AWS

Follow wizard-based prompts to install agentless CSPM, CDR/Threat Detection, CIEM, and/or Vulnerability Management host scanning on AWS.

Prerequisites

You can provision each option for a single AWS account or for an AWS Organization, using Terraform or CloudFormation Templates. CloudFormation is available only for CSPM only, CSPM + CDR, or CDR only; every other combination requires Terraform (see Access the Onboarding Wizard below).

Ensure that your setup has the following:

  • Terraform installed or access to CloudFormation
  • For the Threat Detection option, at least one CloudTrail trail must exist in each account on which threat detection will be performed; without a trail no events are generated.

For Organizational Accounts:

  • Management AWS Region: The region where resources are created by default. All the resources created by this module are global, so any region can be used.
  • Instrumented AWS Regions: The regions that vulnerability scanning covers and from which CloudTrail events are forwarded to Sysdig. To use CIEM features, you must include us-east-1 along with every other AWS region the account uses; for organizational accounts, us-east-1 must also be the Management Region.
  • Organizational Units to Onboard: Either the organization root or a comma-separated list of OU IDs.
  • Management Account ID: The AWS account ID of the organization's management account.

For Single Accounts:

  • AWS Account ID: The account in which compute resources will be deployed.
  • Instrumented AWS Regions: The regions from which CloudTrail events are forwarded to Sysdig. AWS logs global service events, including IAM events, to the us-east-1 region; if that region is not instrumented you might miss key events. Select us-east-1 plus every other AWS region the account uses.

Additional permissions or prerequisites are listed on the appropriate Wizard screens.
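The two prerequisites above that most often go wrong are the missing us-east-1 region and an account with no CloudTrail trail covering the instrumented regions. The following preflight check is an added example, not part of the Sysdig wizard: it takes the trail list in the shape returned by the real `aws cloudtrail describe-trails` command (the sample here is constructed) and reports what would leave CDR blind. The check on IncludeGlobalServiceEvents goes slightly beyond the page: a trail only records IAM and other global service events when that flag is set.

```python
"""Preflight check for the agentless AWS onboarding prerequisites.

Added example, not Sysdig tooling. It checks that the instrumented regions
include us-east-1 (where AWS logs global service events such as IAM) and that
every instrumented region is covered by at least one CloudTrail trail. A
single-region trail covers only its home region; a multi-region trail covers
all regions. The trail dictionaries have the shape of the "trailList" entries
returned by `aws cloudtrail describe-trails --output json`.
"""
from __future__ import annotations

GLOBAL_EVENTS_REGION = "us-east-1"

# Constructed sample: one single-region trail in eu-west-1 that does not record
# global service events. Replace with the real describe-trails output.
SAMPLE_TRAILS = [
    {
        "Name": "eu-only-trail",
        "HomeRegion": "eu-west-1",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": False,
    },
]


def trail_covers(trail: dict, region: str) -> bool:
    """True if this trail logs management events for the given region."""
    return bool(trail.get("IsMultiRegionTrail")) or trail.get("HomeRegion") == region


def check_prerequisites(instrumented_regions, trails) -> list[str]:
    """Return a list of problems; an empty list means the prerequisites are met."""
    problems: list[str] = []
    regions = set(instrumented_regions)

    if GLOBAL_EVENTS_REGION not in regions:
        problems.append(
            f"{GLOBAL_EVENTS_REGION} is not instrumented: global service events "
            "(including IAM) will be missed"
        )

    if not trails:
        problems.append("no CloudTrail trail exists in this account: CDR will receive no events")
        return problems

    for region in sorted(regions):
        if not any(trail_covers(t, region) for t in trails):
            problems.append(f"no CloudTrail trail covers {region}")

    # Beyond the page text: global service events are only recorded by trails
    # that have IncludeGlobalServiceEvents enabled.
    if not any(t.get("IncludeGlobalServiceEvents") for t in trails):
        problems.append("no trail records global service events (IncludeGlobalServiceEvents is off)")

    return problems


if __name__ == "__main__":
    for problem in check_prerequisites(["us-east-1", "eu-west-1"], SAMPLE_TRAILS):
        print("PREREQ:", problem)
```

Feed it the `trailList` array from `aws cloudtrail describe-trails` for each account you plan to onboard, and the set of regions you intend to enter as Instrumented AWS Regions; fix every reported problem before running the wizard.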

Review AWS Roles and Permissions

Review these roles and permissions created by the installation before running the onboarding wizard.

Permissions Granted to Sysdig

The installation creates an IAM role that Sysdig assumes, with the following IAM policies and permissions attached. The permissions are grouped by feature:

Agentless Cloud Security Posture Management (CSPM)

  • sts:AssumeRole
  • the AWS managed policy SecurityAudit (arn:aws:iam::aws:policy/SecurityAudit)
  • elasticfilesystem:DescribeAccessPoints
  • waf-regional:ListRules
  • waf-regional:ListRuleGroups
  • macie2:ListClassificationJobs

Agentless Cloud Threat Detection (CDR)

  • events:PutEvents
  • events:DescribeRule
  • events:ListTargetsByRule

Vulnerability Management Agentless Host Scanning

  • kms:ListKeys
  • kms:ListAliases
  • kms:ListResourceTags
  • kms:DescribeKey
  • kms:Encrypt
  • kms:Decrypt
  • kms:ReEncrypt*
  • kms:GenerateDataKey*
  • kms:CreateGrant
  • kms:ListGrants
  • ec2:Describe*
  • ec2:CreateSnapshot
  • ec2:CopySnapshot
  • ec2:CreateTags, only when ec2:CreateAction equals CreateSnapshot or CopySnapshot (tags can be attached only while creating or copying a snapshot, not to arbitrary resources)
  • ec2:ModifySnapshotAttribute, only when ec2:Add/userId equals Sysdig's Worker Account ID (a snapshot can be shared only with Sysdig's scanning account)
  • ec2:DeleteSnapshot, only when the resource tag CreatedBy equals Sysdig (a tag Sysdig adds when it creates the snapshot), so the role can delete only the snapshots it created

Access the Onboarding Wizard

  1. Log in to Sysdig Secure, select Integrations > Cloud Accounts > AWS, and click +Add AWS Account.

  2. It is possible to install agentless CDR on its own. This option can use Terraform or CloudFormation Templates.

  3. In all other cases, the agentless AWS installation includes CSPM. All features are selected by default; deselect any you do not want:

    • Identity and Access (CIEM)

    • Cloud Detection and Response (CDR)

    • Vulnerability Host Scanning

    Then click Next.

  4. Choose whether to install for an Organizational or Single account and click Next.

  5. If you are installing CSPM only, CSPM + CDR, or CDR only, choose whether to use Terraform or CloudFormation Templates and click Next.

    For any combination that includes CIEM or Vulnerability Host Scanning, only Terraform is supported.

  6. Proceed as directed in the Wizard screen.

For Terraform

  1. Enter the requested information, such as the account ID and organizational units, in the Wizard screen.

    When installing CIEM, the region us-east-1 is required. For organizational accounts, it must be the Management Region.

  2. Create a file called main.tf.

  3. Copy the code snippet from the Wizard into the file.

  4. Run terraform init && terraform apply.

    terraform apply shows the plan and asks for confirmation; review the IAM roles and policies it will create against the permissions listed above before approving. There is no need to click Complete in the Wizard.

  5. Validate that the connection was successful (see Validate below).

For CloudFormation Templates

This option is available only when onboarding CSPM only, CSPM + CDR, or CDR only.

  1. Log in to the AWS account where you want to deploy.

  2. Enter the requested information, such as the account ID, regions and organizational units, in the Wizard screen and click Launch Stack.

    When installing CIEM, the region us-east-1 is required. For organizational accounts, it must be the Management Region.

  3. When the stack has finished creating, return to the Sysdig Wizard and click Complete.

  4. Validate that the connection was successful (see Validate below).

Validate

To validate the successful connection of each of the chosen features:

  1. In Sysdig Secure, select Integrations > Cloud Accounts > AWS.

    The Status column shows the overall connection status (Connected, Partial Error, Error, or Unknown).

  2. Select the desired account to review the individual services in the detail drawer.

See also: Cloud Accounts - AWS

(Optional) CDR Monitoring of S3 buckets via Notifications

Agentless AWS Cloud Threat Detection (CDR) can monitor operations performed on objects stored in Amazon S3 buckets through S3 event notifications delivered to Amazon EventBridge. To enable this, follow AWS's documentation on Enabling Amazon EventBridge notifications for a bucket. Once enabled, the events from those buckets are forwarded to Sysdig and evaluated against the configured policies and rules.

This is an alternative to enabling Data Events in AWS CloudTrail. It is configured per bucket, so you must enable EventBridge notifications on every bucket you want monitored.

To learn about the supported event types, see AWS's documentation on Using EventBridge.

Features and Resources on AWS

See also the feature overview for context.

Agentless Cloud Security Posture Management (CSPM)

Resources Created

  • aws_cloudformation_stack_set
  • aws_cloudformation_stack_set_instance
  • aws_iam_role
  • aws_iam_role_policy_attachment

Agentless Cloud Threat Detection (CDR)

This feature performs threat detection by applying Falco rules and policies to CloudTrail events. A CloudTrail trail must exist in each account to be monitored; otherwise no events are generated. The agentless feature relies on Amazon EventBridge to receive AWS service events.

Resources Created

ORGANIZATION

  In the management account:

  • aws_cloudformation_stack_set
  • aws_cloudformation_stack_set_instance
  • aws_iam_role

  In every account:

  • aws_cloudwatch_event_rule
  • aws_cloudwatch_event_target
  • aws_iam_role

SINGLE

  • aws_cloudwatch_event_rule
  • aws_cloudwatch_event_target
  • aws_iam_role

Vulnerability Management Agentless Host Scanning

Resources Created

Global resources

  • aws_iam_role
  • aws_iam_policy
  • aws_iam_policy_attachment

Regional Resources

  • aws_kms_key
  • aws_kms_alias

Optional: Tagging to Include/Exclude VPCs or Hosts from Scanning

By default, when you connect an AWS account with the agentless host scanning option, only the root volumes of the account's EC2 instances are scanned. Use the tags below to include data volumes in the scan.

To exclude particular VPCs or EC2 instances in an account from being scanned, tag them in the AWS Console or through the AWS APIs. Apply the tags before running the onboarding wizard where possible; tags can still be added or changed at any time afterwards.

Tagging Semantics

You can apply the following tags at the volume, EC2 instance, or VPC level. Tags can be added at any time, for example to exclude something that was scanned or include something that was not.

Keys: sysdig:secure:scan, sysdig:secure:data-volumes:scan

Values: true, false, all, none

true and all are equivalent, as are false and none.

Usage

  • “sysdig:secure:scan” : “false” on a VPC excludes every resource in it from scanning.
  • “sysdig:secure:scan” : “false” on an EC2 instance excludes it and all its volumes from scanning.
  • “sysdig:secure:scan” : “true” on a data volume of an EC2 instance includes that volume in scanning.
  • “sysdig:secure:scan” : “true” on a VPC together with “sysdig:secure:scan” : “false” on an EC2 instance in that VPC: the instance is not scanned; other instances in the VPC with no tags are scanned.
  • “sysdig:secure:data-volumes:scan” : “true” on a VPC has the same effect as applying “sysdig:secure:scan” : “true” to every data volume of every EC2 instance in it.
  • “sysdig:secure:data-volumes:scan” : “true” on an EC2 instance has the same effect as applying “sysdig:secure:scan” : “true” to all its data volumes.
  • “sysdig:secure:data-volumes:scan” : “true” on a VPC together with “sysdig:secure:data-volumes:scan” : “false” on an EC2 instance in that VPC: the data volumes of that instance are not scanned, while the data volumes of all other instances in the VPC are scanned.

The following tags are redundant on their own: applying them has the same effect as not applying them, either because Sysdig already scans the resource by default, or because it is already excluded by default, or because the value is overridden by a tag at a higher level (VPC or EC2 instance). Note that a “false” at the instance level still overrides a “true” at the VPC level, as described above.

  • “sysdig:secure:scan” : “true” on a VPC
  • “sysdig:secure:scan” : “true” on an EC2 instance
  • “sysdig:secure:scan” : “true” on the root volume of an EC2 instance
  • “sysdig:secure:scan” : “false” on the root volume of an EC2 instance: the root volume is always scanned as part of the EC2 instance scan
  • “sysdig:secure:scan” : “false” on a data volume of an EC2 instance: data volumes are not scanned unless included, and a data-volumes include at the instance or VPC level takes precedence over this tag
  • “sysdig:secure:data-volumes:scan” : “false” on a VPC
  • “sysdig:secure:data-volumes:scan” : “false” on an EC2 instance
  • “sysdig:secure:data-volumes:scan” : “false” on a data volume of an EC2 instance
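The precedence rules above are easy to misread, so here is an added example that encodes them as a small resolver you can run against your own tag sets before onboarding. It is not Sysdig's scanner code; it implements the Usage and redundancy lists exactly as written. Two points the page leaves open are assumptions here: tag values are compared case-insensitively, and “sysdig:secure:scan” : “true” placed directly on a data volume wins over “sysdig:secure:data-volumes:scan” : “false” on its instance.

```python
"""Resolve whether an EC2 volume will be scanned, given the Sysdig tags on its
VPC, its instance and the volume itself.

Added example, not Sysdig's implementation. Rules encoded:
  - scan=false on the VPC or the instance excludes the instance and all volumes
  - scan=true anywhere is the default and adds nothing, except on a data volume
  - the root volume is always scanned when its instance is scanned
  - a data volume is scanned only if included: scan=true on the volume,
    data-volumes:scan=true on the instance, or data-volumes:scan=true on the
    VPC that is not overridden by data-volumes:scan=false on the instance
Assumptions: values are case-insensitive; a volume-level scan=true wins over an
instance-level data-volumes:scan=false.
"""
from __future__ import annotations

SCAN = "sysdig:secure:scan"
DATA_VOLUMES = "sysdig:secure:data-volumes:scan"
TRUE_VALUES = {"true", "all"}
FALSE_VALUES = {"false", "none"}


def _tri(value: str | None) -> bool | None:
    """Map a tag value to True/False; None if absent or not a recognised value."""
    if value is None:
        return None
    normalised = value.strip().lower()  # assumption: case-insensitive values
    if normalised in TRUE_VALUES:
        return True
    if normalised in FALSE_VALUES:
        return False
    return None


def instance_is_scanned(vpc_tags: dict, instance_tags: dict) -> bool:
    """A scan=false at either level excludes the instance; anything else scans it."""
    return _tri(vpc_tags.get(SCAN)) is not False and _tri(instance_tags.get(SCAN)) is not False


def volume_is_scanned(vpc_tags: dict, instance_tags: dict, volume_tags: dict, is_root: bool) -> bool:
    if not instance_is_scanned(vpc_tags, instance_tags):
        return False
    if is_root:
        return True  # scan=false on the root volume has no effect
    if _tri(volume_tags.get(SCAN)) is True:
        return True  # explicit include on the volume (assumption: beats instance-level false)
    instance_setting = _tri(instance_tags.get(DATA_VOLUMES))
    if instance_setting is not None:
        return instance_setting  # instance-level data-volumes tag overrides the VPC-level one
    return _tri(vpc_tags.get(DATA_VOLUMES)) is True  # scan=false on a data volume is the default


def plan_instance(vpc_tags: dict, instance_tags: dict, volumes: list[tuple[str, dict, bool]]) -> list[str]:
    """volumes: (volume_id, tags, is_root). Returns the IDs that will be scanned."""
    return [vid for vid, tags, root in volumes if volume_is_scanned(vpc_tags, instance_tags, tags, root)]


if __name__ == "__main__":
    # Constructed sample: VPC includes data volumes, one instance opts its own out.
    vpc = {DATA_VOLUMES: "true"}
    opted_out = {DATA_VOLUMES: "false"}
    vols = [("vol-root", {}, True), ("vol-data", {}, False), ("vol-pinned", {SCAN: "true"}, False)]
    print(plan_instance(vpc, {}, vols))        # ['vol-root', 'vol-data', 'vol-pinned']
    print(plan_instance(vpc, opted_out, vols)) # ['vol-root', 'vol-pinned']
```

Run plan_instance over the tag sets you intend to apply and compare the result with the coverage you expect; disagreements usually come from forgetting that an instance-level data-volumes “false” overrides the VPC-level “true”.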