
CLI Reference

lacework preflight aws

Run preflight checks against an AWS account

Synopsis

Run preflight checks against an AWS account to verify that the calling principal holds the permissions required by the selected Lacework integrations. Credentials are resolved through the standard AWS SDK chain (environment variables, shared config and credentials files, EC2 instance profile) unless you pass --profile or an explicit --access-key-id/--secret-access-key pair (add --session-token when those are temporary credentials).

At least one integration flag must be set: --agentless, --config, --cloudtrail, or --eks-audit-log.

By default, the caller's identity-based policies are fetched and inspected locally. Pass --simulate to evaluate each required action through IAM SimulatePrincipalPolicy instead; the simulator also applies the caller's permissions boundary and any AWS Organizations service control policies (SCPs) that carry no conditions, none of which a local policy walk can see. Two limits apply. First, the simulator skips SCPs that contain a Condition element and does not evaluate resource control policies (RCPs) at all. Second, no condition keys (for example aws:SourceIp, aws:MultiFactorAuthPresent or aws:PrincipalTag/*) are supplied with the request, so a policy that grants access only when such a condition holds is reported as denied even though the real call would succeed in production; the reverse also applies, since a Deny that depends on one of those keys cannot fire without them. The simulator call itself requires iam:SimulatePrincipalPolicy on the caller, so a principal that lacks it will not get a result from --simulate.

lacework preflight aws [flags]
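To make the --simulate behaviour concrete, the following added example (not code from the Lacework CLI) drives IAM SimulatePrincipalPolicy for a set of required actions and triages the EvaluationResults the way a preflight check would: hard denials caused by an SCP, a permissions boundary or simply no matching Allow are separated from denials that exist only because a condition key was not supplied to the simulator. The action list is hypothetical (the actions each Lacework integration really needs are defined by the CLI), the sample response is constructed to match the API's shape so the triage runs offline, and the live path assumes boto3 and credentials with iam:SimulatePrincipalPolicy.

```python
# Added example, not part of the Lacework CLI: triage IAM SimulatePrincipalPolicy
# results for a preflight check, surfacing condition-key-dependent denials.
from dataclasses import dataclass, field

# Hypothetical action list. The actions each Lacework integration really needs
# are defined by the CLI, not here.
REQUIRED_ACTIONS = [
    "cloudtrail:DescribeTrails",
    "s3:GetObject",
    "sqs:ReceiveMessage",
]


@dataclass
class Finding:
    action: str
    decision: str  # allowed | denied | denied_context_dependent
    blocked_by: list = field(default_factory=list)  # "scp", "permissions_boundary"
    missing_context: list = field(default_factory=list)


def triage(evaluation_results):
    """Classify SimulatePrincipalPolicy EvaluationResults entries.

    EvalDecision is one of allowed / explicitDeny / implicitDeny. A denial whose
    MissingContextValues is non-empty and that was not blocked by an SCP or a
    permissions boundary is reported as context-dependent: the request may well
    succeed in production once the real condition keys are present.
    """
    findings = []
    for r in evaluation_results:
        blocked_by = []
        org = r.get("OrganizationsDecisionDetail", {})
        if org.get("AllowedByOrganizations") is False:
            blocked_by.append("scp")
        boundary = r.get("PermissionsBoundaryDecisionDetail", {})
        if boundary.get("AllowedByPermissionsBoundary") is False:
            blocked_by.append("permissions_boundary")
        missing = list(r.get("MissingContextValues", []))

        if r["EvalDecision"] == "allowed":
            decision = "allowed"
        elif missing and not blocked_by:
            decision = "denied_context_dependent"
        else:
            decision = "denied"
        findings.append(Finding(r["EvalActionName"], decision, blocked_by, missing))
    return findings


def summarize(findings):
    """Counts by decision; a preflight would fail on any hard denial."""
    counts = {"allowed": 0, "denied": 0, "denied_context_dependent": 0}
    for f in findings:
        counts[f.decision] += 1
    return counts


def context_entries(values):
    """Build ContextEntries so a second simulation can supply the keys that were
    missing, e.g. {"aws:MultiFactorAuthPresent": ("boolean", ["true"])}."""
    return [
        {"ContextKeyName": key, "ContextKeyType": ctype, "ContextKeyValues": vals}
        for key, (ctype, vals) in values.items()
    ]


def simulate(principal_arn, actions, context=None, client=None):
    """Live path (needs credentials and iam:SimulatePrincipalPolicy). Paginated,
    because a long action list spans several result pages."""
    import boto3  # imported here so the offline parts run without it

    client = client or boto3.client("iam")
    kwargs = {"PolicySourceArn": principal_arn, "ActionNames": actions}
    if context:
        kwargs["ContextEntries"] = context_entries(context)
    results = []
    for page in client.get_paginator("simulate_principal_policy").paginate(**kwargs):
        results.extend(page["EvaluationResults"])
    return triage(results)


# Constructed response, shaped like the API output, so the triage runs offline.
SAMPLE_RESULTS = [
    {"EvalActionName": "cloudtrail:DescribeTrails", "EvalDecision": "allowed",
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": True}},
    {"EvalActionName": "s3:GetObject", "EvalDecision": "implicitDeny",
     "MissingContextValues": ["aws:MultiFactorAuthPresent"],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": True}},
    {"EvalActionName": "sqs:ReceiveMessage", "EvalDecision": "implicitDeny",
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": False}},
]

if __name__ == "__main__":
    findings = triage(SAMPLE_RESULTS)
    for f in findings:
        print(f"{f.action:<28} {f.decision:<26} "
              f"blocked_by={f.blocked_by} missing={f.missing_context}")
    print(summarize(findings))
```

A context-dependent denial is the case the synopsis warns about: re-run `simulate(..., context={"aws:MultiFactorAuthPresent": ("boolean", ["true"])})` with the values the production caller will actually carry before treating it as a real gap, and treat an SCP or permissions-boundary block as something the account owner, not the integration's IAM policy, has to fix.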

Options

      --access-key-id string       AWS access key ID (paired with --secret-access-key)
      --agentless                  check permissions for the Agentless integration
      --cloudtrail                 check permissions for the CloudTrail integration
      --config                     check permissions for the Config integration
      --eks-audit-log              check permissions for the EKS Audit Log integration
  -h, --help                       help for aws
      --is-org                     treat the account as an AWS Organizations management account
      --profile string             AWS shared config profile to load credentials from
      --region string              AWS region to use for API calls
      --secret-access-key string   AWS secret access key (paired with --access-key-id)
      --session-token string       AWS session token for temporary credentials
      --simulate                   use IAM SimulatePrincipalPolicy (covers permissions boundaries and unconditional SCPs)

Options inherited from parent commands

  -a, --account string      account subdomain of URL (i.e. <ACCOUNT>.lacework.net)
  -k, --api_key string      access key id
  -s, --api_secret string   secret access key
      --api_token string    access token (replaces the use of api_key and api_secret)
      --debug               turn on debug logging
      --json                switch commands output from human-readable to json format
      --nocache             turn off caching
      --nocolor             turn off colors
      --noninteractive      turn off interactive mode (disable spinners, prompts, etc.)
      --organization        access organization level data sets (org admins only)
      --subaccount string   sub-account name inside your organization (org admins only)
