Threat Detection with AWS CloudTrail
Threat Detection applies Falco rules to AWS CloudTrail audit logs to flag suspicious activity as soon as it is recorded, and supports governance, compliance, and risk auditing for your cloud accounts.
Deploy Sysdig Secure for cloud on AWS and choose the Threat Detection module to track abnormal and suspicious activity in your AWS environment. (In the future, cloud Threat Detection will extend to other environments such as Google Cloud and Azure.)
With out-of-the-box Falco rules, this feature can detect events such as:
Add an AWS user to a group
Allocate a new elastic IP address to AWS account
Associate an elastic IP Address to an AWS network interface
Attach an Administrator Policy
CloudTrail logging disabled
Create an HTTP target group without SSL
Create an AWS user
Create an internet-facing AWS public-facing load balancer
Deactivate MFA for user access
Delete bucket encryption
Put inline policy in a group to allow access to all resources
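To make the rule logic concrete, the following is an added example, not Sysdig's Falco rules and not code from this page: it evaluates several of the detections listed above against constructed CloudTrail records in Python. The mapping of each rule name to CloudTrail eventName and requestParameters values, the AdministratorAccess ARN match, and the sample records are this example's own assumptions about the AWS APIs, not the definitions used in the AWS Best Practices policy.

```python
import json

# Assumed mapping of the listed rules to CloudTrail API calls. These are the
# author's reading of the AWS APIs, not Sysdig's rule definitions.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ATTACH_POLICY_CALLS = {"AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy"}


def _params(event):
    """requestParameters may be absent or null for some event types."""
    return event.get("requestParameters") or {}


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows_everything(policy_document):
    """True if any statement grants Action "*" on Resource "*".

    CloudTrail records the inline policy as a JSON *string* in
    requestParameters.policyDocument, so it must be parsed first.
    """
    if not policy_document:
        return False
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


# Each rule is (name, condition); names follow the list above.
RULES = [
    ("CloudTrail logging disabled",
     lambda e: e.get("eventSource") == "cloudtrail.amazonaws.com"
     and e.get("eventName") in {"StopLogging", "DeleteTrail"}),
    ("Deactivate MFA for user access",
     lambda e: e.get("eventName") == "DeactivateMFADevice"),
    ("Attach an Administrator Policy",
     lambda e: e.get("eventName") in ATTACH_POLICY_CALLS
     and _params(e).get("policyArn") == ADMIN_POLICY_ARN),
    ("Create an AWS user", lambda e: e.get("eventName") == "CreateUser"),
    ("Add an AWS user to a group", lambda e: e.get("eventName") == "AddUserToGroup"),
    ("Delete bucket encryption", lambda e: e.get("eventName") == "DeleteBucketEncryption"),
    ("Create an internet-facing AWS public-facing load balancer",
     lambda e: e.get("eventName") == "CreateLoadBalancer"
     and _params(e).get("scheme") == "internet-facing"),
    ("Put inline policy in a group to allow access to all resources",
     lambda e: e.get("eventName") == "PutGroupPolicy"
     and allows_everything(_params(e).get("policyDocument"))),
]


def detect(events, include_failed=False):
    """Run every rule over CloudTrail records and return the alerts.

    A record with errorCode is a call AWS rejected (e.g. AccessDenied): the
    change did not happen, so it is skipped unless include_failed is set.
    """
    alerts = []
    for ev in events:
        if ev.get("errorCode") and not include_failed:
            continue
        for name, cond in RULES:
            if cond(ev):
                alerts.append({"rule": name, "event": ev.get("eventName"),
                               "user": (ev.get("userIdentity") or {}).get("arn"),
                               "src_ip": ev.get("sourceIPAddress"),
                               "failed": bool(ev.get("errorCode"))})
    return alerts


# Constructed sample records in CloudTrail's JSON shape (not real log data).
_ALICE = {"arn": "arn:aws:iam::111122223333:user/alice"}
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": _ALICE,
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "management-trail"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": _ALICE,
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "bob", "policyArn": ADMIN_POLICY_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": _ALICE,
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutGroupPolicy", "userIdentity": _ALICE,
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupName": "devs", "policyName": "allow-all", "policyDocument": json.dumps(
         {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}})}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mallory"}, "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied", "requestParameters": {"userName": "alice"}},
    {"eventSource": "elasticloadbalancing.amazonaws.com", "eventName": "CreateLoadBalancer",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deployer"}, "sourceIPAddress": "10.0.0.5",
     "requestParameters": {"name": "internal-api", "scheme": "internal"}},
]


def triggered_rules(events=SAMPLE_EVENTS, include_failed=False):
    return [a["rule"] for a in detect(events, include_failed)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']}: {alert['event']} by {alert['user']} from {alert['src_ip']}")
```

Two details matter when writing rules of this kind. A CloudTrail record with an errorCode is an attempt that AWS refused, so it should not be treated as a successful configuration change (the failed DeactivateMFADevice above is dropped by default), though repeated failed attempts are themselves worth a lower-severity alert. And for PutGroupPolicy the policy document arrives as a JSON string inside requestParameters, with Statement, Action and Resource each allowed to be a single value or a list, so a rule that only string-matches on the raw record will miss equivalent policies.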
Deploy: Deploy Sysdig Secure for cloud on AWS and choose the Threat Detection with CloudTrail option.
Insights becomes your default landing page in Sysdig Secure.
Review the Events feed for detected activity.
Policies: Under Policies > Runtime Policies, confirm that the AWS Best Practices policy is enabled. It consists of the most frequently recommended rules for AWS and CloudTrail. To customize it, create a new policy of the AWS CloudTrail type.
Events: In the Events feed, search 'cloud' to show events from AWS CloudTrail.