Agent-Based with CIEM

To obtain the Identity and Access feature (CIEM) feature, use this script-based installation method instead of the wizard-based installation of the agentless components. You can deploy agentless CSPM, plus agent-based Threat Detection and CIEM, for either a single account or an organizational account.

Install CSPM and Threat Detection with CIEM

Prerequisites

  • Terraform installed

Gather the following:

  • Sysdig Secure endpoint (by region)
  • Sysdig API token
  • AWS Region for example, us-east-1 The region where resources will be created in your AWS account by default. All resources created by this module are global, so this region can be set to any value.
  • AWS Account ID of the account in which compute resources will be deployed.

Single Account

  1. Create a file called sysdig.tf with the following contents:

    terraform {
   required_providers {
      sysdig = {
         source  = "sysdiglabs/sysdig"
      }
   }
}

provider "sysdig" {
   sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
   sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

provider "aws" {
   region = "<AWS-REGION>; ex. us-east-1"
}

module "secure_for_cloud_aws_single_account_ecs" {
   source           = "sysdiglabs/secure-for-cloud/aws//examples/single-account-ecs"
}

  2. Run terraform init.

  3. Run terraform apply

After deploying, perform any necessary configuration steps and confirm the services are working.

Organizational Account

  1. Create a file called sysdig.tf with the following contents:

    terraform {
  required_providers {
    sysdig = {
      source  = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

provider "aws" {
  region = "<AWS_REGION>   # same region in both providers. ex. us-east-1"
}

provider "aws" {
  alias  = "member"
  region = "<AWS_REGION>  # same region in both providers. ex. us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${ORG_MEMBER_SFC_ACCOUNT_ID}:role/OrganizationAccountAccessRole"
  }
}

module "secure_for_cloud_organizational" {
  providers = {
    aws.member = aws.member
  }

  source                                    = "sysdiglabs/secure-for-cloud/aws//examples/organizational"
  sysdig_secure_for_cloud_member_account_id = "<ORG_MEMBER_SFC_ACCOUNT_ID>"
}

  2. Run terraform init.

  3. Run terraform apply

Features and Resources on AWS

Agentless CSPM

Available as a stand-alone manual install or as part of the full install.

Resources Created

  • aws_cloudformation_stack_set
  • aws_cloudformation_stack_set_instance
  • aws_iam_role
  • aws_iam_role_policy_attachment

Threat Detection and CIEM

Resources Created

  • aws_apprunner_service
  • aws_cloudtrail
  • aws_cloudwatch_log_group
  • aws_cloudwatch_log_stream
  • aws_ecs_cluster
  • aws_ecs_service
  • aws_ecs_task_definition
  • aws_iam_access_key
  • aws_iam_role
  • aws_iam_role_policy
  • aws_iam_user
  • aws_iam_user_policy
  • aws_kms_alias
  • aws_kms_key
  • aws_resourcegroups_group
  • aws_s3_bucket
  • aws_s3_bucket_acl
  • aws_s3_bucket_lifecycle_configuration
  • aws_s3_bucket_policy
  • aws_s3_bucket_public_access_block
  • aws_security_group
  • aws_sns_topic
  • aws_sns_topic_policy
  • aws_sns_topic_subscription
  • aws_sqs_queue
  • aws_sqs_queue_policy
  • aws_ssm_parameter

Next Steps