Unified multi-account security and compliance with Sysdig Secure and AWS Control Tower
Managing security across multiple cloud accounts can be complicated and error-prone if you’re taking a manual, piecemeal approach. As you scale, misconfigurations and missed accounts and services can leave you exposed. Automation can help you maintain speed and agility for DevOps and security teams.
To quickly onboard and manage security for multiple accounts in AWS, Sysdig has integrated its cloud and container solution with AWS Control Tower. AWS Control Tower enables the automation of structure, governance, network, and security configurations in AWS multi-account environments. Combining Sysdig Secure with AWS Control Tower, you’ll be able to manage your security posture, keeping track of AWS management events, configurations, roles, threats, and compliance to reduce risk. In this blog post, I will show you how to onboard Sysdig Secure using AWS Control Tower in a multi-account environment.
The Sysdig AWS Control Tower integration is provided by Sysdig and available as AWS CloudFormation templates and AWS Lambda functions. This open-source solution is available for customers to review in GitHub.
AWS Control Tower integration with Sysdig Secure enables customers to automatically protect existing and newly enrolled AWS accounts through ingestion of AWS CloudTrail logs. This solution orchestrates the following:
- Deployment of the Sysdig Cloud Connector Fargate infrastructure in the log archive account, including:
  - Dedicated Virtual Private Cloud (VPC), Amazon Elastic Container Service (Amazon ECS) cluster, ECS service, ECS task and role for AWS CloudTrail (CloudTrail) ingestion
  - Amazon Simple Queue Service (Amazon SQS) queue to subscribe to the CloudTrail Amazon Simple Notification Service (Amazon SNS) topic
  - AWS Systems Manager Parameter Store for token and endpoint information
  - Amazon Simple Storage Service (Amazon S3) bucket for Sysdig Cloud Connector config and logs
- Adding the SNS topic policy to the aws-controltower-AllConfigNotification SNS topic located in the audit account
- Subscribing the SQS queue to the aws-controltower-AllConfigNotification SNS topic
- Adding permissions to the Sysdig Cloud Connector Fargate task to decrypt the AWS Key Management Service (AWS KMS) key used for AWS CloudTrail encryption
The following diagram illustrates the solution architecture for the first-time setup. The AWS Control Tower admin deploys the solution in the AWS Control Tower management account's home Region. This deploys the Sysdig Cloud Connector Fargate infrastructure in the log archive account, including the dedicated VPC, ECS cluster, ECS service, ECS task and role for AWS CloudTrail ingestion. An SQS queue is deployed to subscribe to the CloudTrail SNS topic. AWS Systems Manager Parameter Store is deployed for token and endpoint information, along with an Amazon S3 bucket for Sysdig Cloud Connector config and logs.
The following diagram illustrates the solution architecture when a new account is enrolled using AWS Control Tower. Once a new account is enrolled, the already deployed solution adds the SNS topic policy to the aws-controltower-AllConfigNotification SNS topic located in the audit account. It subscribes the SQS queue in the log archive account to the aws-controltower-AllConfigNotification SNS topic. It also adds permissions to the Sysdig Cloud Connector Fargate task to decrypt the AWS KMS key used for AWS CloudTrail encryption. The Fargate cluster reads logs from the CloudTrail S3 bucket, and those logs are ingested into Sysdig Secure.
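The three cross-account wiring steps above (topic policy in the audit account, queue subscription in the log archive account, KMS decrypt permission for the task) are where least privilege matters most: the queue must accept notifications only from the one Control Tower topic, and the task role must be able to decrypt only by way of S3. The following added example is mine, not the Sysdig solution's CloudFormation or Lambda code; it constructs the policy documents as plain data so they can be reviewed offline. Account IDs, Region, queue name and role ARN are placeholders, and the `kms:ViaService` restriction is my assumption about how to scope the decrypt grant (the post only says the task is given decrypt permission).

```python
import json

TOPIC_NAME = "aws-controltower-AllConfigNotification"  # Control Tower topic named in the post


def sns_topic_policy_statement(region, audit_account, log_account):
    """Statement appended to the audit account's topic policy: only the log
    archive account may create a subscription on this topic."""
    return {
        "Sid": "AllowLogArchiveAccountSubscribe",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{log_account}:root"},
        "Action": "sns:Subscribe",
        "Resource": f"arn:aws:sns:{region}:{audit_account}:{TOPIC_NAME}",
    }


def sqs_queue_policy(region, audit_account, log_account, queue_name):
    """Policy on the queue in the log archive account. The SNS service
    principal may deliver messages, but only on behalf of the one Control
    Tower topic; without the aws:SourceArn condition any topic in any account
    could push fabricated object notifications into the ingestion queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowControlTowerTopicDelivery",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": f"arn:aws:sqs:{region}:{log_account}:{queue_name}",
            "Condition": {"ArnEquals": {
                "aws:SourceArn": f"arn:aws:sns:{region}:{audit_account}:{TOPIC_NAME}"}},
        }],
    }


def kms_decrypt_statement(region, task_role_arn):
    """Statement for the CloudTrail KMS key policy (assumed scoping): the
    Fargate task role may only decrypt, and only through S3 in this Region,
    which is the path by which encrypted log objects are read."""
    return {
        "Sid": "AllowCloudConnectorDecryptViaS3",
        "Effect": "Allow",
        "Principal": {"AWS": task_role_arn},
        "Action": "kms:Decrypt",
        "Resource": "*",  # a key policy refers to the key itself as "*"
        "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
    }


def wildcard_principal_sids(policy_or_statement):
    """Review helper: Sids of statements that grant to an open principal
    ("*" or {"AWS": "*"}) without any Condition narrowing it."""
    statements = policy_or_statement.get("Statement", [policy_or_statement])
    flagged = []
    for st in statements:
        principal = st.get("Principal")
        is_open = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if is_open and "Condition" not in st:
            flagged.append(st.get("Sid"))
    return flagged


if __name__ == "__main__":
    # Placeholder IDs; substitute the audit and log archive account IDs from step 1.6.
    policy = sqs_queue_policy("us-east-1", "111111111111", "222222222222", "sysdig-cloudtrail")
    print(json.dumps(policy, indent=2))
    print("open principals:", wildcard_principal_sids(policy))
```

The `wildcard_principal_sids` check is the one I would run over every policy the stack emits before trusting an automated enrollment flow: a queue or topic that accepts `"Principal": "*"` with no condition is reachable from any AWS account.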
Prerequisites
- You need a fully deployed AWS Control Tower. For information about setting up an AWS Control Tower landing zone, see Getting Started with AWS Control Tower.
- You need an active Sysdig Secure or Sysdig Platform account. You can subscribe to Sysdig’s free trial via AWS Marketplace and follow the instructions on AWS Marketplace to complete the registration.
- You also need administrator privileges in the AWS Control Tower management account.
Solution walkthrough: Unified multi-account security and compliance with Sysdig Secure and AWS Control Tower
Step 1: Sysdig runtime policy and AWS CloudFormation parameters
Sysdig provides a collection of runtime policies that check CloudTrail activity. In this step, I enable the Sysdig AWS best-practice runtime policy and collect the additional parameters required for the next steps.
- Navigate to your Sysdig Secure console, and from the left sidebar, select Get Started. On the right-hand panel, choose the dropdown arrow next to Connect your Cloud account.
- Copy the Sysdig Secure API Token and Sysdig Secure Endpoint URLs.
- On the left sidebar, select Policies and then select Runtime Policies. On the Runtime Policies Search panel, enter Sysdig AWS Best Practices.
- You should see Sysdig AWS Best Practices in your search results. To enable the runtime policies, select the toggle.
- Next, sign in to your AWS Control Tower management account and navigate to the AWS Control Tower console.
- In the AWS Control Tower console left panel, select Accounts. Locate the audit and log archive accounts in the list and take note of both account IDs.
Step 2: Deploy the AWS CloudFormation template
You deploy this solution using the AWS CloudFormation template. In this section, you launch the CloudFormation template provided by Sysdig.
- Sign in to the AWS Control Tower management account with an administrator role. Make sure you select the home Region where AWS Control Tower is deployed.
- Launch the CloudFormation template using the following Quick-Create link.
- In the parameter sections:
  - Enter values for Sysdig Secure Endpoint and Sysdig Secure API Token from step 1.2
  - Enter values for AWS Control Tower audit account ID and AWS Control Tower log archive account ID from step 1.6
  - Optionally, change the StackSet name and Stack name
- Select the checkbox I acknowledge that AWS CloudFormation might create IAM resources and select Create Stack. Wait until the CloudFormation stack is successfully deployed.
- This CloudFormation stack automatically launches a StackSet. Navigate to the AWS CloudFormation StackSets console and search for the Sysdig StackSet by the name you entered in step 3c.
- Select Operations and wait until the operation is completed. This operation takes 5–10 minutes to complete.
The StackSet deploys the Sysdig Cloud Connector in the log archive account and starts ingesting CloudTrail logs from all AWS Control Tower managed accounts.
Step 3: Validate the solution setup
After the deployment of the CloudFormation stack and StackSet is complete, validate that the integration is successful.
- Navigate back to the Sysdig Secure console. From the sidebar navigation, select your user name and choose Data Sources.
- The log archive account ID should be registered automatically in the list as the data source.
- Other AWS account IDs are listed here automatically once their CloudTrail logs are ingested and events are triggered.
This completes the deployment steps. Any new AWS account launched via AWS Control Tower now automatically sends its CloudTrail log to the log archive account. The Sysdig Cloud Connector ingests these logs centrally from the S3 bucket in the log archive account.
Threat detection based on CloudTrail
To identify potential security events, Sysdig analyzes the centralized AWS CloudTrail audit log events against a set of security rules based on open-source Falco. A comprehensive Sysdig AWS best practices runtime policy warns you about suspicious activity, including:
- Inline policies allowing all commands
- Accounts without MFA activated
- Access to the root account
- Public S3 buckets
- Interactive shells in containers
- Disabling security features like AWS CloudTrail or AWS Security Hub
To demonstrate the functionality, I sign in to one of the AWS Control Tower managed accounts to create a sample S3 bucket with default encryption enabled. After the S3 bucket has been created, I select the bucket properties and change the default encryption for server-side encryption to Disable.
Back in the Sysdig console, I navigate to the Insight section and select Cloud Activity console. Here I can see that my action generated a new event called Delete Bucket Encryption. From here, I can drill deeper into the events to learn more about the source of an event, the type of resource, and the user that performed this action.
The Cloud Activity console shows activity from all connected AWS accounts. I can filter my view by the account or region and select a specific time frame. To further customize the findings, I can tune the runtime policy or create my own custom Falco rule to filter and trigger an event based on logged CloudTrail events.
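To make the detection flow concrete, here is an added example of my own (not Sysdig's Falco rule set or its engine) that reads one CloudTrail log object in the form CloudTrail delivers to the log archive bucket (gzip-compressed JSON with a top-level `Records` array) and evaluates each record against three checks mirroring items in the best-practice list above: root account activity, the `DeleteBucketEncryption` event from the demo, and disabling of CloudTrail logging. The records, account IDs and IP addresses are constructed samples, and the rule names are mine.

```python
import gzip
import json

# Constructed sample records in CloudTrail's delivery format (not real log data).
SAMPLE_RECORDS = [
    {   # the action demonstrated in the post: default bucket encryption removed
        "eventTime": "2023-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketEncryption", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/demo"},
        "sourceIPAddress": "198.51.100.7", "recipientAccountId": "123456789012",
        "requestParameters": {"bucketName": "demo-bucket"},
    },
    {   # root credentials used for a console login
        "eventTime": "2023-01-01T10:01:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "198.51.100.7", "recipientAccountId": "123456789012",
    },
    {   # attempt to stop CloudTrail that IAM denied (errorCode present)
        "eventTime": "2023-01-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "awsRegion": "us-east-1", "errorCode": "AccessDenied",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/ops"},
        "sourceIPAddress": "198.51.100.8", "recipientAccountId": "123456789012",
    },
    {   # benign read, should produce no finding
        "eventTime": "2023-01-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/reader"},
        "sourceIPAddress": "198.51.100.9", "recipientAccountId": "123456789012",
    },
]
# What a log object fetched from the bucket looks like on the wire.
SAMPLE_BLOB = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())


def load_records(blob: bytes) -> list:
    """Decompress one CloudTrail log object and return its Records array."""
    return json.loads(gzip.decompress(blob))["Records"]


# (rule name, severity, predicate over one record); names are my own.
RULES = [
    ("Root account activity", "high",
     lambda r: (r.get("userIdentity") or {}).get("type") == "Root"),
    ("S3 bucket default encryption removed", "medium",
     lambda r: r.get("eventSource") == "s3.amazonaws.com"
     and r.get("eventName") == "DeleteBucketEncryption"),
    ("CloudTrail logging disabled", "high",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
     and r.get("eventName") in {"StopLogging", "DeleteTrail"}),
]


def evaluate(records: list) -> list:
    """Run every rule over every record and return one finding per match,
    carrying the fields an analyst drills into (account, Region, actor, IP)."""
    findings = []
    for rec in records:
        for name, severity, predicate in RULES:
            if predicate(rec):
                findings.append({
                    "rule": name,
                    "severity": severity,
                    "event": rec.get("eventName"),
                    "account": rec.get("recipientAccountId"),
                    "region": rec.get("awsRegion"),
                    "actor": (rec.get("userIdentity") or {}).get("arn"),
                    "source_ip": rec.get("sourceIPAddress"),
                    "bucket": (rec.get("requestParameters") or {}).get("bucketName"),
                    # A denied call is still a finding: it records an attempt
                    # that a guardrail or IAM policy blocked.
                    "succeeded": "errorCode" not in rec,
                })
    return findings


if __name__ == "__main__":
    for f in evaluate(load_records(SAMPLE_BLOB)):
        print(f"[{f['severity']}] {f['rule']}: {f['event']} by {f['actor']} "
              f"from {f['source_ip']} (succeeded={f['succeeded']})")
```

The `succeeded` flag is the caveat worth keeping when tuning rules: CloudTrail records failed API calls too, so a detection that filters on `errorCode` being absent will silently drop the denied `StopLogging` attempt, which is often the more interesting signal.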
Cleanup
Navigate to the AWS CloudFormation console in your management account and delete the stack you created in Step 2.
Conclusion
In this blog post, I showed you how to use AWS Control Tower to automate multi-account enrollment and the process of subscribing and configuring resources for running Sysdig Secure. The combined solution can help your teams improve productivity, and it simplifies management of your cloud security posture at scale on AWS. Get started now with Sysdig Secure in the AWS Marketplace.
Contents of this post were validated to work on the publishing date. The code and templates in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.