Sysdig Secure for cloud

Sysdig Secure for cloud is the software that connects Sysdig Secure features to your cloud environments to provide unified threat detection, compliance, forensics, and analysis.

Because modern cloud applications are no longer just virtualized compute resources, but a superset of cloud services on which businesses depend, controlling the security of your cloud accounts is essential. Errors can expose an organization to risks that could bring resources down, infiltrate workloads, exfiltrate secrets, create unseen assets, or otherwise compromise the business or reputation. As the number of cloud services and configurations available grows exponentially, using a cloud security platform protects against having an unseen misconfiguration turn into a serious security issue.

Multiple Installation Options

At this time, Sysdig Secure for cloud is available on AWS using either:

  • An AWS CloudFormation Template (CFT): This option provides all four cloud features (threat detection, CSPM benchmarks, and image and container registry scanning), or

  • Terraform files: for two types of AWS account

    • Organizational/management account: This is the account that you use to create the organization in AWS. Organizational accounts create and contain member accounts.

      At this time, only threat detection is available for organizational/management accounts.

    • Single/member account: Each of these is a stand-alone account which can be a member of only one organization at a time.

      At this time, threat detection, CSPM benchmarks, and image and container registry scanning are all available for single accounts.

About Sysdig Secure for cloud on AWS

On AWS, Sysdig Secure for cloud offers a range of features which can be deployed together or separately from a single CloudFormation Template:

  • Threat detection based on auditing CloudTrail events

  • Cloud Security Posture Management (CSPM) in the form of CIS AWS Benchmark compliance evaluations

  • Container registry scanning for ECR

  • Image scanning for Fargate on ECS

Threat Detection Based on CloudTrail

Threat Detection leverages audit logs from AWS CloudTrail plus Falco rules to detect threats as soon as they occur and bring governance, compliance, and risk auditing for your cloud accounts.

A rich set of Falco rules, an AWS Best Practices default policy, and an AWS CloudTrail policy type for creating customized policies are included. These correspond to security standards and benchmarks such as NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, CIS AWS, and AWS Foundational Security Best Practices.
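To make the CloudTrail-based detection described above concrete, here is an added, self-contained Python illustration (not Sysdig's code and not Falco rule syntax) that evaluates constructed CloudTrail records against two simple rules: trail logging being disabled, and a console login without MFA. The account id, ARNs and IP addresses are placeholders.

```python
import json

# Constructed sample CloudTrail records (placeholder account id, ARNs and IPs).
SAMPLE_RECORDS = [
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1",
     "requestParameters": {"name": "management-trail"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.9", "awsRegion": "us-east-1",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

# Hypothetical rules in the spirit of a Falco policy: a name, a priority and a
# condition over one CloudTrail record. Field names are standard CloudTrail ones.
RULES = [
    {"rule": "CloudTrail logging disabled", "priority": "WARNING",
     "condition": lambda r: (r.get("eventSource") == "cloudtrail.amazonaws.com"
                             and r.get("eventName") in ("StopLogging", "DeleteTrail"))},
    {"rule": "Console login without MFA", "priority": "WARNING",
     "condition": lambda r: (r.get("eventName") == "ConsoleLogin"
                             and r.get("additionalEventData", {}).get("MFAUsed") == "No"
                             and r.get("responseElements", {}).get("ConsoleLogin") == "Success")},
]


def evaluate(records):
    """Return one finding per (record, rule) match, with the fields an analyst needs."""
    findings = []
    for rec in records:
        for rule in RULES:
            if rule["condition"](rec):
                findings.append({
                    "rule": rule["rule"], "priority": rule["priority"],
                    "event": rec.get("eventName"),
                    "user": rec.get("userIdentity", {}).get("arn", "unknown"),
                    "source_ip": rec.get("sourceIPAddress"),
                    "region": rec.get("awsRegion"),
                })
    return findings


def load_cloudtrail_file(text):
    """CloudTrail log files are JSON objects with a top-level 'Records' list."""
    return json.loads(text).get("Records", [])


if __name__ == "__main__":
    for f in evaluate(SAMPLE_RECORDS):
        print(f"{f['priority']} {f['rule']}: {f['event']} by {f['user']} from {f['source_ip']} ({f['region']})")
```

Real deployments should read the gzipped files CloudTrail delivers to S3 (or an event stream) and keep rule definitions outside the code so they can be tuned per account.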

CSPM/Compliance with CIS AWS Benchmarks

A new cloud compliance standard, CIS AWS Benchmark, has been added to the Sysdig compliance feature. This assessment is based on an open-source engine, Cloud Custodian, and is an initial release of the Sysdig Cloud Security Posture Management (CSPM) engine. This first Sysdig cloud compliance standard will be followed by additional security compliance and regulatory standards for GCP, IBM Cloud and Azure.

The CIS AWS Benchmarks assessment evaluates your AWS services against the benchmark requirements and returns the results and remediation activities you need to fix misconfigurations in your cloud environment. We’ve also included several UI improvements to provide additional details such as control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based when available.

ECR Registry Scanning

ECR Registry Scanning automatically scans all container images pushed to all your Elastic Container Registries, so you have a vulnerability report available in your Sysdig Secure dashboard at all times, without having to set up any additional pipeline.

An ephemeral CodeBuild pipeline is created each time a new image is pushed, which executes an inline scan based on your defined scan policies. Default policies cover vulnerabilities and dockerfile best practices, and you can define advanced rules yourself.

Fargate Image Scanning on ECS

Fargate Image Scanning automatically scans any container image deployed on a serverless Fargate task that runs on Elastic Container Service. This includes public images that live in registries other than ECR, as well as private ones for which you set the credentials.

An ephemeral CodeBuild pipeline is automatically created when a container is deployed on ECS Fargate to execute the inline scan.

Cloud Account Limits

Currently, the Enterprise version of Sysdig Secure for cloud can audit a maximum of 50 cloud accounts.

If this limit needs to be increased, please contact your account team. If you exceed the license purchased, Sysdig will not block cloud connection or stop the service and the account team will reach out to you.

Last modified September 11, 2021: Update generated docs (d3abcd9b)