Forwarding to Amazon Kinesis Data Streams

With Amazon Kinesis Data Streams (KDS) event forwarding, you can stream data from Sysdig to a Kinesis Data Stream, and receive it directly in Amazon Web Services (AWS).

Prerequisites

To forward events to Amazon Kinesis Data Streams you will need:

  • A Kinesis Data Stream
  • An Identity and Access Management (IAM) user
  • An Access Key and Secret to authenticate Sysdig as that IAM user
  • Permission for the IAM user to publish on that stream

Configure on AWS

Prepare your AWS Console for Event Forwarding to Amazon Kinesis Data Streams. You will need an IAM User, an Access Key and Secret for authentication, and a Kinesis Data Stream.

  1. Create or identify a target Kinesis Data Stream. See Create and manage Kinesis data streams.

  2. Take note of:

  • The Amazon Resource Name (ARN) for the Kinesis Data Stream. Its format will resemble arn:aws:kinesis:us-west-2:222222222222:stream/sysdig. You will need to input this later in the Sysdig UI.
  • The Maximum record size, as you can customize this on Sysdig as well.

If the stream's maximum record size is lower than the size of a Sysdig payload, that payload is discarded and the integration reports an error.

  1. Create or identify a target AWS IAM User you want to give Sysdig access to. We recommend you create a new user for security reasons. See Creating an IAM user in your AWS account.

  2. Take note of the Amazon Resource Name (ARN) for the IAM User. Its format will resemble arn:aws:iam::111111111111:user/sysdig-efo-user.

  3. Attach an IAM Policy to allow publishing to the Kinesis Data Stream:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Sysdig0",
            "Effect": "Allow",
            "Action": [
                "kinesis:PutRecord",
                "kinesis:PutRecords"
            ],
            "Resource": [
                "arn:aws:kinesis:us-west-2:222222222222:stream/sysdig"
            ]
        }
    ]
}

  1. Create an Access Key and Secret Key for the user. See Managing access keys for IAM users.

  2. Take note of the Access Key and Secret Key. You will need to input these later in the Sysdig UI.

  3. If the Data Stream and the IAM User are in different accounts, go back to the Kinesis Data Stream and configure the stream's Access Policy to allow the target AWS IAM User to perform kinesis:PutRecord and kinesis:PutRecords on that stream. See Example resource-based policies for Kinesis Data Streams.

    The resulting policy will have Amazon Resource Names (ARNs) referencing different accounts. For example:

  • 111111111111 is the AWS IAM user account.
  • 222222222222 is the Data Stream ownerAccount.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Sysdig0",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/sysdig-efo-user"
            },
            "Action": [
                "kinesis:PutRecord",
                "kinesis:PutRecords"
            ],
            "Resource": [
                "arn:aws:kinesis:us-west-2:222222222222:stream/sysdig"
            ]
        }
    ]
}

Configure Event Forwarding

  1. Log in to Sysdig Secure as Admin and select Settings > Event Forwarding.

  2. Click +Add Integration and choose Amazon Kinesis Data Streams from the dropdown.

  3. Configure the required options:

    • Integration Name: Choose an integration name, for example, sysdig-efo-kds.
    • Access Key: Enter your IAM user’s Access Key.
    • Access Secret: Enter your IAM user’s Secret Key.
    • Owner Account: Enter the AWS account where the Data Stream is. If unspecified, Sysdig assumes it’s the same account as that of the IAM user.
    • Region: Enter the AWS region where you created the Data Stream, for example, us-west-2.
    • Stream Name: Enter the name of the target Kinesis Data Stream. Note that this is the stream name only, not the full URL or the ARN. For example: sysdig-efo-queue.
    • Max Record Size: The maximum size of a single entry sent to the Stream. It must not be higher than the value set in the Data Stream settings in AWS. Records larger than this size are discarded. Defaults to 1 MB.
    • Data to Send: Select from the dropdown the types of Sysdig data that should be forwarded. The available list depends on the Sysdig features and products you have enabled.

  4. Toggle the Enabled switch as necessary. You will need to Test Integration with the button below before enabling the integration.

  5. Click Save.

Configure Agent Local Forwarding

Review the Agent Local Forwarding configuration steps and use the following parameters for this integration.

This integration requires Host Shield 14.4.0 or higher.

| Integration Type | Attribute | Required? | Value Type | Allowed values | Default | Description |
|---|---|---|---|---|---|---|
| KINESIS_DATA_STREAMS | accessKey | yes | string | | | Access Key for authenticating on AWS to send data on the stream |
| KINESIS_DATA_STREAMS | accessSecret | yes | string | | | Access Secret for authenticating on AWS to send data on the stream |
| KINESIS_DATA_STREAMS | ownerAccount | no | string | | | The AWS Account where the stream is. If unspecified, Sysdig assumes it’s the same account as that of the IAM user. |
| KINESIS_DATA_STREAMS | token | no | string | | | Session token for authenticating on AWS to send data on the stream |
| KINESIS_DATA_STREAMS | region | yes | string | | | Region in which the stream is hosted |
| KINESIS_DATA_STREAMS | streamName | yes | string | | | Kinesis Data Stream name |
| KINESIS_DATA_STREAMS | maxRecordSize | no | int | >= 1048576, <= 10485760 | 1048576 | Maximum record size, according to what’s in AWS (or lower). |
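The following Python is an added example, not Sysdig's code and not part of this page: it derives the publish-only IAM policy and the cross-account stream access policy shown in the AWS setup from the stream and user ARNs, emits the region, streamName, ownerAccount and maxRecordSize values from the table above, and flags payloads that would exceed the record limit. The ARN shapes (12-digit account ids, stream/<name>, user/<name>) are assumed from the page's examples, and the function names are illustrative.

```python
import re

# Constructed sample ARNs in the formats the page shows; the account ids are placeholders.
STREAM_ARN = "arn:aws:kinesis:us-west-2:222222222222:stream/sysdig"
USER_ARN = "arn:aws:iam::111111111111:user/sysdig-efo-user"
# Bounds for maxRecordSize from the Agent Local Forwarding table (1 MiB .. 10 MiB).
MIN_RECORD_SIZE, MAX_RECORD_SIZE = 1048576, 10485760
_STREAM_RE = re.compile(r"^arn:aws:kinesis:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):stream/(?P<name>[^/]+)$")
_USER_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):user/(?P<name>.+)$")

def parse_arn(arn, pattern):
    """Split an ARN into its named parts, rejecting anything of the wrong shape."""
    m = pattern.match(arn)
    if not m:
        raise ValueError(f"unexpected ARN format: {arn}")
    return m.groupdict()

def identity_policy(stream_arn):
    """Policy to attach to the IAM user: publish-only, scoped to this single stream."""
    parse_arn(stream_arn, _STREAM_RE)  # refuse to scope the policy to a non-stream ARN
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Sysdig0", "Effect": "Allow",
        "Action": ["kinesis:PutRecord", "kinesis:PutRecords"],
        "Resource": [stream_arn]}]}

def resource_policy(stream_arn, user_arn):
    """Stream access policy, needed only when the user and stream are in different accounts."""
    same_account = parse_arn(stream_arn, _STREAM_RE)["account"] == parse_arn(user_arn, _USER_RE)["account"]
    if same_account:
        return None  # the identity policy alone is enough
    stmt = identity_policy(stream_arn)["Statement"][0]
    stmt["Principal"] = {"AWS": user_arn}  # only this user may put records
    return {"Version": "2012-10-17", "Statement": [stmt]}

def forwarder_settings(stream_arn, user_arn, max_record_size=MIN_RECORD_SIZE):
    """Values for the Sysdig UI fields / agent attributes, derived from the ARNs."""
    if not MIN_RECORD_SIZE <= max_record_size <= MAX_RECORD_SIZE:
        raise ValueError("maxRecordSize must be between 1048576 and 10485760")
    stream = parse_arn(stream_arn, _STREAM_RE)
    settings = {"region": stream["region"], "streamName": stream["name"],
                "maxRecordSize": max_record_size}
    if stream["account"] != parse_arn(user_arn, _USER_RE)["account"]:
        settings["ownerAccount"] = stream["account"]  # cross-account: tell Sysdig who owns the stream
    return settings

def oversized(payloads, max_record_size):
    """Payloads larger than the record limit, which the integration would discard with an error."""
    return [p for p in payloads if len(p.encode("utf-8")) > max_record_size]
```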