Inventory

Sysdig Secure now offers an Inventory, so you can gain visibility into resources across your cloud (GCP, Azure, and AWS) and Kubernetes environments.

Sysdig Secure SaaS currently offers Inventory as a Technical Preview.

Overview

With this release of Inventory, you can:

  • View all deployed resources across your cloud environment(s)
  • View all code resources from IaC integrations
  • Protect all resources and mitigate blind spots
  • Know all current resources in your infrastructure that share properties
  • Know which resources belong to a business unit
  • Review posture violations for a resource and take action (remediate or handle risk)

Enablement Steps

  • If you are already leveraging the new Compliance module, no further configuration is required for Posture data
  • If you are new to Sysdig Secure, enable KSPM in the agent, connect a cloud account, or both
  • To view code resources from Git integrations, enable and configure IaC scanning

Usage

  1. Access: Log in to Sysdig Secure and click the Inventory top-level menu item.

    Inventory displays all resources from cloud accounts, Kubernetes data sources, and IaC Git resources connected to Sysdig, along with their Compliance policy passing score.

    Data shown in the UI is refreshed every 24 hours when a compliance evaluation is run.

  2. Filter: Use the unified filter to find targeted resources. Some common Featured Queries are offered below.

  3. Use Policy Data: Within a resource card, hover over the Posture Policies Passing gauge to open the popover and see the failing/passing policies applied to your resource. You can also link directly to the policy from there.

  4. View a Resource 360: Click a card to review the resource Posture and Configuration details (below).

Use the Resource Posture Tab

Sysdig provides sample queries related specifically to posture. For every resource, we provide visibility into its posture status based on the zones and policies it belongs to.

  1. Click a resource card to open the resource’s 360 drawer and access the Posture tab.

    The number of failed policies is highlighted next to the tab name.

  2. Select a failed policy to see the relevant controls to be remediated. The controls are grouped by requirement within each policy.

    For more information, see Evaluate and Remediate from Inventory.

Use the Resource Configuration Tab

  1. Click a resource card to open the resource’s 360 drawer and access the Configuration tab. It contains additional metadata and configuration details.

    You can copy this or save it as a .txt file.

  2. For Kubernetes hosts and clusters, you can search within the resource configuration by Origin or Attribute.

Work with IaC Resources

If you have configured IaC scanning, you can view the resources supported by the Git-integrated scanner in the Inventory (YAML, Terraform, Helm charts, etc.). The 360-view of each code resource includes:

  • resource metadata
  • configuration details
  • posture violations that can be remediated with automated workflows

Search for IaC Resources

IaC resources from Git repository scans are labeled code in the Inventory UI, to distinguish them from deployed resources in your cloud environments.

  1. Filter for Resource Origin = Code.

  2. Notice the resulting list includes a visual tag (< >) on the logo to distinguish code resources.

  3. Other options: Filter by Source Type, Location, Git Integration, or Repository.

Featured Queries

The following are ways to structure queries in the unified filter to solve common use cases.

Find Resources by Name and/or Attributes

  • I want to search for all S3 buckets in the EU regions
    • Resource Type contains S3 AND Region startsWith eu
  • I want to search for all Workloads of type host with names starting with prod
    • Resource Type is host AND Name startsWith prod
  • I want to view the configuration of my GKE Worker nodes
    • Node Type is Worker AND Kubernetes Distribution is gke
  • I want to search for all clusters running on OpenShift V4
    • Resource Type is Cluster AND Kubernetes Distribution is ocp4
  • I want to search for all IaC resources
    • Resource Origin is Code

Find Resources Owned by Business Unit

  • I want to search for all resources belonging to my PCI zones
    • Zones startsWith PCI
  • I want to search for all resources labeled app:retail
    • Labels in app:retail
  • I want to search for all resources within the finance namespace
    • Namespace is finance
  • I want to search for all resources belonging to my docker clusters
    • Cluster contains docker

Find your Environment Blind Spots

  • I want to view all resources on which there are 0 policies applied
    • Posture Applied Policy not exists
  • I want to view all resources that belong to 0 zones
    • Zones not exists
  • I want to view all resources that are not labeled
    • Labels not exists

Find Resources by Posture Details

  • I want to view all resources on which policy X is applied
    • Posture Applied Policy is (p1)
    • Posture Applied Policy in (p1, p2, p3)
  • I want to view all resources on which the CIS Kubernetes V1.23 Benchmark policy is applied
    • Posture Applied Policy in CIS Kubernetes V1.23 Benchmark
  • I want to view all resources that fail the ISO/IEC 27001 policy
    • Posture Failed Policy in ISO/IEC 27001
  • I want to view all resources that are failing at least one policy
    • Posture Failed Policy exists
  • I want to view all resources that are failing at least one control
    • Posture Failed Control exists
  • I want to view all resources for which a risk has been accepted on a control
    • Posture Accepted Risk exists

Find IaC Resources

  • I want to find the code for the deployment of my mobile app’s frontend
    • Resource Origin is Code AND Resource Type is Deployment AND Location contains mobile-app AND Name contains mobile-frontend
  • I want to see all Terraform code managed by the Marketing team
    • Source Type is Terraform AND Labels in OwnedBy:team-marketing AND Repository is my-git-repo
  • I want to know which IaC of my EC2 Instances are failing a control
    • Resource Origin is Code AND Resource Type is EC2 Instance AND Posture Failed Control exists
  • I want to see all IaC repos not being evaluated by policies
    • Git Integration is my-iac-repos AND Posture Applied Policy not exists

View a Resource’s Applied Configuration

  • I want to view the bucket policy for bucket 123
    • Resource Type contains bucket AND Name contains 123, then click the resource card and scroll through the configuration details
  • I want to view the default runAsUser applied configuration for workload abc
    • Name is abc, then click the resource card and scroll through the configuration details

Evaluate and Remediate from Inventory

You can now evaluate and remediate posture violations for your deployed and code (IaC) resources from within the Inventory interface.

The steps are the same as in the Compliance module, with the following modification:

  • For IaC resources, there is no manual remediation and no “Accept Risk” function.

For certain controls, you can open a pull request to remediate a code resource, as described in Continue Remediation > Pull Request.

Use the Inventory API

Query the Secure API to get a list of multiple inventory resources or retrieve a single one.

For API doc links for additional regions, or steps to access them from within the Sysdig Secure UI, see the Developer Tools overview.

Inventory Data Dictionary

You can construct searches/filters by attribute name in the Inventory unified filter.

Filter Operators

  • is (=)
  • is not (!=)
  • in (in)
  • not in (!in)
  • startsWith (^)
  • contains (%); wildcards are not supported
  • exists / not exists
Attribute Name | Attribute Definition
Account | The container for your AWS resources. You create and manage your AWS resources in an AWS account.
Attribute* | The attributes defined within the configuration of your Kubernetes host or cluster
Cluster | Name of your Kubernetes cluster
External DNS | The DNS name of your Kubernetes host’s node that will resolve into an address with external address characteristics
Git Integration | Name of the Git integration. See IaC Scanning/Git Integrations
Kubernetes Distribution | GKE, EKS, AKS, Rancher, Vanilla, OpenShift v4, IKS, MKE
Labels | Key/value pairs (for example team:research) that you have applied to your resource from Kubernetes or a managed cloud platform (AWS, GCP, Azure). For Kubernetes, the Labels field includes all labels on the resource, including nested labels: a search on a label that exists on a container returns the workload that contains the container.
Location | Path to the file or module directory in the repository (IaC resources). Kubernetes manifest: path to the YAML file; Helm chart: the Helm chart folder; Kustomize: path to the manifests folder (the folder containing the base kustomization.yaml); Terraform: path to the .tf module folder
Name | Name of your resource
Namespace | Kubernetes cluster namespace
Node Type | Master or Worker node of your Kubernetes host
Operating System | Operating system of your Kubernetes host
Organization | Root node of your managed cloud resources hierarchy
Origin* | The origin of your Kubernetes host’s or cluster’s configuration (Docker, Linux, Kubernetes, etc.)
OS Image | Name and version of your host’s operating system
Platform | AWS, Azure, GCP, Kubernetes, or Linux
Posture Accepted Risk | Whether or not a risk has been accepted for a resource’s control
Posture Applied Policy | Name(s) of the policies applied to the resource
Posture Failed Control Severity | High, medium, or low
Posture Failed Control | Name(s) of the failed control(s) applied to the resource
Posture Failed Policy | Name(s) of the failed policy(ies) applied to the resource
Posture Failed Requirement | Name(s) of the failed requirement(s) applied to the resource
Posture Passed Policy | Name(s) of the passed policy(ies) applied to the resource
Project | The container for your Google Cloud resources. You create and manage your GCP resources in a GCP project
Region | Region of the world where your managed cloud resource is deployed (such as us-east, eu-west, asia-northeast)
Repository | Name of the repository, for example IaC_Demo
Resource Origin | Code: IaC resources from Git integrations. Deployed: runtime resources
Resource Type | For Kubernetes, can be a Workload, Service Account, Role, Cluster Role, Host, User, Cluster, or Group. For managed clouds, it can be a Resource (S3 bucket, Deployment, DaemonSet…) or an Identity (Access Key, User, Policy…)
Source Type | Possible values for IaC source: YAML, Helm, Kustomize, Terraform
Subscription | The container for your Azure resources. You create and manage your Azure resources in an Azure subscription
Version | The version of your cluster
Zones | A business group of resources, defined by a collection of scopes of various resource types (for example, “Dev”: all my development resources)

* Attribute and Origin can only be filtered from within a Kubernetes host or cluster resource configuration.
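The filter grammar above (an attribute name, one of the listed operators, an optional value, and clauses joined with AND) can be exercised without a Sysdig account. The following is an added example, not Sysdig code: it parses query strings written the way the Featured Queries are written and evaluates them against a constructed five-resource inventory. Attribute names follow the data dictionary; the sample resources, the treatment of multi-valued attributes (a list matches if any element matches; `is not` and `not in` are also true when the attribute is unset), and the handling of `(p1, p2)` value lists are assumptions.

```python
"""Offline evaluator for Inventory unified-filter queries (added example).

Not Sysdig code. Parses the operator grammar from the Inventory data
dictionary and runs it over a constructed sample inventory so the featured
queries can be tried locally. Multi-value semantics are assumed.
"""
import re

# Operator spellings from the data dictionary. Longer spellings come first so
# "is not" / "not in" / "not exists" are not mistaken for "is" / "in" / "exists".
OPERATORS = ("is not", "not in", "not exists", "startsWith", "contains",
             "exists", "is", "in")

_CLAUSE = re.compile(
    r"^(?P<attr>.+?)\s+(?P<op>" + "|".join(re.escape(o) for o in OPERATORS)
    + r")(?:\s+(?P<val>.+))?$"
)

# Constructed sample inventory: one dict per resource, keyed by the attribute
# names used in the UI. Multi-valued attributes are lists; absent means unset.
SAMPLE_INVENTORY = [
    {"Name": "logs-archive", "Resource Origin": "Deployed", "Platform": "AWS",
     "Resource Type": "S3 Bucket", "Region": "eu-west-1", "Zones": ["PCI-prod"],
     "Posture Applied Policy": ["CIS Amazon Web Services Foundations Benchmark"]},
    # Blind spot: no zone, no labels, no policy applied.
    {"Name": "scratch-data", "Resource Origin": "Deployed", "Platform": "AWS",
     "Resource Type": "S3 Bucket", "Region": "us-east-1"},
    {"Name": "prod-node-01", "Resource Origin": "Deployed", "Platform": "Kubernetes",
     "Resource Type": "Host", "Node Type": "Worker", "Kubernetes Distribution": "gke",
     "Cluster": "retail-gke", "Labels": ["app:retail", "team:research"],
     "Posture Applied Policy": ["CIS Kubernetes V1.23 Benchmark"],
     "Posture Failed Policy": ["CIS Kubernetes V1.23 Benchmark"],
     "Posture Failed Control": ["Kubelet anonymous authentication disabled"]},
    {"Name": "ocp-prod", "Resource Origin": "Deployed", "Platform": "Kubernetes",
     "Resource Type": "Cluster", "Kubernetes Distribution": "ocp4",
     "Zones": ["PCI-prod"],
     "Posture Applied Policy": ["CIS Kubernetes V1.23 Benchmark"]},
    {"Name": "mobile-frontend", "Resource Origin": "Code", "Platform": "Kubernetes",
     "Resource Type": "Deployment", "Source Type": "YAML", "Repository": "IaC_Demo",
     "Git Integration": "my-iac-repos", "Location": "k8s/mobile-app/frontend.yaml",
     "Labels": ["OwnedBy:team-mobile"],
     "Posture Applied Policy": ["CIS Kubernetes V1.23 Benchmark"],
     "Posture Failed Control": ["Container must not run as root"]},
]


def _parse_value(op, raw):
    """Turn the raw value text into None, a string, or a list for in/not in."""
    if op in ("exists", "not exists"):
        return None
    if raw is None:
        raise ValueError(f"operator {op!r} needs a value")
    raw = raw.strip()
    if raw.startswith("(") and raw.endswith(")"):   # "is (p1)", "in (p1, p2)"
        raw = raw[1:-1]
    if op in ("in", "not in"):
        return [v.strip() for v in raw.split(",") if v.strip()]
    return raw


def parse_query(text):
    """Parse 'Attr op value AND Attr op value ...' into (attr, op, value) tuples."""
    clauses = []
    for part in re.split(r"\s+AND\s+", text.strip()):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"cannot parse clause: {part!r}")
        clauses.append((m["attr"], m["op"], _parse_value(m["op"], m["val"])))
    return clauses


def clause_matches(resource, attr, op, value):
    """Evaluate one clause; a multi-valued attribute matches if any value does."""
    v = resource.get(attr)
    vals = [] if v is None else (list(v) if isinstance(v, (list, tuple)) else [v])
    if op == "exists":
        return bool(vals)
    if op == "not exists":
        return not vals
    if op == "is":
        return any(x == value for x in vals)
    if op == "is not":            # assumed: also true when the attribute is unset
        return all(x != value for x in vals)
    if op == "in":
        return any(x in value for x in vals)
    if op == "not in":
        return all(x not in value for x in vals)
    if op == "startsWith":
        return any(x.startswith(value) for x in vals)
    if op == "contains":          # plain substring: "*" is a literal, not a wildcard
        return any(value in x for x in vals)
    raise ValueError(f"unknown operator {op!r}")


def search(query, inventory=SAMPLE_INVENTORY):
    """Return the names of resources matching every clause of the query."""
    clauses = parse_query(query)
    return [r["Name"] for r in inventory
            if all(clause_matches(r, a, o, v) for a, o, v in clauses)]
```

`search("Posture Applied Policy not exists")` returns only `scratch-data`, the deliberately unzoned, unlabeled, unevaluated bucket, which is the blind-spot case the queries above are meant to surface. `search("Name contains prod*")` returns nothing because `contains` is a plain substring match and the asterisk is taken literally, matching the "wildcards not supported" caveat on the operator.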

Additional Attributes

Attributes that appear in the interface but cannot be searched/filtered on include:

Attribute Name | Attribute Definition
Last Seen | Last date when the resource was evaluated
Value* | The value of your Kubernetes host’s or cluster’s attribute

* Only for Kubernetes hosts and clusters

For information on using Zones, see Zones.