Deploy Sysdig Secure for cloud on AWS

Review the offering description on Sysdig Secure for cloud, if needed.

Prerequisites:

A Sysdig Secure SaaS account
An AWS account and AWS services you would like to connect to Sysdig, with appropriate permissions to deploy

Deploy Using a Cloud Formation Template

Each of the features can be enabled from a single CloudFormation Template (CFT) from the AWS Console.

Note

Deploying the CFT will add the default cloud policies and rules to any existing Sysdig Secure installations.

Log in to your AWS Console and confirm that you are in the account and AWS region that you want to secure using Sysdig Secure for cloud.
Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account.
Click Launch Stack.
The AWS Console opens, at the CloudFormation > Stacks > Quick Create page. The Sysdig CloudFormation template is pre-loaded.
Confirm that you are logged in the AWS account and region where you want to deploy the Sysdig Template.
Provide a Stack name or accept the default.
Fill in the Parameters:
Sysdig Settings
- Sysdig Secure Endpoint:
  Default (US-East): https://secure.sysdig.com. If your Sysdig Secure platform is installed in another region, use that endpoint.
  US West: https://us2.app.sysdig.com/secure
  European Union: https://eu1.app.sysdig.com/secure
- Sysdig Secure API Token: These are user-based. See Retrieve the Sysdig API Token to find yours.
Modules to Deploy: Choose any or all.
- CSPM/Compliance: Deploys the CIS AWS Benchmarks in Sysdig's Compliance module.
- Threat detection using CloudTrail: Deploys everything needed to detect threats based on CloudTrail events.
- ECR Image Registry Scanning: Integrates container registry scanning for AWS ECR.
- Fargate Image Scanning: Integrates image scanning on any any container image deployed on a serverless Fargate task (in ECS).
Existing Infrastructure: Leave all three entries blank to have a cluster, VPC, and subnet created automatically. Otherwise, you can provide existing:
- ECS Cluster Name
- VPC ID
- Private subnet ID(s)
Confirm the Capabilities required to deploy:
- Check "I acknowledge that AWS CloudFormation might create IAM resources with custom names."
- Check "I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND"
Click Create Stack.
In the AWS Console, the main stack and associated substacks will show “CREATE_IN_PROGRESS”. Refresh the status to see “CREATE_COMPLETE” for all. There is a delay of 5-10 minutes for events to be sent from CloudTrail, but no event is lost.
A success message also appears in the Sysdig Secure Get Started page.

Confirm the Services are Working

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

Data Sources: Select Data Sources from the User menu to see all connected cloud accounts.
Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.
Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check Threat Detection

Policies: Check Policies > Runtime Policies and confirm that the AWS Best Practices policy is enabled. This consists of the most-frequently-recommended rules for AWS and CloudTrail. You can customize it by creating a new policy of the AWS CloudTrail type.
Events: In the Events feed, search 'cloud' to show events from AWS CloudTrail.

Check CSPM/AWS Benchmarks

Compliance: Select Compliance and see that AWS Foundations Benchmark is installed.
Review the benchmark results and confirm the account, region and date added.

Check Scanning for ECR and Fargate

Scan Results: Check Image Scanning > Scan Results and choose the Origins drop-down.
Confirm that AWS Registry and/or AWS Fargate are listed.
Filter by the desired origin and review scan results.