
Posture

Sysdig is introducing enhanced security capabilities with a new Cloud Infrastructure Entitlements Management (CIEM) module. This feature allows organizations to easily identify areas of their cloud infrastructure with overly permissive access rights, which could lead to data breaches or other risks, and to quickly update the related policies and user permissions as needed.

Along with this capability, the compliance standards and benchmark checks have all been moved under the umbrella module, Posture.

      Understand Each Component

      You can jump directly to each of the three related areas:

1 - Permissions and Entitlements

      As cloud services proliferate, so do user access policies, and a majority of enterprises use overly permissive policies that create large attack surfaces and significant security risks. With Sysdig’s Permissions and Entitlements (P&E) module for cloud accounts, you can review and mitigate these risks in minutes.

      Understanding Permissions and Entitlements

      In Sysdig Secure for cloud, Permissions and Entitlements work together with Compliance and Benchmark tools under the Posture navigation tab in the Sysdig Secure menu.

Analysis: From this interface you can quickly ascertain risks from two different angles:

      User-Focused Risks

      • Users with excessive permissions
      • Inactive users that can be removed
      • Unnecessary permissions

      Resource-focused Risks

      • Who can access a resource
      • Any suspicious cloud resource activity from a user with excessive permissions
      • Recent permissions changes

      Remediation: From there, the tool can suggest an improved policy, based on users' actual activity, which you can immediately paste into your AWS policy in the linked AWS console.

      Understanding the Suggested Policy Changes

      When you find a user or a policy with excessive permissions, there are two suggested types of remediations:

      • Global Policy Change: In this case, you click a targeted policy (e.g. AdministratorAccess) from either:

        • The policy link on a user’s panel, or
        • The Optimize Policy button on a policy panel

        A revised policy is suggested based on the activities of all users in the system that have been granted this entitlement.

        You would copy the suggested code into your existing policy in the AWS console.

      • User-Specific Policy: In this case, when investigating an individual user entry, you click Generate User-Specific Policy and a policy is suggested based on a combination of all policies and activities detected for that user.

        You would copy the suggested code into a new user policy in your AWS console.

      Understanding the Wildcard Warnings

The Policies list page flags policies that include wildcards for Action or Resource. By default, all recommended or optimized policies from Sysdig remove the Action wildcards.

Because Sysdig cannot detect the Resources deployed, it cannot automatically remediate Resource wildcards in policy code; those must be scoped by hand.

      Prerequisites

      • Sysdig Secure for cloud for AWS, installed with Terraform
      • Adequate AWS permissions to edit policies related to users, roles, and access

      Limitations

      • Currently a beta release

• Currently only identity-based policies (managed, inline, and group policies) are considered for permission calculation. Resource-based policies, permission boundaries, organization SCPs, ACLs, and session policies are not yet accounted for during permission calculations.

        More details on these policies here.

      • Two notes about the data displayed:

• AWS Last seen time is based on GetServiceLastAccessedDetails. For more information, see Amazon’s documentation.
• The AWS permissions used by IAM identities are based on user activity observed in CloudTrail logs. Currently, permissions used after assuming roles are not taken into account.

      Access the Overview

      1. Log in to Sysdig Secure.
2. Select Posture > Permissions and Entitlements | Overview.
      3. Review the global Permissions posture from the various panels and use the filtered links to access the Users and Policies subpages as needed.

      Filter by Account

      On each page in the P&E section, all users and resources are listed by default. If desired, you can focus on a single cloud account, using the Accounts drop-down at the top of the page.

      Review Unused Permissions

      Total Permissions Usage

      See at a glance the number of permissions that have been granted vs those that have actually been used. Click on the Used and Given links to see the related Policies list and remediate those with the highest number of unused permissions.

      Users

See at a glance the number of active vs inactive users. Click on the Active and Inactive links to see the related Users and Roles lists and to remediate.

      Average Permissions Per Policy

See at a glance the average number of permissions granted per policy, per account, and click into the Policies list to remediate.

      Average Policies Per User

See at a glance the average number of policies a user is associated with, per account, and click into the Users and Roles list to remediate.

      Policies with Unused Permissions

      The Inventory section orders the Policies, Users, and Roles with the greatest number of unused permissions at the top of the list. Click to expand the lists and remediate.

      Users and Roles with Unused Permissions

      The Inventory section orders the Policies, Users, and Roles with the greatest number of unused permissions at the top of the list. Click to expand the lists and remediate.

      Users and Roles

The Permissions and Entitlements | Users and Roles page provides numerous ways to sort, filter, and rank the detected user and role information and to quickly remediate permissions in policies.

      Filter and Sort

      Available filters:

      • By account, by just users, by just roles
      • By unused permissions vs inactive users and roles

      Each column in the table can be sorted to help target, for example, the users with the highest number of granted permissions or the highest percentage of unused permissions.

      Analyze and Remediate

      To reduce the entitlements for a particular user or role:

      1. Click on a user or role to open the detail pane.

        In the screenshot example above, the user has actually triggered only 1 of the 10,471 permissions issued, and is associated with five different policies. Full AdministratorAccess has not been needed for the job the user has been performing.

2. Decide whether to Generate a User-Specific policy that takes into account all the policies and permissions this user has employed, or whether to use the Suggested Policy for, e.g., AdministratorAccess, globally. See: Understanding the Suggested Policy Changes.

      3. Copy the generated policy and paste it into a policy in your AWS console.

      Policies

The Permissions and Entitlements | Policies page currently displays AWS policies only. Other cloud vendors will be added over time.

      Filter and Sort

      As with the Users and Roles page, you can filter by account, and each column in the table is sortable.

      The most common sorting priorities are:

      • By Unused % or Unused Permissions: Immediately target the policies with the greatest exposure and refine them according to the suggestions

      • By Shared Policy (# of Users): Focus on the policies affecting the greatest number of users and make a global policy change

      • By Wildcard warning: The Policies list specifically calls out the security risks posed by policies containing Resource or Action Wildcards. The suggested policies eliminate Action wildcards.

        See also: Understanding the Wildcard Warnings.

      Analyze and Remediate

      To reduce the entitlements globally for a particular policy:

      1. Click on a policy name to open the detail pane.

      2. Click Optimize Policy and review the proposed code.

      3. You can copy (then paste), download (then upload), or open the adjusted policy directly in the AWS console and save.

      Posture Resources

      The Resources page will be further developed in future releases.

      At this time, you can use the S3 Bucket information to see all the S3 buckets currently set to Public and switch them to Private in the AWS console as needed.

2 - Compliance

The Regulatory Compliance module in Sysdig Secure comprises a validator tool that checks selected controls from various compliance standards, and the reports it compiles. New standards are being added regularly. At this time, checks are provided against specific controls in:

      • PCI/DSS 3.2.1

      • SOC2

      • NIST 800-53 rev4 and NIST 800-53 rev5

      • ISO 27001:2013

      • HIPAA

      • GDPR

      The validator checks many Sysdig Secure features, including: image scanning policies, Falco runtime policies and rules, scheduled benchmark testing, Admission Controller, Network Security Policies, Node Image Analyzer, and more. Over time we will add new compliance coverage.

      Disclaimer: Sysdig cannot check all controls within a framework, such as those related to physical security.

Terminology note: Compliance standards are scoped to different platforms depending on the specific security rules they include. Broadly, these are divided into:

• Workload types: Including any Falco rules for kernel system calls, Falco rules for Kubernetes audit logs, host benchmarks, and security features that affect hosts, containers, and Kubernetes clusters

      • AWS/cloud type: Falco rules for CloudTrail and Cloud Custodian rules on Amazon Web Services

      Use Compliance Reports

      Access the Compliance Module

      1. Sysdig Secure admin: Enable the feature under Settings > Sysdig Labs.

      2. Click the Posture icon in the left-hand navigation and select AWS or Workloads under Regulatory Compliance.

      Review a Report

Each of the standard's controls is checked when you visit the Compliance page, so the page always shows the current state of your environment.

      Compliance Report Summary

      The top section of the page presents the compliance report summary, with the Pass|Fail summary data.

      • Pass %: Total percentage of all available checks that have passed

      • Passed: Total number of controls implemented that Sysdig was able to validate

      • Failed: Total number of controls not implemented that Sysdig was able to validate

• Unchecked: Total number of controls that Sysdig is configured to check but was unable to validate (e.g., an API that was unavailable at the time of validation)

      • Total Controls: Total number of controls Sysdig is configured to check

      Control Report and Common Fixes

The controls are grouped together under collapsible sections of “control families”.

      Open them to see each control description with a link to either the:

      • Proof: Link to the implemented Sysdig feature that permitted the control to pass, or the

      • Remediation: Link to the Sysdig feature that must be implemented to pass a check within the control

      The Rationale is the reason an implemented Sysdig feature will pass a check within the control.

      The Common Fixes section on the left consolidates the links for enabling Sysdig features in order to pass the control checks.

      Control Details


      PCI Controls Implemented

      The PCI Quick Reference describes the full range of controls required to pass a PCI 3.2 audit. In this release, Sysdig Secure will check the following subset:

      For PCI 3.2.1 workload protection: 1.1.2, 1.1.3, 1.1.5, 1.1.6.b, 2.2, 2.2.a, 2.2.1, 2.2.2, 2.4, 2.6, 4.1, 6.1, 6.2, 6.4.2, 6.5.1, 6.5.6, 6.5.8, 7.2.3, 10.1, 10.2, 10.2.1, 10.2.5, 10.2.7, 10.5.5, 11.5.1

      For PCI DSS v3.2.1 for AWS Sysdig Secure will check the following sections: 2.2, 2.2.2, 10.1, 10.2.1, 10.2.2, 10.2.5, 10.2.6, 10.2.7, 10.5.5, 11.4

      SOC2 Controls Implemented

      The American Institute of CPAs (AICPA) describes the full range of controls required to pass a SOC 2 audit.

      For workload protection, Sysdig Secure will check the following sections: CC3.2, CC5.1, CC5.2, CC6.1, CC6.2, CC6.6, CC6.8, CC7.1, CC7.2, CC7.5, CC8.1, CC9.1

      For AWS protection, Sysdig Secure will check the following sections: CC3.2, CC5.2, CC6.2, CC6.6, CC7.1, CC7.2.

      NIST 800-53 rev4 and rev5 Controls Implemented

      The National Institute of Standards and Technology (NIST) Special Publication 800-53 revision 4 describes the full range of controls required to pass a NIST 800-53 audit.

      For workload protection, Sysdig Secure will check the following sections: AC-2, AC-2(4), AC-2(12), AC-3, AC-4, AC-4(17), AC-6, AC-6(1), AC-6(2), AC-6(3), AC-6(5), AC-6(6), AC-6(9), AC-6(10), AC-14, AC-17, AC-17(1), AC-17(3), AC-17(4), AU-2, AU-6, AU-6(8), AU-10, AU-12, CA-9, CM-3, CM-3(6), CM-5, CM-7, CM-7(1), CM-7(4), IA-3, SA-10, SA-15(10), SC-2, SC-4, SC-7, SC-7(3), SC-7(10), SC-8, SC-8(1), SC-12(3), SC-17, SC-39, SI-3, SI-3(1), SI-3(2), SI-4, SI-4(2), SI-4(4), SI-4(11), SI-4(13), SI-4(18), SI-4(20), SI-4(22), SI-4(23), SI-4(24), SI-7, SI-7(3), SI-7(9), SI-7(11), SI-7(12), SI-7(13), SI-7(14), SI-7(15)

      For AWS protection, Sysdig Secure will check the following sections: AC-2, AC-2(4), AC-4, AC-6, AC-6(9), AU-6(8), AU-8, CA-7, CM-6, SC-8(1), SI-4, SI-12.

      Special Publication 800-53 revision 5 was published in September 2020 and includes some modifications. For 12 months both revisions will be valid, and revision 4 will be deprecated in September 2021.

      For workload protection, Sysdig Secure will check the following sections: AC-2, AC-2(4), AC-2(12), AC-3, AC-4, AC-4(17), AC-6, AC-6(1), AC-6(2), AC-6(3), AC-6(5), AC-6(6), AC-6(9), AC-6(10), AC-14, AC-17, AC-17(1), AC-17(3), AC-17(4), AC-17(10), AU-2, AU-6, AU-6(8), AU-10, AU-12, CA-3(6), CA-7(4), CA-7(5), CA-9, CM-3, CM-3(6), CM-3(7), CM-3(8), CM-4, CM-4(2), CM-5, CM-5(1), CM-7, CM-7(1), CM-7(4), CM-7(6), CM-7(7), CM-7(8), CM-8, CM-11(3), IA-3, MA-3(5), MA-3(6), PM-5(1), RA-3(4), RA-10, SA-10, SA-15(10), SA-23, SC-2, SC-4, SC-7, SC-7(3), SC-7(10), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-7(29), SC-8, SC-8(1), SC-12(3), SC-17, SC-39, SC-50, SI-3, SI-4, SI-4(2), SI-4(4), SI-4(11), SI-4(13), SI-4(18), SI-4(20), SI-4(22), SI-4(23), SI-4(24), SI-4(25), SI-7, SI-7(3), SI-7(9), SI-7(12), SI-7(15)

      For AWS protection, Sysdig Secure will check the following sections: AC-2, AC-2(4), AC-4, AC-6, AC-6(9), AU-6(8), AU-8, SC-8(1), SI-4.

      NIST 800-171 rev2 Compliance

The National Institute of Standards and Technology (NIST) Special Publication 800-171 rev2 describes the full range of controls required to pass a NIST 800-171 audit. It provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations.

For workload protection, Sysdig Secure will check the following sections: 3.1.1, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.20, 3.3.1, 3.3.2, 3.3.5, 3.3.8, 3.3.9, 3.4.3, 3.4.5, 3.4.6, 3.4.7, 3.4.9, 3.5.1, 3.5.2, 3.11.2, 3.12.1, 3.13.1, 3.13.2, 3.13.3, 3.13.4, 3.13.5, 3.13.6, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.5, 3.14.6, 3.14.7

For AWS protection, Sysdig Secure will check the following sections: 3.1.1, 3.1.2, 3.1.3, 3.3.1, 3.3.2, 3.3.7, 3.5.7, 3.5.8, 3.14.6, 3.14.7

      ISO 27001:2013 Controls Implemented

The ISO 27001:2013 standard describes the full range of controls required to pass an ISO 27001:2013 audit.

      For workload protection, Sysdig Secure will check the following sections: A.6.1.2, A.8.1.1, A.8.1.2, A.8.1.3, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.10.1.1, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.14.1.2, A.14.2.2, A.14.2.4, A.18.1.3, A.18.1.5

      For AWS protection, Sysdig Secure will check the following sections: A.6.1.2, A.9.1.1, A.9.1.2, A.9.2.3, A.9.2.5, A.9.4.2, A.9.4.3, A.10.1.1, A.10.1.2, A.12.1.2, A.13.1.1, A.14.1.2, A.18.1.3, A.18.1.5.

      HIPAA Controls Implemented

The HIPAA (Health Insurance Portability and Accountability Act) standard describes the full range of controls required to pass a HIPAA audit.

      For workload protection, Sysdig Secure will check the following sections: 164.308(a)(1)(ii)(D), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(d), 164.312(e)(2)(i), 164.312(e)(2)(ii)

      For AWS protection, Sysdig Secure will check the following sections: 164.308(a)(1)(ii)(D), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(8), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i).

GDPR Controls Implemented

      The General Data Protection Regulation 2016/679 (GDPR) is a regulation for data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.

      For workload protection, Sysdig Secure will check the following sections: 5.1, 5.2, 24.1, 24.2, 24.3, 25.1, 25.2, 25.3, 32.1, 32.2, 40.2

      For AWS protection, Sysdig Secure will check the following sections: 5.1, 5.2, 24.1, 24.2, 24.3, 25.1, 25.2, 25.3, 30.1, 30.2, 30.3, 30.4, 30.5, 32.1, 32.2, 40.2

      AWS Well Architected Framework Compliance

      The AWS Well Architected Framework whitepaper defines best practices to build secure, high-performing, resilient, and efficient infrastructure for applications and workloads.

      For workload protection, Sysdig Secure will check the following sections: OPS 4, OPS 5, OPS 6, OPS 7, OPS 8, SEC 1, SEC 5, SEC 6, SEC 7, REL 2, REL 4, REL 5, REL 6, REL 10, PERF 5, PERF 6, PERF 7

For AWS protection, Sysdig Secure will check the following sections: OPS 6, SEC 1, SEC 2, SEC 3, SEC 8, SEC 9, REL 2, REL 9, REL 10

      AWS Foundational Security Best Practices v1 (FSBP) Compliance

      AWS Foundational Security Best Practices v1 (FSBP) describes the full range of controls to detect when your deployed accounts and resources deviate from security best practices.

      For AWS protection, Sysdig Secure will check the following sections: AutoScaling.1, CloudTrail.1, Config.1, EC2.6, CloudTrail.2, DMS.1, EC2.1, EC2.2, EC2.3, ES.1, IAM.1, IAM.2, IAM.4, IAM.5, IAM.6, IAM.7, Lambda.2, GuardDuty.1