations. Lacework will create a new bucket in the designated account.
  • S3 Bucket Notification - An S3 bucket notification is required for all EKS Audit Log integrations. It notifies the SNS topic when a new object has been created in the bucket.
  • S3 Bucket Lifecycle rule - An S3 bucket lifecycle rule that specifies the number of days the logs are retained. Defaults to 180 days.
  • S3 Bucket versioning - A resource for controlling versioning on an S3 bucket.
  • Kinesis Firehose - A Kinesis Firehose is required for all EKS Audit Log integrations. Lacework will create a new Firehose in the designated account.
  • IAM Lacework Firehose Role - A firehose role is required to assume the AWS firehose service role.
    • Lacework Firehose IAM Policy - A firehose policy is required to allow the firehose to manage the contents of the S3 bucket.
  • IAM Lacework CloudWatch Role - A CloudWatch role is required to assume the logs role for each region integrated.
    • Lacework CloudWatch IAM Policy - A CloudWatch policy is required to allow the firehose to access the CloudWatch logs.
  • CloudWatch Subscription Filter(s) - CloudWatch subscription filter(s) are required for each EKS cluster in order to notify when logs have been added to the CloudWatch Log group.

Requirements

  • AWS Account Admin - The account used to run Terraform must have administrative privileges on every AWS account you intend to integrate with Lacework.
  • AWS CLI - The Terraform provider for AWS uses the configuration from the AWS CLI, so it is recommended that the AWS CLI is installed and configured with API keys for the account being integrated.
  • Lacework Administrator - A Lacework account with administrator privileges.
  • Lacework CLI - Lacework leverages the configuration from the Lacework CLI. Installing and configuring the Lacework CLI is recommended.
  • Terraform - ~> 0.15, ~> 1.0, ~> 1.1.

Module Inputs Reference

For an up-to-date guide on all available configuration inputs, refer to the Terraform Registry documentation:

Module Dependencies

Lacework Terraform modules for AWS have the following dependencies that are installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform Registry.

Install and Configure the Lacework CLI

To configure accounts, the Terraform provider for Lacework leverages the Lacework CLI configuration to authenticate with the Lacework API server. Lacework provides a shell script to install the Lacework CLI in your system.

Install and configure the Lacework CLI before continuing.

Deployment Scenarios

Prerequisite

Audit logging must be enabled on the clusters that you want to integrate. You can do this via the AWS CLI using the following command:

aws eks --region <region> update-cluster-config --name <cluster_name> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

Scenario 1 - Integrate EKS Clusters Audit Logs in a Single Region

This scenario creates a new Lacework EKS Audit Log integration with a cross-account IAM role to provide Lacework access. This example targets clusters in a single AWS region.

Run the Lacework CLI

  1. Run the following Lacework CLI command:

    lacework generate k8s eks                      \
    --region_clusters YourRegion="cluster,list" \
    --noninteractive

    The Terraform files are created in the ~/lacework/aws_eks_audit directory.

  2. Navigate to the ~/lacework/aws_eks_audit directory.

  3. Run terraform plan and review the changes that will be applied.

  4. Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.

note

If creating the main.tf file manually, you can use Terraform inputs to customize Lacework Terraform modules. See the documentation on the Terraform Registry for the complete list of inputs for each module.

Validate the Configuration

To confirm that the Cloud Account integration is working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. EKS cloud account integrations are listed as AwsEksAudit.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud accounts.

Scenario 2 - Integrate EKS Clusters Audit Logs Across Multiple Regions

This scenario creates a new Lacework EKS Audit Log integration with a cross-account IAM role to provide Lacework access. This example targets clusters across multiple AWS regions.

Run the Lacework CLI

  1. Run the following Lacework CLI command:

    lacework generate k8s eks                                           \
    --region_clusters YourRegion="cluster,list" \
    --region_clusters YourRegion2="cluster,list" \
    --existing_ca_iam_role_arn CrossAccountIAMRoleARN \
    --existing_ca_iam_role_external_id CrossAccountIAMRoleExternalID \
    --noninteractive

    The Terraform files are created in the ~/lacework/aws_eks_audit directory.

  2. Navigate to the ~/lacework/aws_eks_audit directory.

  3. Run terraform plan and review the changes that will be applied.

  4. Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.

note

If creating the main.tf file manually, you can use Terraform inputs to customize Lacework Terraform modules. See the documentation on the Terraform Registry for the complete list of inputs for each module.
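The following main.tf is an added example of the manual route mentioned in the notes for Scenario 1 and Scenario 2; it is not the output of lacework generate and not code from this page. The module input names (cloudwatch_regions, cluster_names, use_existing_cross_account_iam_role, iam_role_arn, iam_role_external_id) are assumed from the lacework/eks-audit-log/aws registry documentation, and the cluster names, region and role values are constructed placeholders.

```hcl
# Added example: hand-written main.tf for the Lacework EKS Audit Log module.
# Input names are assumed from the lacework/eks-audit-log/aws registry docs;
# verify them with `terraform init` followed by `terraform plan` before applying.

terraform {
  required_version = ">= 0.15"
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

# The Lacework provider authenticates with the Lacework CLI profile, as
# described under "Install and Configure the Lacework CLI".
provider "lacework" {}

# Region in which the S3 bucket, SNS topic, Firehose and IAM roles are created.
provider "aws" {
  region = "us-west-2" # constructed value
}

# Scenario 1: clusters in a single region. The module provisions the
# cross-account role, bucket, topic, Firehose and subscription filters
# listed under "Resources Provisioned by Lacework Terraform Modules".
module "aws_eks_audit_log_single_region" {
  source  = "lacework/eks-audit-log/aws"
  version = "~> 1.0" # pin to the version shown on the Terraform Registry

  cloudwatch_regions = ["us-west-2"]
  cluster_names      = ["prod-cluster", "staging-cluster"] # constructed names
}

# Scenario 2: clusters across multiple regions, reusing a cross-account IAM
# role that already exists (equivalent to --existing_ca_iam_role_arn and
# --existing_ca_iam_role_external_id on the CLI). The role ARN and external
# ID below are placeholders; supply your own values.
module "aws_eks_audit_log_multi_region" {
  source  = "lacework/eks-audit-log/aws"
  version = "~> 1.0"

  cloudwatch_regions = ["us-west-2", "us-east-1"]
  cluster_names      = ["prod-cluster", "dr-cluster"] # constructed names

  use_existing_cross_account_iam_role = true
  iam_role_arn          = "arn:aws:iam::123456789012:role/PLACEHOLDER-lacework-role"
  iam_role_external_id  = "PLACEHOLDER-external-id"
}
```

Each cluster listed in cluster_names must already have audit logging enabled (see the Prerequisite above), otherwise the CloudWatch log group the subscription filter targets will not exist.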

Validate the Configuration

To confirm that the Cloud Account integration is working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. EKS cloud account integrations are listed as AwsEksAudit.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud accounts.

AWS Security Token Service Limitations

The Lacework AWS module will fail due to limitations of STS. See AWS STS documentation for more information. Customers using aws-vault, for example, must pass the --no-session flag. For more information, see aws-vault documentation.