    Sysdig Secure for cloud

    Sysdig Secure for cloud is the software that connects Sysdig Secure features to your cloud environments to provide unified threat detection, compliance, forensics, and analysis.

    Because modern cloud applications are no longer just virtualized compute resources, but a superset of cloud services on which businesses depend, controlling the security of your cloud accounts is essential. Errors can expose an organization to risks that could bring resources down, infiltrate workloads, exfiltrate secrets, create unseen assets, or otherwise compromise the business or reputation. As the number of cloud services and configurations available grows exponentially, using a cloud security platform protects against having an unseen misconfiguration turn into a serious security issue.

    Multiple Installation Options

    At this time, Sysdig Secure for cloud is available on AWS using either:

    • An AWS CloudFormation Template (CFT): This option provides all four cloud features (threat detection, CSPM benchmarks, ECR container registry scanning, and Fargate image scanning), or

    • Terraform files: for two types of AWS account

      • Organizational/management account: This is the account that you use to create the organization in AWS. Organizational accounts create and contain member accounts.

        At this time, only threat detection is available for organizational/management accounts.

      • Single/member account: Each of these is a stand-alone account which can be a member of only one organization at a time.

        At this time, threat detection, CSPM benchmarks, and image and container registry scanning are all available for single accounts.

    About Sysdig Secure for cloud on AWS

    On AWS, Sysdig Secure for cloud offers a range of features which can be deployed together or separately from a single CloudFormation Template.

    • Threat detection based on auditing CloudTrail events

    • Compliance Security Posture Management (CSPM) in the form of CIS AWS Benchmark compliance evaluations

    • Container registry scanning for ECR

    • Image scanning for Fargate on ECS

    Threat Detection Based on CloudTrail

    Threat Detection leverages audit logs from AWS CloudTrail plus Falco rules to detect threats as soon as they occur and bring governance, compliance, and risk auditing for your cloud accounts.

    A rich set of Falco rules, an AWS Best Practices default policy, and an AWS CloudTrail policy type for creating customized policies are included. These correspond to security standards and benchmarks such as NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, CIS AWS, and AWS Foundational Security Best Practices.
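    To make the CloudTrail-plus-rules detection model concrete, the following added example (not Sysdig's or Falco's code) runs three illustrative Falco-style rules over a constructed CloudTrail log file. The record fields (eventSource, eventName, userIdentity.arn, errorCode, additionalEventData.MFAUsed) are standard CloudTrail fields; the rule names, conditions and sample account data are assumptions made for the example.

```python
import json

# Constructed CloudTrail log file in the shape CloudTrail writes to S3
# ({"Records": [...]}); account id, ARNs and IPs are placeholders, not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "sourceIPAddress": "10.0.1.5"},
]})

def succeeded(rec):
    # CloudTrail sets errorCode only when the API call was rejected, so a
    # denied attempt must not be reported as a completed change.
    return "errorCode" not in rec

# Illustrative rules of the kind a CloudTrail policy holds (assumed, not Sysdig's
# rule text): (name, priority, condition over one CloudTrail record).
RULES = [
    ("CloudTrail Logging Disabled", "WARNING",
     lambda r: r["eventSource"] == "cloudtrail.amazonaws.com"
     and r["eventName"] in ("StopLogging", "DeleteTrail") and succeeded(r)),
    ("Console Login Without MFA", "CRITICAL",
     lambda r: r["eventName"] == "ConsoleLogin"
     and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
     and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    ("S3 Public Access Block Deleted", "WARNING",
     lambda r: r["eventName"] == "DeleteBucketPublicAccessBlock" and succeeded(r)),
]

def evaluate(log_text, rules=RULES):
    """Run every rule over every record; return one alert dict per match."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        for name, priority, cond in rules:
            if cond(rec):
                alerts.append({"rule": name, "priority": priority,
                               "event": rec["eventName"],
                               "user": rec["userIdentity"]["arn"],
                               "source_ip": rec["sourceIPAddress"]})
    return alerts
```

    Running evaluate(SAMPLE_LOG) yields two alerts: the successful StopLogging call and the console login without MFA; the denied DeleteBucketPublicAccessBlock call is correctly skipped.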

    CSPM/Compliance with CIS AWS Benchmarks

    A new cloud compliance standard has been added to the Sysdig compliance feature: CIS AWS Benchmark. This assessment is based on an open-source engine, Cloud Custodian, and is the initial release of the Sysdig Cloud Security Posture Management (CSPM) engine. This first Sysdig cloud compliance standard will be followed by additional security compliance and regulatory standards for GCP, IBM Cloud and Azure.

    The CIS AWS Benchmarks assessment evaluates your AWS services against the benchmark requirements and returns the results and remediation activities you need to fix misconfigurations in your cloud environment. We’ve also included several UI improvements to provide additional details such as: control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based when available.

    ECR Registry Scanning

    ECR Registry Scanning automatically scans all container images pushed to all your Elastic Container Registries, so you have a vulnerability report available in your Sysdig Secure dashboard at all times, without having to set up any additional pipeline.

    An ephemeral CodeBuild pipeline is created each time a new image is pushed, which executes an inline scan based on your defined scan policies. Default policies cover vulnerabilities and dockerfile best practices, and you can define advanced rules yourself.

    Fargate Image Scanning on ECS

    Fargate Image Scanning automatically scans any container image deployed on a serverless Fargate task that runs on Elastic Container Service. This includes public images that live in registries other than ECR, as well as private ones for which you set the credentials.

    An ephemeral CodeBuild pipeline is automatically created when a container is deployed on ECS Fargate to execute the inline scan.

    Cloud Account Limits

    Currently, the Enterprise version of Sysdig Secure for cloud can audit a maximum of 50 cloud accounts.

    If this limit needs to be increased, please contact your account team. If you exceed the license purchased, Sysdig will not block the cloud connection or stop the service; instead, the account team will reach out to you.

    Deploy Sysdig Secure for cloud on AWS

    Review the offering description on Sysdig Secure for cloud, if needed.

    Choose whether you will deploy with a CloudFormation Template (CFT) or Terraform file.

    Onboarding a Single Account using a CFT

    Each of the features can be enabled from a single CloudFormation Template (CFT) from the AWS Console.

    Deploying the CFT will add the default cloud policies and rules to any existing Sysdig Secure installations.

    Prerequisites

    • A Sysdig Secure SaaS account

    • An AWS account and AWS services you would like to connect to Sysdig, with appropriate permissions to deploy a CFT.

    Steps

    1. Log in to your AWS Console and confirm that you are in the account and AWS region that you want to secure using Sysdig Secure for cloud.

    2. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the AWS(CloudFormation) tab.

    3. Click Launch Stack.

      The AWS Console opens, at the CloudFormation > Stacks > Quick Create page. The Sysdig CloudFormation template is pre-loaded.

      Confirm that you are logged in to the AWS account and region where you want to deploy the Sysdig Template.

    4. Provide a Stack name or accept the default.

    5. Fill in the Parameters:

      Sysdig Settings

      • Sysdig Secure Endpoint:

        Default (US-East): https://secure.sysdig.com. If your Sysdig Secure platform is installed in another region, use that endpoint.

        US West: https://us2.app.sysdig.com

        European Union: https://eu1.app.sysdig.com

      • Sysdig Secure API Token: See Retrieve the Sysdig API Token to find yours.

      Modules to Deploy: Choose any or all.

      • CSPM/Compliance: Deploys the CIS AWS Benchmarks in Sysdig’s Compliance module.

      • Threat detection using CloudTrail: Deploys everything needed to detect threats based on CloudTrail events.

      • ECR Image Registry Scanning: Integrates container registry scanning for AWS ECR.

      • Fargate Image Scanning: Integrates image scanning on any container image deployed on a serverless Fargate task (in ECS).

      Existing Infrastructure: Leave all three entries blank to have a cluster, VPC, and subnet created automatically. Otherwise, you can provide existing:

      • ECS Cluster Name

      • VPC ID

      • Private subnet ID(s)

    6. Confirm the Capabilities required to deploy:

      • Check “I acknowledge that AWS CloudFormation might create IAM resources with custom names.”

      • Check “I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND”

    7. Click Create Stack.

      In the AWS Console, the main stack and associated substacks will show “CREATE_IN_PROGRESS”. Refresh the status to see “CREATE_COMPLETE” for all. There is a delay of 5-10 minutes for events to be sent from CloudTrail, but no event is lost.

      A success message also appears in the Sysdig Secure Get Started page.

    Onboarding Using Terraform

    Terraform-based install instructions differ depending on what type of AWS account you are using.

    At this time, the options include:

    • Install for a single AWS account

    • Install for an organizational/management account (includes threat detection with CloudTrail only). More modules will be included in this option over time.

    For Single/Member Account

    The default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection with CloudTrail, AWS benchmarks, and container registry and image scanning.

    Prerequisites

    Permissions

    • Sysdig Secure administrator permissions

    • AWS profile credentials configuration

      For AWS, you must have administrator permissions, or permissions to create each of the resources specified in the resources list. Sysdig provides an IAM policy containing the required permissions.

    Steps

    1. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the AWS (Terraform) tab.

    2. Copy the code snippet under Single Account and paste it in the terminal of your local machine. It should be pre-configured with your Sysdig API token.

    3. Then run:

      $ terraform init
      

      When complete, run:

      $ terraform apply
      

      which will present the changes to be made, ask you to confirm them, then make the changes.

    4. Confirm the Services are Working

      Check Troubleshooting in case of permissions or account conflict errors.

    For Organizational/Management Account

    For organizational accounts, the default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection with CloudTrail (only).

    Prerequisites

    • Have Terraform installed on the local machine.

    • A Sysdig Secure SaaS account

    • A Sysdig Secure for Cloud organizational member account ID.

      We recommend creating a unique member account for Sysdig Secure for cloud.

    Permissions

    • Sysdig Secure administrator permissions

    • AWS permissions:

      • An existing AWS account as the organization master account with the Organizational CloudTrail service enabled.

      • AWS profile credentials configuration of the master account of the organization

        You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.

        Sysdig provides an IAM policy containing the required permissions.

    Steps

    1. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the AWS (Terraform) tab.

    2. Copy the code snippet under Organizational Account and paste it in the terminal of your local machine. It should be pre-configured with your Sysdig API token.

    3. Then run:

      $ terraform init
      

      When complete, run:

      $ terraform apply
      

      which will present the changes to be made, ask you to confirm them, then make the changes.

    4. Confirm the Services are Working

      Check Troubleshooting in case of permissions or account conflict errors.

    Soon, this option will be expanded to include all the features currently in the single account option, as well as the ability to easily add multiple member accounts.

    Customizing the Install

    Both the Single Account and Organizational Account code examples are configured with sensible defaults for the underlying inputs. But if desired, you can edit the region, module enablement, and other Inputs. See details for:

    Resources Created by Each Module

    • Cloud-bench

      • aws_iam_role

      • aws_iam_role_policy_attachment

      • sysdig_secure_benchmark_task

      • sysdig_secure_cloud_account

    • Cloud-connector

      • aws_cloudwatch_log_stream

      • aws_ecs_service

      • aws_ecs_task_definition

      • aws_iam_role

      • aws_iam_role_policy

      • aws_s3_bucket

      • aws_s3_bucket_object

      • aws_s3_bucket_public_access_block

      • aws_security_group

      • aws_sns_topic_subscription

      • aws_sqs_queue

      • aws_sqs_queue_policy

    • Cloud-scanning

      • aws_cloudwatch_log_group

      • aws_cloudwatch_log_stream

      • aws_ecs_service

      • aws_ecs_task_definition

      • aws_iam_role

      • aws_iam_role_policy

      • aws_security_group

      • aws_sns_topic_subscription

      • aws_sqs_queue

      • aws_sqs_queue_policy

    If cloud-connector or cloud-scanning is installed, these additional modules will be installed:

    • resource-group

      • aws_resourcegroups_group

    • cloudtrail

      • aws_cloudtrail

      • aws_kms_alias

      • aws_kms_key

      • aws_s3_bucket

      • aws_s3_bucket_policy

      • aws_s3_bucket_public_access_block

      • aws_sns_topic

      • aws_sns_topic_policy

    • ssm

      • aws_ssm_parameter

    • ecs-fargate-cluster

      • aws_ecs_cluster

    If cloud-scanning is installed, these additional modules will be installed:

    • codebuild

      • aws_cloudwatch_log_group

      • aws_codebuild_project

      • aws_iam_role

      • aws_iam_role_policy

    Troubleshooting

    Resolve 409 Conflict Error

    This error may occur if the specified cloud account has already been onboarded to Sysdig.

    Solution:

    The cloud account can be imported into Terraform by running: 

    terraform import module.cloud_bench.sysdig_secure_cloud_account.cloud_account CLOUD_ACCOUNT_ID

    Resolve Permissions Error/Access Denied

    This error may occur if your current AWS authentication session does not have the required permissions to create certain resources.

    Solution:

    Ensure you are authenticated to AWS using a user or role with the required permissions.

    Confirm the Services are Working

    Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

    Check Overall Connection Status

    • Data Sources: Select Data Sources from the User menu to see all connected cloud accounts.

    • Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.

    • Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

    Check Threat Detection

    • Policies: Check Policies > Runtime Policies and confirm that the AWS Best Practices policy is enabled. This consists of the most-frequently-recommended rules for AWS and CloudTrail. You can customize it by creating a new policy of the AWS CloudTrail type.

    • Events: In the Events feed, search ‘cloud’ to show events from AWS CloudTrail.

    Check CSPM/AWS Benchmarks

    • Compliance: Select Compliance and see that AWS Foundations Benchmark is installed.

    • Review the benchmark results and confirm the account, region and date added.

    Check Scanning for ECR and Fargate

    • Scan Results: Check Image Scanning > Scan Results and choose the Origins drop-down.

      Confirm that AWS Registry and/or AWS Fargate are listed.

    • Filter by the desired origin and review scan results.