Configure Vulnerability Management for AWS

After you connect your AWS environment to Sysdig, you can configure Vulnerability Management (VM) Host Scanning. Vulnerability Management identifies security risks in your software and data so you can mitigate them. To enable VM Host Scanning, set up Volume Access as described below.

Sysdig released a new onboarding experience for AWS in September 2024. If you onboarded your AWS Organization or Account before September 30, 2024, and would like to add more features, contact your Sysdig representative.

Prerequisites

Set Up Volume Access

  1. Log in to Sysdig Secure, select Integrations > Cloud Accounts | AWS.

  2. Select an Account that is part of the Organization you would like to add features to, or the individual Account you onboarded.

    The detail panel appears on the right. It displays a list of features.

  3. Click Setup beside a desired feature to open the wizard.

  4. Ensure you have the necessary permissions configured as described in the initial setup.

  5. Optionally, exclude resources from scanning, or include data volumes in it, by tagging them in AWS. See Exclude/Include Resources from Vulnerability Scanning below for the tags and their semantics.

  6. Verify the details of the Organization or Account to which the features will be added.

  7. Generate and apply the Terraform code:

     • Create a volume_access.tf file in the folder that contains your main.tf.

     • Copy the snippet provided by the wizard into the volume_access.tf file.

     • Run the command: terraform init && terraform apply. Review the plan before confirming the apply.

Exclude/Include Resources from Vulnerability Scanning

When you connect your AWS account with Vulnerability Host Scanning, all EC2 instances in the account that have a root volume, across all of its Virtual Private Clouds (VPCs), are included in the scan by default.

You can use tags to exclude specific VPCs or EC2 Instances from being scanned.

How to exclude VPCs or Hosts: To exclude certain VPCs or EC2 instances from being scanned, assign specific tags to them in the AWS Console or using AWS APIs.

We recommend you set these tags before initiating the scanning process. You can add tags after onboarding, but the exclusion will only take effect in subsequent scans.

How to include Data Volumes in Scans: By default, only root volumes of EC2 Instances are scanned.

To also include data volumes in scans, use specific tags as follows:

Tagging Semantics

You can use the following tags at the volume, EC2 instance, or VPC level. You can add tags at any time, for example to exclude a resource that was scanned or to include one that was not; the change takes effect in subsequent scans.

Keys: sysdig:secure:scan, sysdig:secure:data-volumes:scan.

Values: true, false

Usage Examples

  • “sysdig:secure:scan” : “false” on a VPC excludes all resources in the VPC from scanning.
  • “sysdig:secure:scan” : “false” on an EC2 Instance excludes the instance and all its volumes from scanning.
  • “sysdig:secure:scan” : “true” on a data volume of an EC2 Instance includes that volume in scanning.
  • “sysdig:secure:data-volumes:scan” : “true” on a VPC has the same effect as applying the “sysdig:secure:scan” : “true” tag to all the data volumes of all the EC2 instances in it.
  • “sysdig:secure:data-volumes:scan” : “true” on an EC2 Instance has the same effect as applying the “sysdig:secure:scan” : “true” tag to all its data volumes.
  • “sysdig:secure:data-volumes:scan” : “true” on a VPC, while “sysdig:secure:data-volumes:scan” : “false” is set on an EC2 Instance in the same VPC, has the same effect as applying the “sysdig:secure:scan” : “true” tag to all data volumes of all the EC2 instances within the VPC except the one explicitly excluded via the tag.

The following tags are redundant; using them will have the same effect as not having them. This is either because Sysdig scans them by default or because the values have been overridden by a tag at a higher level, such as a VPC or an EC2 Instance.

  • “sysdig:secure:scan” : “true” on a VPC
  • “sysdig:secure:scan” : “true” on an EC2 Instance
  • “sysdig:secure:scan” : “true” on the root volume of an EC2 Instance
  • “sysdig:secure:scan” : “false” on any data-volumes of an EC2 Instance
  • “sysdig:secure:scan” : “false” on the root volume of an EC2 Instance has no effect. The root volume is always scanned as part of the EC2 instance scan.
  • “sysdig:secure:data-volumes:scan” : “false” on a VPC
  • “sysdig:secure:data-volumes:scan” : “false” on an EC2 Instance
  • “sysdig:secure:data-volumes:scan” : “false” on any data-volumes of an EC2 Instance
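Because the effective decision for a volume depends on tags at three levels, it is easy to tag something and get a different scan scope than intended. The following script is an added example, not Sysdig code and not an AWS API call: it models the tag rules documented above over a constructed inventory so you can check what a given tag layout would scan before you apply it. The inventory, the instance and volume identifiers, and the `Volume`/`Instance` types are all made up for the example. One point the page does not state is assumed and marked in the code: “sysdig:secure:scan” : “true” on a data volume still includes it when its instance carries “sysdig:secure:data-volumes:scan” : “false”, since the volume-level tag is the most specific.

```python
"""Model which EBS volumes Sysdig Host Scanning would include, given the
documented tag semantics. Added example only: not Sysdig code, no AWS calls."""
from dataclasses import dataclass, field

SCAN = "sysdig:secure:scan"
DATA = "sysdig:secure:data-volumes:scan"


@dataclass
class Volume:
    volume_id: str
    root: bool
    tags: dict = field(default_factory=dict)


@dataclass
class Instance:
    instance_id: str
    vpc_id: str
    volumes: list
    tags: dict = field(default_factory=dict)


def _flag(tags, key):
    """Return True/False for a 'true'/'false' tag value, or None if the tag is absent."""
    value = tags.get(key)
    if value is None:
        return None
    return value.strip().lower() == "true"


def scan_decisions(instances, vpc_tags):
    """Map volume_id -> True (scanned) / False (skipped).

    Rules taken from the page:
      - scan:false on the VPC or on the instance excludes the instance and all its volumes.
      - Otherwise the root volume is always scanned; scan:false on it has no effect.
      - A data volume is scanned if it carries scan:true, or if data-volumes:scan:true is
        inherited from the instance or VPC; data-volumes:scan:false on the instance blocks
        inheritance from the VPC. scan:false on a data volume is redundant (no effect).
    Assumption (not stated on the page): scan:true on a data volume still wins over
    data-volumes:scan:false on its instance.
    """
    decisions = {}
    for inst in instances:
        vtags = vpc_tags.get(inst.vpc_id, {})
        excluded = _flag(vtags, SCAN) is False or _flag(inst.tags, SCAN) is False
        # Instance-level data-volumes:scan, when present, overrides the VPC-level value.
        inherit = _flag(inst.tags, DATA)
        if inherit is None:
            inherit = _flag(vtags, DATA)
        inherit = bool(inherit)
        for vol in inst.volumes:
            if excluded:
                decisions[vol.volume_id] = False
            elif vol.root:
                decisions[vol.volume_id] = True
            else:
                decisions[vol.volume_id] = _flag(vol.tags, SCAN) is True or inherit
    return decisions


# Constructed sample inventory (not real AWS data) exercising each documented rule.
SAMPLE_VPC_TAGS = {
    "vpc-prod": {DATA: "true"},   # data volumes of every instance in the VPC inherit inclusion
    "vpc-lab": {SCAN: "false"},   # everything in the VPC is excluded
    "vpc-default": {},
}

SAMPLE_INSTANCES = [
    Instance("i-web", "vpc-prod",
             [Volume("vol-web-root", True), Volume("vol-web-data", False)]),
    Instance("i-db", "vpc-prod",
             [Volume("vol-db-root", True), Volume("vol-db-data", False)],
             tags={DATA: "false"}),   # opts its data volumes out of the VPC-level inclusion
    Instance("i-lab", "vpc-lab",
             [Volume("vol-lab-root", True), Volume("vol-lab-data", False, {SCAN: "true"})]),
    Instance("i-app", "vpc-default",
             [Volume("vol-app-root", True, {SCAN: "false"}),   # ignored: root is always scanned
              Volume("vol-app-data", False, {SCAN: "true"}),   # explicitly included
              Volume("vol-app-logs", False)]),                 # data volume, default: skipped
    Instance("i-old", "vpc-default", [Volume("vol-old-root", True)],
             tags={SCAN: "false"}),   # instance excluded
]


def sample_decisions():
    return scan_decisions(SAMPLE_INSTANCES, SAMPLE_VPC_TAGS)


if __name__ == "__main__":
    for vol_id, scanned in sorted(sample_decisions().items()):
        print(f"{vol_id:14} {'scan' if scanned else 'skip'}")
```

To try a layout against a real account, replace the constructed inventory with the output of `aws ec2 describe-instances` and `aws ec2 describe-volumes`, and apply the chosen tags with `aws ec2 create-tags --resources <id> --tags Key=sysdig:secure:scan,Value=false`. Remember that tags added after onboarding only affect subsequent scans.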

Check Connection Status

To check the connection status:

  1. Log in to Sysdig Secure and select Integrations > Cloud Accounts | AWS.

  2. Select your account.

    The Detail panel will open on the right.

    If the connection is successful, you will see the feature as Connected. This may take up to 5 minutes after deploying the Terraform.