AWS

Connect an AWS cloud account to Sysdig Secure using Terraform or CloudFormation templates via a wizard. You can connect single or organizational managed accounts. It is also possible to connect agentless CSPM alone. The available features are listed on the install wizard and at the bottom of this page.

Install Options

Full Install using Wizard

  1. Log in to Sysdig Secure as admin and select Integrations > Data Sources|Cloud Accounts.

  2. Click +Add Account and select AWS. Select the installation method that matches your enterprise standards:

    • CloudFormation Template Single Account
    • Terraform Single Account
    • Terraform Organizational Account
  3. As prompted by the Wizard screen, enter:

    For CloudFormation

    • The AWS account ID you want to secure

    • An IAM role name to be used for provisioning

    • Whether you are deploying on ECS or AppRunner compute workloads on AWS.

    • Copy the autodetected Sysdig Secure API token and click Launch Stack.

    For Terraform

    • AWS Region, for example us-east-1: the region where resources will be created in your AWS account by default. All resources created by this module are global, so this region can be set to any value.

    • Member Account ID(s) (for AWS Organizational accounts)

      The Wizard will autopopulate a code snippet, along with autodetected Sysdig Secure endpoint and Sysdig Secure API token information.

    • Apply the Terraform by running

      $ terraform init

      When complete, run:

      $ terraform apply

  4. After deploying, perform any necessary configuration steps and confirm the services are working.

Install Agentless CSPM Only

This method of installation will only support CSPM Compliance.

The following features will not work: Threat Detection, Identity and Access, Image Scanning.

This installation is manual and can be performed for a single account or organizational account in Terraform.

Single Account

  1. In a terminal window, ensure you are authenticated to the AWS account you would like to connect. If you have the AWS CLI installed, you can confirm which account you are targeting by running aws sts get-caller-identity.

  2. Save the following to a file named main.tf on your local machine:

    terraform {
      required_providers {
        # The Sysdig provider registers the account with Sysdig Secure.
        sysdig = {
          source = "sysdiglabs/sysdig"
        }
      }
    }

    # Sysdig Secure endpoint and API token; replace both placeholders.
    provider "sysdig" {
      sysdig_secure_url       = "<SYSDIG_URL>"
      sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
    }

    # Default region for the AWS provider; the resources created are global.
    provider "aws" {
      region = "<AWS_REGION>"
    }

    # Agentless CSPM (cloud-bench) module for a single account.
    module "sysdig-sfc-agentless" {
      source = "sysdiglabs/secure-for-cloud/aws//modules/services/cloud-bench"
    }

    
  3. Replace the following placeholders in main.tf:

    • SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
      • US East: https://secure.sysdig.com
      • US West: https://us2.app.sysdig.com
      • European Union: https://eu1.app.sysdig.com
    • SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
    • AWS_REGION: for example us-east-1, the region where resources will be created in your AWS account by default. All resources created by this module are global, so this region can be set to any value.
  4. Apply the Terraform by running

    $ terraform init

    When complete, run:

    $ terraform apply

  5. After deploying, confirm that Compliance is working.

Organization

  1. In a terminal window, ensure you are authenticated to the AWS management account of the organization you would like to connect. If you have the AWS CLI installed, you can confirm which account you are targeting by running aws sts get-caller-identity.

  2. Save the following to a file named main.tf on your local machine:

    terraform {
      required_providers {
        # The Sysdig provider registers the accounts with Sysdig Secure.
        sysdig = {
          source = "sysdiglabs/sysdig"
        }
      }
    }

    # Sysdig Secure endpoint and API token; replace both placeholders.
    provider "sysdig" {
      sysdig_secure_url       = "<SYSDIG_URL>"
      sysdig_secure_api_token = "<SYSDIG_API_TOKEN>"
    }

    # Default region for the AWS provider; the resources created are global.
    provider "aws" {
      region = "<AWS_REGION>"
    }

    # Agentless CSPM (cloud-bench) module deployed across the organization
    # from the management account.
    module "sysdig-sfc-agentless" {
      source            = "sysdiglabs/secure-for-cloud/aws//modules/services/cloud-bench"
      is_organizational = true
    }
    
  3. Replace the following placeholders in main.tf:

    • SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
      • US East: https://secure.sysdig.com
      • US West: https://us2.app.sysdig.com
      • European Union: https://eu1.app.sysdig.com
    • SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
    • AWS_REGION: for example us-east-1, the region where resources will be created in your AWS account by default. All resources created by this module are global, so this region can be set to any value.
  4. Apply the Terraform by running

    $ terraform init

    When complete, run:

    $ terraform apply

  5. After deploying, confirm that Compliance is working.
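A pre-apply guard for both the Single Account and Organization procedures above, added here as an example and not part of Sysdig's module or docs. It assumes main.tf is in the current directory and that the AWS CLI is on PATH for the live account check; the placeholder names and endpoints are the ones listed in step 3.

```shell
#!/bin/sh
# Guard against the two most common mistakes before `terraform apply`:
# applying into the wrong AWS account, and leaving a <PLACEHOLDER> in main.tf.
# Added example, not Sysdig's code. Assumes main.tf in the working directory.

PLACEHOLDERS='<SYSDIG_URL>|<SYSDIG_API_TOKEN>|<AWS_REGION>'
ENDPOINTS='https://secure.sysdig.com https://us2.app.sysdig.com https://eu1.app.sysdig.com'

# Returns 0 if every placeholder in FILE was replaced; otherwise lists leftovers and returns 1.
check_placeholders() {
  leftover=$(grep -oE "$PLACEHOLDERS" "$1" | sort -u)
  if [ -z "$leftover" ]; then
    return 0
  fi
  printf 'unreplaced placeholders in %s:\n%s\n' "$1" "$leftover" >&2
  return 1
}

# Returns 0 if sysdig_secure_url in FILE is one of the documented regional endpoints.
check_endpoint() {
  url=$(sed -n 's/^[[:space:]]*sysdig_secure_url[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
  for e in $ENDPOINTS; do
    if [ "$url" = "$e" ]; then
      return 0
    fi
  done
  printf 'sysdig_secure_url "%s" is not a known Sysdig Secure endpoint\n' "$url" >&2
  return 1
}

# Returns 0 if the account the CLI is authenticated to (ACTUAL, $2) is the intended one (EXPECTED, $1).
check_account() {
  if [ "$1" = "$2" ]; then
    return 0
  fi
  printf 'authenticated to account %s, expected %s\n' "$2" "$1" >&2
  return 1
}

# Live run only when a target account is given: TARGET_ACCOUNT=<your account id> sh guard.sh
if [ -n "${TARGET_ACCOUNT:-}" ]; then
  actual=$(aws sts get-caller-identity --query Account --output text)
  check_account "$TARGET_ACCOUNT" "$actual" \
    && check_placeholders main.tf \
    && check_endpoint main.tf \
    && terraform init \
    && terraform apply
fi
```

For the Organization procedure, TARGET_ACCOUNT is the management account ID; the same file is otherwise used unchanged.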

Validate

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

  • Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

  • Subscription: Select Settings > Subscription to see an overview of your account activity, including cloud accounts.

  • Insights: Check that Insights have been added to your navigation bar. View activity on the Cloud Account, Cloud User, or Composite insight views.

Check CSPM

Open Inventory and filter on account =; your AWS cloud account should appear in the drop-down.

Check Threat Detection

  • Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig AWS Threat Detection and Sysdig AWS Threat Intelligence managed policies are enabled.

    • These consist of the most frequently recommended rules for AWS and CloudTrail. You can customize them by creating a new policy of the AWS CloudTrail type.
  • Events: In the Events feed, filter on aws.accountid = and check for your cloud account.

  • Force an event: To manually create an event, choose one of the rules contained in an AWS policy and perform the matching action in your AWS account.
    For example: create an S3 bucket with public access blocked, then make it public to trigger the event.
    Remember that new rules added to policies need time to propagate.

Check Identity and Access (AWS)

Go to Home and check the status bar at the top right to see your cloud accounts.

Features and Resources on AWS

Agentless CSPM

Available as a stand-alone manual install or as part of the full install.

Resources Created

  • aws_cloudformation_stack_set
  • aws_cloudformation_stack_set_instance
  • aws_iam_role
  • aws_iam_role_policy_attachment

Threat Detection

Resources Created

  • aws_apprunner_service
  • aws_cloudtrail
  • aws_cloudwatch_log_group
  • aws_cloudwatch_log_stream
  • aws_ecs_cluster
  • aws_ecs_service
  • aws_ecs_task_definition
  • aws_iam_access_key
  • aws_iam_role
  • aws_iam_role_policy
  • aws_iam_user
  • aws_iam_user_policy
  • aws_kms_alias
  • aws_kms_key
  • aws_resourcegroups_group
  • aws_s3_bucket
  • aws_s3_bucket_acl
  • aws_s3_bucket_lifecycle_configuration
  • aws_s3_bucket_policy
  • aws_s3_bucket_public_access_block
  • aws_security_group
  • aws_sns_topic
  • aws_sns_topic_policy
  • aws_sns_topic_subscription
  • aws_sqs_queue
  • aws_sqs_queue_policy
  • aws_ssm_parameter

Identity and Access Management (CIEM)

No additional resources added.