
Create an Integration Manually

Beta feature: This topic describes functionality that is currently in beta.

To complete the integration, you must:

  1. Create an integration in the Lacework Console.
  2. Instrument each EKS cluster for the EKS integration created in Step 1:
     • Enable EKS logs
     • Integrate EKS clusters

To begin:

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts > Add New.
  3. Click + Add New.
  4. Click Amazon Web Services and select EKS Audit Log.
  5. Click Next.
  6. Click Manual Configuration.
  7. Follow the steps in the next section.

Create an Integration in the Lacework Console

Ensure you have completed the preparatory steps described in AWS Integration Prerequisites.

  1. In the Name field, specify a unique name for this integration in the Lacework Console.
  2. In the External ID field, enter the AWS external ID that is associated with the cross-account role that Lacework uses to access your AWS resources. This is the External ID specified for the Cross-Account IAM role in your preparatory integration of AWS described in AWS Integration Prerequisites.
  3. In the Role ARN field, enter the ARN of the cross-account role that Lacework uses to access your AWS resources. This is the ARN specified for the Cross-Account IAM role in your preparatory integration of AWS described in AWS Integration Prerequisites.
  4. In the SNS ARN field, enter the ARN of the topic that Lacework uses to communicate with your AWS resources. This is the ARN specified for the SNS topic in your preparatory integration of AWS described in AWS Integration Prerequisites.
  5. Click Save to finish the AWS integration and save your onboarding progress.

Instrument EKS Clusters

Instrument each EKS cluster for the EKS integration you just created.

Enable EKS Logs

You must enable audit logging for the EKS cluster in the AWS account.

Enable audit logging through the AWS Console (for more information, see Amazon EKS control plane logging), or run the following command in the AWS CLI, replacing <region-code> with the region of the cluster and <prod> with the name of the cluster:

aws eks --region <region-code> update-cluster-config --name <prod> \
    --logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

Integrate EKS Clusters

After enabling audit logging, follow these steps:

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration.
  3. Click Run CloudFormation script. If you are already logged in to your AWS account, this redirects you to the Specify template page.
  4. Review the Specify template page and click Next. The Lacework script populates the Amazon S3 URL for you.
  5. On the Specify stack details page, provide the EKSClusterName. The script populates the FirehoseARN. If desired, update the ResourceNamePrefix. When finished, click Next.
  6. On the Configure stack options page, click Next.
  7. Verify the information on the Review page and click Create stack.

Note: If you have multiple AWS accounts with distributed ownership, you may want to use the Download CloudFormation script option instead.

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration.
  3. Click Download CloudFormation script.
  4. Log in to your AWS account if you are not already logged in.
  5. Select the CloudFormation service and click Create stack.
  6. For Template source, click Upload a template file.
  7. Upload the Lacework CloudFormation script and click Next.
  8. On the Specify stack details page, provide the EKSClusterName. The script populates the FirehoseARN. If desired, update the ResourceNamePrefix. When finished, click Next.
  9. On the Configure stack options page, click Next.
  10. Verify the information on the Review page and click Create stack.

Verify the Integration is Set Up

To verify logs are flowing from the CloudWatch log group to the S3 bucket, look for objects created in the S3 bucket under the prefix eks_audit_logs/<aws-account-id>/.

To verify SNS notifications for the creation of S3 objects:

  • Create an email subscription on the SNS topic and ensure you confirm the subscription by clicking the link sent to your inbox. Every time a log is written, you should receive an email with the key details.
  • Logs are created every 5 minutes.
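The two checks above (audit logging enabled on the cluster, and fresh objects under eks_audit_logs/<aws-account-id>/ in the bucket) can also be scripted. The following is an added example, not Lacework's code: it parses the JSON returned by `aws eks describe-cluster` and `aws s3api list-objects-v2` and treats a newest object older than 15 minutes as a stalled pipeline (the 15-minute threshold is an assumption based on the 5-minute delivery interval); the sample responses are constructed.

```python
# Added example, not Lacework's code: verify the EKS Audit Log integration from
# the AWS side by parsing `aws eks describe-cluster` and `aws s3api list-objects-v2`
# JSON output. The sample responses below are constructed to illustrate the shapes.
import json
from datetime import datetime, timedelta, timezone


def audit_logging_enabled(describe_cluster: dict) -> bool:
    """True when the 'audit' control-plane log type is enabled on the cluster."""
    cfg = describe_cluster.get("cluster", {}).get("logging", {})
    return any("audit" in e.get("types", []) and e.get("enabled") is True
               for e in cfg.get("clusterLogging", []))


def _as_datetime(value) -> datetime:
    """LastModified is an ISO-8601 string from the CLI and a datetime from boto3."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def newest_audit_object(list_objects: dict, account_id: str):
    """Newest object under eks_audit_logs/<aws-account-id>/ as (key, datetime), or None."""
    prefix = f"eks_audit_logs/{account_id}/"
    hits = [(o["Key"], _as_datetime(o["LastModified"]))
            for o in list_objects.get("Contents", []) if o["Key"].startswith(prefix)]
    return max(hits, key=lambda kv: kv[1]) if hits else None


def logs_are_fresh(list_objects: dict, account_id: str, now: datetime,
                   max_age: timedelta = timedelta(minutes=15)) -> bool:
    """Objects land every 5 minutes; nothing newer than max_age (assumed) means a stall."""
    newest = newest_audit_object(list_objects, account_id)
    return newest is not None and now - newest[1] <= max_age


# Constructed sample output, shaped like the two CLI commands' JSON responses.
SAMPLE_CLUSTER = json.loads('{"cluster": {"name": "prod", "logging": {"clusterLogging": ['
    '{"types": ["api", "audit"], "enabled": true},'
    '{"types": ["authenticator", "controllerManager", "scheduler"], "enabled": false}]}}}')
SAMPLE_OBJECTS = {"Contents": [
    {"Key": "eks_audit_logs/123456789012/2024/05/01/part-0001.gz",
     "LastModified": "2024-05-01T12:00:00+00:00"},
    {"Key": "eks_audit_logs/123456789012/2024/05/01/part-0002.gz",
     "LastModified": "2024-05-01T12:05:00+00:00"},
    {"Key": "other/unrelated.txt", "LastModified": "2024-05-01T12:09:00+00:00"}]}

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 8, tzinfo=timezone.utc)
    print("audit logging enabled:", audit_logging_enabled(SAMPLE_CLUSTER))
    print("newest audit object:", newest_audit_object(SAMPLE_OBJECTS, "123456789012"))
    print("logs fresh:", logs_are_fresh(SAMPLE_OBJECTS, "123456789012", now))
```

Feed real output by saving the two commands' JSON to files and loading them with json.load in place of the samples.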