Agentless Install
Prerequisites
Each option can be provisioned for a single AWS account or for an AWS Organization, using either Terraform or CloudFormation Templates.
Have the following:
- Terraform installed or access to CloudFormation
- At least one CloudTrail Trail in the accounts to perform threat detection on
For Organizational Accounts:
- (Primary) AWS Region, for example us-east-1: the region where resources will be created in your AWS account by default. All resources created by this module are global, so this region can be set to any value.
- Instrumented AWS Regions: regions from which events will be sent to Sysdig in order to secure them.
- Organizational Units to Onboard: use either the root or individual OU IDs in a comma-separated list.
- Management Account ID: from AWS.
For Single Accounts:
- AWS Account ID: the ID of the account in which compute resources will be deployed.
- Instrumented AWS Regions: regions from which events will be sent to Sysdig in order to secure them.
Additional permissions prerequisites are listed on the appropriate Wizard screens.
Access the Onboarding Wizard
Log in to Sysdig Secure and select Integrations > Data Sources | Cloud Accounts and select Connect AWS.
Choose which Agentless option you want:
- Both together
- CSPM only
- Threat Detection only
and click Next.
If you want Identity and Access (CIEM) functionality, you must follow the script-based installation that includes CIEM.
Choose whether to install for an Organizational or Single account and click Next.
Choose whether to use Terraform or CloudFormation Templates and click Next.
Proceed as directed in the Wizard screen.
For Terraform
Enter the requested region, units, etc. on the Wizard screen.
Create a file called main.tf and copy the code snippet from the Wizard into it.
Run terraform init && terraform apply, then click Next.
Enter the Account ID (single) or Management Account ID (org) and click Complete.
For CloudFormation Templates
Log in to the AWS account where you want to deploy.
Enter the requested regions, units, etc. on the Wizard screen and click Launch Stack.
If you are deploying Threat Detection on a single account using CloudFormation templates, only a single AWS region is supported.
You are redirected to the AWS Console. Follow the prompts to create the CloudFormation Stack.
Be sure to check Acknowledgements in the AWS Capabilities section in AWS Console.
When complete, return to the Sysdig Wizard and click Next.
Enter the Account ID (single) or Management Account ID (org) and click Complete.
Features and Resources on AWS
Agentless CSPM
See also the feature overview for context.
Resources Created
- aws_cloudformation_stack_set
- aws_cloudformation_stack_set_instance
- aws_iam_role
- aws_iam_role_policy_attachment
Agentless Threat Detection
This feature performs threat detection using Falco rules and policies on CloudTrail events. This requires creating a CloudTrail trail in the account(s) to be monitored; otherwise no log is generated. The agentless feature relies on AWS EventBridge to access AWS service events.
Technical Preview notice
As stated in the AWS documentation, “Currently, events from API actions that start with the keywords List, Get, or Describe aren’t processed by EventBridge”. Therefore they won’t be available in Sysdig through Agentless Threat Detection.
See also the feature overview for context.
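The following Terraform fragment is an added illustration of the EventBridge wiring this feature relies on; it is not Sysdig's module and not the snippet the Wizard generates. It assumes an AWS provider already configured for one instrumented region and a placeholder variable target_event_bus_arn standing in for the destination event bus that the real Wizard supplies. The event pattern only matches events that CloudTrail delivers to EventBridge, so a trail must exist in the account, and, as the note above explains, List, Get and Describe calls never arrive at EventBridge regardless of the pattern.

```hcl
# Added illustration, not Sysdig's module. Assumes a configured AWS provider for
# one instrumented region. target_event_bus_arn is a placeholder for the event
# bus ARN the onboarding Wizard provides.
variable "target_event_bus_arn" {
  description = "Placeholder: ARN of the destination event bus supplied by the Wizard"
  type        = string
}

# Match only CloudTrail-delivered events. Read-only API calls (List*, Get*,
# Describe*) are not sent to EventBridge by AWS, so no pattern can surface them.
resource "aws_cloudwatch_event_rule" "cloudtrail_events" {
  name        = "example-forward-cloudtrail-events"
  description = "Forward CloudTrail API call and console sign-in events"
  event_pattern = jsonencode({
    "detail-type" = [
      "AWS API Call via CloudTrail",
      "AWS Console Sign In via CloudTrail",
    ]
  })
}

# Role that the EventBridge service assumes when delivering to the target bus.
resource "aws_iam_role" "event_forwarder" {
  name = "example-eventbridge-forwarder"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege: the role may only put events onto the single destination bus.
resource "aws_iam_role_policy" "event_forwarder" {
  name = "put-events-to-target-bus"
  role = aws_iam_role.event_forwarder.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "events:PutEvents"
      Resource = var.target_event_bus_arn
    }]
  })
}

# Bind the rule to the destination bus using the forwarding role above.
resource "aws_cloudwatch_event_target" "forward_to_bus" {
  rule     = aws_cloudwatch_event_rule.cloudtrail_events.name
  arn      = var.target_event_bus_arn
  role_arn = aws_iam_role.event_forwarder.arn
}
```

One rule, target and role of this shape is needed in every instrumented region, which is why the resource lists below repeat those three resource types per account; the `events:PutEvents` grant is scoped to the single destination bus rather than `*` so the role cannot be reused to publish elsewhere.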
Resources Created
ORGANIZATION
- aws_cloudformation_stack_set (in management account)
- aws_cloudwatch_event_rule (in every account)
- aws_cloudwatch_event_target (in every account)
- aws_iam_role (in every account)
- aws_cloudformation_stack_set_instance (in management account)
- aws_iam_role (in management account)
SINGLE
- aws_cloudwatch_event_rule
- aws_cloudwatch_event_target
- aws_iam_role
Next Steps