Forwarding to Amazon SQS

With SQS event forwarding, you can send, store, and receive events from Sysdig in an SQS queue and route them to other services in AWS.

Prerequisites

To set up this integration you will need:

  • An SQS queue
  • An IAM user
  • Permission for the user to write messages on the target queue
  • An access key so that Sysdig can authenticate as that IAM user

Create a New AWS IAM User

Creating a new IAM user is not required, but for security reasons, it is recommended. You will need to create an access key and an SQS queue.

  1. Create or identify a target AWS IAM User you want to give Sysdig access to.

    A dedicated user is not required, but it is recommended for security reasons. See the AWS documentation for how to create one. Take note of the ARN for the IAM User (similar to arn:aws:iam::12345:user/sysdig-efo-user).

  2. Create an Access key for the user:

    1. Open the target IAM User.
    2. Create an access key, selecting “Third-party service” as the use case.
    3. Save the Access key and the Secret access key. You will need to input these later in the Sysdig UI. See the AWS documentation.
  3. Create or identify a target SQS Queue.

    See the AWS documentation for details.

  4. Take note of the ARN for the SQS Queue (similar to arn:aws:sqs:us-west-2:12345:sysdig-efo-queue).

  5. Configure the Access Policy for the queue, allowing the target user to perform sqs:SendMessage, sqs:ListQueues and sqs:GetQueueUrl on that queue.

    Here is an example of the policy change:

     {
       "Version": "2012-10-17",
       "Id": "__default_policy_ID",
       "Statement": [
         ...existing statements...
         {
           "Sid": "sysdig_efo_statement",
           "Effect": "Allow",
           "Principal": {
             "AWS": "arn:aws:iam::12345:user/sysdig-efo-user"
           },
           "Action": [
             "sqs:ListQueues",
             "sqs:GetQueueUrl",
             "sqs:SendMessage"
           ],
           "Resource": "arn:aws:sqs:us-west-2:12345:sysdig-efo-queue"
         }
       ]
     }
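
A queue policy that drifts from the statement above (a wildcard principal, extra actions, a broader Resource) gives the forwarding credentials, or anyone else, more than the three actions this integration needs. The following check is an added example, not Sysdig or AWS code; `audit_queue_policy` and the sample policies are hypothetical names and constructed inputs that reuse the placeholder ARNs from this page.

```python
from fnmatch import fnmatchcase

# The three actions the page grants the forwarding user (lower-cased for matching).
REQUIRED = ("sqs:listqueues", "sqs:getqueueurl", "sqs:sendmessage")

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return value if isinstance(value, list) else [value]

def audit_queue_policy(policy, user_arn, queue_arn):
    """Return findings on what the queue policy allows user_arn to do."""
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws and "Condition" not in stmt:
            findings.append(f"{sid}: allows any AWS principal with no Condition")
        elif user_arn not in aws:
            continue  # statement does not concern the forwarding user
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        extra = sorted(a for a in actions if a not in REQUIRED)
        if extra:
            findings.append(f"{sid}: actions beyond the three required: {extra}")
        if resources != [queue_arn]:
            findings.append(f"{sid}: Resource is not exactly the target queue")
        if any(fnmatchcase(queue_arn, r) for r in resources):
            granted |= {r for r in REQUIRED if any(fnmatchcase(r, a) for a in actions)}
    missing = sorted(set(REQUIRED) - granted)
    if missing:
        findings.append(f"user lacks: {missing}")
    return findings

# Constructed samples: the page's placeholder ARNs and policy, plus an over-permissive variant.
USER_ARN = "arn:aws:iam::12345:user/sysdig-efo-user"
QUEUE_ARN = "arn:aws:sqs:us-west-2:12345:sysdig-efo-queue"
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "sysdig_efo_statement", "Effect": "Allow", "Principal": {"AWS": USER_ARN},
    "Action": ["sqs:ListQueues", "sqs:GetQueueUrl", "sqs:SendMessage"],
    "Resource": QUEUE_ARN}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "too_open", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "sqs:*", "Resource": QUEUE_ARN}]}

if __name__ == "__main__":
    print([audit_queue_policy(p, USER_ARN, QUEUE_ARN) for p in (PAGE_POLICY, WEAK_POLICY)])
```

To audit a live queue, read its policy with `aws sqs get-queue-attributes --attribute-names Policy`, parse the returned `Policy` string with `json.loads`, and pass the result to the function.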
    

Configure a Standard Integration

  1. Log in to Sysdig Secure as Admin and go to Profile > Settings > Event Forwarding.
  2. Click +Add Integration and choose Amazon SQS from the drop-down.
  3. Configure the required options:
    • Integration Name: Define an integration name, for example sysdig-efo-queue.
    • Access Key and Access Secret: Enter your AWS access key and secret.
    • Token: Enter the AWS token used.
    • Region: Enter the AWS region where you created your Amazon SQS queue, for example us-west-2.
    • Delay (Optional): Enter a value (in seconds) between 0 and 900 by which message delivery should be delayed.
    • Metadata (Optional): Set up to 10 key-value headers with which the messages should be tagged. Entries can be string values.
    • Queue: Enter your Amazon SQS queue name, not the full URL. For example: sysdig-efo-queue.
    • Data to Send: Select from the drop-down the types of Sysdig data that should be forwarded. The available list depends on the Sysdig features and products you have enabled.
    • Toggle the enable switch as necessary. Remember that you will need to “Test Integration” with the button below before enabling the integration.
  4. Click Save.

Configure Agent Local Forwarding

Review the configuration steps and use the following parameters for this integration.

| Type | Attribute | Required? | Type | Allowed values | Default | Description |
|------|-----------|-----------|------|----------------|---------|-------------|
| SQS | accessKey | yes | string | | | Access Key for authenticating on AWS to send data on the queue |
| SQS | accessSecret | yes | string | | | Access Secret for authenticating on AWS to send data on the queue |
| SQS | token | no | string | | | Session token for authenticating on AWS to send data on the queue |
| SQS | region | yes | string | | | Region in which the SQS queue is hosted |
| SQS | queue | yes | string | | | SQS queue name |
| SQS | delay | no | int | 0-900 | 0 | Delay, in seconds, applied to the data |
| SQS | headers | no | sequence of mappings | | | Extra headers to add to the payload. Each header mapping requires 2 keys: “key” for the header key and “value” for its value |