Configure CDR and CIEM for AWS

After you connect your AWS environment to Sysdig, you can configure Cloud Detection and Response (CDR) and Cloud Infrastructure Entitlement Management (CIEM). Agentless CDR provides threat detection for your assets on AWS by leveraging CloudTrail logs to analyze threats through Falco-based policies, rules and machine learning policies. Identity and Access Management (IAM), a subset of CIEM, concerns the management of identities, such as users, roles, and groups. To configure CDR and CIEM, set up Log Ingestion.

Sysdig released a new onboarding experience for AWS in September 2024. If you onboarded your AWS Organization or Account before September 30, 2024, and would like to add more features, contact your Sysdig representative.

Prerequisites

  • An AWS Account or Organization connected to Sysdig.
  • Access to a user with the permissions required to install:
  • At least one CloudTrail trail in the accounts to be monitored.

Set Up Log Ingestion

To configure Agentless CDR and CIEM, you must set up log ingestion with either EventBridge or S3.

  • EventBridge provides a real-time solution for Sysdig to receive CloudTrail logs and AWS service events, such as object events and GuardDuty Findings, with minimal latency. EventBridge setups support log volume tuning of which logs you want Sysdig to receive based on Event pattern.
  • S3 provides a cost-effective solution for streaming CloudTrail logs with a latency in the order of minutes. Log volume tuning is not available for S3 setups.
                                  EventBridge                                                      S3
  Supported logs                  CloudTrail events, GuardDuty findings, Object events             CloudTrail events
  Latency                         Sub-second                                                       Minutes
  Price (data transfer excluded)  By event type and for transferring data to Sysdig's Event bus    SNS notifications delivered via HTTP and file transferring
  Log volume tuning               Fine-grained, using Event pattern                                Up to accounts and regions

EventBridge Setup

To set up Log Ingestion for EventBridge:

  1. Log in to Sysdig Secure, and select Integrations > Cloud Accounts | AWS.

  2. Select an onboarded account you would like to add features to.

    The detail panel appears on the right. Here, you can see a list of features.

  3. Select either Setup Identity and Access Management or Setup Cloud Detection and Response.

    The Organization Overview page appears. You can see which features are enabled.

  4. Under Identity and Access Management or Cloud Detection and Response, and beside Log Ingestion, select Go to Setup.

  5. Select EventBridge.

  6. Select whether you wish to set up CDR and CIEM with Terraform or a CloudFormation Template.

    The wizard will guide you to review prerequisites and check your account details.

  7. Select the regions you would like to collect logs from.

    Ensure you select at least us-east-1. Add any other AWS regions you use for your account. AWS logs global service events to us-east-1 region. Without this region in your AWS setup, you might miss key events, including IAM events.

  8. Select which log types and sources you want to monitor. This affects the Terraform or CloudFormation Template generated at the end of the setup:

    • Default Setup: Includes both CIEM and CDR.
    • Guided Customization: Un-tick the boxes beside sources you wish to exclude from collection.
    • Advanced Customization: You can customize the terraform or CloudFormation template generated to define a custom Event pattern to use in the Event Bridge rules. For details, see Customize Log Ingestion.
  9. For Terraform, save the generated Terraform file log_ingestion.tf in the folder that contains your main.tf.

    • For CloudFormation, follow the link in the setup to your AWS Console.
  10. Copy the snippet provided into the log_ingestion.tf file.

  11. Run the command: terraform init && terraform apply.

    GuardDuty findings are ingested if the service is enabled in the AWS Accounts.

S3 Setup

To set up Log Ingestion for S3:

  1. Log in to Sysdig Secure, and select Integrations > Cloud Accounts | AWS.

  2. Select an onboarded account you would like to add features to.

    The detail panel appears on the right. Here, you can see a list of features.

  3. Select either Setup Identity and Access Management or Setup Cloud Detection and Response.

    The Organization Overview or Account Overview page appears. You can see which features are enabled.

  4. Under Identity and Access Management or Cloud Detection and Response, and beside Log Ingestion, select Go to Setup.

  5. Select S3.

  6. Select whether you wish to set up CDR and CIEM with Terraform or a CloudFormation Template.

    The wizard will guide you to review prerequisites and check your account details.

  7. Verify or select your CloudTrail trail:

    • If you have only one trail, review its details.
    • If you have multiple trails, select which trail you want to access.
    • If your trail data hasn’t been fetched, enter the trail data manually.
  8. Based on the selected trail, Sysdig will either:

    • Subscribe to the SNS topic configured on the trail.
      • In this case you should review the details.
    • Define the name and the region for the SNS topic to be created and attached to the trail afterwards.
      • In case of manual setup, you must specify the right option based on the configuration of your trail.
  9. Select the regions you would like to collect logs from. By default, you must have at least us-east-1. Add any other AWS regions you use for your account.

    AWS logs global service events to us-east-1 region. Without this region in your AWS setup, you might miss key events, including IAM events.

  10. For Terraform, save the generated Terraform file log_ingestion.tf in the folder that contains your main.tf, and run the command: terraform init && terraform apply.

    • For CloudFormation, follow the link in the setup to your AWS Console.
  11. If you didn’t have the SNS notification delivery configured on the trail, you’ll be guided to set it up. This can be accomplished through the AWS Management Console or via the AWS CLI tool.

Disable Features

When you configure a Log Ingestion component, both CIEM and CDR are enabled by default. You can disable one of these features. This is available for both EventBridge and S3 Terraform setups. It is not available for CloudFormation Template setups. To disable either of these features, comment out the relevant stanza in the Terraform snippet:

  1. Retrieve the log_ingestion.tf Terraform snippet from the onboarding wizard as described in Set Up Log Ingestion.

  2. To disable CIEM, comment out the identity_entitlement resource. For example:

    resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
        account_id = module.onboarding.sysdig_secure_account_id
        type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
        enabled    = true
        components = [module.event-bridge.event_bridge_component_id]
        depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.config_posture]
    }
    
  3. To disable CDR, comment out the threat_detection resource. For example:

    resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
        account_id = module.onboarding.sysdig_secure_account_id
        type       = "FEATURE_SECURE_THREAT_DETECTION"
        enabled    = true
        components = [module.event-bridge.event_bridge_component_id]
        depends_on = [module.event-bridge]
    }
    
  4. Run terraform init && terraform apply.

We recommend you comment out the stanza instead of removing it entirely. Later, if you want to enable a disabled feature, you can un-comment the stanza.

Check Connection Status

To check the connection status:

  1. Log in to Sysdig Secure and select Integrations > Cloud Accounts | AWS.

  2. Select your account.

    The detail panel appears on the right.

    If the connection is successful, you will see the feature as Connected. This may take up to 5 minutes after deploying the Terraform.

Advanced Customization for EventBridge

In EventBridge log ingestion setups, you can perform advanced customization to tune log volumes and monitor S3 buckets.

Tuning and S3 bucket monitoring are not available for S3 log ingestion setups.

Tune Log Volume

When used with AWS EventBridge, the Log Ingestion component creates an EventBridge rule that sends events matching the conditions defined in an event pattern to Sysdig. You can tune the event pattern to your preference to change which events you collect. This can be accomplished during setup with the UI, Terraform, or CFT. After setup, you can manually edit the Terraform snippet or the CFT parameters.

For a starting point, see default Event pattern.

Tuning the pattern will change the logs that will be sent to Sysdig. This will affect Sysdig runtime visibility and threat detection capabilities. Contact your Sysdig representative for more information or assistance with this process.

Tune Log Volume During Setup with the UI

  1. Log in to Sysdig Secure.

  2. Go to Integrations > AWS.

  3. Select the account you want to configure the Log Ingestion component for.

  4. Configure either Identity and Access Management or Cloud Detection and Response. The Account Overview page opens.

  5. Click Go to Setup next to Log Ingestion. The wizard opens.

  6. Under Select Sources (optional), you can choose:

    • Guided customization, to simply select the sources you want to use.
    • Advanced customization, to define a custom Event pattern inside your Terraform snippet or CloudFormation Template parameters. Additional guidance on this is available in the next section.

Tune Log volume via Terraform/CFT

Once you have your desired Event pattern, you can customize the event_pattern parameter in the log_ingestion.tf Terraform snippet, located in the event-bridge module. Example:

module "event_bridge" {
  ...
  event_pattern = <<EOF
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventCategory": [
      "Management"
    ]
  }
}
EOF
}

To customize this in the CFT stack creation, edit the EventBridge Rule Event Pattern parameter, setting it to your desired value.
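As an added example (not code from Sysdig's documentation or modules), the Python below implements the common subset of EventBridge pattern-matching semantics and runs the page's default event_pattern, plus a narrower IAM-only variant, over constructed CloudTrail events, so you can see which events a tuned pattern keeps or drops before you apply it. The sample events and the IAM-only pattern are constructed for illustration.

```python
# Event pattern from the page's log_ingestion.tf example: only
# management-plane CloudTrail API calls are forwarded to Sysdig.
DEFAULT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventCategory": ["Management"]},
}

def matches(pattern, event):
    """EventBridge pattern matching for the common cases: every pattern key
    must exist in the event; a list matches when the event value equals any
    item (any element, if the event value is a list); dicts recurse."""
    if not isinstance(event, dict):
        return False
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not matches(want, have):
                return False
        elif isinstance(want, list):
            candidates = have if isinstance(have, list) else [have]
            if not any(c in want for c in candidates):
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}")
    return True

def cloudtrail_event(event_source, event_name, category, region="us-east-1"):
    """Minimal EventBridge envelope for a CloudTrail record (constructed sample)."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": event_source, "eventName": event_name,
                   "eventCategory": category, "awsRegion": region},
    }

def forwarded(pattern, events):
    """Names of the events the EventBridge rule would send to Sysdig."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]

SAMPLE_EVENTS = [  # constructed, not real CloudTrail output
    cloudtrail_event("iam.amazonaws.com", "CreateUser", "Management"),
    cloudtrail_event("ec2.amazonaws.com", "RunInstances", "Management", "eu-west-1"),
    cloudtrail_event("s3.amazonaws.com", "GetObject", "Data"),
]

# Narrowing the pattern to IAM also silently drops the EC2 management event.
IAM_ONLY_PATTERN = {"detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventCategory": ["Management"], "eventSource": ["iam.amazonaws.com"]}}
```

Run forwarded() with your candidate pattern against a sample of your own CloudTrail events to confirm that the events your detections depend on still pass the rule.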

Monitor Buckets with Notifications

For EventBridge log ingestion setups, CloudTrail allows you to monitor operations on S3 buckets as part of Data events. If you are using EventBridge and are looking for an alternative, Agentless AWS Cloud Threat Detection (CDR) can monitor operations performed on objects stored in AWS Simple Storage Service (S3) buckets through S3 notifications.

This feature is not available for S3 log ingestion setups.

Once enabled, the events from those buckets will be forwarded to Sysdig and processed using the configured policies and rules.