AWS Deployment
This section covers installation methods.
Review the offering description on Sysdig Secure for cloud - AWS.
Deployment Options
All of the following options provide all four cloud features: threat detection, CSPM benchmarks, image scanning, and container registry scanning.
- Terraform-based, for the two main types of AWS account:
  - Single/member setup: Targets a single account. A single workload is spawned in the specified account and targets the resources of that account. A member account that is part of an organization is also supported.
  - Organizational/management setup: Targets the whole organization. A single workload is spawned in the specified account and targets the whole organization.
- CloudFormation Template (CFT)-based: This option covers only a single/member account installation and requires explicit creation of an AWS IAM role, which the onboarding wizard prompts for.
Onboarding Using Terraform
Terraform-based install instructions differ depending on the type of AWS account you are using.
At this time, the options include:
- Install for a single AWS account
- Install for an organizational/management account
- Check the other use-case-specific scenarios in Secure for Cloud - AWS - Use-case scenarios for guidelines on the different deployment types, supported workload types, and optional resources that can be re-used.
For Single/Member Account
The default code provided in the Get Started page of Sysdig Secure, or the Data Sources | Cloud Accounts page, is pre-populated with your Secure API token and will automatically install threat detection with CloudTrail, AWS benchmarks, and container registry and image scanning.
Prerequisites and Permissions
- Terraform version 1.3.1+
  If you use Terraform version 1.3.1+, a simple terraform init/apply will automatically deploy the latest Secure for cloud module (0.10). If you cannot upgrade to Terraform 1.3.1+, you must first pin the 0.9.10 version of the Secure for cloud module:
    # Explicit version pin, required only on Terraform versions older than 1.3.1
    module "secure-for-cloud" {
      source  = "sysdiglabs/secure-for-cloud/aws"
      version = "0.9.10"
      ...
    }
- A Sysdig Secure SaaS account, with administrator permissions
- An AWS account, for Secure for Cloud compute workload deployment
  - You must have Administrator permissions, or permissions to create each of the resources specified in the resources list.
  - Enable AWS STS in each region you would like to secure.
- Have Terraform installed on the machine from which you will deploy the installation code.
- Terraform AWS Platform Provider properly configured
- For ECS deployment, 2 internet-facing IPv4 addresses for NAT availability. You can re-use an existing ECS/VPC/Subnet.
Available Options
- Workload Types: ECS, K8S, or AppRunner
- Optionals, so that the Sysdig Secure for Cloud AWS module can re-use resources already available in the customer's infrastructure: CloudTrail and ECS/VPC/Subnet
Check each example's input parameters for these and more configuration options.
Steps
1. Log in to Sysdig Secure as Admin and select Integrations > Data Sources | Cloud Account, then choose Connect Account | AWS.
2. Copy the code snippet under Single Account and paste it into a Terraform manifest (.tf file). It should be pre-configured with your Sysdig API token.
3. Run:
   $ terraform init
4. When complete, run:
   $ terraform apply
   which will present the changes to be made, ask you to confirm them, and then make the changes.
Confirm the Services are Working
Check Troubleshooting in case of permissions or account conflict errors.
For Organizational/Management Account
For organizational accounts, the default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection with CloudTrail (only).
Prerequisites and Permissions
- Terraform version 1.3.1+
  If you use Terraform version 1.3.1+, a simple terraform init/apply will automatically deploy the latest Secure for cloud module (0.10). If you cannot upgrade to Terraform 1.3.1+, you must first pin the 0.9.10 version of the Secure for cloud module:
    # Explicit version pin, required only on Terraform versions older than 1.3.1
    module "secure-for-cloud" {
      source  = "sysdiglabs/secure-for-cloud/aws"
      version = "0.9.10"
      ...
    }
- A Sysdig Secure SaaS account, with administrator permissions
- An AWS account in your organization, for Secure for Cloud compute workload deployment (we recommend creating an isolated member account)
- Permission/Service enablement
  - You must have Administrator permissions, or permissions to create each of the resources specified in the resources list. Sysdig provides an IAM policy containing the required permissions.
  - Enable AWS STS in each region you would like to secure.
  - An existing AWS account as the organization master account, with the Organizational CloudTrail service and Organizational CloudFormation StackSets enabled
  - AWS profile credentials configured for the master account of the organization. The IAM user or role in the management account must also have sufficient permissions to create an organization trail.
- Have Terraform installed on the machine from which you will deploy the installation code.
- Terraform AWS Platform Provider properly configured
Notes
- Suspended or terminated AWS accounts within the organization will not be processed or shown within Sysdig.
- For ECS deployment, 2 internet-facing IPv4 addresses for NAT availability. You can re-use an existing ECS/VPC/Subnet.
Steps
1. Log in to Sysdig Secure as Admin and select Integrations > Data Sources | Cloud Account, then choose Connect Account.
2. Copy the code snippet under Organizational Account and paste it into the terminal of your local machine. It should be pre-configured with your Sysdig API token.
3. Run:
   $ terraform init
4. When complete, run:
   $ terraform apply
   which will present the changes to be made, ask you to confirm them, and then make the changes.
Confirm the Services are Working
Check Troubleshooting in case of permissions or account conflict errors.
Soon, this option will be expanded to include all the features currently in the single account option, as well as the ability to easily add multiple member accounts.
Customizing the Install
Both the Single Account and Organizational Account code examples are configured with sensible defaults for the underlying inputs. If desired, you can edit the region, module enablement, and other inputs. See details for:
Enabling Image Scanner
The Image Scanner feature is disabled by default. If you want to enable it, set the image-scanning input variables in your snippet, for example:
  module "secure-for-cloud_example" {
    ...
    # Scan images running on ECS tasks and images pushed to ECR registries
    deploy_image_scanning_ecs = true
    deploy_image_scanning_ecr = true
  }
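As an added example covering both the single-account Steps above and this customization section (it is not the snippet Sysdig generates for you, nor the module's own code), this is what a complete single-account manifest can look like once the prerequisites are applied: Terraform, provider and module versions pinned, image scanning switched on with the two inputs shown above, and the Sysdig API token passed in as a sensitive variable instead of being pasted into the file. The Sysdig provider argument names (`sysdig_secure_api_token`, `sysdig_secure_url`), the module taking the token and endpoint as its own inputs, the provider version constraints, and the optional inputs for re-using an existing CloudTrail SNS topic and ECS network (`cloudtrail_sns_arn`, `ecs_cluster_name`, `ecs_vpc_id`, `ecs_vpc_subnets_private_ids`) are assumptions here; confirm them against the module's input reference before applying.

```hcl
# Added example of a single-account Secure for Cloud manifest (not the
# UI-generated snippet). Names marked "assumed" must be checked against the
# module's input reference for the version you pin.

terraform {
  required_version = ">= 1.3.1"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"      # assumed compatible; pin to the version you test with
    }
    sysdig = {
      source  = "sysdiglabs/sysdig"
      version = ">= 0.5.0"    # assumed; pin to the version you test with
    }
  }
}

# Keep the API token out of the .tf file: supply it through
# TF_VAR_sysdig_secure_api_token or a secrets-backed variable file.
variable "sysdig_secure_api_token" {
  type      = string
  sensitive = true
}

variable "sysdig_secure_url" {
  type    = string
  default = "https://secure.sysdig.com"   # US East; use your region's endpoint
}

provider "aws" {
  region = "us-east-1"   # the region you want to secure; STS must be enabled there
}

provider "sysdig" {
  sysdig_secure_api_token = var.sysdig_secure_api_token   # assumed argument name
  sysdig_secure_url       = var.sysdig_secure_url         # assumed argument name
}

module "secure-for-cloud" {
  source  = "sysdiglabs/secure-for-cloud/aws"
  version = "0.9.10"   # explicit pin; on Terraform 1.3.1+ you can omit it to get 0.10

  # Assumed: the module also needs the token and endpoint for the workload it deploys.
  sysdig_secure_api_token = var.sysdig_secure_api_token
  sysdig_secure_endpoint  = var.sysdig_secure_url

  # Image scanning is off by default; these are the two inputs the page shows.
  deploy_image_scanning_ecs = true
  deploy_image_scanning_ecr = true

  # Optional re-use of existing infrastructure (assumed input names, constructed
  # placeholder values). Uncomment only if you already have these resources.
  # cloudtrail_sns_arn          = "arn:aws:sns:us-east-1:111122223333:cloudtrail-topic"
  # ecs_cluster_name            = "existing-cluster"
  # ecs_vpc_id                  = "vpc-0123456789abcdef0"
  # ecs_vpc_subnets_private_ids = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"]
}
```

Run `terraform init` and `terraform apply` from the directory holding this file, as in the Steps above. Passing the token through a variable means the manifest can be committed to version control without exposing the credential, and the explicit version pins make a later `terraform apply` reproducible instead of silently picking up a newer module.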
Scaling the Cloud Connector
Note: the default ECS setup is meant to handle a low-to-medium load of AWS CloudTrail events. For use cases where the event load is high, consider scaling up the footprint according to the usage metrics.
To scale the Cloud Connector properly, look at the usage metrics, such as CPU and RAM of the Cloud Connector task, alongside the SQS queue metrics:
In the example shown, the CPU does not have much work to do and memory is mostly under 25%, so there is no need to scale. If scaling is needed, update the Task Definition in ECS:
This is the task currently under execution. Check the current task size:
This case is using half a GB of RAM and a quarter of a CPU; you can change these values and create a new revision, which the service will deploy, if you want to scale vertically.
For horizontal scaling, update the number of replicas of the ECS Service:
Or update the service to increase the Number of Tasks:
The effect of this scaling can be checked with both the Cloud Connector metrics and the SQS ingestion metrics. Those values (CPU, RAM and replicas) can be tweaked until CPU and RAM usage, Message Age, and Messages Delayed are at acceptable levels.
Resources Created by Each Module
Check the full list of created resources:
Benchmark
- aws_iam_role
- aws_iam_role_policy_attachment
- sysdig_secure_benchmark_task
- sysdig_secure_cloud_account
General: Threat detection / CSPM / CIEM
- aws_cloudwatch_log_stream
- aws_ecs_service
- aws_ecs_task_definition
- aws_iam_role
- aws_iam_role_policy
- aws_s3_bucket
- aws_s3_bucket_object
- aws_s3_bucket_public_access_block
- aws_security_group
- aws_sns_topic_subscription
- aws_sqs_queue
- aws_sqs_queue_policy
Image Scanning
- aws_cloudwatch_log_group
- aws_cloudwatch_log_stream
- aws_ecs_service
- aws_ecs_task_definition
- aws_iam_role
- aws_iam_role_policy
- aws_security_group
- aws_sns_topic_subscription
- aws_sqs_queue
- aws_sqs_queue_policy
If cloud-connector or cloud-scanning is installed, these additional modules will be installed:
resource-group
- aws_resourcegroups_group
cloudtrail
- aws_cloudtrail
- aws_kms_alias
- aws_kms_key
- aws_s3_bucket
- aws_s3_bucket_policy
- aws_s3_bucket_public_access_block
- aws_sns_topic
- aws_sns_topic_policy
ssm
- aws_ssm_parameter
ecs-fargate-cluster
- aws_ecs_cluster
If cloud-scanning is installed, these additional modules will be installed:
codebuild
- aws_cloudwatch_log_group
- aws_codebuild_project
- aws_iam_role
- aws_iam_role_policy
Troubleshooting
Find more troubleshooting options in the Terraform - AWS module source repository.
1. Resolve 409 Conflict Error
This error may occur if the specified cloud account has already been onboarded to Sysdig.
Solution:
The cloud account can be imported into Terraform by running:
  $ terraform import module.cloud_bench.sysdig_secure_cloud_account.cloud_account CLOUD_ACCOUNT_ID
2. Resolve Permissions Error/Access Denied
This error may occur if your current AWS authentication session does not have the required permissions to create certain resources.
Solution:
Ensure you are authenticated to AWS using a user or role with the required permissions.
Onboarding a Single Account using a CFT
Each of the features can be enabled from a single CloudFormation Template (CFT) from the AWS Console. Two options are available:
- Secure For Cloud stack, deployed on ECS compute workload. Available in all regions.
- Secure For Cloud stack, deployed on AppRunner compute workload. A less resource-demanding deployment, but not available in all regions; accepted regions are 'us-east-1', 'us-east-2', 'us-west-2', 'ap-northeast-1' and 'eu-west-1'.
Prerequisites
- A Sysdig Secure SaaS account
- An AWS account and AWS services you would like to connect to Sysdig, with appropriate permissions to deploy a CFT.
Steps
1. Log in to your AWS Console and confirm that you are in the account and AWS region that you want to secure using Sysdig Secure for cloud.
2. Log in to Sysdig Secure as Admin and either select Get Started > Connect your Cloud account and choose the AWS tab, or select Integrations > Data Sources | Cloud Account and choose Connect Account.
3. Select either the Install Secure For Cloud stack, deployed on ECS compute workload link or the Install Secure For Cloud stack, deployed on AppRunner compute workload link. The Connect Account dialog is displayed.
4. Enter:
   - The AWS account number with which you want to connect
   - An IAM Role name to be created for Sysdig Secure for cloud in AWS. This role name must not yet exist in your account. The role provides read-only access to your resources to allow Sysdig to monitor and secure your cloud account. Access is scoped to the managed SecurityAudit policy.
5. Click Launch Stack. The AWS Console opens at the CloudFormation > Stacks > Quick Create page, with the Sysdig CloudFormation template pre-loaded. Confirm that you are logged in to the AWS account and region where you want to deploy the Sysdig template.
6. Provide a Stack name or accept the default.
7. Fill in the Parameters:
   Sysdig Settings
   - Sysdig Secure Endpoint: Default (US East): https://secure.sysdig.com. If your Sysdig Secure platform is installed in another region, use that endpoint:
     - US West: https://us2.app.sysdig.com
     - European Union: https://eu1.app.sysdig.com
   - Sysdig Secure API Token: See Retrieve the Sysdig API Token to find yours.
   - Sysdig Role Name: As entered in the Connect Account dialog; the IAM role name to be created for Sysdig to access your AWS account.
   - Sysdig External ID: Not to be modified. It is the ExternalID that identifies Sysdig on AWS for the Trusted Identity.
   - Sysdig Trusted Identity: Not to be modified. It is the ARN of the Trusted Identity of Sysdig on AWS, needed to run CSPM benchmarks.
   Modules to Deploy: Choose any or all.
   - CSPM/Compliance and Threat detection using CloudTrail capabilities will always be deployed.
   - ECR Image Registry Scanning: Integrates container registry scanning for AWS ECR.
   - Fargate Image Scanning: Integrates image scanning on any container image deployed on a serverless Fargate task (in ECS).
   Existing Infrastructure: Leave all these fields blank for the resources to be created. If you want to use existing components of your infrastructure, you can provide:
   - Network: Only available if the stack is deployed on ECS. If provided, you MUST specify ALL field values:
     - ECS Cluster Name where the Sysdig workload is to be deployed
     - VPC ID for the ECS Cluster
     - Private subnet ID(s) for the VPC. At least two subnets are required
   - CloudTrail SNS Topic: Specify the URL of the SNS Topic
8. Confirm the Capabilities required to deploy:
   - Check "I acknowledge that AWS CloudFormation might create IAM resources with custom names."
   - Check "I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND"
9. Click Create Stack.
   In the AWS Console, the main stack and associated substacks will show "CREATE_IN_PROGRESS". Refresh the status to see "CREATE_COMPLETE" for all. There is a delay of 5-10 minutes for events to be sent from CloudTrail, but no event is lost.
   A success message also appears in the Sysdig Secure Get Started page.
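To make the three role-related parameters concrete, here is an added Terraform illustration (not Sysdig's CloudFormation template, which is what the wizard actually deploys) of the trust relationship they describe: a role in your account that only the Sysdig trusted identity can assume, only when it presents the expected external ID, and that carries nothing beyond the AWS-managed SecurityAudit policy. The trusted-identity ARN and external ID are placeholders; the real values are pre-filled by the Connect Account dialog and must not be modified.

```hcl
# Added illustration of the role the CFT creates. The trusted identity and
# external ID below are placeholders, not real Sysdig values.

variable "sysdig_trusted_identity" {
  description = "ARN of the Sysdig trusted identity (placeholder; the real value comes from the Connect Account dialog)"
  type        = string
  default     = "arn:aws:iam::000000000000:role/SYSDIG_TRUSTED_IDENTITY_PLACEHOLDER"
}

variable "sysdig_external_id" {
  description = "External ID supplied by Sysdig (placeholder; do not invent one)"
  type        = string
  default     = "EXTERNAL_ID_PLACEHOLDER"
}

variable "sysdig_role_name" {
  type    = string
  default = "SysdigSecureForCloud"   # must not already exist in the account
}

# The trust policy is where the security lives: the principal is pinned to the
# Sysdig identity, and the sts:ExternalId condition stops a third party that
# learns the role ARN from getting Sysdig to assume it on their behalf
# (the confused-deputy problem).
data "aws_iam_policy_document" "sysdig_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.sysdig_trusted_identity]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.sysdig_external_id]
    }
  }
}

resource "aws_iam_role" "sysdig" {
  name               = var.sysdig_role_name
  assume_role_policy = data.aws_iam_policy_document.sysdig_trust.json
}

# Read-only scope: the AWS-managed SecurityAudit policy and nothing else.
resource "aws_iam_role_policy_attachment" "sysdig_security_audit" {
  role       = aws_iam_role.sysdig.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
```

When reviewing the stack after creation, these are the two things worth confirming in the IAM console: the role's trust policy names only the Sysdig identity and carries the ExternalId condition, and its attached policies consist of SecurityAudit alone. Any extra inline or attached policy on that role widens what a compromised or misconfigured integration could read.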
Uninstalling
- Delete the installed stack set. Be aware that the first attempt will fail, because the service does not delete S3 buckets that contain content (the CloudTrail logs). When it fails, empty and delete the S3 bucket created for CloudTrail and repeat the stack set deletion.
Confirm the Services are Working
Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.
Check Overall Connection Status
- Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.
- Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.
- Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.
Ensure Events are Properly Processed
To ensure events are processed with an acceptable delay, check the SQS queue for the metrics Cloud Connector uses:
In a healthy Cloud Connector installation, the Age of the Oldest Message is quite low, less than 97 seconds on average:
Also, the number of messages received is constant, while the number of messages delayed is 0:
Check Threat Detection
- Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig AWS Threat Detection and Sysdig AWS Threat Intelligence managed policies are enabled.
  - These consist of the most-frequently-recommended rules for AWS and CloudTrail. You can customize them by creating a new policy of the AWS CloudTrail type.
- Events: In the Events feed, search for "cloud" to show events from AWS CloudTrail.
- Force an event: If you want to manually create an event, choose one of the rules contained in an AWS policy and execute it in your AWS account. For example: create an S3 bucket with Public Access Blocked, then make it public to trigger the event.
  Remember that if you add new rules to the policy, you need to give it time to propagate the changes.
If you need a more technical check, visit the Secure for Cloud - Terraform AWS module source repository.
Check Identity and Access (AWS)
Select Posture > Identity and Access | Users and check whether the following are showing up in the Unused Permissions lists:
- Unused permissions
- Inactive users
- Policies with the greatest number of granted vs used permissions
Follow the instructions to remediate overly permissive entitlements and reduce security risks.
Check Image Scanning
- Check details in Secure for Cloud - Terraform AWS module source repository
See Also
- Secure for Cloud - Terraform AWS - Terraform registry module
- Secure for Cloud - Terraform AWS - Source Github repo
- Insights
- Threat Detection with AWS CloudTrail