Threat Detection with AWS CloudTrail

Threat Detection leverages audit logs from AWS CloudTrail plus Falco rules to detect threats as soon as they occur and bring governance, compliance, and risk auditing for your cloud accounts.

Deploy Sysdig Secure for cloud on AWS and choose the Threat Detection module to track abnormal and suspicious activities in your AWS environment. (In the future, cloud Threat Detection will extend into other environments such as Google and Azure.)

With out-of-the-box Falco rules, this feature can detect events such as:

  • Add an AWS user to a group

  • Allocate a new elastic IP address to AWS account

  • Associate an elastic IP Address to an AWS network interface

  • Attach an Administrator Policy

  • CloudTrail logging disabled

  • Create an HTTP target group without SSL

  • Create an AWS user

  • Create an internet-facing AWS public-facing load balancer

  • Deactivate MFA for user access

  • Delete bucket encryption

  • Put inline policy in a group to allow access to all resources
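To make concrete what rules like those above match on, here is an added Python sketch (not Sysdig's Falco rules or code) of the same detection logic run over constructed CloudTrail records; the rule table, the `ATTACH_EVENTS` list, and the sample log are assumptions, while the record keys (`eventSource`, `eventName`, `requestParameters`, `userIdentity`, `awsRegion`) are standard CloudTrail fields.

```python
import json

# Constructed rule table (added example, not Sysdig's Falco rules): maps a
# CloudTrail (eventSource, eventName) pair to a rule name from the list above.
RULES = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "CloudTrail logging disabled",
    ("iam.amazonaws.com", "CreateUser"): "Create an AWS user",
    ("iam.amazonaws.com", "AddUserToGroup"): "Add an AWS user to a group",
    ("iam.amazonaws.com", "DeactivateMFADevice"): "Deactivate MFA for user access",
    ("s3.amazonaws.com", "DeleteBucketEncryption"): "Delete bucket encryption",
}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ATTACH_EVENTS = ("AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy")

def match_record(rec):
    """Return the rule name a single CloudTrail record triggers, or None."""
    src, name = rec.get("eventSource"), rec.get("eventName")
    # Attaching a policy only matters when it is the managed admin policy,
    # so this rule looks at requestParameters rather than the event name alone.
    if src == "iam.amazonaws.com" and name in ATTACH_EVENTS:
        params = rec.get("requestParameters") or {}
        return "Attach an Administrator Policy" if params.get("policyArn") == ADMIN_POLICY else None
    return RULES.get((src, name))

def detect(records):
    """Return (rule, actor ARN, region) for every record that matches a rule."""
    hits = []
    for rec in records:
        rule = match_record(rec)
        if rule:
            actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
            hits.append((rule, actor, rec.get("awsRegion")))
    return hits

def detect_from_log(text):
    """Parse one CloudTrail log file: a JSON object with a Records array."""
    return detect(json.loads(text)["Records"])

# Constructed sample log, not real data; 123456789012 is a placeholder account id.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"userName": "carol", "policyArn": ADMIN_POLICY}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "requestParameters": {"policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},  # benign: not admin
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "eu-west-1"},  # benign
]})
```

Running `detect_from_log(SAMPLE_LOG)` flags only the StopLogging and the AdministratorAccess attachment; the read-only attachment and the ordinary S3 read produce no hit.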

Usage Steps

  1. Deploy: Deploy Sysdig Secure for cloud on AWS and choose the Threat Detection with CloudTrail option.

  2. Insights becomes your default landing page in Sysdig Secure.

  3. Review the Events feed for detected activity.

    • Policies: Check Policies > Runtime Policies and confirm that the AWS Best Practices policy is enabled. This consists of the most-frequently-recommended rules for AWS and CloudTrail. You can customize it by creating a new policy of the AWS CloudTrail type.

    • Events: In the Events feed, search ‘cloud’ to show events from AWS CloudTrail.