Deploy Sysdig Secure for cloud on AWS

If needed, review the offering description on Sysdig Secure for cloud - AWS

Deployment Options

All of the following options provide all four cloud features: threat detection, CSPM benchmarks, image scanning, and container registry scanning.

  • Terraform-based for two types of AWS account
    • Organizational/management account: This is the account that you use to create the organization in AWS. Organizational accounts create and contain member accounts.
    • Single/member account: Each of these is a stand-alone account. A member account that is part of an organization is supported too.
  • CloudFormation Template (CFT)-based: This option requires explicit creation of an AWS role, which is prompted by the onboarding wizard.

Onboarding Using Terraform

Terraform-based install instructions differ depending on what type of AWS account you are using.

At this time, the options include:

  • Install for a single AWS account
  • Install for an organizational/management account

For Single/Member Account

The default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection with CloudTrail, AWS benchmarks, and container registry and image scanning.

Prerequisites and Permissions

  • A Sysdig Secure SaaS account, with administrator permissions
  • An AWS account, for Secure for Cloud compute workload deployment
    • You must have Administrator permissions, or permissions to create each of the resources specified in the resources list.
    • Enable AWS STS in each region you would like to secure.
  • Have Terraform installed on the machine from which you will deploy the installation code.

Steps

  1. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the AWS tab.

  2. Copy the code snippet under Single Account and paste it in the terminal of your local machine. It should be pre-configured with your Sysdig API token.

  3. Then run:

    $ terraform init

    When complete, run:

    $ terraform apply

    which will present the changes to be made, ask you to confirm them, then make the changes.

  4. Confirm the Services are Working

    Check Troubleshooting in case of permissions or account conflict errors.

For Organizational/Management Account

For organizational accounts, the default code provided in the Get Started page of Sysdig Secure is pre-populated with your Secure API token and will automatically install threat detection with CloudTrail only.

Prerequisites and Permissions

  • A Sysdig Secure SaaS account, with administrator permissions
  • An AWS account in your organization, for Secure for Cloud compute workload deployment (we recommend creating an isolated member account)
    • You must have Administrator permissions, or permissions to create each of the resources specified in the resources list. Sysdig provides an IAM policy containing the required permissions.
    • Enable AWS STS in each region you would like to secure.
    • An existing AWS account acting as the organization master account, with the Organizational CloudTrail service enabled.
    • AWS profile credentials configured for the master account of the organization. The IAM user or role in the management account must also have sufficient permissions to create an organization trail.
  • Have Terraform installed on the machine from which you will deploy the installation code.

Steps

  1. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the AWS tab.

  2. Copy the code snippet under Organizational Account and paste it in the terminal of your local machine. It should be pre-configured with your Sysdig API token.

  3. Then run:

    $ terraform init

    When complete, run:

    $ terraform apply

    which will present the changes to be made, ask you to confirm them, then make the changes.

  4. Confirm the Services are Working

    Check Troubleshooting in case of permissions or account conflict errors.

Soon, this option will be expanded to include all the features currently in the single account option, as well as the ability to easily add multiple member accounts.

Customizing the Install

Both the Single Account and Organizational Account code examples are configured with sensible defaults for the underlying inputs. If desired, you can edit the region, module enablement, and other inputs. Details follow for enabling the image scanner and for the resources each module creates.

Enabling Image Scanner

The image scanner is disabled by default. To enable it, set the image scanning input variables in your snippet, for example:

module "secure-for-cloud_example" {
  ...
  deploy_image_scanning_ecs = true
  deploy_image_scanning_ecr = true
}
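A complete single-account configuration with image scanning enabled, as an added example rather than the snippet from the Get Started page; the module source path and the Sysdig provider argument names are assumptions to confirm against your own snippet, and the API token is supplied through a sensitive variable instead of being pasted into the file:

```hcl
# Added example, not the Get Started snippet. Assumed: module source path,
# provider arguments and endpoint; copy the real values from your snippet.

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"   # assumed provider source
    }
  }
}

# Keep the token out of the repository: set TF_VAR_sysdig_secure_api_token
# in the shell that runs terraform instead of writing it here.
variable "sysdig_secure_api_token" {
  type      = string
  sensitive = true
}

provider "sysdig" {
  # Default US-East endpoint; use the us2/eu1 endpoint if your SaaS region differs
  sysdig_secure_url       = "https://secure.sysdig.com"
  sysdig_secure_api_token = var.sysdig_secure_api_token
}

provider "aws" {
  # Region to secure; AWS STS must be enabled in this region (prerequisite above)
  region = "eu-west-1"
}

module "secure-for-cloud_example" {
  source = "sysdiglabs/secure-for-cloud/aws//examples/single-account"   # assumed path

  # Threat detection and benchmarks are deployed by default; image scanning is
  # off unless both Fargate (ECS) and registry (ECR) scanning are switched on.
  deploy_image_scanning_ecs = true
  deploy_image_scanning_ecr = true
}
```

Run terraform plan before apply and review the plan: with both inputs set to true it should list the Image Scanning resources (ECS service, task definition, SQS queue and the codebuild module) in addition to the benchmark and threat detection resources.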

Resources Created by Each Module

Check the full list of created resources.

  • Benchmark

    • aws_iam_role

    • aws_iam_role_policy_attachment

    • sysdig_secure_benchmark_task

    • sysdig_secure_cloud_account

  • General: Threat detection / CSPM / CIEM

    • aws_cloudwatch_log_stream

    • aws_ecs_service

    • aws_ecs_task_definition

    • aws_iam_role

    • aws_iam_role_policy

    • aws_s3_bucket

    • aws_s3_bucket_object

    • aws_s3_bucket_public_access_block

    • aws_security_group

    • aws_sns_topic_subscription

    • aws_sqs_queue

    • aws_sqs_queue_policy

  • Image Scanning

    • aws_cloudwatch_log_group

    • aws_cloudwatch_log_stream

    • aws_ecs_service

    • aws_ecs_task_definition

    • aws_iam_role

    • aws_iam_role_policy

    • aws_security_group

    • aws_sns_topic_subscription

    • aws_sqs_queue

    • aws_sqs_queue_policy

If cloud-connector or cloud-scanning is installed, these additional modules will be installed:

  • resource-group

    • aws_resourcegroups_group

  • cloudtrail

    • aws_cloudtrail

    • aws_kms_alias

    • aws_kms_key

    • aws_s3_bucket

    • aws_s3_bucket_policy

    • aws_s3_bucket_public_access_block

    • aws_sns_topic

    • aws_sns_topic_policy

  • ssm

    • aws_ssm_parameter

  • ecs-fargate-cluster

    • aws_ecs_cluster

If cloud-scanning is installed, these additional modules will be installed:

  • codebuild

    • aws_cloudwatch_log_group

    • aws_codebuild_project

    • aws_iam_role

    • aws_iam_role_policy

Troubleshooting

Find more troubleshooting options on the module source repository

1. Resolve 409 Conflict Error

This error may occur if the specified cloud account has already been onboarded to Sysdig.

Solution:

The cloud account can be imported into Terraform by running: 

terraform import module.cloud_bench.sysdig_secure_cloud_account.cloud_account CLOUD_ACCOUNT_ID

2. Resolve Permissions Error/Access Denied

This error may occur if your current AWS authentication session does not have the required permissions to create certain resources.

Solution:

Ensure you are authenticated to AWS using a user or role with the required permissions.

Onboarding a Single Account using a CFT

Each of the features can be enabled from a single CloudFormation Template (CFT) from the AWS Console. Two options are available:

  • Secure For Cloud stack, deployed on ECS compute workload. Available in all regions

  • Secure For Cloud stack, deployed on AppRunner compute workload. A less resource-demanding deployment, but not available in all regions; the accepted regions are 'us-east-1', 'us-east-2', 'us-west-2', 'ap-northeast-1' and 'eu-west-1'.

Prerequisites

  • A Sysdig Secure SaaS account

  • An AWS account and AWS services you would like to connect to Sysdig, with appropriate permissions to deploy a CFT.

Steps

  1. Log in to your AWS Console and confirm that you are in the account and AWS region that you want to secure using Sysdig Secure for cloud.

  2. Log in to Sysdig Secure as Admin and select Get Started > Connect your Cloud account. Choose the AWS tab.

  3. Select either the Install Secure For Cloud stack, deployed on ECS compute workload link or the Install Secure For Cloud stack, deployed on AppRunner compute workload link.

    The Connect Account dialog is displayed.

  4. Enter:

    • The AWS account number with which you want to connect

    • An IAM Role name to be created for Sysdig Secure for cloud in AWS. This role name must not yet exist in your account.

      The role provides read-only access to your resources to allow Sysdig to monitor and secure your cloud account. Access is scoped to the managed SecurityAudit policy.

  5. Click Launch Stack.

    The AWS Console opens, at the CloudFormation > Stacks > Quick Create page. The Sysdig CloudFormation template is pre-loaded.

    Confirm that you are logged in the AWS account and region where you want to deploy the Sysdig Template.

  6. Provide a Stack name or accept the default.

  7. Fill in the Parameters:

    Sysdig Settings

    • Sysdig Secure Endpoint: Default (US-East): https://secure.sysdig.com.
      If your Sysdig Secure platform is installed in another region, use that endpoint.

      • US West: https://us2.app.sysdig.com
      • European Union: https://eu1.app.sysdig.com
    • Sysdig Secure API Token: See Retrieve the Sysdig API Token to find yours.

    • Sysdig Role Name: As specified in Step 3; IAM role name to be created for Sysdig to access your AWS account

    • Sysdig External ID: Not to be modified. It is the ExternalID that identifies Sysdig on AWS for the Trusted Identity.

    • Sysdig Trusted Identity: Not to be modified. It is the ARN of the Trusted Identity of Sysdig on AWS, required to run CSPM benchmarks.

    Modules to Deploy: Choose any or all.
    CSPM/Compliance and threat detection using CloudTrail capabilities are always deployed.

    • ECR Image Registry Scanning: Integrates container registry scanning for AWS ECR.

    • Fargate Image Scanning: Integrates image scanning on any container image deployed on a serverless Fargate task (in ECS).

    Existing Infrastructure: Leave all these fields blank for the resources to be created.
    If you want to use existing components of your infrastructure, you can provide:

    • Network: Only available if the stack is deployed on ECS. If provided, ALL field values MUST be specified:

      • ECS Cluster Name where the Sysdig workload is to be deployed
      • VPC ID for the ECS Cluster
      • Private subnet ID(s) for the VPC. At least two subnets are required
    • CloudTrail SNS Topic: Specify the URL of the SNS Topic

  8. Confirm the Capabilities required to deploy:

    • Check “I acknowledge that AWS CloudFormation might create IAM resources with custom names.”

    • Check “I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND”

  9. Click Create Stack.

    In the AWS Console, the main stack and associated substacks will show “CREATE_IN_PROGRESS”. Refresh the status to see “CREATE_COMPLETE” for all. There is a delay of 5-10 minutes for events to be sent from CloudTrail, but no event is lost.

    A success message also appears in the Sysdig Secure Get Started page.

Confirm the Services are Working

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

  • Data Sources: Select Integrations > Inbound | Cloud Accounts to see all connected cloud accounts.

  • Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.

  • Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check Threat Detection

  • Policies and Rules: Check Policies > Runtime Policies and confirm that the AWS Best Practices policy is enabled. This consists of the most-frequently-recommended rules for AWS and CloudTrail. You can customize it by creating a new policy of the AWS CloudTrail type.

  • Events: In the Events feed, search ‘cloud’ to show events from AWS CloudTrail.

  • Force an event: To manually create an event, choose one of the rules contained in the AWS Best Practices policy and perform the action it detects in your AWS account.
    For example: create an S3 bucket with Public Access Blocked, then make it public to trigger the event.
    If you add new rules to the policy, allow time for the changes to propagate.

Check CSPM/AWS Benchmarks

  • Compliance: Select Compliance and see that AWS Foundations Benchmark is installed.

  • Review the benchmark results and confirm the account, region and date added.

Check Scanning for ECR and Fargate

  • Scan Results: Check Image Scanning > Scan Results and choose the Origins drop-down.

    Confirm that AWS Registry and/or AWS Fargate are listed.

  • Filter by the desired origin and review scan results.

  • Force an event: Upload an image to a repository in your Elastic Container Registry (ECR), following the View push commands guide provided by AWS.

Check Permissions and Entitlements (AWS)

Select Posture > Permissions and Entitlements and check if the following are showing up in the Unused Permissions graphs:

  • Unused permissions
  • Inactive users
  • Policies with the greatest number of granted vs used permissions

Follow the instructions to remediate overly permissive entitlements and reduce security risks.

Last modified June 23, 2022