
AWS

1. Prerequisites

  • A Sysdig Secure administrator account.
  • An AWS user or role with permission to install IAM policies, as shown in the table below.
  • A local workstation with Terraform v1.5+ installed or access to CloudFormation.
Access | Description
IAMFullAccess | Required to create IAM Roles and associated permissions.
AWSOrganizationsReadOnlyAccess | Required to list Accounts and OUIDs in your Organization.
AWSCloudFormationFullAccess | Required to create a CloudFormation StackSet that creates IAM roles in each Account in your Organization.

Only IAMFullAccess is required for individual accounts.

2. Collect Your Account Details

  • Sign in to the AWS Console. For an Organization, ensure you sign in to your organization’s management account.
  • Expand the dropdown in the top right corner of the AWS Console and copy your Account ID. You can also get your AWS Account ID by running this command with the AWS CLI, locally or from the AWS Console terminal:
    aws sts get-caller-identity \
        --query Account \
        --output text
    
  • Optional: Organizational Unit IDs (OUIDs). By default, your entire AWS Organization is onboarded. If you want to restrict onboarding to a subset of your Organization, gather the specific OUIDs now and enter them in the following steps.
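The values collected in this step are pasted into the onboarding wizard by hand, so it is worth checking them before moving on. The following is an added example, not Sysdig's code: it validates the account ID and the comma-separated OUID list (whitespace, duplicates, and values that are not OU IDs at all, such as an account ID pasted into the wrong field), and offers a live cross-check that the CLI's current identity belongs to the account you intend to onboard. The ID formats assumed here are the ones documented in the AWS Organizations API reference; the live check shells out to the `aws sts get-caller-identity` command quoted above and needs configured credentials.

```python
"""Added example (not from the Sysdig docs): sanity-check the account details
collected in this step before entering them in the onboarding wizard.

Assumptions: account IDs are 12 digits and OU IDs match
ou-<4-32 chars>-<8-32 chars> (AWS Organizations API reference); the live
cross-check uses the AWS CLI and is only needed if you want to confirm the
identity you are signed in with.
"""
import re
import subprocess

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
OUID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")


def valid_account_id(value: str) -> bool:
    """True for a 12-digit AWS account ID (leading zeros are significant)."""
    return bool(ACCOUNT_ID_RE.match(value.strip()))


def parse_ouids(raw: str) -> tuple[list[str], list[str]]:
    """Split the comma-separated OUID field the wizard expects.

    Returns (ouids, rejected): whitespace is stripped, empty entries and
    duplicates are dropped while preserving order, and anything that is not an
    OU ID (for example an account ID or a root ID pasted by mistake) is
    returned separately so it can be corrected rather than silently ignored.
    """
    ouids: list[str] = []
    rejected: list[str] = []
    for item in raw.split(","):
        item = item.strip()
        if not item or item in ouids or item in rejected:
            continue
        (ouids if OUID_RE.match(item) else rejected).append(item)
    return ouids, rejected


def caller_account_matches(expected_account_id: str) -> bool:
    """Live check: does the CLI's current identity belong to the expected account?

    For an Organization install this should be the management account.
    Requires configured AWS credentials; not used by the offline sample below.
    """
    out = subprocess.run(
        ["aws", "sts", "get-caller-identity", "--query", "Account", "--output", "text"],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    return out == expected_account_id


if __name__ == "__main__":
    # Constructed sample input: one OUID repeated, one stray account ID.
    sample = " ou-abcd-12345678, ou-abcd-12345678 ,ou-wxyz-87654321, 123456789012"
    print("account id ok:", valid_account_id("123456789012"))
    accepted, rejected = parse_ouids(sample)
    print("OUIDs to enter:", ",".join(accepted))
    print("rejected values:", rejected)
```

Feed the accepted list to the OUID field of the wizard; anything in the rejected list needs to be looked up again in the Organizations console.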

3. Connect with Terraform

  1. Log in: Log in to Sysdig Secure.
  2. Click Integrations: Click Integrations at the bottom of the main left-hand navigation menu, and choose AWS Cloud Accounts.
  3. Choose account type: Choose whether to connect an AWS Organization or a Single Account.
  4. Enter IDs and region: For Organization accounts, in Step 2 of the wizard, enter your AWS management Account ID and select your Primary Region. For Single Accounts, enter only your AWS Account ID.
  5. Enter OUIDs: In Step 3 of the wizard, you can onboard a subset of your Organization Accounts by entering their OUIDs as a comma-separated list. Leave the field blank to onboard your entire Organization.
  6. Generate Terraform file: In Step 4 of the wizard, click Next to generate a main.tf file to use with Terraform. Copy its contents into a new file, or download the file to an empty folder on your workstation, such as /home/user/sysdig_onboarding.
  7. Execute Terraform: On your workstation, use the CLI to change to the folder containing your main.tf file and run:
     $ cd /home/user/sysdig_onboarding   # Your main.tf file location
     $ terraform init && terraform apply
  8. Complete Onboarding: When Terraform completes, click the Complete Onboarding button in the Sysdig Secure dashboard. Your newly added account will appear in the Cloud Accounts page.
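Because main.tf is generated for you and applied with credentials that hold IAMFullAccess, a practitioner normally reviews the plan before `terraform apply`: an onboarding run in an empty folder should only create resources, never update or delete anything. The script below is an added example, not part of the Sysdig documentation or provider. It assumes you first run `terraform plan -out=onboarding.tfplan` and `terraform show -json onboarding.tfplan > plan.json` in the folder holding main.tf; the JSON layout it reads (resource_changes[].address, .type and .change.actions) is Terraform's documented JSON plan format, and the sample plan embedded in it is constructed for illustration.

```python
"""Added example (not Sysdig's code): review the Terraform plan for the
generated main.tf before running `terraform apply`.

Usage:
  terraform plan -out=onboarding.tfplan
  terraform show -json onboarding.tfplan > plan.json
  python review_plan.py plan.json

Relies on Terraform's documented JSON plan format; SAMPLE_PLAN below is a
constructed stand-in so the script also runs without a real plan file.
"""
import json
import sys
from collections import defaultdict

# A fresh onboarding run should only create resources. Anything else
# (update, delete, replace) means the folder was not empty or the file changed.
EXPECTED_ACTIONS = {"create", "no-op", "read"}


def summarize_plan(plan: dict) -> dict[str, list[str]]:
    """Map each planned action (create, update, delete, ...) to resource addresses."""
    by_action: dict[str, list[str]] = defaultdict(list)
    for rc in plan.get("resource_changes", []):
        for action in rc["change"]["actions"]:
            by_action[action].append(rc["address"])
    return dict(by_action)


def review_plan(plan: dict) -> dict:
    """Return what will be created, grouped by resource type, plus every change
    that is not a plain create (updates, replacements, deletes)."""
    creates: dict[str, list[str]] = defaultdict(list)
    suspicious: list[tuple[str, list[str]]] = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if set(actions) <= EXPECTED_ACTIONS:
            if "create" in actions:
                creates[rc["type"]].append(rc["address"])
        else:
            suspicious.append((rc["address"], list(actions)))
    return {"creates": dict(creates), "suspicious": suspicious}


# Constructed sample plan (not real Terraform output): two creates and one
# delete that a fresh onboarding folder should never contain.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_iam_role.onboarding", "type": "aws_iam_role",
         "change": {"actions": ["create"]}},
        {"address": "aws_iam_role_policy_attachment.posture_audit",
         "type": "aws_iam_role_policy_attachment",
         "change": {"actions": ["create"]}},
        {"address": "aws_iam_role.legacy", "type": "aws_iam_role",
         "change": {"actions": ["delete"]}},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    report = review_plan(plan)
    for rtype, addrs in sorted(report["creates"].items()):
        print(f"create {rtype}: {', '.join(addrs)}")
    for addr, actions in report["suspicious"]:
        print(f"REVIEW {addr}: {actions}")
    # Non-zero exit lets this gate a scripted apply.
    sys.exit(1 if report["suspicious"] else 0)
```

A replacement shows up in the plan as both "delete" and "create" on one resource, so it is reported as suspicious rather than counted as a create.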

4. Connect with CloudFormation

  • Log in to Sysdig Secure.
  • In a separate browser window, log in to your AWS Account. For Organization installs, be sure to log in to your Organization's Management Account.
  • For Organization accounts, in Step 2, enter your AWS management account ID and your OUID(s). For a Single Account, enter only your AWS Account ID.
  • In Step 3, click the Launch Stack button. This switches you to the AWS Console browser window. Follow any prompts in AWS to deploy the required resources, and be sure to check the acknowledgements in the AWS Capabilities section.
  • When CloudFormation completes, click the Complete Onboarding button in the Sysdig dashboard. Your newly added account will appear in the Cloud Accounts page.

5. Check the Connection

  • To validate your AWS connection, navigate to Sysdig Secure’s Integrations > Environments > AWS.
  • Click the Added On column heading to show the most recently added account on top.
  • The Status column shows the overall connection status:
    • Connected
    • Error
    • Needs Attention
    • Unknown
Select the desired AWS account to review the individual services in the detail drawer. There you can view the status of each feature you’ve enabled.
CSPM Status | Description
Healthy | The account has been successfully connected, and all the resources have been scanned.
Needs Attention | Some features are not working properly.
Error | Authentication or collection errors, for example:
  • Invalid account ID
  • Invalid client secret
  • Invalid access credentials
  • Access token errors
  • A Deny policy created by the user is preventing Sysdig from collecting resources
  • The scan takes too long and eventually times out
  • Unknown error

Further Reading

Permissions Granted to Sysdig

The installation above creates two IAM Roles that Sysdig can assume. These Roles have the following permissions:
  • A role named sysdig-secure-onboarding-XXXX, used to manage the base integration with Sysdig
    • AWSAccountManagementReadOnlyAccess
    • AWSOrganizationsReadOnlyAccess (Organizational install)
  • A role named sysdig-secure-posture-XXXX, used to collect an inventory of cloud resources and perform CSPM
    • SecurityAudit
    • A Custom IAM Policy containing the following permissions:
      • account:GetContactInformation
      • elasticfilesystem:DescribeAccessPoints
      • lambda:GetFunction
      • lambda:GetRuntimeManagementConfig
      • macie2:ListClassificationJobs
      • waf-regional:ListRuleGroups
      • waf-regional:ListRules
      • bedrock:ListAgents
      • bedrock:GetAgent
      • bedrock:ListKnowledgeBases
      • bedrock:GetKnowledgeBase
      • bedrock:ListGuardrails
      • bedrock:GetGuardrail
      • bedrock:GetModelInvocationLoggingConfiguration
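The list above is the contract the posture role should satisfy, and a security team typically checks it after onboarding and again periodically, since a later change to the custom policy (an added action, or a `service:*` wildcard) widens what the role can do without the list changing. The script below is an added example, not Sysdig's code. It takes the managed policy names attached to the role and its inline policy documents, as returned by `aws iam list-attached-role-policies --role-name <role>`, `aws iam list-role-policies --role-name <role>` and `aws iam get-role-policy --role-name <role> --policy-name <name>`, and reports drift against the documented set. The role and policy names are placeholders (the page only gives the pattern sysdig-secure-posture-XXXX), and the sample input is constructed to show what a drift report looks like.

```python
"""Added example (not Sysdig's code): compare the sysdig-secure-posture-XXXX
role's actual permissions with the set documented on this page.

Inputs come from the AWS CLI (names here are placeholders):
  aws iam list-attached-role-policies --role-name sysdig-secure-posture-XXXX
  aws iam list-role-policies         --role-name sysdig-secure-posture-XXXX
  aws iam get-role-policy --role-name sysdig-secure-posture-XXXX --policy-name <inline policy name>
The sample data at the bottom is constructed to demonstrate a drift report.
"""
import fnmatch

# Managed policy and custom actions listed on this page for the posture role.
EXPECTED_MANAGED = {"SecurityAudit"}
EXPECTED_ACTIONS = {
    "account:GetContactInformation",
    "elasticfilesystem:DescribeAccessPoints",
    "lambda:GetFunction",
    "lambda:GetRuntimeManagementConfig",
    "macie2:ListClassificationJobs",
    "waf-regional:ListRuleGroups",
    "waf-regional:ListRules",
    "bedrock:ListAgents",
    "bedrock:GetAgent",
    "bedrock:ListKnowledgeBases",
    "bedrock:GetKnowledgeBase",
    "bedrock:ListGuardrails",
    "bedrock:GetGuardrail",
    "bedrock:GetModelInvocationLoggingConfiguration",
}


def _as_list(value):
    """IAM allows a string or a list in Statement and Action; normalize to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_doc: dict) -> set:
    """Collect every Action granted by Allow statements (Deny statements are ignored)."""
    actions = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def audit_posture_role(attached_policy_names, inline_policy_docs,
                       expected_managed=EXPECTED_MANAGED,
                       expected_actions=EXPECTED_ACTIONS) -> dict:
    """Report managed policies and actions that are missing or unexpected.

    Wildcard actions are listed separately: a single "lambda:*" covers the two
    documented lambda actions but also every other lambda call, so it is never
    treated as equivalent to the explicit list.
    """
    attached = set(attached_policy_names)
    granted = set()
    for doc in inline_policy_docs:
        granted |= allowed_actions(doc)
    wildcards = {a for a in granted if "*" in a}
    # Expected actions reachable only through a wildcard count as granted.
    covered = {e for e in expected_actions
               if any(fnmatch.fnmatchcase(e, w) for w in wildcards)}
    return {
        "missing_managed": sorted(expected_managed - attached),
        "extra_managed": sorted(attached - expected_managed),
        "missing_actions": sorted(expected_actions - granted - covered),
        "extra_actions": sorted(granted - expected_actions - wildcards),
        "wildcard_actions": sorted(wildcards),
    }


# Constructed sample: an extra managed policy, one documented action dropped,
# and an inline statement that adds a wildcard and an unrelated S3 action.
SAMPLE_ATTACHED = ["SecurityAudit", "AdministratorAccess"]
SAMPLE_INLINE = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": sorted(EXPECTED_ACTIONS - {"lambda:GetFunction",
                                              "lambda:GetRuntimeManagementConfig",
                                              "macie2:ListClassificationJobs"}),
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:*", "s3:GetObject"], "Resource": "*"},
    ],
}]

if __name__ == "__main__":
    for key, value in audit_posture_role(SAMPLE_ATTACHED, SAMPLE_INLINE).items():
        print(f"{key}: {value}")
```

An empty report in every field means the role still matches this page; anything in extra_managed, extra_actions or wildcard_actions is a finding to raise with whoever changed the role.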

Identities

Two AWS identities are required in the onboarding process:
  • Installer: Either an AWS user or a role used to perform the onboarding. Sysdig does not have access to this identity.
  • Sysdig: A set of IAM Roles created during onboarding, each scoped to the specific permissions listed above. Sysdig is given access to these roles.
(Original: https://docs.sysdig.com/en/sysdig-secure/connect-aws/)