Configure Threat response for AWS

After you connect your AWS environment to Sysdig, you can configure Response Actions. Cloud Response Actions let you execute Threat Response actions in your AWS Cloud environment against threats that target AWS resources.

Sysdig released a new onboarding experience for AWS in September 2024. If you onboarded your AWS Organization or Account before September 30, 2024, and would like to add more features, contact your Sysdig representative.

Prerequisites

Set Up Cloud Response Actions

  1. Log in to Sysdig Secure, and select Integrations > AWS.

  2. Select an onboarded account you would like to add features to.

    The detail panel appears on the right. Here, you can see a list of features.

  3. Select Setup Threat Response.

    The Account Overview page appears. Here, you can review which features are enabled.

  4. Under Threat Response, and beside Cloud Response Actions, select Go to Setup.

  5. Select whether you wish to use Terraform or a CloudFormation Template.

  6. Ensure you have the necessary permissions configured as described in the first step.

  7. Verify the details of your Organization or Account where the features will be added.

  8. Select which Response Actions you want to set up. By selecting an action, you’re provisioning one or more Lambda functions, along with Roles and the required Permissions to execute them. See Permissions and Resources for additional information.

  9. Deploy the configured setup.

Ensure that you are using the Sysdig Terraform provider (sysdiglabs/sysdig) at version ~>3.3 and the latest available versions of the sysdiglabs/secure/aws modules. If some time has passed since your initial onboarding, regenerate the Terraform main.tf file from the Sysdig UI under Integrations > AWS. For example:

terraform {
  required_providers {
    sysdig = {
      source  = "sysdiglabs/sysdig"
      version = "~>3.3"
    }
  }
}

...

module "onboarding" {
  source  = "sysdiglabs/secure/aws//modules/onboarding"
  version = "~>5.0"
}

...

module "config-posture" {
  source                   = "sysdiglabs/secure/aws//modules/config-posture"
  version                  = "~>5.0"
  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
}

  • For Terraform, save the generated Terraform snippet as cloud_response_actions.tf in the folder that contains your main.tf, and then run terraform init && terraform apply.
  • For CloudFormation, follow the link in the setup to your AWS Console. Once completed, come back to the Sysdig UI and click “Complete”.
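The version note above is easy to get wrong in a directory that was onboarded months ago: main.tf may declare the right constraint while .terraform.lock.hcl still pins an older provider build, or one module may have been left at an earlier major version. The following script is an added example, not Sysdig's own tooling; it reads a main.tf and a lock file, implements Terraform's pessimistic (~>) constraint rule, and reports anything that does not meet the sysdiglabs/sysdig ~>3.3 and sysdiglabs/secure/aws ~>5.0 requirements before you run terraform apply. The file contents embedded below are constructed samples of a stale directory.

```python
"""Check a Sysdig AWS onboarding Terraform directory against the version
requirements in the docs (provider sysdiglabs/sysdig ~>3.3, modules under
sysdiglabs/secure/aws ~>5.0). Added example, not Sysdig's own tooling; the
embedded file contents are constructed samples."""
import re

REQUIRED_PROVIDER = "sysdiglabs/sysdig"
REQUIRED_PROVIDER_CONSTRAINT = "~>3.3"
REQUIRED_MODULE_PREFIX = "sysdiglabs/secure/aws//"
REQUIRED_MODULE_CONSTRAINT = "~>5.0"

# Constructed sample of a main.tf generated by an earlier onboarding run:
# the provider constraint is current but config-posture is a major version behind.
SAMPLE_MAIN_TF = """
terraform {
  required_providers {
    sysdig = {
      source  = "sysdiglabs/sysdig"
      version = "~>3.3"
    }
  }
}

module "onboarding" {
  source  = "sysdiglabs/secure/aws//modules/onboarding"
  version = "~>5.0"
}

module "config-posture" {
  source                   = "sysdiglabs/secure/aws//modules/config-posture"
  version                  = "~>4.2"
  sysdig_secure_account_id = module.onboarding.sysdig_secure_account_id
}
"""

# Constructed sample of .terraform.lock.hcl: the provider build that the last
# terraform init actually installed, which can lag behind what main.tf declares.
SAMPLE_LOCK_HCL = """
provider "registry.terraform.io/sysdiglabs/sysdig" {
  version     = "3.1.0"
  constraints = "~> 3.1"
}
"""

CONSTRAINT_RE = re.compile(r"~>\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'3.3.1' -> (3, 3, 1)."""
    return tuple(int(p) for p in text.strip().split("."))


def pad(v):
    """Right-pad a version tuple with zeros to three components."""
    return tuple(v) + (0,) * (3 - len(v))


def constraint_lower(constraint):
    """Lower bound of a '~>' constraint as a tuple, or None if not that form."""
    m = CONSTRAINT_RE.fullmatch(constraint.strip())
    return parse_version(m.group(1)) if m else None


def satisfies_pessimistic(version, constraint):
    """Terraform '~>' rule: ~>3.3 allows >=3.3.0,<4.0.0 and ~>3.3.1 allows
    >=3.3.1,<3.4.0, i.e. only the last given component may grow."""
    lower = constraint_lower(constraint)
    if lower is None:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    idx = max(len(lower) - 2, 0)      # the upper bound bumps the second-to-last component
    upper = list(lower[: idx + 1])
    upper[idx] += 1
    return pad(lower) <= pad(version) < pad(upper)


def parse_required_providers(tf_text):
    """Map provider source -> version constraint from the terraform {} block."""
    block = re.search(r"terraform\s*\{(.*?)\n\}", tf_text, re.S)
    if not block:
        return {}
    pairs = re.findall(r'source\s*=\s*"([^"]+)"\s*version\s*=\s*"([^"]+)"', block.group(1))
    return dict(pairs)


def parse_modules(tf_text):
    """Map module name -> (source, version constraint)."""
    modules = {}
    for name, body in re.findall(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', tf_text, re.S):
        src = re.search(r'source\s*=\s*"([^"]+)"', body)
        ver = re.search(r'version\s*=\s*"([^"]+)"', body)
        modules[name] = (src.group(1) if src else None, ver.group(1) if ver else None)
    return modules


def parse_lock(lock_text):
    """Map provider address -> locked version from .terraform.lock.hcl."""
    return dict(re.findall(r'provider\s+"([^"]+)"\s*\{\s*version\s*=\s*"([^"]+)"', lock_text))


def check_setup(main_tf, lock_hcl):
    """Return a list of findings; an empty list means the directory matches the docs."""
    findings = []
    declared = parse_required_providers(main_tf).get(REQUIRED_PROVIDER)
    low = constraint_lower(declared) if declared else None
    if declared is None:
        findings.append(f"provider {REQUIRED_PROVIDER} is not declared in required_providers")
    elif low is None or not satisfies_pessimistic(low, REQUIRED_PROVIDER_CONSTRAINT):
        findings.append(f"main.tf pins {REQUIRED_PROVIDER} to {declared!r}; docs require "
                        f"{REQUIRED_PROVIDER_CONSTRAINT}: regenerate main.tf from the Sysdig UI")
    locked = parse_lock(lock_hcl).get("registry.terraform.io/" + REQUIRED_PROVIDER)
    if locked and not satisfies_pessimistic(parse_version(locked), REQUIRED_PROVIDER_CONSTRAINT):
        findings.append(f"lock file holds {REQUIRED_PROVIDER} {locked}, outside "
                        f"{REQUIRED_PROVIDER_CONSTRAINT}: run terraform init -upgrade")
    for name, (src, ver) in parse_modules(main_tf).items():
        if not (src or "").startswith(REQUIRED_MODULE_PREFIX):
            continue
        mlow = constraint_lower(ver) if ver else None
        if mlow is None or not satisfies_pessimistic(mlow, REQUIRED_MODULE_CONSTRAINT):
            findings.append(f"module {name!r} uses version {ver!r}; docs require {REQUIRED_MODULE_CONSTRAINT}")
    return findings


if __name__ == "__main__":
    for finding in check_setup(SAMPLE_MAIN_TF, SAMPLE_LOCK_HCL):
        print("WARN:", finding)
```

Run it from the onboarding directory with the two sample strings replaced by the contents of main.tf and .terraform.lock.hcl; on the constructed sample it reports the stale 3.1.0 provider in the lock file and the ~>4.2 config-posture module, which are exactly the two things terraform apply would silently carry forward.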

Check Connection Status

To check the connection status:

  1. Log in to Sysdig Secure.

  2. Select Integrations > AWS.

  3. Select your account.

    The detail panel appears on the right.

    If the connection is successful, you will see the feature as Connected. This may take up to 5 minutes after deploying with Terraform.