Forwarding to Amazon Kinesis Firehose
Prerequisites
To forward events to Amazon Kinesis Firehose you will need:
- A Kinesis Firehose Stream
- An Identity and Access Management (IAM) user
- An Access Key and Secret to authenticate Sysdig as that IAM user
- Permission for the IAM user to publish on that stream.
Configure on AWS
Prepare your AWS Console for Event Forwarding to Amazon Kinesis Firehose. You will need an IAM User, an Access Key and Secret for authentication, and a Kinesis Firehose stream.
Create or identify a target Kinesis Firehose Stream. See Tutorial: Create a Firehose stream from console. The stream Source must be “Direct PUT”.
Take note of the Amazon Resource Name (ARN) for the Kinesis Firehose stream. Its format will resemble arn:aws:firehose:us-west-2:222222222222:deliverystream/sysdig. You will need to input this later in the Sysdig UI.
Create or identify a target AWS IAM User you want to give Sysdig access to. We recommend you create a new user for security reasons. See Creating an IAM user in your AWS account.
Take note of the Amazon Resource Name (ARN) for the IAM User. Its format will resemble arn:aws:iam::111111111111:user/sysdig-efo-user. You will need to input this later to configure the permissions to access the Kinesis Firehose stream.
Attach an IAM Policy to the user to allow publishing to the Kinesis Firehose Stream, with Resource set to the ARN of your stream:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sysdig0",
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ],
      "Resource": [
        "arn:aws:firehose:us-west-2:111111111111:deliverystream/sysdig"
      ]
    }
  ]
}
Create an Access Key and Secret Key for the user. See Managing access keys for IAM users.
Take note of the Access Key and Secret Key. You will need to input these later in the Sysdig UI.
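A check you can run on the policy document before attaching it, added here as an example (it is not Sysdig or AWS code): it confirms the policy allows only firehose:PutRecord and firehose:PutRecordBatch on exactly your stream's ARN, and splits that ARN into its region and stream name. The function names and the BROAD_POLICY sample are constructed for illustration; only Allow statements are inspected, and Deny statements and Condition blocks are not evaluated.

```python
import re
from fnmatch import fnmatchcase  # '*' and '?' match as in IAM patterns

REQUIRED = {"firehose:putrecord", "firehose:putrecordbatch"}  # IAM ignores action case
ARN_RE = re.compile(r"^arn:aws[a-z-]*:firehose:([a-z0-9-]+):(\d{12}):"
                    r"deliverystream/([A-Za-z0-9_.-]{1,64})$")

def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def parse_stream_arn(arn):
    """Return (region, account_id, stream_name); raise ValueError if malformed."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Firehose stream ARN: {arn!r}")
    return m.groups()

def audit_policy(policy, stream_arn):
    """Return findings; [] means only the two publish actions, only on stream_arn."""
    parse_stream_arn(stream_arn)  # reject a malformed target early
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows more than it names")
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        findings += [f"{sid}: excess action {a}" for a in sorted(actions - REQUIRED)]
        findings += [f"{sid}: resource {r} is not exactly the target stream"
                     for r in resources if r != stream_arn]
        if any(fnmatchcase(stream_arn, r) for r in resources):
            granted |= {q for q in REQUIRED if any(fnmatchcase(q, a) for a in actions)}
    findings += [f"missing {a} on {stream_arn}" for a in sorted(REQUIRED - granted)]
    return findings

# Samples: the policy shown above, and a constructed over-broad variant.
PAGE_ARN = "arn:aws:firehose:us-west-2:111111111111:deliverystream/sysdig"
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Sysdig0", "Effect": "Allow", "Resource": [PAGE_ARN],
    "Action": ["firehose:PutRecord", "firehose:PutRecordBatch"]}]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "Broad0", "Effect": "Allow", "Action": "firehose:*", "Resource": "*"}}

if __name__ == "__main__":
    print(parse_stream_arn(PAGE_ARN), audit_policy(BROAD_POLICY, PAGE_ARN))
```

A policy whose Resource names a stream in a different account or region than the target is reported both as a resource mismatch and as missing the two publish actions.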
Configure Event Forwarding
Log in to Sysdig Secure as Admin and select Settings > Event Forwarding.
Click +Add Integration and choose Amazon Kinesis Firehose from the dropdown.
Configure the required options:
- Integration Name: Choose an integration name, for example, sysdig-efo-firehose.
- Access Key: Enter your IAM user’s Access Key.
- Access Secret: Enter your IAM user’s Secret Key.
- Region: Enter the AWS region where you created the Amazon Kinesis Firehose Stream, for example, us-west-2.
- Stream Name: Enter the name of the target Amazon Kinesis Firehose Stream. Note that this is not the full URL or the ARN, but just the name. For example: sysdig.
- Data to Send: Select from the dropdown the types of Sysdig data that should be forwarded. The available list depends on the Sysdig features and products you have enabled.
Toggle the Enabled switch as necessary. You will need to Test Integration with the button below before enabling the integration.
Click Save.
Configure Agent Local Forwarding
Review the Agent Local Forwarding configuration steps and use the following parameters for this integration.
This integration requires Host Shield 14.4.0 or higher.
| Integration Type | Attribute | Required? | Type | Allowed values | Default | Description |
|---|---|---|---|---|---|---|
| KINESIS_FIREHOSE | accessKey | yes | string | | | Access Key for authenticating on AWS to send data on the stream |
| KINESIS_FIREHOSE | accessSecret | yes | string | | | Access Secret for authenticating on AWS to send data on the stream |
| KINESIS_FIREHOSE | token | no | string | | | Session token for authenticating on AWS to send data on the stream |
| KINESIS_FIREHOSE | region | yes | string | | | Region in which the Kinesis Firehose stream is hosted |
| KINESIS_FIREHOSE | streamName | yes | string | | | Kinesis Firehose Stream name |