Integrate with AWS Role Delegation

This section describes how to configure Sysdig Monitor to use the Amazon Web Services (AWS) AssumeRole functionality, so that Sysdig Monitor is authorized to discover cloud assets, fetch CloudWatch metrics from your AWS account, and use a custom S3 bucket for storing captures. By integrating with an AWS role, you delegate access to AWS resources that are not associated with your Sysdig AWS account.

Setting up cross-account access through roles eliminates the need to create individual IAM users in each account. In addition, users don't have to sign out of one account and sign in to another in order to access resources in different AWS accounts.

Role delegation is an alternative to the existing integration method that uses access keys. It is considered the more secure method, because Amazon does not recommend sharing developer access keys with third parties.

Prerequisites and Guidelines

This topic assumes that you have the following ready and you are familiar with AWS.

  • Sysdig Monitor API Token

  • External ID

  • API endpoint. In this topic, it is referred to as {{host}}

    • SaaS: The endpoint is https://app.sysdigcloud.com for Monitor and https://secure.sysdig.com for Secure.

    • On-Prem: Depends on the on-prem deployment.

  • Administrator privileges to configure AWS integration

  • API client. Examples in this topic use curl

  • AWS account ID

    • SaaS: The AWS account ID is 273107874544

    • On-Prem: Customer-specific.

Enable AWS Role Delegation with API

This section describes how to enable AWS role delegation using an API.

Get Your External ID

Retrieve your external ID as follows:

curl -k --request GET \
  --url {{host}}/api/users/me \
  --header 'authorization: Bearer e71d7c0f-501e-47d4-a159-39da8b716f44' | jq '.[] | .customer | .externalId'

The -k option disables TLS certificate verification; omit it unless your on-prem endpoint presents a certificate that curl cannot validate.

An example of an external ID in the response is 04acdd59-4c98-4d11-8ee5-424326248161.

Configure Role Delegation

Integrating the Sysdig Platform with Amazon Web Services requires configuring role delegation using AWS IAM.

  1. Create a new role in the AWS IAM Console:

    (Figure: create-aws-role.png)

    1. For the role type, select Another AWS account.

    2. (SaaS) Enter the Sysdig account ID for Account ID.

      This means that you are granting read-only access to your AWS data.

    3. Select Require external ID and enter the one you retrieved in the previous step. Leave MFA disabled.

  2. Click Next: Permissions.

  3. Create the following policies:

    • sysdig_cloudwatch: Grants permission to list and describe the supported AWS resources and to get CloudWatch metrics for them.

    • sysdig_s3: Names the S3 bucket in which captures are to be stored.

      For more information on policies, see IAM Policy Code to Use.

    For detailed instructions on how to create a policy, see Integrate AWS Account Manually.

    1. If a policy has already been created, search for it on this page and select it, then skip to step. Otherwise, click Create Policy, which opens in a new window.

    2. Click Review policy.

    3. Name the policy and provide an apt description. For example, sysdig_cloudwatch.

    4. Click Create Policy.

      You can now close this window.

  4. In the Create role window, refresh the list of policies and select the policies you just created.

  5. Click Next: Review.

  6. Give the role a name and an apt description. For example, sysdig_role.

  7. Click Create Role.
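The console choices above (trust another AWS account, require the external ID, MFA disabled) produce a role trust policy in your account. The following added example, which is not Sysdig's code, renders that trust policy and audits an existing one for the two properties that matter: the principal is restricted to the Sysdig account and the sts:ExternalId condition is present. It assumes the SaaS account ID and the example external ID shown on this page.

```python
import json

# Values from this page: the Sysdig SaaS account ID and the example external ID.
SYSDIG_SAAS_ACCOUNT_ID = "273107874544"
EXAMPLE_EXTERNAL_ID = "04acdd59-4c98-4d11-8ee5-424326248161"


def build_trust_policy(sysdig_account_id, external_id):
    """Trust policy matching the console choices above: trust another AWS
    account (Sysdig's), require the external ID, no MFA condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{sysdig_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy, expected_account_id, expected_external_id):
    """Return findings for every Allow sts:AssumeRole statement whose principal
    is not the expected account or which lacks the expected sts:ExternalId.
    An empty list means every AssumeRole grant is scoped as intended."""
    findings = []
    expected_principal = f"arn:aws:iam::{expected_account_id}:root"
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = st.get("Principal", {})
        allowed = principal.get("AWS", []) if isinstance(principal, dict) else principal
        allowed = [allowed] if isinstance(allowed, str) else allowed
        for p in allowed:
            if p != expected_principal:
                findings.append(f"statement {i}: principal {p!r} is not {expected_principal!r}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            findings.append(f"statement {i}: missing or wrong sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SYSDIG_SAAS_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, SYSDIG_SAAS_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID))
```

Run the audit against the trust policy of the role you created (IAM Console > Roles > Trust relationships) to confirm nothing other than the Sysdig account with your external ID can assume it.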

Get Role ARN

  1. Select Roles > sysdig-role.

    (Figure: sysdig_role.png)

  2. Copy Role ARN.

Add the AWS Account

Using the role that you have created, add an AWS account on the Sysdig Monitor side. Use the following API call:

curl --request POST \
  --url {{host}}/api/providers \
  --header 'authorization: Bearer e71d7c0f-501e-47d4-a159-39da8b716f44' \
  --header 'content-type: application/json' \
  --data '{"name": "aws","credentials": {"role": "<Role_ARN>"},"alias": "role_delegation"}'

Replace <Role_ARN> with the one that you have copied in the previous section.

The response lists all the providers. An example response is given below:

{
  "provider": {
    "id": 7,
    "name": "aws",
    "credentials": {
      "id": "role_delegation",
      "role": "arn:aws:iam::485365068658:role/sysdig-access3"
    },
    "tags": [],
    "status": {
      "status": "configured",
      "lastUpdate": null,
      "percentage": 0,
      "lastProviderMessages": []
    },
    "alias": "role_delegation"
  }
}

Verify that the role delegation has been created:

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator.

  2. Select Settings > AWS.

    The role that you have created is added to the list of AWS Accounts.

  3. Proceed to enable CloudWatch and the AWS S3 bucket.

    See AWS: Integrate AWS Account and CloudWatch Metrics (Optional) for more information.

Additional Configuration for On-Prem

  1. Create an AWS user that will be used to fetch temporary credentials.

  2. Assign a policy to the user to allow AssumeRole. For example:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::{ACCOUNT-ID}:role/{ROLE_NAME}*"
      }
    }
    
  3. Make the access keys available from one of the following sources:

    • Environment variables

    • Java system properties

    • Instance profile credentials delivered through the Amazon EC2 metadata service.

      EC2 metadata service is recommended if the installation is on AWS.

Example: Set Environment Variables on a Kubernetes Installation

  1. Create Secret:

    apiVersion: v1
    kind: Secret
    metadata:
      name: aws-credentials
    type: Opaque
    data:
      aws.accessKey: {{BASE64_ENCODED_ACCESS_KEY_ID}}
      aws.secretKey: {{BASE64_ENCODED_ACCESS_KEY_SECRET}}
    
  2. Expose variables in deployment descriptors (sysdigcloud-collector, sysdigcloud-worker, sysdigcloud-api) and reference values in the newly created secret:

    - name: AWS_ACCESS_KEY_ID
      valueFrom:
        secretKeyRef:
          key: aws.accessKey
          name: aws-credentials
    - name: AWS_SECRET_ACCESS_KEY
      valueFrom:
        secretKeyRef:
          key: aws.secretKey
          name: aws-credentials
    

    Re-add the variables to the descriptors after each platform update until the installer includes them.

Set Up Resource Discovery

The supported AWS services are EC2, RDS, Elastic Load Balancer (ELB), ElastiCache, SQS, DynamoDB, and Application Load Balancer (ALB).

By default, all resources are fetched for all regions supported by AWS. You can restrict this by whitelisting regions when creating a provider key via the API. An example request body that whitelists regions:

{
    "name": "aws",
    "credentials": {
        "role": "arn:aws:iam::676966947806:role/test-assume-role"
    },
    "additionalOptions": "{\"regions\":[\"US_EAST_1\",\"US_EAST_2\"]}"
}
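The provider request body above, and the one in Add the AWS Account, share one gotcha: additionalOptions is a JSON document serialised as a string inside the outer JSON. The following added example, which is not Sysdig's code, builds that body with a region whitelist and validates the role ARN, then checks the /api/providers response so you can confirm the stored role really lives in the account you intended. It assumes the upper-case region form (US_EAST_1) shown in the page's example and uses a constructed copy of the page's example response.

```python
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

# Constructed copy of the example response shown on this page (Add the AWS Account).
EXAMPLE_RESPONSE = {"provider": {
    "id": 7, "name": "aws",
    "credentials": {"id": "role_delegation", "role": "arn:aws:iam::485365068658:role/sysdig-access3"},
    "tags": [],
    "status": {"status": "configured", "lastUpdate": None, "percentage": 0, "lastProviderMessages": []},
    "alias": "role_delegation"}}


def normalize_region(region):
    """Accept 'us-east-1' or 'US_EAST_1' and return the upper-case enum form the
    page's example uses; reject anything not shaped like a region identifier."""
    norm = region.strip().upper().replace("-", "_")
    if not re.fullmatch(r"[A-Z]+(_[A-Z]+)+_\d+", norm):
        raise ValueError(f"not an AWS region identifier: {region!r}")
    return norm


def build_provider_request(role_arn, alias, regions=None):
    """Body for POST {{host}}/api/providers. additionalOptions is a JSON document
    serialised as a string inside the outer JSON, as in the page's example."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    body = {"name": "aws", "credentials": {"role": role_arn}, "alias": alias}
    if regions:
        opts = {"regions": sorted({normalize_region(r) for r in regions})}
        body["additionalOptions"] = json.dumps(opts, separators=(",", ":"))
    return body


def check_provider_response(resp, expected_account_id):
    """Extract what is worth verifying after the call: that the stored role ARN
    belongs to the account you intended, and the provider status."""
    prov = resp["provider"]
    m = ROLE_ARN_RE.match(prov["credentials"]["role"])
    if not m:
        raise ValueError("response does not carry an IAM role ARN")
    return {"id": prov["id"], "account_id": m.group(1),
            "account_ok": m.group(1) == expected_account_id,
            "status": prov["status"]["status"]}
```

Pass json.dumps(build_provider_request(...)) as the curl --data payload; a mismatch in account_ok means the role ARN you pasted points at a different account than the one whose trust policy you configured.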