AWS Marketplace

Unified multi-account security and compliance with Sysdig Secure and AWS Control Tower

Managing security across multiple cloud accounts can be complicated and error-prone if you’re taking a manual, piecemeal approach. As you scale, misconfigurations and missed accounts and services can leave you exposed. Automation can help you maintain speed and agility for DevOps and security teams.

To quickly onboard and manage security for multiple accounts in AWS, Sysdig has integrated its cloud and container solution with AWS Control Tower. AWS Control Tower enables the automation of structure, governance, network, and security configurations in AWS multi-account environments. Combining Sysdig Secure with AWS Control Tower, you’ll be able to manage your security posture, keeping track of AWS management events, configurations, roles, threats, and compliance to reduce risk. In this blog post, I will show you how to onboard Sysdig Secure using AWS Control Tower in a multi-account environment.

Solution overview

The Sysdig AWS Control Tower integration is provided by Sysdig and available as AWS CloudFormation templates and AWS Lambda functions. This open-source solution is available for customers to review in GitHub.

AWS Control Tower integration with Sysdig Secure enables customers to automatically protect existing and newly enrolled AWS accounts through ingestion of AWS CloudTrail logs. This solution orchestrates the following:

The following diagram illustrates the solution architecture for first-time setup to deploy the solution. The AWS Control Tower admin deploys the solution in the AWS Control Tower Management Account’s home Region. This deploys the Sysdig Cloud Connector Fargate infrastructure in the Log Archive account, including the dedicated VPC, ECS cluster, ECS service, ECS task and role for AWS CloudTrail ingestion. An SQS queue is deployed to subscribe to CloudTrail SNS topic. AWS Systems Manager Parameter store is deployed for token and endpoint information, along with an Amazon S3 bucket for Sysdig Cloud Connector config and logs.

The diagram illustrates the solution architecture for first time setup to deploy the solution.

The following diagram illustrates the solution architecture when a new account is enrolled using AWS Control Tower. Once a new account is enrolled using AWS Control Tower, the already deployed solution adds the SNS topic policy to aws-controltower-AllConfigNotification SNS topic, located in the Audit account. It subscribes the SQS queue in the log account to aws-controltower-AllConfigNotification SNS topic. It also adds permissions to the Sysdig Cloud Connector Fargate task to decrypt the AWS KMS key used for AWS CloudTrail encryption. The Fargate cluster read logs from CloudTrail S3 bucket, which are ingested into Sysdig Secure.

The diagram illustrates the solution architecture when a new account is enrolled using AWS Control Tower.


  • You need a fully deployed AWS Control Tower. For information about setting up an AWS Control Tower landing zone, see Getting Started with AWS Control Tower. You also need administrator privileges in the AWS Control Tower management account.
  • You need an active Sysdig Secure or Sysdig Platform account. You can subscribe to Sysdig’s free trial via AWS Marketplace and follow the instructions on AWS Marketplace to complete the registration.
  • You also need administrator privileges in the AWS Control Tower management account.

Solution walkthrough: Unified multi-account security and compliance with Sysdig Secure and AWS Control Tower

Step 1: Sysdig runtime policy and AWS CloudFormation parameters

Sysdig provides a collection of runtime policy that check against the CloudTrail activities. I will enable Sysdig AWS best-practice runtime policy and collect additional parameters that are required for the next steps.

  1. Navigate to your Sysdig Secure console, and from the left sidebar, select Get Started. On the right-hand panel, choose the dropdown arrow next to Connect your Cloud account.
  2. Copy the Sysdig Secure API Token and Sysdig Secure Endpoint URLs.
  3. On the left sidebar, select Policies and then select Runtime Policies. On the Runtime Policies Search panel, enter Sysdig AWS Best Practices.
  4. You should see Sysdig AWS Best Practices in your search results. To enable the runtime policies, select the toggle.
  5. Next, sign in to your AWS Control Tower management account and navigate to the AWS Control Tower console.
  6. In the AWS Control Tower console left panel, select Accounts. Locate the audit account and log archive accounts from the list and take note of both account IDs.

Step 2: Deploy the AWS CloudFormation template

You deploy this solution using the AWS CloudFormation template. In this section, you launch the CloudFormation template provided by Sysdig.

  1. Sign in to the management account in AWS Control Tower as admin role. Ensure you are selecting the home Region where your AWS Control Tower is deployed.
  2. Launch the CloudFormation template using the following Quick-Create link.
  3. On the parameter sections:
    • Enter values for Sysdig Secure Endpoint and Sysdig Secure API Token from step 1.2
    • Enter values for AWS Control Tower audit account ID and AWS Control Tower log archive account ID from step 1.6.
    • Optionally, you can change StackSet name and Stack name.
  4. Select the checkbox I acknowledge that AWS CloudFormation might create IAM resources and select Create Stack. Wait until the CloudFormation stack is successfully deployed.
  5. This CloudFormation stack will automatically launch a StackSet. Navigate to AWS CloudFormation StackSet console, and search for Sysdig stackset according to the parameter you entered earlier in step 3c.
  6. Select Operations and wait until the operation is completed. This operation will take 5–10 minutes to complete.

The stackset deploys Sysdig CloudConnector in the log archive account and starts to ingest CloudTrail logs from all AWS Control Tower managed accounts.

Step 3: Validate the solution setup

After the deployment of the CloudFormation stack and stackset are complete, validate that the integration is successful.

  • Navigate back to Sysdig Secure console. From the sidebar navigation, select your user name and choose Data Sources.
  • The log archive account ID should be automatically registered in the list as the data source.
  • Other AWS account IDs will be automatically listed here once the CloudTrail logs are ingested, and events are triggered.

This completes the deployment steps. Any new AWS account launched via AWS Control Tower now automatically sends its CloudTrail log to the log archive account. The Sysdig Cloud Connector ingests these logs centrally from the S3 bucket in the log archive account.

Threat detection based on CloudTrail

To identify potential security events, Sysdig analyzes the centralized AWS CloudTrail audit log events against a set of security rules based on open-source Falco. A comprehensive Sysdig AWS best practices runtime policy warns you about suspicious activity, including:

  • Inline policies allowing all commands
  • Accounts without MFA activated
  • Access to the root account
  • Public S3 buckets
  • Interactive shells in containers
  • Disabling security features like AWS CloudTrail or AWS Security Hub.

To demonstrate the functionality, I sign in to one of the AWS Control Tower managed accounts to create a sample S3 bucket with default encryption enabled. After the S3 bucket has been created, I select the bucket properties and change the default encryption for server-side encryption to Disable.

Back in the Sysdig console, I navigate to the Insight section and select Cloud Activity console. Here I can see that my action generated a new event called Delete Bucket Encryption. From here, I can drill deeper into the events to learn more about the source of an event, the type of resource, and the user that performed this action.

The Cloud Activity console shows activity from all connected AWS accounts. I can filter my view by the account or region and select a specific time frame. To further customize the findings, I can tune the runtime policy or create my own custom Falco rule to filter and trigger an event based on logged CloudTrail events.


Navigate to the AWS CloudFormation console in your management account. Delete the stack you created in Step 2.


In this blog post, I showed you how to use AWS Control Tower to automate multi-account enrollment and the process of subscribing and configuring resources for running Sysdig Secure. The combined solution can help your teams improve productivity, and it simplifies management of your cloud security posture at scale on AWS. Get started now with the Sysdig Secure in the AWS Marketplace.

Contents of this post were validated to work on the publishing date. The code and templates in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.

About the authors

About the author Manuel Boira Manuel Boira

Manuel Boira is a Strategic Partners Solutions Architect at Sysdig. He has been a software developer, solutions architect, founder of a startup and managing director of an IT company. He has built multiple applications from scratch like Online Shops, client-server solutions, booking engines or multi-tenant SaaS. Manuel loves to spend time with his family, listen to music, play his guitar and read books.

About the author Shakthi Dakuri

Shakthi is a Senior Partner Solutions Architect at AWS, working with ISV Startup Partners helping them build AWS-optimized architecture in the DevOps and Security space. Prior to AWS, Shakthi spent several years architecting and driving cloud solutions at technology companies in various industries.

About the author Welly Siauw

Welly Siauw is a Sr. Partner Solution Architect at Amazon Web Services (AWS). He spends his day working with customers and partners, solving architectural challenges. He is passionate about service integration and orchestration, serverless and artificial intelligence (AI) and machine learning (ML). He authored several AWS blogs and actively leading AWS Immersion Days and Activation Days. Welly spends his free time tinkering with espresso machine and outdoor hiking.

Author photograph - Pranjal Gururani

Pranjal Gururani is a Solutions Architect at AWS based out of Seattle. Pranjal works with various customers to architect cloud solutions that address their business challenges. He enjoys hiking, kayaking, skydiving, and spending time with family during his spare time.