Legacy Agent-Based with CIEM

This script-based legacy installation option deploys agentless CSPM, plus agent-based Threat Detection and CIEM, for either a single account or an organizational account. If you want to add host scanning for Vulnerability Management, it is done in a separate step.

Install CSPM and Threat Detection with CIEM

Prerequisites

  • Terraform installed

Gather the following:

  • Sysdig Secure endpoint (by region)
  • Sysdig API token
  • AWS Region, for example us-east-1: the region where resources will be created in your AWS account by default. All resources created by this module are global, so this region can be set to any value.
  • AWS Account ID of the account in which compute resources will be deployed.

Single Account

  1. Create a file called sysdig.tf with the following contents:

    terraform {
      required_providers {
        sysdig = {
          source = "sysdiglabs/sysdig"
        }
      }
    }
    
    # Sysdig Secure endpoint (by region) and API token gathered above
    provider "sysdig" {
      sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
      sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
    }
    
    # Region only; keep comments outside the string, ex. "us-east-1"
    provider "aws" {
      region = "<AWS_REGION>"
    }
    
    module "secure_for_cloud_aws_single_account_ecs" {
      source = "sysdiglabs/secure-for-cloud/aws//examples/single-account-ecs"
    }
    
  2. Run terraform init.

  3. Run terraform apply.

After deploying, perform any necessary configuration steps and confirm the services are working.

Organizational Account

  1. Create a file called sysdig.tf with the following contents:

    terraform {
      required_providers {
        sysdig = {
          source = "sysdiglabs/sysdig"
        }
      }
    }
    
    # Sysdig Secure endpoint (by region) and API token gathered above
    provider "sysdig" {
      sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
      sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
    }
    
    # Management account; use the same region in both aws providers, ex. "us-east-1"
    provider "aws" {
      region = "<AWS_REGION>"
    }
    
    # Member account where Secure for Cloud compute resources are deployed
    provider "aws" {
      alias  = "member"
      region = "<AWS_REGION>"
      assume_role {
        role_arn = "arn:aws:iam::<ORG_MEMBER_SFC_ACCOUNT_ID>:role/OrganizationAccountAccessRole"
      }
    }
    
    module "secure_for_cloud_organizational" {
      providers = {
        aws.member = aws.member
      }
    
      source                                    = "sysdiglabs/secure-for-cloud/aws//examples/organizational"
      sysdig_secure_for_cloud_member_account_id = "<ORG_MEMBER_SFC_ACCOUNT_ID>"
    }
    
  2. Run terraform init.

  3. Run terraform apply.
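As an added example (not the Sysdig module's own code), a POSIX shell helper that renders the organizational sysdig.tf above from validated inputs, keeps the API token out of the file by declaring it a sensitive Terraform variable supplied through TF_VAR_sysdig_secure_api_token, and applies one region to both aws providers as the steps require. The function names and validation rules are this example's assumptions.

```shell
# Hypothetical helper, not part of the Sysdig module: writes sysdig.tf for the
# organizational install. The API token is never written to disk; Terraform
# reads it from the TF_VAR_sysdig_secure_api_token environment variable.

# Accept only a 12-digit AWS account ID.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Region must look like us-east-1; leftover placeholder text is rejected.
valid_region() {
  printf '%s' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]$'
}

# write_org_tf OUTFILE REGION MEMBER_ACCOUNT_ID SYSDIG_SECURE_URL
# Both aws providers receive the same region, as the install steps require.
write_org_tf() {
  valid_region "$2" && valid_account_id "$3" || return 1
  cat > "$1" <<EOF
terraform {
  required_providers { sysdig = { source = "sysdiglabs/sysdig" } }
}
variable "sysdig_secure_api_token" {
  type      = string
  sensitive = true # supplied via TF_VAR_sysdig_secure_api_token
}
provider "sysdig" {
  sysdig_secure_url       = "$4"
  sysdig_secure_api_token = var.sysdig_secure_api_token
}
provider "aws" { region = "$2" }
provider "aws" {
  alias  = "member"
  region = "$2"
  assume_role { role_arn = "arn:aws:iam::$3:role/OrganizationAccountAccessRole" }
}
module "secure_for_cloud_organizational" {
  providers                                 = { aws.member = aws.member }
  source                                    = "sysdiglabs/secure-for-cloud/aws//examples/organizational"
  sysdig_secure_for_cloud_member_account_id = "$3"
}
EOF
}
```

Export TF_VAR_sysdig_secure_api_token in the shell before running terraform init and terraform apply in the directory holding the generated file.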

Features and Resources on AWS

Agentless CSPM

Available as a stand-alone manual install or as part of the full install.

Resources Created

  • aws_cloudformation_stack_set
  • aws_cloudformation_stack_set_instance
  • aws_iam_role
  • aws_iam_role_policy_attachment

Threat Detection and CIEM

Resources Created

  • aws_apprunner_service
  • aws_cloudtrail
  • aws_cloudwatch_log_group
  • aws_cloudwatch_log_stream
  • aws_ecs_cluster
  • aws_ecs_service
  • aws_ecs_task_definition
  • aws_iam_access_key
  • aws_iam_role
  • aws_iam_role_policy
  • aws_iam_user
  • aws_iam_user_policy
  • aws_kms_alias
  • aws_kms_key
  • aws_resourcegroups_group
  • aws_s3_bucket
  • aws_s3_bucket_acl
  • aws_s3_bucket_lifecycle_configuration
  • aws_s3_bucket_policy
  • aws_s3_bucket_public_access_block
  • aws_security_group
  • aws_sns_topic
  • aws_sns_topic_policy
  • aws_sns_topic_subscription
  • aws_sqs_queue
  • aws_sqs_queue_policy
  • aws_ssm_parameter

Next Steps