AWS Cloud Auditing with Sysdig Cloud Connector

Sysdig Cloud Connector, available through Sysdig Labs, leverages audit logs from AWS CloudTrail to detect security events in an AWS cloud environment. (In the future, Cloud Connector will extend into other cloud environments such as Google and Azure.) This functionality amplifies the threat detection capabilities provided by the Sysdig agent.

Out of the box, Cloud Connector with the included Falco rules is designed to detect the following threat activities:

  • Add an AWS user to a group

  • Allocate a new elastic IP address to AWS account

  • Associate an elastic IP Address to an AWS network interface

  • Attach an Administrator Policy

  • CloudTrail logging disabled

  • Create an HTTP target group without SSL

  • Create an AWS user

  • Create an internet-facing AWS public-facing load balancer

  • Deactivate MFA for user access

  • Delete bucket encryption

  • Put inline policy in a group to allow access to all resources
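As an added illustration (not Cloud Connector's own code or its bundled Falco rules), the following Python maps a handful of constructed CloudTrail records to detections from the list above, keyed on the record's `eventName` and `requestParameters` fields. The account id, trail, bucket, user and group names in the samples are made up.

```python
import json
from typing import Optional
from urllib.parse import unquote

# Constructed sample CloudTrail records (not real logs); only the fields the
# detections below need are included.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutGroupPolicy",
     "requestParameters": {"groupName": "devs", "policyName": "allow-all",
                           "policyDocument": json.dumps({"Statement": [
                               {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption",
     "requestParameters": {"bucketName": "payroll-data"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _policy_allows_everything(policy_document) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*".
    CloudTrail carries the inline policy as a (possibly URL-encoded) JSON string."""
    try:
        doc = json.loads(unquote(policy_document))
    except (TypeError, ValueError):
        return False
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:
        actions = s.get("Action", [])
        resources = s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if s.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            return True
    return False

def detect(event: dict) -> Optional[str]:
    """Return the matching detection name for one CloudTrail record, or None."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "StopLogging":
        return "CloudTrail logging disabled"
    if name in ("AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy") \
            and params.get("policyArn") == ADMIN_POLICY_ARN:
        return "Attach an Administrator Policy"
    if name == "PutGroupPolicy" and _policy_allows_everything(params.get("policyDocument")):
        return "Put inline policy in a group to allow access to all resources"
    if name == "DeleteBucketEncryption":
        return "Delete bucket encryption"
    if name == "DeactivateMFADevice":
        return "Deactivate MFA for user access"
    if name == "AddUserToGroup":
        return "Add an AWS user to a group"
    return None

def scan(events):
    """Run detect() over a batch of records; returns (eventName, detection) pairs."""
    return [(e["eventName"], d) for e in events if (d := detect(e))]
```

Running `scan(SAMPLE_EVENTS)` flags the first four records and ignores the ReadOnlyAccess attachment, which is the distinction the "Attach an Administrator Policy" detection relies on.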

Contact your Sysdig account manager for access to this feature in Sysdig Labs.

The documentation describes how to install and configure Cloud Connector and provides a listing of the CloudTrail and Kubernetes rules that are bundled.

The blog describes the technical details, architecture, and philosophy behind Cloud Connector and AWS threat detection.