Configure CDR and CIEM for AWS

After you connect your AWS environment to Sysdig, you can configure Cloud Detection and Response (CDR) and Cloud Infrastructure Entitlement Management (CIEM). Agentless CDR provides threat detection for your assets on AWS by leveraging CloudTrail logs, GuardDuty findings and S3 notifications. To configure CDR and CIEM, set up log ingestion.

Sysdig released a new onboarding experience for AWS in September 2024. If you onboarded your AWS Organization or Account before September 30, 2024, and would like to add more features, contact your Sysdig representative.

The feature relies on AWS EventBridge to access AWS service events, and analyzes threats through Falco-based policies, rules, and machine learning policies.

Prerequisites

  • You must have an AWS Account or Organization already connected to Sysdig.
  • Access to a User with the permissions required to install.
  • You must have at least one CloudTrail trail in each account to be monitored. GuardDuty findings are ingested only if the GuardDuty service is enabled in the AWS accounts.

Set Up Log Ingestion

  1. Log in to Sysdig Secure, and select Integrations > Cloud Accounts | AWS.

  2. Select an account that is part of the Organization you would like to add features to, or the individual Account you onboarded.

    The detail panel appears on the right. Here, you can see a list of features.

  3. Click Setup beside a desired feature to open the wizard.

  4. Ensure you have the necessary permissions configured as described in the prerequisites above.

  5. Verify the details of your Organization or Account where the features will be added.

  6. Select the regions from which events will be sent to Sysdig. AWS logs global service events to the us-east-1 region. Without this region in your AWS setup, you might miss key events, including IAM events. Ensure you select us-east-1 plus any other AWS regions you currently use for the account.

  7. Generate and apply the Terraform code:

      • Create a log_ingestion.tf file in the folder that contains your main.tf.
      • Copy the snippet provided into the log_ingestion.tf file.
      • Run the command: terraform init && terraform apply.

(Optional) CDR Monitoring of S3 buckets via Notifications

Optionally, you can enable Data Events in AWS CloudTrail through granular configuration of S3 buckets. Agentless AWS Cloud Threat Detection (CDR) can monitor operations performed on objects stored in AWS Simple Storage Service (S3) buckets through S3 notifications. To learn about supported event types, see AWS’s documentation on EventBridge. To enable this function, see Enabling Amazon EventBridge. Once enabled, the events from those buckets will be forwarded to Sysdig and processed using the configured policies and rules.

Customize Log Ingestion

When you configure a Log Ingestion component, both Identity and Access Management and Cloud Detection and Response are enabled by default.

To disable either of these features, follow the instructions below.

  1. Retrieve the log_ingestion.tf Terraform snippet as described above.
  2. Comment out the relevant stanza from the snippet.

We recommend commenting out the stanza instead of removing it entirely, in case you want to enable the feature in the future.

  1. To disable Identity and Access Management, comment out:
    resource "sysdig_secure_cloud_auth_account_feature" "identity_entitlement" {
        account_id = module.onboarding.sysdig_secure_account_id
        type       = "FEATURE_SECURE_IDENTITY_ENTITLEMENT"
        enabled    = true
        components = [module.event-bridge.event_bridge_component_id]
        depends_on = [module.event-bridge, sysdig_secure_cloud_auth_account_feature.config_posture]
    }
    
  2. To disable Cloud Detection and Response, comment out:
    resource "sysdig_secure_cloud_auth_account_feature" "threat_detection" {
        account_id = module.onboarding.sysdig_secure_account_id
        type       = "FEATURE_SECURE_THREAT_DETECTION"
        enabled    = true
        components = [module.event-bridge.event_bridge_component_id]
        depends_on = [module.event-bridge]
    }
    
  3. Run terraform init && terraform apply.

Advanced Customization

The Log Ingestion component creates an EventBridge rule that forwards to Sysdig only the events matching the conditions defined in its event pattern. You can customize this behavior either through the UI or directly using Terraform/CFT.

Customizing this behavior may cause installation and/or feature operation to fail. Contact your Sysdig representative for more information or assistance with this process.

Customize Log Ingestion Using the UI

  1. Log in to Sysdig Secure.
  2. Go to Integrations > AWS.
  3. Select the account you want to configure the Log Ingestion component for.
  4. Configure either Identity and Access Management or Cloud Detection and Response.
    The Account Overview page opens.
  5. Click Go to Setup next to Log Ingestion.
    The wizard opens.
  6. Under Select Sources (optional), choose Guided customization and select the sources you want to use.

Customize Log Ingestion Using Terraform

To customize Log Ingestion directly in Terraform, modify the event_pattern parameter in the event-bridge module.

module "event-bridge" {
  ...
  event_pattern = <<EOF
{
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventCategory": [
      "Management"
    ]
  }
}
EOF
}

To customize this in the CFT stack creation, edit the EventBridge Rule Event Pattern parameter and provide the JSON pattern. Use the heredoc content from the example above (the text between the two EOF markers).

Tuning the pattern changes which events are sent to Sysdig, and therefore what Sysdig can see and detect: any event the pattern excludes is invisible to runtime visibility and threat detection.
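To make the effect of tuning concrete, the following added example (not Sysdig's code, and not how the event-bridge module or AWS implement matching) models EventBridge pattern semantics with exact-value matching only: each leaf of the pattern is a list of accepted values, and nested objects are ANDed. It runs the page's Management-only pattern, a widened pattern that also accepts Data events, and a naively widened pattern over three constructed sample events. The sample events and the two extra patterns are constructed for illustration.

```python
import json

# The event pattern from the Log Ingestion example above: Management events only.
MANAGEMENT_ONLY_PATTERN = json.loads("""
{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {"eventCategory": ["Management"]}
}
""")

# Constructed variant: also forward CloudTrail Data events (for example S3 object access).
DATA_EVENTS_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventCategory": ["Management", "Data"]},
}

# Constructed variant: adds a detail-type but keeps the eventCategory constraint.
# Because keys in a pattern are ANDed, events without detail.eventCategory still fail.
NAIVE_GUARDDUTY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "GuardDuty Finding"],
    "detail": {"eventCategory": ["Management"]},
}


def matches(pattern, event):
    """Return True if `event` matches `pattern` under exact-value EventBridge semantics.

    Every key in the pattern must be present in the event. A list leaf accepts the
    event value if it (or, for list-valued fields, any element) is in the list; a
    nested object must match recursively. Content filters such as prefix or numeric
    matching are deliberately not implemented (assumption: exact values only).
    """
    if not isinstance(event, dict):
        return False
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


# Constructed sample events shaped like EventBridge deliveries; not real log data.
SAMPLE_EVENTS = {
    "iam_create_user": {
        "detail-type": "AWS API Call via CloudTrail",
        "region": "us-east-1",
        "detail": {"eventCategory": "Management",
                   "eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
    },
    "s3_get_object": {
        "detail-type": "AWS API Call via CloudTrail",
        "region": "eu-west-1",
        "detail": {"eventCategory": "Data",
                   "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    },
    "guardduty_finding": {
        "detail-type": "GuardDuty Finding",
        "region": "us-east-1",
        "detail": {"type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "severity": 5},
    },
}


def forwarded(pattern, events=SAMPLE_EVENTS):
    """Return the sorted names of the sample events a rule with `pattern` would forward."""
    return sorted(name for name, event in events.items() if matches(pattern, event))


if __name__ == "__main__":
    for label, pattern in [("management only", MANAGEMENT_ONLY_PATTERN),
                           ("management + data", DATA_EVENTS_PATTERN),
                           ("naive guardduty", NAIVE_GUARDDUTY_PATTERN)]:
        print(f"{label:18s} -> {forwarded(pattern)}")
```

Running the block shows that the page's pattern forwards only the IAM Management event, the Data-events variant adds the S3 object access, and the naively widened pattern still drops the GuardDuty finding because it lacks detail.eventCategory. Before applying a tuned pattern, checking it against representative events this way tells you which classes of activity Sysdig will no longer receive.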

Check Connection Status

To check the connection status:

  1. Log in to Sysdig Secure and select Integrations > Cloud Accounts | AWS.

  2. Select your account.

    The detail panel appears on the right.

    If the connection is successful, you will see the feature as Connected. This may take up to 5 minutes after deploying the Terraform.