Cloud Vision deployment in AWS

Terraform module that deploys the Sysdig CloudVision stack in AWS.

Currently supported cloudvision components:

• cloud-connector (organizational account only)
• cloud-scanner
• cloud-bench

For other cloud providers check:

• terraform-azure-cloudvision
• terraform-google-cloudvision

---

Notes

• all created resources will be created within the tags product:sysdig-cloudvision
• within the resource-group sysdig-cloudvision

---

Examples

Organizational Cloudvision

More info in the ./examples/organizational_cloudvision/README.md

Prerequisites

1. Have an existing AWS account as the organization master account
   • organzational cloudTrail service must be enabled
2. AWS profile credentials configuration of the master account of the organization
   • this account credentials must be able to manage cloudtrail creation

     You must be logged in with the management account for the organization to create an organization trail. You must also have sufficient permissions for the IAM user or role in the management account to successfully create an organization trail.

   • credentials will be picked from default aws profile, but can be changed vía provider profile
   • cloudvision organizational member account id, as input variable value

     org_cloudvision_account_id=<ORGANIZATIONAL_CLOUDVISION_ACCOUNT_ID>
     

3. Secure requirements, as input variable value

   sysdig_secure_api_token=<SECURE_API_TOKEN>
   

See main module variables.tf file for more optional configuration.

Usage

module "cloudvision_aws" {
  source = "sysdiglabs/cloudvision/aws"

  sysdig_secure_api_token        = "00000000-1111-2222-3333-444444444444"
  org_cloudvision_account_id     = "<ORG_MEMBER_ACCOUNT_FOR_CLOUDVISION>"
  org_cloudvision_account_region = "<REGION_CLOUDVISION_RESOURCES; eg: eu-central-1>"
}

---

Requirements

Name	Version
terraform	>= 0.14.0
aws	>= 3.50.0

Providers

Name	Version
aws	>= 3.50.0

Modules

Name	Source	Version
cloudtrail_organizational	./modules/cloudtrail_organizational
services	./modules/services

Resources

Name	Type
aws_iam_role.cloudvision_role	resource
aws_iam_role_policy.cloudtrail_s3	resource
aws_resourcegroups_group.sysdig_cloudvision	resource
aws_iam_policy_document.cloud_vision_role_trusted	data source
aws_iam_policy_document.cloudtrail_s3	data source

Inputs

Name	Description	Type	Default	Required
org_cloudvision_account_id	the account id within the organization to be used as cloudvision account	string	n/a	yes
org_cloudvision_account_region	default cloudvision member account region for services provisioning	string	n/a	yes
sysdig_secure_api_token	Sysdig Secure API token	string	n/a	yes
cloudtrail_org_is_multi_region_trail	testing/economization purpose. true/false whether cloudtrail will ingest multiregional events	bool	true	no
cloudtrail_org_kms_enable	testing/economization purpose. true/false whether s3 should be encrypted	bool	true	no
sysdig_secure_endpoint	Sysdig Secure API endpoint	string	"https://secure.sysdig.com"	no
tags	sysdig cloudvision tags	map(string)	{ "product": "sysdig-cloudvision" }	no

Outputs

No outputs.

---

Troubleshooting

• Q: How to validate cloudvision cloud-connect (thread-detection) provisioning is working as expected?
  A: Check each pipeline resource is working as expected (from high to low lvl)

  • select a rule to break manually, from the 'Sysdig AWS Best Practices' policies. for example, 'Delete Bucket Public Access Block'. can you see the event?
  • are there any errors in the ECS task logs? can also check cloudwatch logs for previous example we should see the event

    {"level":"info","component":"console-notifier","time":"2021-07-26T12:45:25Z","message":"A pulic access block for a bucket has been deleted (requesting  user=OrganizationAccountAccessRole, requesting IP=x.x.x.x, AWS  region=eu-central-1, bucket=sysdig-cloudvision-nnnnnn-config)"}
    

  • are events consumed in the sqs queue, or are they pending?
  • are events being sent to sns topic?

• Q: How to iterate cloud-connect modification testing
  A: Build a custom docker image of cloud-connect docker build . -t <DOCKER_IMAGE> -f ./build/cloud-connector/Dockerfile and upload it to any registry (like dockerhub). Modify the var.image variable to point to your image and deploy

• Q: How can I iterate ECS testing
  A: After applying your modifications (vía terraform for example) restart the service

  $ aws ecs update-service --force-new-deployment --cluster sysdig-cloudvision-ecscluster --service sysdig-cloudvision-cloudconnector --profile <AWS_PROFILE>
  

  For the AWS_PROFILE, set your ~/.aws/config to impersonate

  [profile cloudvision]
  region=eu-central-1
  role_arn=arn:aws:iam::<AWS_MASTER_ORGANIZATION_ACCOUNT>:role/OrganizationAccountAccessRole
  source_profile=<AWS_MASTER_ACCOUNT_PROFILE>
  

---

Authors

Module is maintained by Sysdig.

License

Apache 2 Licensed. See LICENSE for full details.