Permissions and Resources
This document outlines the permissions required for installing and operating various Sysdig features on AWS, as well as the resources that will be created in your AWS environment.
Review AWS Roles and Permissions
Security Principals
There are two identities involved in the onboarding process:
- Installer: The Identity, either a User or Role that will be used to perform the onboarding. Sysdig does not have access to this identity.
- Sysdig: A set of IAM Roles created during onboarding with specific, less permissive permissions attached. Sysdig will be given access to these Roles.
Base AWS Integration - Cloud Security Posture Management (CSPM)
Agentless Cloud Security Posture Management (CSPM) assesses and manages the security posture of your cloud resources without requiring agents.
Permissions Required to Install
The Installer must have at least the following policies assigned in the AWS Account or Organization’s Management account:
| Policy | Description |
|---|---|
| IAMFullAccess | Required to create IAM Roles and associated permissions. |
| (Organization only) AWSKeyManagementServicePowerUser | This policy provides access to AWS Key Management Service (KMS). |
| (Organization only) AWSCloudFormationFullAccess | This policy is required to create a CloudFormation StackSet that creates IAM roles in each Account in your Organization. |
| (Organization only) AWSOrganizationsReadOnlyAccess | This policy is required to list Accounts and OUIDs in your Organization. |
Permissions Granted to Sysdig
The Sysdig IAM Roles will have the following policies attached:
| Role | Policy | Description |
|---|---|---|
sysdig-secure-onboarding-XXXX | AWSAccountManagementReadOnlyAccess | Allows Sysdig to retrieve Account Alias |
(Organization only) sysdig-secure-onboarding-XXXX | AWSOrganizationsReadOnlyAccess | Allows Sysdig to list accounts in your Organization. |
sysdig-secure-posture-XXXX | SecurityAudit | Allows Sysdig to list resources within your Account. |
sysdig-secure-posture-XXXX | A Custom IAM Policy containing the following permissions: - account:GetContactInformation- elasticfilesystem:DescribeAccessPoints- lambda:GetFunction- lambda:GetRuntimeManagementConfig- macie2:ListClassificationJobs- waf-regional:ListRuleGroups- waf-regional:ListRules | Allows Sysdig to list resources within your Account that are not covered by the Security Audit policy. |
Resources Created
The following resources will be created in your AWS Environment:
| Resource | Description |
|---|---|
aws_iam_role | IAM Role with the name sysdig-secure-onboarding-XXXX. This role is used to manage the lifecycle of your Sysdig integration. |
aws_iam_role | IAM Role with the name sysdig-secure-posture-XXXX. This role is used for CSPM. |
(Organization only) aws_cloudformation_stack_set | Used to deploy the above Roles across all Accounts in your Organization. |
(Organization only) aws_cloudformation_stack_set_instance | Used to deploy the above Roles across all Accounts in your Organization. |
Log Ingestion
The Log Ingestion component is used to enable Threat Detection and Cloud Infrastructure Entitlement Management (CIEM)
Permissions Required to Install
The Installer must have at least the following policies assigned in the AWS Account or Organization’s Management account:
| Policy | Description |
|---|---|
| IAMFullAccess | Required to create IAM Roles and associated permissions. |
| AWSCloudFormationFullAccess | Required to create a CloudFormation Stack/StackSet to provision the resources across your infrastructure. |
| AWSOrganizationsReadOnlyAccess | This policy is required to list Accounts and OUIDs in your Organization. |
Additionally, the S3 method requires some permissions on some resources:
| Permission(s) | Description |
|---|---|
sns:Subscribe, sns:SetTopicAttributes, sns:GetTopicAttributes | Required to subscribe to SNS. |
sns:CreateTopic | Required to create a SNS topic, if absent on the target Trail |
cloudtrail:UpdateTrail | Required to attach the SNS topic to the target Trail, if absent |
kms:GetKeyPolicy, kms:SetKeyPolicy | Required to subscribe to allow Sysdig to decrypt CloudTrail files |
Permissions Granted to Sysdig
The Sysdig IAM Role will have the following policies attached:
EventBridge Setup
| Role | Policy | Description |
|---|---|---|
sysdig-secure-events-XXXX | A Custom IAM Policy containing the following permissions: - events:PutEvents- events:DescribeRule- events:ListTargetsByRule | Allows EventBridge to send events to Sysdig and Sysdig to inspect EventBridge resources to perform validation. |
S3 setup
| Role | Policy | Description |
|---|---|---|
sysdig-secure-cloudlogs-XXXX | A Custom IAM Policy containing:
| Allows Sysdig to access the bucket, unencrypt the files if encrypted and download them to process the logs they contain. |
Resources Created
The following resources will be created in your AWS Environment based on the selected setup method:
| Resource | Method | Description |
|---|---|---|
aws_iam_role | Both | IAM Role with the name sysdig-secure-events-XXXX/sysdig-secure-cloudlogs-XXXX. See more in Permissions Granted to Sysdig |
aws_iam_role | EventBridge | IAM Role with the name sydig-secure-events-XXXX-AdministrationRole. This role is used to deploy EventBridge Rules in the selected regions in your account. |
aws_iam_role | EventBridge | IAM Role with the name sysdig-secure-events-XXXX-ExecutionRole. This role is used to deploy EventBridge Rules in the selected regions in your account. |
aws_cloudformation_stack_set | EventBridge | Used to deploy EventBridge Rules/Role in each Account/Region in your Organization. |
aws_cloudformation_stack_set_instance | EventBridge | Used to deploy EventBridge Rules/Role in each Account/Region in your Organization. |
aws_cloudwatch_event_rule | EventBridge | Defines which logs are to be sent to Sysdig. Deployed in each of the specified accounts and regions |
aws_cloudwatch_event_target | EventBridge | Defines Sysdig as target for the aws_cloudwatch_event_rule. Deployed in each of the specified accounts and regions |
aws_sns_topic_subscription | S3 | Subscribes to the specified SNS topic, for Sysdig to receive updates on new CloudTrail files written |
Cloud Response Actions
The Cloud Response Actions component is used to enable Threat Response.
Permissions Required to Install
The Installer must have at least the following policies assigned in the AWS Account or the Organization’s Management account:
| Policy | Description |
|---|---|
| IAMFullAccess | Required to create IAM Roles and associated permissions. |
| AWSCloudFormationFullAccess | Required to create a CloudFormation StackSet that creates KMS Keys/Aliases in each region of the target accounts |
| (Organization only) AWSOrganizationsReadOnlyAccess | This policy is required to list Accounts and OUIDs in your Organization. |
Permissions Granted to Sysdig
Cloud Response Actions create a cross-account IAM role that Sysdig assumes to invoke Lambda functions, along with Lambda execution roles that perform the actual response actions.
| Role | Policy | Description |
|---|---|---|
sysdig-secure-ra-XXXX-cross-account-invoker | A Custom IAM Policy containing: - tag:GetResources- lambda:InvokeFunction (for enabled response action Lambdas)- lambda:GetFunction (for enabled response action Lambdas) | Allows Sysdig platform to invoke Response Action Lambda functions the configured account (management account in the Organizational case). |
sysdig-secure-ra-XXXX-quarantine-user-role | A Custom IAM Policy containing: - IAM user and policy management permissions ( iam:AttachUserPolicy, iam:DetachUserPolicy, iam:PutUserPolicy, iam:DeleteUserPolicy, iam:GetUser, etc.)- IAM role and policy read permissions - sts:AssumeRole, sts:GetCallerIdentity | Allows the quarantine user Lambda to attach deny-all policies to IAM users and roles. |
sysdig-secure-ra-XXXX-remove-policy-role | A Custom IAM Policy containing: - iam:DetachUserPolicy, iam:DetachRolePolicy- IAM user and role read permissions - sts:GetCallerIdentity, sts:AssumeRole | Allows the remove policy Lambda to un-quarantine IAM users and roles. |
sysdig-secure-ra-XXXX-fetch-cloud-logs-role | A Custom IAM Policy containing: - cloudtrail:LookupEvents- sts:GetCallerIdentity, sts:AssumeRole | Allows the fetch cloud logs Lambda to retrieve CloudTrail logs. |
sysdig-secure-ra-XXXX-confi-res-access-role | A Custom IAM Policy containing: - S3 public access block permissions ( s3:GetBucketPublicAccessBlock, s3:PutBucketPublicAccessBlock)- RDS instance modification permissions ( rds:DescribeDBInstances, rds:ModifyDBInstance)- sts:GetCallerIdentity, sts:AssumeRole | Allows the make private Lambda to remove public access from S3 buckets and RDS instances. The same permission is used for public access restore (reverse action). |
sysdig-secure-ra-XXXX-create-vol-snap-role | A Custom IAM Policy containing: - EC2 snapshot creation and tagging permissions ( ec2:CreateSnapshot, ec2:CreateTags, ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeSnapshots)- CloudWatch Logs permissions - sts:GetCallerIdentity, sts:AssumeRole | Allows the create volume snapshot Lambda to create EBS snapshots for forensic investigation. |
sysdig-secure-ra-XXXX-delete-vol-snap-role | A Custom IAM Policy containing: - EC2 snapshot deletion permissions ( ec2:DeleteSnapshot, ec2:DescribeSnapshots)- CloudWatch Logs permissions - sts:GetCallerIdentity, sts:AssumeRole | Allows the delete volume snapshot Lambda to delete EBS snapshots. |
Resources Created
The following resources will be created in your AWS Environment:
| Resource | Description |
|---|---|
aws_iam_role | Cross-account invoker role with the name sysdig-secure-ra-XXXX-cross-account-invoker. This role is assumed by Sysdig to invoke Lambda functions in the configured account (management account in the Organizational case). |
aws_iam_role | IAM Role with the name sysdig-secure-ra-XXXX-package-downloader-role. This role is used by the installer to download response action packages from Sysdig and upload them to regional S3 buckets. |
aws_iam_role | IAM Role with the name sysdig-secure-ra-XXXX-stackset-admin. This role is used to administer CloudFormation StackSets. |
aws_iam_role | IAM Role with the name sysdig-secure-ra-XXXX-stackset-execution. This role is used to execute CloudFormation StackSets. |
aws_lambda_function | Lambda function with the name sysdig-secure-ra-XXXX-quarantine-user. Attaches a deny-all policy to IAM users to prevent further actions. |
aws_lambda_function | Lambda function with the name sysdig-secure-ra-XXXX-remove-policy. Detaches policies from IAM users to undo quarantine actions. |
aws_lambda_function | Lambda function with the name sysdig-secure-ra-XXXX-fetch-cloud-logs. Retrieves CloudTrail logs. |
aws_lambda_function | Lambda function with the name sysdig-secure-ra-XXXX-configure-resource-access. Removes public access from S3 buckets and RDS instances (make private action). The same Lambda is used for public access restore (reverse action). |
aws_lambda_function | Lambda function with the name sysdig-secure-ra-XXXX-create-volume-snapshots. Creates EBS volume snapshots for forensic investigation. |
aws_lambda_function | Lambda function with the name sysdig-secure-ra-XXXX-delete-volume-snapshots. Deletes EBS volume snapshots. |
aws_cloudwatch_log_group | CloudWatch Log Groups for Lambda function execution logs. One log group per Lambda function per region. |
aws_s3_bucket | Regional S3 buckets with the name sysdig-secure-ra-XXXX-packages-{region}. These buckets store Lambda deployment packages. One bucket is created per region. |
aws_cloudformation_stack_set | CloudFormation StackSet with the name sysdig-secure-ra-XXXX-lambda. Used to deploy Lambda functions and S3 buckets across specified regions. |
aws_cloudformation_stack_set_instance | CloudFormation StackSet instances. One instance per region to deploy Lambda functions. |
aws_cloudformation_stack_set (Organization only) | CloudFormation StackSet with the name sysdig-secure-ra-XXXX-delegate-roles. Used to deploy delegate roles across member accounts in your Organization. |
aws_cloudformation_stack_set_instance (Organization only) | CloudFormation StackSet instances. One instance per organizational unit to deploy delegate roles to member accounts. |
Volume Access
The Volume Access component is used to enable Vulnerability Management Host Scanning (VM)
Permissions Required to Install
The Installer must have at least the following policies assigned in the AWS Account or Organization’s Management account:
| Policy | Description |
|---|---|
| IAMFullAccess | Required to create IAM Roles and associated permissions. |
| AWSCloudFormationFullAccess | Required to create a CloudFormation StackSet that creates KMS Keys/Aliases in each Account in your Organization. |
| (Organization only) AWSOrganizationsReadOnlyAccess | This policy is required to list Accounts and OUIDs in your Organization. |
Permissions Granted to Sysdig
The Sysdig IAM Role will have the following policies attached:
| Role | Policy | Description |
|---|---|---|
sysdig-secure-scanning-XXXX | A Custom IAM Policy containing the following permissions:kms:ListKeys- kms:ListAliases- kms:ListResourceTags- kms:DescribeKey- kms:Encrypt- kms:Decrypt- kms:ReEncrypt*- kms:GenerateDataKey*- kms:CreateGrant- kms:ListGrants- ec2:Describe*- ec2:CreateSnapshot- ec2:CopySnapshot- ec2:CreateTags with the additional constraint of ec2:CreateAction being equal to either CreateSnapshot or CopySnapshot- ec2:ModifySnapshotAttribute with the additional constraint of ec2:Add/userId being equal to Sysdig’s Worker Account ID- ec2:DeleteSnapshot with the additional constraint of aws:ResourceTag/CreatedBy being equal to Sysdig (which we add when creating the Snapshot) | Allows Sysdig to copy and scan Volumes. |
Resources Created
The following resources will be created in your AWS Environment:
| Resource | Description |
|---|---|
aws_iam_role | IAM Role with the name sysdig-secure-scanning-XXXX. This role is used to copy and scan disk snapshots. |
aws_iam_role | IAM Role with the name sydig-secure-scanning-XXXX-AdministrationRole. This role is used to deploy KMS Keys and Aliases in the selected regions in your account. |
aws_iam_role | IAM Role with the name sysdig-secure-scanning-XXXX-ExecutionRole. This role is used to deploy KMS Keys and Aliases in the selected regions in your account. |
aws_iam_policy | Custom IAM Policy with the permissions detailed above. |
aws_iam_policy_attachment | Custom IAM Policy with the permissions detailed above. |
aws_iam_policy_document | Custom IAM Policy with the permissions detailed above. |
aws_cloudformation_stack_set | Used to deploy EventBridge Rules/Role in each Account/Region in your Organization. |
aws_cloudformation_stack_set_instance | Used to deploy EventBridge Rules/Role in each Account/Region in your Organization. |
Workload Access
Workload Access is used to perform agentless vulnerability scanning on ECR images for ECS and on Lambda functions.
Permissions Required to Install
The Installer must have at least the following policies assigned in the AWS Account or Organization’s Management account:
| Policy | Description |
|---|---|
| IAMFullAccess | Required to create the IAM Role and associated policies. |
| (Organization only) AWSCloudFormationFullAccess | Required to create a CloudFormation StackSet that deploys the IAM Role across all accounts in your Organization. |
| (Organization only) AWSOrganizationsReadOnlyAccess | Required to list accounts and OUIDs in your Organization. |
Permissions Granted to Sysdig
The Sysdig IAM Role will have the following policies attached:
| Role | Policy | Description |
|---|---|---|
sysdig-vm-workload-scanning-XXXX | A Custom IAM Policy containing the following permissions: - ecr:GetDownloadUrlForLayer- ecr:BatchGetImage- ecr:BatchCheckLayerAvailability- ecr:ListImages- ecr:GetAuthorizationToken | Allows Sysdig to access and scan ECR images. |
sysdig-vm-workload-scanning-XXXX | (Optional) A Custom IAM Policy containing the following permissions: - lambda:GetFunction- lambda:GetFunctionConfiguration- lambda:GetRuntimeManagementConfig- lambda:ListFunctions- lambda:ListTagsForResource- lambda:GetLayerVersionByArn- lambda:GetLayerVersion- lambda:ListLayers- lambda:ListLayerVersions | Allows Sysdig to access and scan Lambda functions. This is enabled by setting the lambda_scanning_enabled variable to true. |
Resources Created
The following resources will be created in your AWS Environment:
| Resource | Description |
|---|---|
aws_iam_role | IAM Role with the name sysdig-vm-workload-scanning-XXXX. This role is used by Sysdig to perform workload scanning. |
aws_iam_policy | Custom IAM policies granting the permissions detailed above. |
aws_iam_policy_attachment | Attaches the custom policies to the sysdig-vm-workload-scanning-XXXX role. |
(Organization only) aws_cloudformation_stack_set | Used to deploy the sysdig-vm-workload-scanning-XXXX role and its policies across all accounts in your organization. |
(Organization only) aws_cloudformation_stack_set_instance | Creates instances of the StackSet for the target accounts and organizational units. |
