Deploy Sysdig Secure for cloud on AWS
Review the offering description on Sysdig Secure for cloud, if needed.
Prerequisites:
A Sysdig Secure SaaS account
An AWS account and AWS services you would like to connect to Sysdig, with appropriate permissions to deploy
Deploy Using a Cloud Formation Template
Each of the features can be enabled from a single CloudFormation Template (CFT) from the AWS Console.
Note: Deploying the CFT will add the default cloud policies and rules to any existing Sysdig Secure installations.
Log in to your AWS Console and confirm that you are in the account and AWS region that you want to secure using Sysdig Secure for cloud.
Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account.
Click Launch Stack. The AWS Console opens at the CloudFormation > Stacks > Quick Create page, with the Sysdig CloudFormation template pre-loaded. Confirm that you are logged in to the AWS account and region where you want to deploy the Sysdig template.
Provide a Stack name or accept the default.
Fill in the Parameters:
Sysdig Settings:
Sysdig Secure Endpoint: Default (US-East): https://secure.sysdig.com. If your Sysdig Secure platform is installed in another region, use that region's endpoint instead:
US West: https://us2.app.sysdig.com/secure
European Union: https://eu1.app.sysdig.com/secure
Sysdig Secure API Token: These are user-based. See Retrieve the Sysdig API Token to find yours.
Modules to Deploy: Choose any or all.
CSPM/Compliance: Deploys the CIS AWS Benchmarks in Sysdig's Compliance module.
Threat detection using CloudTrail: Deploys everything needed to detect threats based on CloudTrail events.
ECR Image Registry Scanning: Integrates container registry scanning for AWS ECR.
Fargate Image Scanning: Integrates image scanning on any container image deployed on a serverless Fargate task (in ECS).
Existing Infrastructure: Leave all three entries blank to have a cluster, VPC, and subnet created automatically. Otherwise, provide an existing:
ECS Cluster Name
VPC ID
Private subnet ID(s)
Confirm the Capabilities required to deploy:
Check "I acknowledge that AWS CloudFormation might create IAM resources with custom names."
Check "I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND"
Click Create Stack.
In the AWS Console, the main stack and associated substacks will show “CREATE_IN_PROGRESS”. Refresh the status to see “CREATE_COMPLETE” for all. There is a delay of 5-10 minutes for events to be sent from CloudTrail, but no event is lost.
A success message also appears in the Sysdig Secure Get Started page.
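For the status check in the previous step, the following is an added example (not from the Sysdig documentation or the Sysdig template) that folds the output of `aws cloudformation describe-stacks` for the main stack and its nested substacks into one result, so a failed or rolled-back substack and its reason are surfaced instead of being found by repeated refreshing. The JSON sample is constructed, and the stack names, IDs and account number are placeholders.

```python
import json

# Constructed sample of `aws cloudformation describe-stacks` output:
# the main stack plus two nested substacks. Nested stacks carry RootId /
# ParentId fields pointing at the main stack. All names and IDs are placeholders.
ROOT_ID = "arn:aws:cloudformation:us-east-1:111111111111:stack/sysdig-secure-for-cloud/root-id"
SAMPLE_DESCRIBE_STACKS = json.dumps({
    "Stacks": [
        {"StackName": "sysdig-secure-for-cloud",
         "StackId": ROOT_ID,
         "StackStatus": "CREATE_IN_PROGRESS"},
        {"StackName": "sysdig-secure-for-cloud-CloudTrailStack-ABC",
         "StackId": ROOT_ID.replace("root-id", "child-1"),
         "RootId": ROOT_ID, "ParentId": ROOT_ID,
         "StackStatus": "CREATE_COMPLETE"},
        {"StackName": "sysdig-secure-for-cloud-ScanningStack-XYZ",
         "StackId": ROOT_ID.replace("root-id", "child-2"),
         "RootId": ROOT_ID, "ParentId": ROOT_ID,
         "StackStatus": "CREATE_FAILED",
         "StackStatusReason": "Resource creation cancelled"},
    ]
})

FAILURE_TOKENS = ("FAILED", "ROLLBACK")  # any rollback means the deployment did not succeed


def stack_tree(describe_output: str, root_name: str) -> list:
    """Return the root stack followed by every nested stack whose RootId is the root."""
    stacks = json.loads(describe_output)["Stacks"]
    root = next(s for s in stacks if s["StackName"] == root_name)
    nested = [s for s in stacks if s.get("RootId") == root["StackId"]]
    return [root, *nested]


def rollup(describe_output: str, root_name: str) -> dict:
    """Summarise a deployment across main stack and substacks.

    state is "failed" if any stack failed or rolled back, "in_progress" if any
    stack is still working, and "complete" only when every stack has finished.
    """
    tree = stack_tree(describe_output, root_name)
    failed = [(s["StackName"], s.get("StackStatusReason", "")) for s in tree
              if any(tok in s["StackStatus"] for tok in FAILURE_TOKENS)]
    pending = [s["StackName"] for s in tree if s["StackStatus"].endswith("_IN_PROGRESS")]
    state = "failed" if failed else ("in_progress" if pending else "complete")
    return {"state": state, "failed": failed, "pending": pending}


if __name__ == "__main__":
    print(rollup(SAMPLE_DESCRIBE_STACKS, "sysdig-secure-for-cloud"))
```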
Confirm the Services are Working
Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.
Check Overall Connection Status
Data Sources: Select Data Sources from the User menu to see all connected cloud accounts.
Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.
Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.
Check Threat Detection
Policies: Check Policies > Runtime Policies and confirm that the AWS Best Practices policy is enabled. This consists of the most frequently recommended rules for AWS and CloudTrail. You can customize it by creating a new policy of the AWS CloudTrail type.
Events: In the Events feed, search 'cloud' to show events from AWS CloudTrail.
Check CSPM/AWS Benchmarks
Compliance: Select Compliance and see that AWS Foundations Benchmark is installed. Review the benchmark results and confirm the account, region and date added.
Check Scanning for ECR and Fargate
Scan Results: Check Image Scanning > Scan Results and choose the Origins drop-down. Confirm that AWS Registry and/or AWS Fargate are listed. Filter by the desired origin and review the scan results.