Legacy Agent-Based with CIEM

This script-based legacy installation option deploys agentless CSPM, plus agent-based Threat Detection and CIEM, for either a single account or an organizational account. If you want to add host scanning for Vulnerability Management, it is done in a seaparate step.

Install CSPM and Threat Detection with CIEM

Prerequisites

Terraform installed

Gather the following:

Sysdig Secure endpoint (by region)
Sysdig API token
AWS Region for example, us-east-1 The region where resources will be created in your AWS account by default. All resources created by this module are global, so this region can be set to any value.
AWS Account ID of the account in which compute resources will be deployed.

Single Account

Create a file called sysdig.tf with the following contents:

terraform {
   required_providers {
      sysdig = {
         source  = "sysdiglabs/sysdig"
      }
   }
}

provider "sysdig" {
   sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
   sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

provider "aws" {
   region = "<AWS-REGION>; ex. us-east-1"
}

module "secure_for_cloud_aws_single_account_ecs" {
   source           = "sysdiglabs/secure-for-cloud/aws//examples/single-account-ecs"
}

Run terraform init.
Run terraform apply

After deploying, perform any necessary configuration steps and confirm the services are working.

Organizational Account

Create a file called sysdig.tf with the following contents:

terraform {
  required_providers {
    sysdig = {
      source  = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

provider "aws" {
  region = "<AWS_REGION>   # same region in both providers. ex. us-east-1"
}

provider "aws" {
  alias  = "member"
  region = "<AWS_REGION>  # same region in both providers. ex. us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::${ORG_MEMBER_SFC_ACCOUNT_ID}:role/OrganizationAccountAccessRole"
  }
}

module "secure_for_cloud_organizational" {
  providers = {
    aws.member = aws.member
  }

  source                                    = "sysdiglabs/secure-for-cloud/aws//examples/organizational"
  sysdig_secure_for_cloud_member_account_id = "<ORG_MEMBER_SFC_ACCOUNT_ID>"
}

Run terraform init.
Run terraform apply

Features and Resources on AWS

Agentless CSPM

Available as a stand-alone manual install or as part of the full install.

Resources Created

aws_cloudformation_stack_set
aws_cloudformation_stack_set_instance
aws_iam_role
aws_iam_role_policy_attachment

Threat Detection and CIEM

Resources Created

aws_apprunner_service
aws_cloudtrail
aws_cloudwatch_log_group
aws_cloudwatch_log_stream
aws_ecs_cluster
aws_ecs_service
aws_ecs_task_definition
aws_iam_access_key
aws_iam_role
aws_iam_role_policy
aws_iam_user
aws_iam_user_policy
aws_kms_alias
aws_kms_key
aws_resourcegroups_group
aws_s3_bucket
aws_s3_bucket_acl
aws_s3_bucket_lifecycle_configuration
aws_s3_bucket_policy
aws_s3_bucket_public_access_block
aws_security_group
aws_sns_topic
aws_sns_topic_policy
aws_sns_topic_subscription
aws_sqs_queue
aws_sqs_queue_policy
aws_ssm_parameter

Next Steps

Perform any necessary configuration steps.
Validate the services are working: go to Integrations > Data Sources |Cloud Accounts > AWS and review the status and details.
If desired, add vulnerability management agentless host scanning.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.