Follow wizard-based prompts to install agentless Cloud Security Posture Management (CSPM), Cloud Detection and Response (CDR), Cloud Infrastructure Entitlement Management (CIEM), and Vulnerability Management (VM) host scanning on AWS.


You can provision each option for a single or organizational AWS account, using Terraform or CloudFormation Templates.

Ensure that your setup has the following:

  • Terraform installed or access to CloudFormation
  • For the Threat Detection option, there must be at least one CloudTrail trail in the accounts on which threat detection will be performed.

For Organizational Accounts:

  • Management AWS Region: This is the region where resources are created by default. All the resources created by this module are global and any region can be used.
  • Instrumented AWS Regions: These are the regions that are scanned by vulnerability scanning and from which events will be sent to Sysdig to secure them. To use CIEM features, you must include the us-east-1 region along with any other AWS regions you currently use for the account.
  • Organizational Units to Onboard: Use either the root or individual OUIDs in a comma-separated list.
  • Management Account ID of your organization. This is the account into which singleton resources will be deployed.

For Single Accounts:

  • AWS Account ID of the account to be connected.
  • Instrumented AWS Regions: The regions from which events will be sent to Sysdig to secure them. AWS logs global service events to us-east-1 region. Without this region in your AWS setup, you might miss key events, including IAM events. Ensure you select us-east-1 plus any other AWS regions you currently use for the account.

Additional permissions or prerequisites are listed on the appropriate Wizard screens.

Review AWS Roles and Permissions

Review these roles and permissions created by the installation before running the onboarding wizard.

Permissions Granted to Sysdig

The installation creates an IAM role with these associated IAM policies and permissions for Sysdig access:

Agentless Cloud Security Posture Management (CSPM)

  • sts:AssumeRole
  • policy/SecurityAudit
  • elasticfilesystem:DescribeAccessPoints
  • waf-regional:ListRules
  • waf-regional:ListRuleGroups
  • macie2:ListClassificationJobs
  • lambda:GetRuntimeManagementConfig in order to capture if Lambda Functions are executed in auto, function-update or manual mode

Agentless Cloud Threat Detection (CDR)

  • events:PutEvents
  • events:DescribeRule
  • events:ListTargetsByRule

Vulnerability Management Agentless Host Scanning

  • kms:ListKeys
  • kms:ListAliases
  • kms:ListResourceTags
  • kms:DescribeKey
  • kms:Encrypt
  • kms:Decrypt
  • kms:ReEncrypt*
  • kms:GenerateDataKey*
  • kms:CreateGrant
  • kms:ListGrants
  • ec2:Describe*
  • ec2:CreateSnapshot
  • ec2:CopySnapshot
  • ec2:CreateTags with the additional constraint of ec2:CreateAction being equal to either CreateSnapshot or CopySnapshot
  • ec2:ModifySnapshotAttribute with the additional constraint of ec2:Add/userId being equal to Sysdig’s Worker Account ID
  • ec2:DeleteSnapshot with the additional constraint of aws:ResourceTag/CreatedBy being equal to Sysdig (which we add when creating the Snapshot)


No additional resources are created for CIEM.

Access the Onboarding Wizard

  1. Log into Sysdig Secure, select Integrations > Cloud Accounts | AWS, and select +Add AWS Account.

  2. It is possible to install agentless CDR only. This option can use Terraform or CloudFormation Templates.

  3. All other agentless AWS installations include CSPM.
    All features are included by default. Deselect individual features if desired:

    • Identity and Access (CIEM)

    • Cloud Detection and Response (CDR)

    • Vulnerability Host Scanning

    and click Next.

  4. Choose whether to install for an Organizational or Single account and click Next.

  5. If you are installing CSPM only, CSPM + CDR, or CDR only, choose whether to use Terraform or CloudFormation Templates and click Next.

    In all other cases, only Terraform installation is supported.

  6. Proceed as directed in the Wizard screen.

For Terraform

  1. Enter information such as the account ID and units in the Wizard screen.

    When installing CIEM, the region us-east-1 is required. For organizational accounts, it must be the Management Region.

  2. Create a file called

  3. Copy the code snippet from the Wizard into the file.

  4. Run terraform init && terraform apply.

    There is no need to click Complete on the Wizard.

  5. Validate that the connection was successful.

For CloudFormation Templates

This option is available when onboarding CSPM only, CSPM + CDR, or CDR only.

  1. Log in to the AWS account where you want to deploy.

  2. Enter information such as the requested account ID, regions and units in the Wizard screen and click Launch Stack.

    When installing CIEM, the region us-east-1 is required. For organizational accounts, it must be the Management Region.

  3. When complete, return to the Sysdig Wizard and click Complete.

  4. Validate that the connection was successful.


To validate the successful connection of each of the chosen features:

  1. In Sysdig Secure, select Integrations > Cloud Accounts > AWS.

    The Status column shows the overall connection status (Connected/Partial Error/Error/Unknown).

  2. Select the desired account to review the individual services in the detail drawer.

See also: Cloud Accounts - AWS

(Optional) CDR Monitoring of S3 buckets via Notifications

Agentless AWS Cloud Threat Detection (CDR) can monitor operations performed on objects stored in AWS Simple Storage Service (S3) buckets through S3 notifications. To enable this function, follow AWS’s documentation on Enabling Amazon EventBridge. Once enabled, the events from those buckets will be forwarded to Sysdig and processed using the configured policies and rules.

This is an alternative to enabling Data Events in AWS CloudTrail; it requires configuring notifications individually for every bucket.

To learn about supported event types, see AWS’s documentation on Using EventBridge.

Features and Resources on AWS

See also the feature overview for context.

Agentless Cloud Security Posture Management (CSPM)

Resources Created

  • aws_cloudformation_stack_set
  • aws_cloudformation_stack_set_instance
  • aws_iam_role
  • aws_iam_role_policy_attachment

Agentless Cloud Threat Detection (CDR)

The Agentless Cloud Detection and Response (CDR) feature provides threat detection for your assets on AWS by leveraging CloudTrail logs, GuardDuty findings and S3 notifications. It analyzes threats through Falco-based policies, rules, and Machine Learning policies.

As a prerequisite for CloudTrail logs to be available, you need to have (at least) one CloudTrail Trail in the accounts to be monitored. GuardDuty findings are ingested if the service is enabled in the AWS Accounts.

The agentless feature relies on AWS EventBridge to access AWS service events.

Resources Created

For Organizational accounts:

  • aws_cloudformation_stack_set (in management account)
  • aws_cloudformation_stack_set_instance (in management account)
  • aws_iam_role (in management account)
  • aws_cloudwatch_event_rule (in every account)
  • aws_cloudwatch_event_target (in every account)
  • aws_iam_role (in every account)

For Single accounts:

  • aws_cloudwatch_event_rule
  • aws_cloudwatch_event_target
  • aws_iam_role

Tuning the Event Pattern of the EventBridge Rule

The Cloud Detection and Response (CDR) module creates an EventBridge rule that forwards the events matching the conditions defined in its event pattern. Sysdig provides a default event pattern that matches the events covered by its out-of-the-box rules. Depending on your circumstances, you can write your own rules for events not included by default, or exclude unnecessarily noisy events. To customize this, set the event_pattern variable on the threat detection module (single-account-threat-detection or organization-threat-detection, depending on your setup). Here is an example that includes only Management CloudTrail events:

module "single-account-threat-detection" {
  # other module arguments come from the Wizard snippet
  event_pattern = <<EOF
{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventCategory": ["Management"]
  }
}
EOF
}
Tuning the pattern will change the logs that will be sent to Sysdig. This will affect Sysdig runtime visibility and threat detection capabilities.
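An added example (not Sysdig's or AWS's code) for dry-running a candidate event_pattern against sample events before applying it: it implements the exact-match subset of EventBridge pattern matching and runs the Management-only pattern above over constructed CloudTrail and GuardDuty events, showing what the narrowed rule would stop forwarding.

```python
import json

# The Management-only pattern from the page, as the module would receive it.
MANAGEMENT_ONLY_PATTERN = json.loads("""
{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {"eventCategory": ["Management"]}
}
""")


def matches(pattern, event):
    """Exact-value subset of EventBridge matching: every pattern key must be
    present in the event; a list means "the value is one of these"; a nested
    dict recurses. Content filters (prefix, anything-but, ...) are not handled."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        present = event[key]
        if isinstance(wanted, dict):
            if not isinstance(present, dict) or not matches(wanted, present):
                return False
        else:
            # An array field in the event matches if any element is wanted.
            candidates = present if isinstance(present, list) else [present]
            if not any(value in wanted for value in candidates):
                return False
    return True


def forwarded_ids(pattern, events):
    """Ids of the events the rule would forward to its target."""
    return [event["id"] for event in events if matches(pattern, event)]


# Constructed sample events in EventBridge envelope shape (fields trimmed).
SAMPLE_EVENTS = [
    {"id": "mgmt-1", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventCategory": "Management", "eventName": "CreateUser"}},
    {"id": "data-1", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventCategory": "Data", "eventName": "GetObject"}},
    {"id": "gd-1", "detail-type": "GuardDuty Finding",
     "detail": {"severity": 5}},
]
```

With this pattern only mgmt-1 is forwarded: the S3 data event is dropped by design, and so is the GuardDuty finding if findings reach Sysdig through the same rule, because its detail-type differs.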

Vulnerability Management Agentless Host Scanning

Resources Created

Global resources

  • aws_iam_role
  • aws_iam_policy
  • aws_iam_policy_attachment

Regional Resources

  • aws_kms_key
  • aws_kms_alias

How to Exclude/Include Resources from Vulnerability Scanning

When you connect your AWS account with Vulnerability Host Scanning, by default the root volumes of all EC2 instances in all VPCs of the account are included in the scan.

You can use tags to exclude specific VPCs or EC2 Instances from being scanned.

How to exclude VPCs or Hosts: To exclude certain VPCs or EC2 instances from being scanned, you must assign specific tags to them in the AWS Console or using AWS APIs.

It is recommended to set these tags before initiating the scanning process. You can add tags after onboarding, but note that the exclusion will only take effect in subsequent scans.

How to include Data Volumes in Scans: By default, only root volumes of EC2 Instances are scanned.

To also include data volumes in scans, you need to use the specific tags declared below.

Tagging Semantics

You can use the following tags at volume, EC2, or VPC level. Tags can be added at any time, for example to exclude something that has been scanned or to include something that has not.

Keys: sysdig:secure:scan, sysdig:secure:data-volumes:scan.

Values: true, false

Usage Examples

  • “sysdig:secure:scan” : “false” on a VPC excludes all resources in the VPC from scanning.
  • “sysdig:secure:scan” : “false” on an EC2 Instance excludes the instance and all its volumes from scanning;
  • “sysdig:secure:scan” : “true” on a data-volume of an EC2 Instance includes such volume for scanning;
  • “sysdig:secure:data-volumes:scan” : “true” on a VPC has the same effect as applying the “sysdig:secure:scan” : “true” tag to all the data-volumes of all the EC2 instances in it;
  • “sysdig:secure:data-volumes:scan” : “true” on an EC2 Instance has the same effect as applying the “sysdig:secure:scan” : “true” tag to all its data-volumes;
  • “sysdig:secure:data-volumes:scan” : “true” on a VPC, while “sysdig:secure:data-volumes:scan” : “false” on an EC2 Instance of the same VPC, has the same effect as applying the “sysdig:secure:scan” : “true” tag to all data-volumes of all the EC2 instances within the VPC but the one explicitly excluded via the tag.

The following tags are redundant; using them will have the same effect as not having them. This is either because Sysdig scans them by default or because the values have been overridden by a tag at a higher level (such as a VPC or an EC2 Instance).

  • “sysdig:secure:scan” : “true” on a VPC;
  • “sysdig:secure:scan” : “true” on an EC2 Instance;
  • “sysdig:secure:scan” : “true” on the root volume of an EC2 Instance;
  • “sysdig:secure:scan” : “false” on any data-volumes of an EC2 Instance;
  • “sysdig:secure:scan” : “false” on the root volume of an EC2 Instance has no effect. The root volume is always scanned as part of the EC2 instance scan;
  • “sysdig:secure:data-volumes:scan” : “false” on a VPC;
  • “sysdig:secure:data-volumes:scan” : “false” on an EC2 Instance;
  • “sysdig:secure:data-volumes:scan” : “false” on any data-volumes of an EC2 Instance.
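The rules above as an added example (not Sysdig's code): a small Python resolver that applies the documented precedence to a VPC, its instances and their volumes, so a tagging plan can be checked before onboarding. Tag dictionaries and volume ids are constructed; the one combination the page does not spell out (scan=true on a volume under an instance tagged data-volumes:scan=false) is an assumption noted in the code.

```python
SCAN = "sysdig:secure:scan"
DV_SCAN = "sysdig:secure:data-volumes:scan"

def _tag(tags, key):
    # Tag value lower-cased, or None when the tag is absent.
    value = tags.get(key)
    return value.lower() if isinstance(value, str) else None

def volume_is_scanned(vpc_tags, instance_tags, volume_tags, is_root):
    """Documented precedence: VPC/instance exclusions win, root volumes
    follow the instance, data volumes need an explicit opt-in."""
    # scan=false on the VPC or the instance excludes everything beneath it.
    if _tag(vpc_tags, SCAN) == "false" or _tag(instance_tags, SCAN) == "false":
        return False
    # Root volumes always go with the instance; scan=false on them is ignored.
    if is_root:
        return True
    # Data volumes are off by default; scan=true on the volume opts it in.
    # Assumption: instance-level data-volumes:scan=false does not cancel this
    # explicit per-volume opt-in, a combination the page does not spell out.
    if _tag(volume_tags, SCAN) == "true":
        return True
    instance_dv = _tag(instance_tags, DV_SCAN)
    if instance_dv == "true":
        return True
    # A VPC-level opt-in applies unless the instance explicitly opts out.
    return _tag(vpc_tags, DV_SCAN) == "true" and instance_dv != "false"

def scanned_volumes(vpc_tags, instances):
    """Ids of the volumes that would be scanned. Each instance is a dict
    {"tags": {...}, "volumes": [{"id", "root", "tags"}, ...]}."""
    return [
        vol["id"]
        for inst in instances
        for vol in inst["volumes"]
        if volume_is_scanned(vpc_tags, inst["tags"], vol["tags"], vol["root"])
    ]

# Constructed sample: the VPC opts data volumes in, instance b opts its data
# volumes out, instance c is excluded outright.
SAMPLE_VPC_TAGS = {DV_SCAN: "true"}
SAMPLE_INSTANCES = [
    {"tags": {}, "volumes": [{"id": "vol-a-root", "root": True, "tags": {}},
                             {"id": "vol-a-data", "root": False, "tags": {}}]},
    {"tags": {DV_SCAN: "false"},
     "volumes": [{"id": "vol-b-root", "root": True, "tags": {SCAN: "false"}},
                 {"id": "vol-b-data", "root": False, "tags": {}}]},
    {"tags": {SCAN: "false"},
     "volumes": [{"id": "vol-c-root", "root": True, "tags": {}}]},
]
```

Running scanned_volumes(SAMPLE_VPC_TAGS, SAMPLE_INSTANCES) on this sample yields the two volumes of instance a plus the root volume of instance b: its scan=false tag is ignored, its data volume is held back by the instance-level opt-out, and instance c contributes nothing.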