Terraform module that deploys the Sysdig Secure for Cloud stack in AWS.
Provides unified threat detection, compliance, forensics and analysis through these major components:

- CSPM: periodically evaluates your cloud configuration, using Cloud Custodian, against a set of benchmarks and returns the findings together with the remediation needed to fix them. Managed through the `trust-relationship` module.
- CIEM: permissions and entitlements management. Requires BOTH the `cloud-connector` and `cspm` modules.
- Cloud Threat Detection: tracks abnormal and suspicious activity in your cloud environment using rules written in the Falco rule language. Managed through the `cloud-connector` module.
For other Cloud providers check: GCP, Azure
There are several ways to deploy this in your AWS infrastructure:

- Single account on ECS: the Sysdig workload is deployed in the same account whose resources are to be watched. More info in ./examples/single-account-ecs
- Single account on an existing Kubernetes cluster: if you already own a Kubernetes cluster on AWS, you can use it to deploy Sysdig Secure for Cloud instead of the default ECS cluster. More info in ./examples/single-account-k8s
- Organizational: using an organizational CloudTrail. More info in ./examples/organizational-ecs

If no example fits your use case, feel free to call the desired modules directly.
In this use case we will ONLY deploy cspm into the target account, calling the `trust-relationship` module directly:

```hcl
provider "aws" {}

module "secure-for-cloud_example_single-account" {
  source = "draios/terraform-aws-secure-for-cloud/modules/services/trust-relationship"

  # Placeholder values. trusted_identity is the principal allowed to assume the
  # role; external_id must be presented on AssumeRole (confused-deputy guard).
  role_name        = "role_name"
  trusted_identity = "trusted_identity"
  external_id      = "id1"
}

output "role_arn" {
  value       = module.secure-for-cloud_example_single-account.cspm_role_arn
  description = "ARN of cspm role"
}
```
See the inputs summary or the main module's variables.tf file for more optional configuration.
To run this example you need to have your AWS management (master) account profile configured in the CLI, then execute:

```sh
$ terraform init
$ terraform plan
$ terraform apply
```
Notice that:

- This example will create resources that cost money. Run `terraform destroy` when you don't need them anymore.
- All created resources are tagged `product:sysdig-secure-for-cloud` and grouped under the resource group `sysdig-secure-for-cloud`.
Threat Detection
Choose one of the rules contained in the AWS Best Practices policy and trigger it in your AWS account.
E.g. 'Delete Bucket Public Access Block' can be tested easily by going to an S3 bucket > Permissions > Block public access (bucket settings) > Edit > uncheck 'Block all public access'.
Remember that if you add new rules to the policy you need to give the changes time to propagate.

In the cloud-connector logs you should then see a line similar to this:

```
A public access block for a bucket has been deleted (requesting user=OrganizationAccountAccessRole, requesting IP=x.x.x.x, AWS region=eu-central-1, bucket=***
```
If that's not working as expected, check the following:

- Are events being consumed from the SQS queue, or are they piling up (pending)?
- Are events being sent to the SNS topic?
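As an added example (not the module's or Sysdig's own code): a Python stand-in for the 'Delete Bucket Public Access Block' rule, run over constructed CloudTrail records, plus a parser for the SNS-wrapped S3 notification the connector reads from the SQS queue. The rule body, the alert format, the field choices for "requesting user" and all sample data are assumptions modelled on the log line above, not Sysdig's real Falco rule. It shows which CloudTrail fields the alert is built from, why a benign `PutPublicAccessBlock` or a denied attempt does not produce it, and what a healthy queue message should contain.

```python
# Added example (not part of the Sysdig module): a minimal stand-in for the
# 'Delete Bucket Public Access Block' rule over constructed CloudTrail records,
# plus a parser for the SNS-wrapped S3 notification the connector reads from SQS.
# Rule body, message format and all sample data are assumptions, not Sysdig's code.
import json

# Constructed CloudTrail log file (sample data, not from a real account).
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {   # the tested action: public access block removed from a bucket
        "eventSource": "s3.amazonaws.com", "eventName": "DeletePublicAccessBlock",
        "awsRegion": "eu-central-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/OrganizationAccountAccessRole/admin",
            "sessionContext": {"sessionIssuer": {"userName": "OrganizationAccountAccessRole"}}},
        "requestParameters": {"bucketName": "example-bucket"},
    },
    {   # re-enabling the block is benign and must not fire
        "eventSource": "s3.amazonaws.com", "eventName": "PutPublicAccessBlock",
        "awsRegion": "eu-central-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "requestParameters": {"bucketName": "example-bucket"},
    },
    {   # a denied attempt: CloudTrail records it too, with errorCode set
        "eventSource": "s3.amazonaws.com", "eventName": "DeletePublicAccessBlock",
        "errorCode": "AccessDenied", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob",
                         "userName": "bob"},
        "requestParameters": {"bucketName": "other-bucket"},
    },
]})

# Constructed SQS message body: SNS envelope around the S3 ObjectCreated
# notification that points the connector at a new CloudTrail log object.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:eu-central-1:123456789012:example-cloudtrail-topic",
    "Message": json.dumps({"Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "my-cloudtrail-bucket"},
               "object": {"key": "AWSLogs/123456789012/CloudTrail/eu-central-1/"
                                 "2023/01/01/123456789012_CloudTrail_eu-central-1_20230101T0000Z_abcd.json.gz"}},
    }]}),
})


def requesting_user(record):
    """'requesting user': the role name for assumed-role sessions, the IAM user
    name otherwise, falling back to the last segment of the identity ARN."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return (issuer.get("userName") or identity.get("userName")
            or identity.get("arn", "unknown").rsplit("/", 1)[-1])


def delete_public_access_block_alert(record):
    """Return the alert line for a matching record, or None.
    Failed calls (errorCode set) are skipped because the block was not actually
    removed; alerting on attempts as well is a reasonable tightening."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    if record.get("eventName") != "DeletePublicAccessBlock" or record.get("errorCode"):
        return None
    bucket = record.get("requestParameters", {}).get("bucketName", "unknown")
    return ("A public access block for a bucket has been deleted "
            f"(requesting user={requesting_user(record)}, "
            f"requesting IP={record.get('sourceIPAddress', 'unknown')}, "
            f"AWS region={record.get('awsRegion', 'unknown')}, bucket={bucket})")


def scan_cloudtrail_log(log_json):
    """Run the rule over every record of a CloudTrail log file; return the alert lines."""
    records = json.loads(log_json).get("Records", [])
    return [line for line in map(delete_public_access_block_alert, records) if line]


def cloudtrail_objects_from_sqs_body(body):
    """Unwrap the SNS envelope and return (bucket, key) of the CloudTrail log objects
    the connector would fetch; handy when inspecting messages that pile up in the
    queue with `aws sqs receive-message`. Non-notification bodies yield nothing."""
    envelope = json.loads(body)
    if envelope.get("Type") != "Notification":
        return []
    s3_event = json.loads(envelope.get("Message", "{}"))
    return [(rec["s3"]["bucket"]["name"], rec["s3"]["object"]["key"])
            for rec in s3_event.get("Records", [])
            if rec.get("eventName", "").startswith("ObjectCreated")
            and rec["s3"]["object"]["key"].endswith(".json.gz")]


if __name__ == "__main__":
    for line in scan_cloudtrail_log(SAMPLE_CLOUDTRAIL_LOG):
        print(line)
    print(cloudtrail_objects_from_sqs_body(SAMPLE_SQS_BODY))
```

Only the first record produces an alert: the `PutPublicAccessBlock` record and the `AccessDenied` attempt are filtered out. If messages are piling up in the queue, pull one with `aws sqs receive-message` and run its body through `cloudtrail_objects_from_sqs_body`: an empty result usually means the topic is delivering something other than the S3 ObjectCreated notifications for `.json.gz` CloudTrail objects the connector expects.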
A: Make sure you installed both the cspm and cloud-connector modules.

A: Build a custom Docker image of cloud-connector:

```sh
$ docker build . -t <DOCKER_IMAGE> -f ./build/cloud-connector/Dockerfile
```

and upload it to any registry (such as Docker Hub). Modify the `var.image` variable to point to your image and deploy.

A: After applying your modifications (via Terraform, for example) restart the service:

```sh
$ aws ecs update-service --force-new-deployment --cluster sysdig-secure-for-cloud-ecscluster --service sysdig-secure-for-cloud-cloudconnector --profile <AWS_PROFILE>
```
For the AWS_PROFILE, set up your ~/.aws/config to assume the organization role:

```ini
[profile secure-for-cloud]
region=eu-central-1
role_arn=arn:aws:iam::<AWS_MANAGEMENT_ORGANIZATION_ACCOUNT>:role/OrganizationAccountAccessRole
source_profile=<AWS_MANAGEMENT_ACCOUNT_PROFILE>
```
Module is maintained and supported by Sysdig.
Apache 2 Licensed. See LICENSE for full details.