Sysdig Documentation

Storage: Configure AWS Capture File Storage (Optional)

The Sysdig Capture feature allows you to record detailed system trace data via remote connection from any of your agent-installed hosts. In SaaS installations, by default, this data will be stored on Sysdig's secure Amazon S3 storage location, under a separate partition for your account. In on-premises installations, by default, the data will be stored in the Cassandra database.

Alternatively, you can configure your own S3 bucket to store the files.

Enable Custom S3 Bucket Storage

To configure this option, use the fields provided in the Sysdig Settings UI, and then append some code to the IAM policy you created in AWS for the Sysdig integration.

Prerequisites

On the Sysdig Monitor Side

  1. Log in as Administrator to Sysdig Monitor.

  2. From the Selector button in the lower left navigation, select Settings > Sysdig Storage.

  3. Enable the Use a custom S3 bucket toggle and enter your AWS S3 bucket name.

In the AWS IAM Console

  1. If you do not yet have an AWS account integrated with Sysdig, see our instructions on creating an IAM policy, creating an IAM user, and attaching the two IAM objects together. The following policy code can be pasted into the IAM Policy editor's JSON view to allow Sysdig to access the required AWS S3 bucket.

    Note: You must replace BUCKET_NAME with the name of your AWS S3 bucket.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["s3:Put*", "s3:List*", "s3:Delete*", "s3:Get*"],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME",
            "arn:aws:s3:::BUCKET_NAME/*"
          ]
        }
      ]
    }

  2. If you have previously integrated Sysdig with your AWS account to collect AWS CloudWatch metrics, you can replace your existing IAM policy with the following policy code using the IAM Policy editor's JSON view.

    Note: You must replace BUCKET_NAME with the name of your AWS S3 bucket.

    CloudWatch integration code and S3 bucket code combined:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:Describe*",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "dynamodb:ListTables",
            "ec2:Describe*",
            "ecs:Describe*",
            "ecs:List*",
            "elasticache:DescribeCacheClusters",
            "elasticache:ListTagsForResource",
            "elasticloadbalancing:Describe*",
            "rds:Describe*",
            "rds:ListTagsForResource",
            "sqs:GetQueueAttributes",
            "sqs:ListQueues",
            "sqs:ReceiveMessage"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:Put*", "s3:List*", "s3:Delete*", "s3:Get*"],
          "Resource": [
            "arn:aws:s3:::BUCKET_NAME/*",
            "arn:aws:s3:::BUCKET_NAME"
          ]
        }
      ]
    }
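Before pasting either policy into the IAM editor, you can check that it parses as JSON, that BUCKET_NAME has been replaced, and that the S3 actions are scoped to the capture bucket only. The following is an added example, not Sysdig code; the function name `check_capture_policy` and the bucket name `example-capture-bucket` are assumptions made for illustration.

```python
import json

def check_capture_policy(policy_text, bucket):
    """Return a list of problems with the S3 part of the policy (empty = OK)."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    problems, s3_seen = [], False
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_s3 = any(a == "*" or a.lower().startswith("s3:") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_s3:
            continue                          # e.g. the CloudWatch statement
        s3_seen = True
        resources = stmt.get("Resource", [])
        resources = {resources} if isinstance(resources, str) else set(resources)
        for res in sorted(resources - expected):
            if "BUCKET_NAME" in res:
                problems.append(f"placeholder not replaced: {res}")
            else:
                problems.append(f"S3 access outside the capture bucket: {res}")
        for res in sorted(expected - resources):
            problems.append(f"missing resource: {res}")
    if not s3_seen:
        problems.append("no Allow statement grants S3 actions")
    return problems

# Constructed sample: the page's S3 statement with a made-up bucket name.
GOOD = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["s3:Put*", "s3:List*", "s3:Delete*", "s3:Get*"],
  "Resource": ["arn:aws:s3:::example-capture-bucket",
               "arn:aws:s3:::example-capture-bucket/*"]}]}"""

if __name__ == "__main__":
    for problem in check_capture_policy(GOOD, "example-capture-bucket") or ["OK"]:
        print(problem)
```

The bucket ARN and the `/*` object ARN are both required because list operations apply to the bucket itself while get, put, and delete operations apply to the objects in it.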

To Test: Capture a Trace File in Sysdig Monitor UI

When enabled, you will have the option to choose between "Sysdig Monitor Storage" and your own storage bucket when configuring a file capture. See Create a Sysdig Capture File.