Permissions and Resources
Review AWS Roles and Permissions
Security Principals
There are two identities involved in the onboarding process:
- Installer: The identity, either a User or a Role, that is used to perform the onboarding. Sysdig does not have access to this identity.
- Sysdig: A set of IAM Roles created during onboarding, each with specific, narrowly scoped permissions attached. Sysdig is given access to these Roles.
Base AWS Integration - Cloud Security Posture Management (CSPM)
Agentless Cloud Security Posture Management (CSPM) assesses and manages the security posture of your cloud resources without requiring agents.
Permissions Required to Install
The Installer must have at least the following policies assigned in the AWS Account or Organization’s Management account:
| Policy | Description |
|---|---|
| IAMFullAccess | Required to create IAM Roles and associated permissions. |
| (Organization only) AWSCloudFormationFullAccess | Required to create a CloudFormation StackSet that creates IAM Roles in each Account in your Organization. |
| (Organization only) AWSOrganizationsReadOnlyAccess | Required to list Accounts and OU IDs in your Organization. |
Permissions Granted to Sysdig
The Sysdig IAM Roles will have the following policies attached:
| Role | Policy | Description |
|---|---|---|
| sysdig-secure-onboarding-XXXX | AWSAccountManagementReadOnlyAccess | Allows Sysdig to retrieve the Account Alias. |
| (Organization only) sysdig-secure-onboarding-XXXX | AWSOrganizationsReadOnlyAccess | Allows Sysdig to list Accounts in your Organization. |
| sysdig-secure-posture-XXXX | SecurityAudit | Allows Sysdig to list resources within your Account. |
| sysdig-secure-posture-XXXX | A Custom IAM Policy containing the following permissions: account:GetContactInformation, elasticfilesystem:DescribeAccessPoints, lambda:GetFunction, lambda:GetRuntimeManagementConfig, macie2:ListClassificationJobs, waf-regional:ListRuleGroups, waf-regional:ListRules | Allows Sysdig to list resources within your Account that are not covered by the SecurityAudit policy. |
Resources Created
The following resources will be created in your AWS Environment:
| Resource | Description |
|---|---|
| aws_iam_role | IAM Role with the name sysdig-secure-onboarding-XXXX. This Role is used to manage the lifecycle of your Sysdig integration. |
| aws_iam_role | IAM Role with the name sysdig-secure-posture-XXXX. This Role is used for CSPM. |
| (Organization only) aws_cloudformation_stack_set | Used to deploy the above Roles across all Accounts in your Organization. |
| (Organization only) aws_cloudformation_stack_set_instance | Used to deploy the above Roles across all Accounts in your Organization. |
Log Ingestion
The Log Ingestion component is used to enable Cloud Detection and Response (CDR) and Cloud Infrastructure Entitlement Management (CIEM).
Permissions Required to Install
The Installer must have at least the following policies assigned in the AWS Account or Organization’s Management account:
| Policy | Description |
|---|---|
| IAMFullAccess | Required to create IAM Roles and associated permissions. |
| AWSCloudFormationFullAccess | Required to create a CloudFormation Stack/StackSet that provisions the resources across your infrastructure. For the S3 setup, required only if you choose the CloudFormation setup method. |
| (EventBridge Organization setup only) AWSOrganizationsReadOnlyAccess | Required to list Accounts and OU IDs in your Organization. |
Additionally, the S3 method requires the following permissions on the target Trail and its SNS topic:
| Permission(s) | Description |
|---|---|
| sns:Subscribe, sns:SetTopicAttributes, sns:GetTopicAttributes | Required to subscribe to the SNS topic. |
| sns:CreateTopic | Required to create an SNS topic, if the target Trail has none. |
| cloudtrail:UpdateTrail | Required to attach the SNS topic to the target Trail, if it has none. |
Permissions Granted to Sysdig
The Sysdig IAM Role will have the following policies attached:
EventBridge Setup
| Role | Policy | Description |
|---|---|---|
| sysdig-secure-events-XXXX | A Custom IAM Policy containing the following permissions: events:PutEvents, events:DescribeRule, events:ListTargetsByRule | Allows EventBridge to send events to Sysdig, and allows Sysdig to inspect EventBridge resources for validation. |
S3 Setup
| Role | Policy | Description |
|---|---|---|
| sysdig-secure-cloudlogs-XXXX | A Custom IAM Policy containing s3:Get* and s3:List* on the S3 bucket the Trail writes to | Allows Sysdig to access the bucket and download the files in order to process the logs they contain. |
Resources Created
The following resources will be created in your AWS Environment based on the selected setup method:
| Resource | Method | Description |
|---|---|---|
| aws_iam_role | Both | IAM Role with the name sysdig-secure-events-XXXX or sysdig-secure-cloudlogs-XXXX, depending on the method. See Permissions Granted to Sysdig above. |
| aws_iam_role | EventBridge | IAM Role with the name AWSCloudFormationStackSetAdministrationRoleForEB. This Role is used to deploy EventBridge Rules in the selected regions in your Account. |
| aws_iam_role | EventBridge | IAM Role with the name AWSCloudFormationStackSetExecutionRoleForEB. This Role is used to deploy EventBridge Rules in the selected regions in your Account. |
| aws_cloudformation_stack_set | EventBridge | Used to deploy EventBridge Rules/Role in each Account/Region in your Organization. |
| aws_cloudformation_stack_set_instance | EventBridge | Used to deploy EventBridge Rules/Role in each Account/Region in your Organization. |
| aws_cloudwatch_event_rule | EventBridge | Defines which logs are sent to Sysdig. Deployed in each of the specified Accounts and regions. |
| aws_cloudwatch_event_target | EventBridge | Defines Sysdig as the target of the aws_cloudwatch_event_rule. Deployed in each of the specified Accounts and regions. |
Volume Access
The Volume Access component is used to enable Vulnerability Management Host Scanning (VM).
Permissions Required to Install
The Installer must have at least the following policies assigned in the AWS Account or Organization’s Management account:
| Policy | Description |
|---|---|
| IAMFullAccess | Required to create IAM Roles and associated permissions. |
| AWSCloudFormationFullAccess | Required to create a CloudFormation StackSet that creates KMS Keys/Aliases in each Account in your Organization. |
| (Organization only) AWSOrganizationsReadOnlyAccess | Required to list Accounts and OU IDs in your Organization. |
Permissions Granted to Sysdig
The Sysdig IAM Role will have the following policies attached:
| Role | Policy | Description |
|---|---|---|
| sysdig-secure-scanning-XXXX | A Custom IAM Policy containing the following permissions: kms:ListKeys, kms:ListAliases, kms:ListResourceTags, kms:DescribeKey, kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:CreateGrant, kms:ListGrants, ec2:Describe*, ec2:CreateSnapshot, ec2:CopySnapshot; ec2:CreateTags, with the additional constraint that ec2:CreateAction equals either CreateSnapshot or CopySnapshot; ec2:ModifySnapshotAttribute, with the additional constraint that ec2:Add/userId equals Sysdig's Worker Account ID; ec2:DeleteSnapshot, with the additional constraint that aws:ResourceTag/CreatedBy equals Sysdig (a tag Sysdig adds when creating the Snapshot). | Allows Sysdig to copy and scan Volumes. |
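The three conditional grants in that table are what keep the scanning Role from tagging, sharing or deleting arbitrary snapshots. The following is an added example, not Sysdig's own code, that writes those constraints in IAM condition syntax and lints a policy document to confirm they are still present; the "Resource": "*" scoping, the statement layout and the SYSDIG_WORKER_ACCOUNT_ID placeholder are assumptions.

```python
# Added example (not Sysdig's code): lint the sysdig-secure-scanning-XXXX
# custom policy for the conditions the table above describes. The policy
# dict is constructed from that table; resources and the account ID are placeholders.
SYSDIG_WORKER_ACCOUNT_ID = "111122223333"  # placeholder, not a real account ID

SCANNING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["kms:ListKeys", "kms:ListAliases", "kms:DescribeKey", "kms:Decrypt",
                    "kms:Encrypt", "kms:GenerateDataKey*", "kms:CreateGrant",
                    "ec2:Describe*", "ec2:CreateSnapshot", "ec2:CopySnapshot"]},
        {"Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*",
         "Condition": {"StringEquals": {
             "ec2:CreateAction": ["CreateSnapshot", "CopySnapshot"]}}},
        {"Effect": "Allow", "Action": "ec2:ModifySnapshotAttribute", "Resource": "*",
         "Condition": {"StringEquals": {"ec2:Add/userId": SYSDIG_WORKER_ACCOUNT_ID}}},
        {"Effect": "Allow", "Action": "ec2:DeleteSnapshot", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/CreatedBy": "Sysdig"}}},
    ],
}

# Condition key and the acceptable value set each sensitive action must carry.
REQUIRED_CONDITIONS = {
    "ec2:CreateTags": ("ec2:CreateAction", {"CreateSnapshot", "CopySnapshot"}),
    "ec2:ModifySnapshotAttribute": ("ec2:Add/userId", {SYSDIG_WORKER_ACCOUNT_ID}),
    "ec2:DeleteSnapshot": ("aws:ResourceTag/CreatedBy", {"Sysdig"}),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_unscoped(policy):
    """Findings for Allow statements granting a sensitive action without its condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in REQUIRED_CONDITIONS:
                continue
            key, allowed = REQUIRED_CONDITIONS[action]
            values = stmt.get("Condition", {}).get("StringEquals", {}).get(key)
            if values is None:
                findings.append(f"{action}: missing condition {key}")
            elif not set(_as_list(values)) <= allowed:
                extra = sorted(set(_as_list(values)) - allowed)
                findings.append(f"{action}: {key} allows {extra}")
    return findings
```

The lint matches exact action names, so a statement granting ec2:* would pass unnoticed; expand or reject wildcard actions before relying on it.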
Resources Created
The following resources will be created in your AWS Environment:
| Resource | Description |
|---|---|
| aws_iam_role | IAM Role with the name sysdig-secure-scanning-XXXX. This Role is used to copy and scan disk snapshots. |
| aws_iam_role | IAM Role with the name AWSCloudFormationStackSetAdministrationRoleForScanning. This Role is used to deploy KMS Keys and Aliases in the selected regions in your Account. |
| aws_iam_role | IAM Role with the name AWSCloudFormationStackSetExecutionRoleForScanning. This Role is used to deploy KMS Keys and Aliases in the selected regions in your Account. |
| aws_iam_policy | Custom IAM Policy with the permissions detailed above. |
| aws_iam_policy_attachment | Attaches the custom IAM Policy detailed above to the scanning Role. |
| aws_iam_policy_document | Policy document defining the permissions of the custom IAM Policy detailed above. |
| aws_cloudformation_stack_set | Used to deploy the KMS Keys/Aliases and Roles in each Account/Region in your Organization. |
| aws_cloudformation_stack_set_instance | Used to deploy the KMS Keys/Aliases and Roles in each Account/Region in your Organization. |