terraform-aws-alerts-to-s3

A Terraform Module to pipe alerts from Lacework via AWS Eventbridge to an AWS S3 bucket with Lacework.

What does this do?

Creates resources in AWS and Lacework to pipe alerts from Lacework via AWS Eventbridge to an AWS S3 bucket.

The flows goes as so:

Lacework -> AWS Eventbridge -> AWS SQS -> AWS Lambda function -> AWS S3 bucket

The terraform module will create the following in your AWS account

1. AWS EventBridge Event Bus
2. AWS EventBridge Event Rule
3. AWS SQS Queue
4. AWS IAM role for Lambda function
5. AWS Lambda function to move JSON from SQS to S3
6. AWS S3 bucket to store the Alert JSON
7. Lacework event bridge alert channel

NOTE: You still need to attach a Lacework alert rule to the alert channel to route alerts to the channel.

Prequisites

Install the Lacework CLI, create an API Key and configure the CLI with the API key. Install the AWS CLI and configure a profile.

Requirements

Name	Version
aws	>= 3.0
lacework	~> 2.0

Providers

Name	Version
aws	>= 3.0
lacework	~> 2.0

Modules

No modules.

Resources

Name	Type
aws_cloudwatch_event_bus.lacework_alerts_eventbridge_event_bus	resource
aws_cloudwatch_event_bus_policy.lacework_event_bus_policy	resource
aws_cloudwatch_event_rule.lacework_alerts_eventbridge_event_rule	resource
aws_cloudwatch_event_target.sqs	resource
aws_iam_policy.lacework_alerts_lambda_execution_policy	resource
aws_iam_role.lacework_alerts_lambda_execution_role	resource
aws_iam_role_policy_attachment.lambda-role-policy-attach	resource
aws_lambda_event_source_mapping.lacework-alerts-sqs-to-lambda	resource
aws_lambda_function.lacework_sqs_to_s3	resource
aws_s3_bucket.lacework_alerts_bucket	resource
aws_s3_bucket_acl.example	resource
aws_s3_bucket_ownership_controls.alerts_bucket_ownership_controls	resource
aws_s3_bucket_public_access_block.alerts_bucket_access	resource
aws_sqs_queue.lacework_alerts_queue	resource
aws_sqs_queue_policy.lacework_alerts_queue_policy	resource
lacework_alert_channel_aws_cloudwatch.all_events	resource
aws_iam_policy_document.lacework_event_bus_policy_document	data source

Inputs

Name	Description	Type	Default	Required
aws_eventbridge_event_bus_name	The name of the AWS EventBridge to be created	string	"Lacework_Alerts_Event_Bus"	no
aws_eventbridge_event_rule_name	The name of the AWS EventBridge rule to be created	string	"Lacework_Alerts_Event_Rule"	no
aws_s3_bucket_name	The name of the S3 bucket to be created	string	n/a	yes
aws_sqs_queue_name	The name of the SQS queue to be created	string	"Lacework_Alerts_SQS_Queue_Name"	no
lacework_eventbridge_alert_channel_name	The name of the Lacework alert channel to be created	string	"Alerts to AWS S3 via EventBridge"	no
lacework_profile	The Lacework CLI profile to be used to authenticate with Lacework	string	"default"	no

Outputs

No outputs.

Manual install

1. Create an event bridge integration
2. Create a new Lambda function based on the hello-world blueprint. Copy the code from index.js into the new function
3. Edit the SQS Access Policy to enable the Lambda execution role to access it

{
    "Sid": "__receiver_statement",
    "Effect": "Allow",
    "Principal": {
    "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/service-role/<LAMBDA_EXECUTION_ROLE_NAME>"
    },
    "Action": [
    "SQS:ChangeMessageVisibility",
    "SQS:DeleteMessage",
    "SQS:ReceiveMessage",
    "SQS:GetQueueAttributes"
    ],
    "Resource": "arn:aws:sqs:<YOUR_AWS_REGION>:<AWS_ACCOUNT_ID>:<SQS_QUEUE_NAME>"
}

4. Create a new S3 bucket where alerts will be sent.
5. In IAM add an inline policy to the Lambda execution role allowing it to write to S3 bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleStmt",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/*"
            ]
        }
    ]
}