Configure CDR and CIEM for AWS
Sysdig released a new onboarding experience for AWS in September 2024. If you onboarded your AWS Organization or Account before September 30, 2024, and would like to add more features, contact your Sysdig representative.
Log ingestion relies on AWS EventBridge to access AWS service events, and analyzes threats through Falco-based policies, rules, and machine learning policies.
Prerequisites
- You must have an AWS Account or Organization already connected to Sysdig.
- Access to a User with the permissions required to install.
- You must have (at least) one CloudTrail Trail in the accounts to be monitored. GuardDuty findings are ingested if the service is enabled in the AWS Accounts.
Set Up Log Ingestion
Log in to Sysdig Secure, and select Integrations > Cloud Accounts | AWS.
Select an account that is part of the Organization you would like to add features to, or the individual Account you onboarded.
The detail panel appears on the right. Here, you can see a list of features.
To set up log ingestion, select Select Identity and Access Management (CIEM) or Setup Cloud Detection and Response (CDR). Both features require log ingestion.
The Organization Overview page appears. You can see which features are enabled and which are not enabled.
Beside Log Ingestion, select Go to Setup.
Follow the steps in the onboarding wizard.
Verify the details of your Organization or Account where the features will be added.
Select the regions from which events will be sent to Sysdig.
AWS logs global service events to
us-east-1region. Without this region in your AWS setup, you might miss key events, including IAM events. Ensure you selectus-east-1plus any other AWS regions you currently use for the account.Create a
log_ingestion.tffile in the folder that contains yourmain.tf.Copy the snippet provided into the
log_ingestion.tffile.
By default, the snippet enables both CIEM and CDR. To disable one of these features, see Disable Features.
- Run the command:
terraform init && terraform apply.
(Optional) CDR Monitoring of S3 buckets via Notifications
Optionally, you can enable Data Events in AWS CloudTrail through granular configuration of S3 buckets. Agentless AWS Cloud Threat Detection (CDR) can monitor operations performed on objects stored in AWS Simple Storage Service (S3) buckets through S3 notifications. To learn about supported event types, see AWS’s documentation on EventBridge. To enable this function, see Enabling Amazon EventBridge. Once enabled, the events from those buckets will be forwarded to Sysdig and processed using the configured policies and rules.
Disable Features
When you configure a Log Ingestion component, both CIEM and CDR are enabled by default.
To disable either of these features, comment out the relevant stanza in the Terraform snippet:
Retrieve the
log_ingestion.tfTerraform snippet from the onboarding wizard as described in Set Up Log Ingestion.To disable CIEM comment out:
resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_IDENTITY_ENTITLEMENT" enabled = true components = [module.event-bridge.event_bridge_component_id] depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.config_posture] }To disable CDR, comment out:
resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" { account_id = module.onboarding.sysdig_secure_account_id type = "FEATURE_SECURE_THREAT_DETECTION" enabled = true components = [module.event-bridge.event_bridge_component_id] depends_on = [module.event-bridge] }Run
terraform init && terraform apply.
We recommend commenting out the stanza instead of removing it entirely. If you want to enable a disabled feature, un-comment the stanza.
Advanced Customization
The Log Ingestion component creates an EventBridge rule that sends events matching the conditions defined in an event pattern. You can customize this behavior either through the UI or directly using Terraform/CFT.
Customizing this behavior may cause installation and/or feature operation to fail. Contact your Sysdig representative for more information or assistance with this process.
Customize Log Ingestion Using the UI
- Login to Sysdig Secure.
- Go to Integrations > AWS.
- Select the account you want to configure the Log Ingestion component for.
- Configure either Identity and Access Management or Cloud Detection and Response.
The Account Overview page opens. - Click Go to Setup next to Log Ingestion.
The wizard opens. - Under Select Sources (optional), choose Guided customization and select the sources you want to use.
Customize Log Ingestion Using Terraform
To customize Log Ingestion directly in Terraform, modify the event_pattern parameter in the event-bridge module.
module "event_bridge" {
...
event_pattern = <<EOF
{
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventCategory": [
"Management"
]
}
}
EOF
}
To customize this in the CFT stack creation, edit the EventBridge Rule Event Pattern parameter and provide the JSON pattern. Use the heredoc content from the example above (the text between the two EOF markers).
Tuning the pattern will change the logs that will be sent to Sysdig. This will affect Sysdig runtime visibility and threat detection capabilities.
Check Connection Status
To check the connection status:
Log in to Sysdig Secure and select Integrations > Cloud Accounts | AWS.
Select your account.
The detail panel appears on the right.
If the connection is successful, you will see the feature as Connected. This may take up to 5 minutes after deploying the Terraform.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
