Integrate with AWS Role Delegation

This section describes how to:

  • configure Sysdig Monitor to utilize the Amazon Web Services (AWS) AssumeRole functionality

  • authorize Sysdig Monitor to:

    • discover cloud assets
    • grab CloudWatch metrics from your AWS account
    • utilize custom Simple Storage Service (S3) buckets for storing captures

Upon integrating with an AWS role, you can delegate access to AWS resources that are not associated with your Sysdig AWS account.

Setting up cross-account access through roles eliminates the need to create individual Identity Access Management (IAM) users in each account. In addition, users don’t have to sign out of one account and sign in to another in order to access resources in different AWS accounts.

Role delegation is an alternative to the existing integration method of using access keys. This method is considered more secure because Amazon does not recommend sharing developer access keys with third parties.

Prerequisites and Guidelines

This topic assumes that you are familiar with AWS and have the following ready:

  • Sysdig Monitor API Token

  • External ID

  • API endpoint. In this topic, it is referred to as {{host}}

  • Administrator privileges to configure AWS integration

  • API client. Examples in this topic use curl

  • AWS account ID

    • SaaS: The default AWS account ID is 273107874544 (US East region). For other regions, check AWS account IDs.

    • On-Prem: Customer-specific.

Enable AWS Role Delegation with API

This section describes how to enable AWS role delegation using an API with an Amazon Resource Name (ARN).

Instructions for SaaS

  1. Get Your External ID.

  2. Configure Role Delegation.

  3. Get Role ARN.

  4. Add the AWS Account.

Instructions for On-Prem

  1. Get Your External ID.

  2. Configure Role Delegation.

  3. Get Role ARN.

  4. Add the AWS Account.

  5. Follow Additional Configuration for On-Prem.

Get Your External ID

Retrieve your external ID as follows:

curl -k --request GET \
  --url {{host}}/api/users/me \
  --header 'authorization: Bearer e71d7c0f-501e-47d4-a159-39da8b716f44' | jq '.[] | .customer | .externalId'

An example External ID from the response will be 04acdd59-4c98-4d11-8ee5-424326248161.

Configure Role Delegation

Integrating the Sysdig Platform with Amazon Web Services requires configuring role delegation using AWS IAM.

  1. Create a new role in the AWS IAM Console:

    1. For the role type, select Another AWS account.

    2. (SaaS) Enter the Sysdig account ID for Account ID.

      This means that you are granting read-only access to your AWS data.

    3. Select Require external ID and enter the one you retrieved in the previous step. Leave Multi-Factor Authentication (MFA) disabled.

  2. Click Next: Permissions.

  3. Create the following policies:

    • sysdig_cloudwatch: Grants permission to list and describe the supported AWS resources and to get CloudWatch metrics for them.

    • sysdig_s3: Defines the bucket name where you wish to store the captures.

      For more information on policies, see IAM Policy Code to Use.

    For detailed instructions on how to create a policy, see Integrate AWS Account Manually.

    1. If a policy has already been created, search for it on this page and select it, then skip to the next step. Otherwise, click Create Policy, which opens in a new window.

    2. Click Review policy.

    3. Name the policy and provide an apt description, for example, “sysdig_cloudwatch”.

    4. Click Create Policy.

      You can now close this window.

  4. In the Create role window, refresh the list of policies and select the policies you just created.

  5. Click Next: Review.

  6. Give the role a name and an apt description, for example, “sysdig_role”.

  7. Click Create Role.
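The console steps above produce a role trust policy with an account principal and an external ID condition. As an added example that is not part of the Sysdig documentation, the following Python builds that trust policy and audits an existing one for the two properties the procedure depends on: only the expected Sysdig account is trusted, and the external ID is required. It uses the page's SaaS default account ID and example external ID as sample values.

```python
# Added example (not from the Sysdig documentation): builds the trust policy that the
# console steps above produce and audits a trust policy for the settings that matter.
# 273107874544 is the page's SaaS default account ID (US East); the external ID is the
# page's example value. Both are sample inputs here, not values to hard-code in production.
SYSDIG_ACCOUNT_ID = "273107874544"
EXTERNAL_ID = "04acdd59-4c98-4d11-8ee5-424326248161"


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Equivalent of 'Another AWS account' + 'Require external ID' in the IAM console."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return findings for Allow statements that let anyone other than the expected
    account assume the role, or that omit the sts:ExternalId condition."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM accepts a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append(f"statement {i}: wildcard principal can assume the role")
        for p in aws:
            if p != "*" and expected_account_id not in p:
                findings.append(f"statement {i}: unexpected principal {p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused deputy risk)")
    return findings
```

Run the audit against the trust policy shown on the role's Trust relationships tab after step 7 to confirm the external ID requirement was saved.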

Get Role ARN

  1. Select Roles > sysdig_role.

  2. Copy Role ARN.

Add the AWS Account

Using the role that you have created, add an AWS account on the Sysdig Monitor side. Use the following API call:

curl --request POST \
  --url {{host}}/api/providers \
  --header 'authorization: Bearer e71d7c0f-501e-47d4-a159-39da8b716f44' \
  --header 'content-type: application/json' \
  --data '{"name": "aws","credentials": {"role": "<Role_ARN>"},"alias": "role_delegation"}'

Replace <Role_ARN> with the one that you have copied in the previous section.

The response lists all the providers. An example response is given below:

{
  "provider": {
    "id": 7,
    "name": "aws",
    "credentials": {
      "id": "role_delegation",
      "role": "arn:aws:iam::485365068658:role/sysdig-access3"
    },
    "tags": [],
    "status": {
      "status": "configured",
      "lastUpdate": null,
      "percentage": 0,
      "lastProviderMessages": []
    },
    "alias": "role_delegation"
  }
}

Verify that the role delegation has been created:

  1. Log in to Sysdig Monitor as an administrator.

  2. Do one of the following:

    • Select Integrations > AWS CloudWatch.

    • From the user menu, select Settings > AWS.

    The role that you created will be added to the list of AWS Accounts.

  3. Proceed to enable CloudWatch and the AWS S3 bucket.

    See AWS: Integrate AWS Account and CloudWatch Metrics (Legacy) for more information.

Additional Configuration for On-Prem

  1. Create an AWS user that will be used to fetch temporary credentials.

  2. Assign a policy to the user to allow AssumeRole. For example:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::{ACCOUNT-ID}:role/{ROLE_NAME}*"
      }
    }
    
  3. Make the access keys available through one of the following sources:

    • Environment variables

    • Java system properties

    • Instance profile credentials delivered through the Amazon EC2 metadata service.

      The EC2 metadata service is recommended if the installation runs on AWS.

Example: Set Environment Variables on a Kubernetes Installation

  1. Create Secret:

    apiVersion: v1
    kind: Secret
    metadata:
      name: aws-credentials
    type: Opaque
    data:
      aws.accessKey: {{BASE64_ENCODED_ACCESS_KEY_ID}}
      aws.secretKey: {{BASE64_ENCODED_ACCESS_KEY_SECRET}}
    
  2. Expose variables in deployment descriptors (sysdigcloud-collector, sysdigcloud-worker, sysdigcloud-api) and reference values in the newly created Secret:

    - name: AWS_ACCESS_KEY_ID
      valueFrom:
        secretKeyRef:
          name: aws-credentials
          key: aws.accessKey
    - name: AWS_SECRET_ACCESS_KEY
      valueFrom:
        secretKeyRef:
          name: aws-credentials
          key: aws.secretKey
    

    Add the variables to the descriptors after each platform update until they are included in the installer.

Set Up Resource Discovery

The supported AWS services are EC2, RDS, Elastic Load Balancer (ELB), ElastiCache, Simple Queue Service (SQS), DynamoDB, and Application Load Balancer (ALB).

By default, all resources are fetched for all regions supported by AWS. You can avoid this by whitelisting regions when creating a provider key via the API. Note that additionalOptions is passed as a JSON-encoded string. Example body of the provider key request when whitelisting regions:

{
    "name": "aws",
    "credentials": {
        "role": "arn:aws:iam::676966947806:role/test-assume-role"
    },
    "additionalOptions": "{\"regions\":[\"US_EAST_1\",\"US_EAST_2\"]}"
}

Enable AWS Role Delegation with UI

Use the AWS option in the Settings menu to configure AWS role delegation.

  1. Log in to Sysdig Monitor as an administrator.

  2. Do one of the following:

    • Select Integrations > AWS CloudWatch.

    • From the user menu, select Settings > AWS.

      The AWS Account page is displayed.

  3. Click Add Accounts.

    The Identity Authentication page opens to the Role Delegation tab.

  4. Specify the following:

    • Role ARN: The Role ARN associated with the role you have created for role delegation. The ID is available on the summary page of the role on the AWS console. For more information, see Integrate with AWS Role Delegation.

    • AWS External ID: Ensure that AWS External ID is displayed on the page.

  5. Click Save.