lacework/terraform-aws-config

terraform-aws-config


Terraform module for configuring an integration with Lacework and AWS for cloud resource configuration assessment.

Requirements

| Name | Version |
|---|---|
| terraform | >= 0.14 |
| aws | >= 3.35.0 |
| lacework | ~> 2.0 |
| random | >= 2.1 |
| time | ~> 0.7 |

Providers

| Name | Version |
|---|---|
| aws | >= 3.35.0 |
| lacework | ~> 2.0 |
| random | >= 2.1 |
| time | ~> 0.7 |

Modules

| Name | Source | Version |
|---|---|---|
| lacework_cfg_iam_role | lacework/iam-role/aws | ~> 0.4 |

Resources

| Name | Type |
|---|---|
| aws_iam_policy.lacework_audit_policy | resource |
| aws_iam_policy.lacework_audit_policy_2025_1 | resource |
| aws_iam_role_policy_attachment.lacework_audit_policy_attachment | resource |
| aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b | resource |
| aws_iam_role_policy_attachment.security_audit_policy_attachment | resource |
| lacework_integration_aws_cfg.default | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| aws_iam_policy_document.lacework_audit_policy | data source |
| aws_iam_policy_document.lacework_audit_policy_2025_1 | data source |
| lacework_metric_module.lwmetrics | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| external_id_length | Deprecated - Will be removed on our next major release v1.0.0 | number | 16 | no |
| iam_role_arn | The IAM role ARN; required when setting use_existing_iam_role to true | string | "" | no |
| iam_role_external_id | The external ID configured inside the IAM role; required when setting use_existing_iam_role to true | string | "" | no |
| iam_role_name | The IAM role name. Required to match iam_role_arn if use_existing_iam_role is set to true | string | "" | no |
| lacework_audit_policy_name | The name of the custom audit policy (which extends SecurityAudit) that allows Lacework to read configs. Defaults to lwaudit-policy-${random_id.uniq.hex} when empty | string | "" | no |
| lacework_aws_account_id | The Lacework AWS account that the IAM role will grant access to | string | "434813966438" | no |
| lacework_integration_name | The name of the integration in Lacework | string | "TF config" | no |
| permission_boundary_arn | Optional - ARN of the policy that is used to set the permissions boundary for the role | string | null | no |
| tags | A map/dictionary of tags to be assigned to created resources | map(string) | {} | no |
| use_existing_iam_role | Set this to true to use an existing IAM role | bool | false | no |
| use_existing_iam_role_policy | Set this to true to use an existing policy on the IAM role, rather than attaching a new one | bool | false | no |
| wait_time | Amount of time to wait before the next resource is provisioned | string | "10s" | no |

Outputs

| Name | Description |
|---|---|
| external_id | The External ID configured into the IAM role |
| iam_role_arn | The IAM Role ARN |
| iam_role_name | The IAM Role name |
| lacework_integration_guid | The GUID for the created Lacework integration |

Lacework Audit Policy

Release 0.19.0 (Feb 2025): Terraform changes to add a second policy and its attachment under the same role (this change is to bypass the 6144-character limit for a single policy). Adds permissions for kinesisvideo, amp, appstream, personalize, codeartifact and fis; adds missing permissions for the ses and backup services; adds permissions for future services to come: memoryDB, resource groups, qbusiness, qapps, qconnect, servicecatalogappregistry, oam, clouddirectory, optimizationhub, budgets and billingconsole.

The audit policy is comprised of the following permissions:

| sid | actions | resources |
|---|---|---|
| GetEbsEncryptionByDefault | ec2:GetEbsEncryptionByDefault | * |
| GetBucketPublicAccessBlock | s3:GetBucketPublicAccessBlock | * |
| EFS | elasticfilesystem:DescribeFileSystemPolicy, elasticfilesystem:DescribeLifecycleConfiguration, elasticfilesystem:DescribeAccessPoints, elasticfilesystem:DescribeAccountPreferences, elasticfilesystem:DescribeBackupPolicy, elasticfilesystem:DescribeReplicationConfigurations, elasticfilesystem:ListTagsForResource | * |
| EMR | elasticmapreduce:ListBootstrapActions, elasticmapreduce:ListInstanceFleets, elasticmapreduce:ListInstanceGroups | * |
| SAGEMAKER | sagemaker:GetModelPackageGroupPolicy, sagemaker:GetLineageGroupPolicy | * |
| IDENTITYSTORE | identitystore:DescribeGroup, identitystore:DescribeGroupMembership, identitystore:DescribeUser, identitystore:ListGroupMemberships, identitystore:ListGroupMembershipsForMember, identitystore:ListGroups, identitystore:ListUsers | * |
| SSO | sso:DescribeAccountAssignmentDeletionStatus, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:GetInlinePolicyForPermissionSet | * |
| GLACIER | glacier:ListTagsForVault | * |
| APIGATEWAY | apigateway:GET | arn:aws:apigateway:::/apikeys, arn:aws:apigateway:::/apikeys/* |
| WAFREGIONAL | waf-regional:ListRules, waf-regional:GetRule, waf-regional:ListRuleGroups, waf-regional:GetRuleGroup, waf-regional:ListActivatedRulesInRuleGroup | * |
| GLUE | glue:ListWorkflows, glue:BatchGetWorkflows, glue:GetTags | * |
| CODEBUILD | codebuild:ListBuilds, codebuild:BatchGetBuilds | * |
| SNS | sns:GetDataProtectionPolicy, sns:ListPlatformApplications, sns:GetSubscriptionAttributes | * |
| SES | ses:ListContactLists, ses:GetContactList, ses:ListContacts, ses:GetContact, ses:ListCustomVerificationEmailTemplates, ses:GetCustomVerificationEmailTemplate, ses:GetDedicatedIpPool, ses:GetBlacklistReports, ses:GetDedicatedIp, ses:ListDeliverabilityTestReports, ses:GetDeliverabilityTestReport, ses:ListEmailIdentities, ses:GetEmailIdentity, ses:GetEmailIdentityPolicies, ses:ListEmailTemplates, ses:GetEmailTemplate, ses:ListImportJobs, ses:GetImportJob, ses:ListRecommendations, ses:ListSuppressedDestinations, ses:GetSuppressedDestination, ses:ListTagsForResource | * |
| BACKUP | backup:ListBackupJobs, backup:DescribeBackupJob, backup:ListBackupPlanTemplates, backup:GetBackupPlanFromTemplate, backup:ListBackupPlans, backup:GetBackupPlan, backup:ListBackupPlanVersions, backup:ListBackupSelections, backup:GetBackupSelection, backup:DescribeBackupVault, backup:ListRecoveryPointsByBackupVault, backup:DescribeRecoveryPoint, backup:GetRecoveryPointRestoreMetadata, backup:ListCopyJobs, backup:ListFrameworks, backup:DescribeFramework, backup:ListLegalHolds, backup:GetLegalHold, backup:ListRecoveryPointsByLegalHold, backup:ListProtectedResources, backup:DescribeProtectedResource, backup:ListRecoveryPointsByResource, backup:ListReportPlans, backup:ListRestoreJobs, backup:ListTags | * |
| COGNITO-IDP | cognito-idp:GetSigningCertificate, cognito-idp:GetCSVHeader, cognito-idp:GetUserPoolMfaConfig, cognito-idp:GetUICustomization | |
| COMPUTEOPTIMIZER | compute-optimizer:DescribeRecommendationExportJobs, compute-optimizer:GetAutoScalingGroupRecommendations, compute-optimizer:GetEffectiveRecommendationPreferences, compute-optimizer:GetEBSVolumeRecommendations, compute-optimizer:GetEC2InstanceRecommendations, compute-optimizer:GetEnrollmentStatus, compute-optimizer:GetLambdaFunctionRecommendations, compute-optimizer:GetRecommendationPreferences, compute-optimizer:GetRecommendationSummaries, compute-optimizer:GetEcsServiceRecommendations, compute-optimizer:GetLicenseRecommendations | * |
| KINESISANALYTICS | kinesisanalytics:ListApplicationSnapshots, kinesisanalytics:ListApplicationVersions, kinesisanalytics:DescribeApplicationVersion, kinesisanalytics:DescribeApplication | |
| KINESISVIDEO | kinesisvideo:GetSignalingChannelEndpoint, kinesisvideo:GetDataEndpoint, kinesisvideo:DescribeImageGenerationConfiguration | * |
| AMP | aps:ListScrapers, aps:DescribeScraper, aps:ListWorkspaces, aps:DescribeAlertManagerDefinition, aps:DescribeLoggingConfiguration, aps:DescribeWorkspace, aps:ListRuleGroupsNamespaces, aps:DescribeRuleGroupsNamespace, aps:ListTagsForResource | * |
| APPSTREAM | appstream:Describe*, appstream:List* | |
| PERSONALIZE | personalize:Describe*, personalize:List*, personalize:GetSolutionMetrics | |
| CODEARTIFACT | codeartifact:ListDomains, codeartifact:DescribeDomain, codeartifact:DescribeRepository, codeartifact:ListPackages, codeartifact:GetRepositoryEndpoint, codeartifact:DescribePackage, codeartifact:ListPackageVersions, codeartifact:DescribePackageVersion, codeartifact:GetPackageVersionReadme, codeartifact:ListPackageVersionDependencies, codeartifact:ListPackageVersionAssets, codeartifact:GetPackageVersionAsset, codeartifact:ListTagsForResource | * |
| FIS | fis:ListActions, fis:GetAction, fis:ListExperimentTemplates, fis:GetExperimentTemplate, fis:ListTargetAccountConfigurations, fis:ListExperiments, fis:GetExperiment, fis:ListExperimentResolvedTargets | * |
| MEMORYDB | memorydb:DescribeMultiRegionClusters, memorydb:DescribeSnapshots, memorydb:DescribeSubnetGroups, memorydb:DescribeParameterGroups, memorydb:DescribeParameters, memorydb:DescribeUsers, memorydb:DescribeACLs, memorydb:DescribeServiceUpdates, memorydb:DescribeEngineVersions, memorydb:DescribeReservedNodes, memorydb:DescribeReservedNodesOfferings, memorydb:ListTags, memorydb:ListAllowedNodeTypeUpdates, memorydb:ListAllowedMultiRegionClusterUpdates | * |
| QBUSINESS | qbusiness:GetApplication, qbusiness:GetChatControlsConfiguration, qbusiness:GetPolicy, qbusiness:ListAttachments, qbusiness:ListConversations, qbusiness:ListMessages, qbusiness:ListDataAccessors, qbusiness:GetDataAccessor, qbusiness:GetIndex, qbusiness:GetDataSource, qbusiness:GetPlugin, qbusiness:ListPluginActions, qbusiness:GetRetriever, qbusiness:GetWebExperience, qbusiness:ListPluginTypeMetadata, qbusiness:ListPluginTypeActions | * |
| QAPPS | qapps:DescribeQAppPermissions, qapps:GetLibraryItem, qapps:GetQApp, qapps:GetQAppSession, qapps:GetQAppSessionMetadata, qapps:ListCategories, qapps:ListLibraryItems, qapps:ListQAppSessionData, qapps:ListQApps, qapps:ListTagsForResource | * |
| QCONNECT | wisdom:GetAIAgent, wisdom:GetAIGuardrail, wisdom:GetAIPrompt, wisdom:GetContent, wisdom:GetImportJob, wisdom:GetKnowledgeBase, wisdom:GetMessageTemplate, wisdom:GetQuickResponse, wisdom:ListAIAgentVersions, wisdom:ListAIAgents, wisdom:ListAIGuardrailVersions, wisdom:ListAIGuardrails, wisdom:ListAIPromptVersions, wisdom:ListAIPrompts, wisdom:ListAssistantAssociations, wisdom:ListAssistants, wisdom:ListContentAssociations, wisdom:ListContents, wisdom:ListImportJobs, wisdom:ListKnowledgeBases, wisdom:ListMessageTemplateVersions, wisdom:ListMessageTemplates, wisdom:ListQuickResponses, wisdom:ListTagsForResource | * |
| RESOURCEGROUPS | resource-groups:ListGroups, resource-groups:GetGroupQuery, resource-groups:GetGroupConfiguration | * |
| SERVICECATALOGAPPREGISTRY | servicecatalog:GetApplication, servicecatalog:ListApplications, servicecatalog:GetAssociatedResource, servicecatalog:ListAssociatedResources, servicecatalog:ListAssociatedAttributeGroups, servicecatalog:GetAttributeGroup, servicecatalog:ListAttributeGroups, servicecatalog:ListTagsForResource, servicecatalog:ListAttributeGroupsForApplication, servicecatalog:GetConfiguration | * |
| OAM | oam:GetLink, oam:GetSink, oam:GetSinkPolicy, oam:ListAttachedLinks, oam:ListLinks, oam:ListSinks | * |
| CLOUDDIRECTORY | clouddirectory:GetAppliedSchemaVersion, clouddirectory:GetDirectory, clouddirectory:GetFacet, clouddirectory:GetLinkAttributes, clouddirectory:GetObjectAttributes, clouddirectory:GetObjectInformation, clouddirectory:GetSchemaAsJson, clouddirectory:GetTypedLinkFacetInformation, clouddirectory:ListAppliedSchemaArns, clouddirectory:ListAttachedIndices, clouddirectory:ListDevelopmentSchemaArns, clouddirectory:ListFacetAttributes, clouddirectory:ListFacetNames, clouddirectory:ListIncomingTypedLinks, clouddirectory:ListIndex, clouddirectory:ListManagedSchemaArns, clouddirectory:ListObjectAttributes, clouddirectory:ListObjectChildren, clouddirectory:ListObjectParentPaths, clouddirectory:ListObjectParents, clouddirectory:ListObjectPolicies, clouddirectory:ListOutgoingTypedLinks, clouddirectory:ListPolicyAttachments, clouddirectory:ListPublishedSchemaArns, clouddirectory:ListTagsForResource, clouddirectory:ListTypedLinkFacetAttributes, clouddirectory:ListTypedLinkFacetNames | * |
| COSTOPTIMIZATIONHUB | cost-optimization-hub:GetPreferences, cost-optimization-hub:GetRecommendation, cost-optimization-hub:ListEnrollmentStatuses, cost-optimization-hub:ListRecommendationSummaries, cost-optimization-hub:ListRecommendations | * |
| BUDGETS | budgets:DescribeBudgetAction, budgets:DescribeBudgetActionHistories, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ListTagsForResource, budgets:ViewBudget | * |
| BILLINGCONSOLE | aws-portal:GetConsoleActionSetEnforced, aws-portal:ViewAccount, aws-portal:ViewBilling, aws-portal:ViewPaymentMethods, aws-portal:ViewUsage | * |
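The 0.19.0 release note above explains why the module now creates two policies under one role: a single IAM managed policy cannot exceed 6144 characters. The script below is an added example, not code from the lacework/terraform-aws-config module, showing how a reviewer can measure a statement list the way IAM does (whitespace is not counted toward the limit), split it into as few policies as will fit, and confirm that every action keeps the read-only verb prefixes (Describe/Get/List/View/BatchGet) that an audit role should be limited to. `STATEMENTS` is a constructed subset of the audit-policy table, and the read-only verb list is an assumption chosen for this check, not something the module defines.

```python
"""Pack read-only IAM statements into managed policies that each fit the
6144-character managed-policy limit, and flag any action that is not a read.

Added example for this README, not code from the lacework/terraform-aws-config
module. STATEMENTS is a constructed subset of the audit-policy table; the
policy-document layout and the rule that whitespace does not count toward the
size limit are IAM behaviour, the limit value is the one quoted in the release
note above.
"""
import json
import re

MANAGED_POLICY_LIMIT = 6144  # IAM managed-policy size limit, whitespace excluded

# Constructed subset of the statements listed in the audit-policy table.
STATEMENTS = [
    {"sid": "GetEbsEncryptionByDefault",
     "actions": ["ec2:GetEbsEncryptionByDefault"], "resources": ["*"]},
    {"sid": "GetBucketPublicAccessBlock",
     "actions": ["s3:GetBucketPublicAccessBlock"], "resources": ["*"]},
    {"sid": "EFS",
     "actions": ["elasticfilesystem:DescribeFileSystemPolicy",
                 "elasticfilesystem:DescribeLifecycleConfiguration",
                 "elasticfilesystem:DescribeAccessPoints",
                 "elasticfilesystem:DescribeAccountPreferences",
                 "elasticfilesystem:DescribeBackupPolicy",
                 "elasticfilesystem:DescribeReplicationConfigurations",
                 "elasticfilesystem:ListTagsForResource"],
     "resources": ["*"]},
    {"sid": "EMR",
     "actions": ["elasticmapreduce:ListBootstrapActions",
                 "elasticmapreduce:ListInstanceFleets",
                 "elasticmapreduce:ListInstanceGroups"],
     "resources": ["*"]},
    {"sid": "SAGEMAKER",
     "actions": ["sagemaker:GetModelPackageGroupPolicy",
                 "sagemaker:GetLineageGroupPolicy"],
     "resources": ["*"]},
    {"sid": "APIGATEWAY",
     "actions": ["apigateway:GET"],
     "resources": ["arn:aws:apigateway:::/apikeys",
                   "arn:aws:apigateway:::/apikeys/*"]},
    {"sid": "APPSTREAM",
     "actions": ["appstream:Describe*", "appstream:List*"], "resources": ["*"]},
    {"sid": "BILLINGCONSOLE",
     "actions": ["aws-portal:GetConsoleActionSetEnforced", "aws-portal:ViewAccount",
                 "aws-portal:ViewBilling", "aws-portal:ViewPaymentMethods",
                 "aws-portal:ViewUsage"],
     "resources": ["*"]},
]

# Assumed read-only verb prefixes for this check; anything else is flagged.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|Get|List|View|BatchGet)", re.I)


def policy_document(statements):
    """Render the statements as an IAM policy document (Allow, Sid/Action/Resource)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": s["sid"], "Effect": "Allow",
             "Action": s["actions"], "Resource": s["resources"]}
            for s in statements
        ],
    }


def iam_size(document):
    """Size as IAM measures it: JSON characters with all whitespace removed."""
    return len(re.sub(r"\s", "", json.dumps(document)))


def pack_policies(statements, limit=MANAGED_POLICY_LIMIT):
    """First-fit packing in the original order: start a new policy as soon as the
    next statement would push the current document over the limit.
    Returns a list of statement lists, one per policy to create and attach."""
    policies, current = [], []
    for stmt in statements:
        if current and iam_size(policy_document(current + [stmt])) > limit:
            policies.append(current)
            current = []
        if not current and iam_size(policy_document([stmt])) > limit:
            raise ValueError(f"statement {stmt['sid']} alone exceeds {limit} characters")
        current.append(stmt)
    if current:
        policies.append(current)
    return policies


def non_read_actions(statements):
    """Actions whose verb is not a read prefix; an audit role should return none."""
    return [a for s in statements for a in s["actions"] if not READ_ONLY_ACTION.match(a)]


if __name__ == "__main__":
    for i, chunk in enumerate(pack_policies(STATEMENTS), start=1):
        print(f"policy {i}: {len(chunk)} statements, {iam_size(policy_document(chunk))} chars")
    print("non-read actions:", non_read_actions(STATEMENTS))
```

Run it against the full statement list from the table (or the rendered `aws_iam_policy_document` output) before a release: the number of lists `pack_policies` returns is the number of `aws_iam_policy` resources and attachments the role needs, and a non-empty result from `non_read_actions` is a prompt to justify why the audit role is being granted something other than read access.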
