Configure CDR and CIEM for AWS
Sysdig released a new onboarding experience for AWS in September 2024. If you onboarded your AWS Organization or Account before September 30, 2024, and would like to add more features, contact your Sysdig representative.
Prerequisites
- An AWS Account or Organization connected to Sysdig.
- Access to a user with the permissions required to install the integration.
- At least one CloudTrail trail in the accounts to be monitored.
Set Up Log Ingestion
To configure Agentless CDR and CIEM, you must set up log ingestion with either EventBridge or S3.
- EventBridge provides a real-time path for Sysdig to receive CloudTrail logs and other AWS service events, such as S3 object events and GuardDuty findings, with minimal latency. EventBridge setups also support log volume tuning: the event pattern on the EventBridge rule selects which events Sysdig receives.
- S3 provides a cost-effective path for delivering CloudTrail logs with latency on the order of minutes. Fine-grained log volume tuning is not available for S3 setups; you can only choose which accounts and regions to collect from.
| | EventBridge | S3 |
|---|---|---|
| Supported logs | CloudTrail events, GuardDuty findings, S3 object events | CloudTrail events |
| Latency | Sub-second | Minutes |
| Price (data transfer excluded) | Charged per event type and for delivering events to Sysdig's event bus | SNS notifications delivered via HTTP, plus log file transfer |
| Log volume tuning | Fine-grained, using an event pattern | Coarse: by account and region only |
EventBridge Setup
To set up log ingestion with EventBridge:

1. Log in to Sysdig Secure, and select Integrations > Cloud Accounts | AWS.
2. Select an onboarded account you would like to add features to. The detail panel appears on the right, listing the available features.
3. Select either Setup Identity and Access Management or Setup Cloud Detection and Response. The Organization Overview page appears, showing which features are enabled.
4. Under Identity and Access Management or Cloud Detection and Response, beside Log Ingestion, select Go to Setup.
5. Select EventBridge.
6. Select whether you wish to set up CDR and CIEM with Terraform or a CloudFormation Template. The wizard guides you through reviewing the prerequisites and checking your account details.
7. Select the regions you would like to collect logs from. Always include `us-east-1`, then add any other AWS regions your account uses. AWS logs global service events to the `us-east-1` region; without it you might miss key events, including IAM events.
8. Select which log types and sources you want to monitor. This affects the Terraform or CloudFormation Template generated at the end of the setup:
   - Default Setup: Includes both CIEM and CDR.
   - Guided Customization: Un-tick the boxes beside sources you wish to exclude from collection.
   - Advanced Customization: Customize the generated Terraform or CloudFormation template to define a custom event pattern for the EventBridge rules. For details, see Customize Log Ingestion.
9. Deploy the generated configuration:
   - For Terraform, copy the snippet provided into a file named `log_ingestion.tf` in the folder that contains your `main.tf`, then run `terraform init && terraform apply`.
   - For CloudFormation, follow the link in the setup to your AWS Console.

GuardDuty findings are ingested if the service is enabled in the AWS accounts.
S3 Setup
To set up log ingestion with S3:

1. Log in to Sysdig Secure, and select Integrations > Cloud Accounts | AWS.
2. Select an onboarded account you would like to add features to. The detail panel appears on the right, listing the available features.
3. Select either Setup Identity and Access Management or Setup Cloud Detection and Response. The Organization Overview or Account Overview page appears, showing which features are enabled.
4. Under Identity and Access Management or Cloud Detection and Response, beside Log Ingestion, select Go to Setup.
5. Select S3.
6. Select whether you wish to set up CDR and CIEM with Terraform or a CloudFormation Template. The wizard guides you through reviewing the prerequisites and checking your account details.
7. Verify or select your CloudTrail trail:
   - If you have only one trail, review its details.
   - If you have multiple trails, select the trail you want Sysdig to read.
   - If your trail data hasn't been fetched, enter the trail details manually.
8. Based on the selected trail, Sysdig will either:
   - Subscribe to the SNS topic already configured on the trail. In this case, review the details.
   - Define the name and the region for a new SNS topic to be created and attached to the trail afterwards.
   In the case of a manual setup, you must choose the option that matches the configuration of your trail.
9. Select the regions you would like to collect logs from. Always include `us-east-1`, then add any other AWS regions your account uses. AWS logs global service events to the `us-east-1` region; without it you might miss key events, including IAM events.
10. Deploy the generated configuration:
    - For Terraform, save the generated file as `log_ingestion.tf` in the folder that contains your `main.tf`, then run `terraform init && terraform apply`.
    - For CloudFormation, follow the link in the setup to your AWS Console.

If you did not have SNS notification delivery configured on the trail, you will be guided to set it up. This can be done through the AWS Management Console or the AWS CLI.
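The trail-side prerequisite of the S3 path is that the trail publishes log-file delivery notifications to an SNS topic that only CloudTrail, and only that trail, may publish to, and that the trail actually captures the events the wizard expects. The following is an added example, not Sysdig's or AWS's code, that builds that topic policy, checks a trail record for the settings the S3 ingestion path depends on, and (when run against a real account with boto3 installed) applies the configuration with the CloudTrail and SNS APIs. The trail name `management-trail`, topic name `cloudtrail-notifications`, account `123456789012`, region `us-east-1` and the sample trail record are assumptions for illustration.

```python
"""Added example, not Sysdig's code: configure SNS notification delivery on an
existing CloudTrail trail (prerequisite of the S3 log ingestion path) and verify
the trail.  All identifiers below are assumptions for the worked example."""
import json

ACCOUNT_ID = "123456789012"          # assumed
REGION = "us-east-1"                 # assumed: trail home region
TRAIL_NAME = "management-trail"      # assumed
TOPIC_NAME = "cloudtrail-notifications"  # assumed


def cloudtrail_publish_policy(topic_arn: str, trail_arn: str) -> dict:
    """SNS topic policy allowing CloudTrail, and only this trail, to publish.

    Without the aws:SourceArn condition any trail in any AWS account could
    publish notifications into the topic Sysdig subscribes to."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailSNSPolicy",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "SNS:Publish",
                "Resource": topic_arn,
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            }
        ],
    }


def trail_issues(trail: dict, expected_topic_arn: str) -> list:
    """Check one trail record (shape of CloudTrail DescribeTrails output) for
    the settings the S3 ingestion path depends on.  Empty list means ready."""
    issues = []
    configured = trail.get("SnsTopicARN")
    if not configured:
        issues.append("no SNS topic configured on the trail")
    elif configured != expected_topic_arn:
        issues.append(f"trail publishes to {configured}, not {expected_topic_arn}")
    # IAM and other global-service events are only recorded when this is on.
    if not trail.get("IncludeGlobalServiceEvents", False):
        issues.append("global service events (IAM, STS) are not included")
    if not trail.get("S3BucketName"):
        issues.append("trail has no S3 bucket, so there are no log files to fetch")
    return issues


def attach_notifications(trail_name=TRAIL_NAME, topic_name=TOPIC_NAME,
                         region=REGION, account_id=ACCOUNT_ID) -> list:
    """Create the topic, restrict it to the trail, attach it, then re-check.
    Needs AWS credentials; boto3 is imported lazily so the pure functions
    above work without it."""
    import boto3

    sns = boto3.client("sns", region_name=region)
    cloudtrail = boto3.client("cloudtrail", region_name=region)
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]  # idempotent by name
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    # This replaces the whole topic policy: use it only on a topic created for the trail.
    sns.set_topic_attributes(
        TopicArn=topic_arn,
        AttributeName="Policy",
        AttributeValue=json.dumps(cloudtrail_publish_policy(topic_arn, trail_arn)),
    )
    cloudtrail.update_trail(Name=trail_name, SnsTopicName=topic_name)
    trail = cloudtrail.describe_trails(trailNameList=[trail_name])["trailList"][0]
    return trail_issues(trail, topic_arn)


if __name__ == "__main__":
    # Constructed DescribeTrails record for a trail that has no SNS topic yet.
    before = {"Name": TRAIL_NAME, "S3BucketName": "my-cloudtrail-logs",
              "IncludeGlobalServiceEvents": True, "IsMultiRegionTrail": True}
    expected = f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:{TOPIC_NAME}"
    print("before:", trail_issues(before, expected))
    # Uncomment to apply against a real account:
    # print("after:", attach_notifications())
```

Run the checker against `aws cloudtrail describe-trails` output before starting the wizard; an `IncludeGlobalServiceEvents` of `false` is the setting that silently drops the IAM events the region note above warns about, and a topic that is attached but whose policy lacks the `aws:SourceArn` condition accepts notifications from any account's trail.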
Disable Features
When you configure a Log Ingestion component, both CIEM and CDR are enabled by default. You can disable one of them. This is available for both EventBridge and S3 Terraform setups; it is not available for CloudFormation Template setups. To disable either feature, comment out the relevant stanza in the Terraform snippet:

1. Retrieve the `log_ingestion.tf` Terraform snippet from the onboarding wizard as described in Set Up Log Ingestion.
2. To disable CIEM, comment out the `identity_entitlement` resource. For example:

   ```hcl
   # CIEM feature on the onboarded account; comment out the whole block to disable it.
   resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
     account_id = module.onboarding.sysdig_secure_account_id
     type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
     enabled    = true
     # The feature is backed by the EventBridge log ingestion component.
     components = [module.event-bridge.event_bridge_component_id]
     depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.config_posture]
   }
   ```

3. To disable CDR, comment out the `threat_detection` resource. For example:

   ```hcl
   # CDR feature on the onboarded account; comment out the whole block to disable it.
   resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
     account_id = module.onboarding.sysdig_secure_account_id
     type       = "FEATURE_SECURE_THREAT_DETECTION"
     enabled    = true
     components = [module.event-bridge.event_bridge_component_id]
     depends_on = [module.event-bridge]
   }
   ```

4. Run `terraform init && terraform apply`. Because the resource is no longer in the configuration, the plan shows it being destroyed; review the plan before confirming.

We recommend you comment out the stanza instead of removing it entirely. Later, if you want to enable a disabled feature, you can un-comment the stanza and apply again.
Check Connection Status
To check the connection status:

1. Log in to Sysdig Secure and select Integrations > Cloud Accounts | AWS.
2. Select your account. The detail panel appears on the right.
3. If the connection is successful, the feature shows as Connected. This may take up to 5 minutes after deploying the Terraform.
Advanced Customization for EventBridge
In EventBridge log ingestion setups, you can perform advanced customization to tune log volumes and monitor S3 buckets.
Tuning and S3 bucket monitoring are not available for S3 log ingestion setups.
Tune Log Volume
When used with AWS EventBridge, the Log Ingestion component creates an EventBridge rule that sends events matching the conditions defined in an event pattern to Sysdig. You can tune the event pattern to your preference to change which events you collect. This can be accomplished during setup with the UI, Terraform, or CFT. After setup, you can manually edit the Terraform snippet or the CFT parameters.
For a starting point, see default Event pattern.
Tuning the pattern will change the logs that will be sent to Sysdig. This will affect Sysdig runtime visibility and threat detection capabilities. Contact your Sysdig representative for more information or assistance with this process.
Tune Log Volume During Setup with the UI
1. Log in to Sysdig Secure.
2. Go to Integrations > Cloud Accounts | AWS.
3. Select the account you want to configure the Log Ingestion component for.
4. Configure either Identity and Access Management or Cloud Detection and Response. The Account Overview page opens.
5. Click Go to Setup next to Log Ingestion. The wizard opens.
6. Under Select Sources (optional), choose one of:
   - Guided customization, to select only the sources you want to use.
   - Advanced customization, to define a custom event pattern inside your Terraform snippet or CloudFormation Template parameters. Additional guidance is in the next section.
Tune Log volume via Terraform/CFT
Once you have your desired event pattern, set the `event_pattern` argument of the `event-bridge` module in the `log_ingestion.tf` Terraform snippet. Example:

```hcl
module "event-bridge" {
  ...
  # Only events matching this pattern are forwarded to Sysdig.
  # This pattern keeps CloudTrail management events only.
  event_pattern = <<EOF
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventCategory": [
      "Management"
    ]
  }
}
EOF
}
```
To customize this in the CFT stack creation, edit the EventBridge Rule Event Pattern parameter, setting it to your desired value.
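To see what a pattern change does before committing it to `log_ingestion.tf` or the CFT parameter, here is an added example, not Sysdig's or AWS's code, that implements the subset of EventBridge matching semantics a tuning pattern typically uses (exact values, nested objects, arrays as OR, `$or`, `prefix`, `anything-but`, `exists`) and runs both the management-only pattern shown above and a tighter, constructed pattern over constructed sample events. The tighter pattern is an assumption for illustration, not a Sysdig recommendation: it keeps management calls whose CloudTrail record has `readOnly` set to `false` plus GuardDuty findings, and drops read-only calls. The sample events are constructed in the envelope shape EventBridge delivers and are not real logs.

```python
"""Offline EventBridge event-pattern checker.  Added example, not Sysdig's or
AWS's code; `aws events test-event-pattern` is the authoritative evaluator."""
import json
from typing import Any

# The management-only pattern from the Terraform snippet above.
MANAGEMENT_ONLY = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventCategory": ["Management"]},
}

# Assumed tuning for illustration: keep management *write* calls (CloudTrail
# records carry a boolean readOnly field) and GuardDuty findings; drop the rest.
TUNED_PATTERN = {
    "$or": [
        {
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventCategory": ["Management"], "readOnly": [False]},
        },
        {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]},
    ]
}


def _match_one(alt: Any, value: Any) -> bool:
    """Match one alternative from a pattern array against a present field value."""
    if not isinstance(alt, dict):
        return alt == value  # literal string, number, bool or null
    if "prefix" in alt:
        return isinstance(value, str) and value.startswith(alt["prefix"])
    if "anything-but" in alt:
        excluded = alt["anything-but"]
        if isinstance(excluded, dict):
            raise ValueError("anything-but with prefix/suffix is not implemented here")
        return value not in (excluded if isinstance(excluded, list) else [excluded])
    if "exists" in alt:
        return bool(alt["exists"])  # the field is present if we got here
    raise ValueError(f"unsupported pattern operator: {alt}")


def matches(pattern: dict, event: dict) -> bool:
    """True if a rule with `pattern` would deliver `event`.

    Semantics implemented: keys of an object are ANDed, elements of an array
    are ORed, `$or` ORs whole sub-patterns, nested objects recurse, and a field
    absent from the event only satisfies {"exists": false}."""
    for key, rule in pattern.items():
        if key == "$or":
            if not any(matches(sub, event) for sub in rule):
                return False
        elif isinstance(rule, dict):
            nested = event.get(key)
            if not isinstance(nested, dict) or not matches(rule, nested):
                return False
        elif isinstance(rule, list):
            if key not in event:
                allows_absent = any(isinstance(a, dict) and a.get("exists") is False for a in rule)
                if not allows_absent:
                    return False
                continue
            values = event[key] if isinstance(event[key], list) else [event[key]]
            if not any(_match_one(alt, v) for alt in rule for v in values):
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be an array or object")
    return True


# Constructed sample events in the envelope EventBridge delivers; not real logs.
SAMPLE_EVENTS = {
    "iam_create_user": {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
                        "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
                                   "eventCategory": "Management", "readOnly": False}},
    "iam_list_users": {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
                       "detail": {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
                                  "eventCategory": "Management", "readOnly": True}},
    "s3_get_object": {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
                      "detail": {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
                                 "eventCategory": "Data", "readOnly": True}},
    "guardduty_finding": {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                          "detail": {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5}},
    "ec2_state_change": {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
                         "detail": {"state": "running"}},
}


def forwarded(pattern: dict, events: dict = SAMPLE_EVENTS) -> list:
    """Names of the sample events the pattern would forward to Sysdig."""
    return [name for name, event in events.items() if matches(pattern, event)]


if __name__ == "__main__":
    for name, pattern in (("management-only", MANAGEMENT_ONLY), ("tuned", TUNED_PATTERN)):
        print(f"{name}: {forwarded(pattern)}")
        print(json.dumps(pattern))
```

The management-only pattern forwards both IAM calls and nothing else; the tuned pattern drops `ListUsers` and adds the GuardDuty finding. Dropping read-only calls cuts volume but also removes the enumeration activity (`List*`, `Describe*`, `Get*`) that typically precedes an attack, which is the visibility trade-off the warning above refers to. Before committing a pattern, confirm it with `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json` (the event must be a full envelope with `id`, `account`, `time`, `region` and `resources`), which evaluates the complete EventBridge semantics server-side.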
Monitor Buckets with Notifications
With EventBridge log ingestion, CloudTrail can record operations on S3 buckets as Data events. If you use EventBridge and want an alternative to CloudTrail Data events, Agentless AWS Cloud Threat Detection (CDR) can monitor operations performed on objects stored in Amazon Simple Storage Service (S3) buckets through S3 event notifications sent to EventBridge.
This feature is not available for S3 log ingestion setups.
- To learn about supported event types, see AWS’s documentation on EventBridge.
- To enable this function, see Enabling Amazon EventBridge.
Once enabled, the events from those buckets will be forwarded to Sysdig and processed using the configured policies and rules.