{"id":21392174,"url":"https://github.com/sysdiglabs/terraform-aws-secure-for-cloud","last_synced_at":"2025-07-13T18:31:00.559Z","repository":{"id":37757109,"uuid":"353307219","full_name":"sysdiglabs/terraform-aws-secure-for-cloud","owner":"sysdiglabs","description":"Terraform module that deploys the Sysdig Secure For Cloud stack in AWS","archived":false,"fork":false,"pushed_at":"2024-04-09T18:29:48.000Z","size":9272,"stargazers_count":13,"open_issues_count":8,"forks_count":26,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-04-09T23:17:55.892Z","etag":null,"topics":["aws","sysdig-secure","terraform","terraform-modules"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/sysdiglabs/secure-for-cloud/aws/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sysdiglabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-03-31T09:53:32.000Z","updated_at":"2024-03-20T20:57:22.000Z","dependencies_parsed_at":"2024-04-09T19:47:14.852Z","dependency_job_id":"5cffbebe-7941-4516-9e19-991fdf25f590","html_url":"https://github.com/sysdiglabs/terraform-aws-secure-for-cloud","commit_stats":null,"previous_names":[],"tags_count":45,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fterraform-aws-secure-for-cloud","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fterraform-aws-secure-for-cloud/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fterra
form-aws-secure-for-cloud/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fterraform-aws-secure-for-cloud/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sysdiglabs","download_url":"https://codeload.github.com/sysdiglabs/terraform-aws-secure-for-cloud/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225908305,"owners_count":17543475,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","sysdig-secure","terraform","terraform-modules"],"created_at":"2024-11-22T13:39:29.208Z","updated_at":"2024-11-22T13:39:29.984Z","avatar_url":"https://github.com/sysdiglabs.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sunset Notice\n\n\u003e [!CAUTION]\n\u003e Sysdig released a new onboarding experience for AWS in September 2024. 
We recommend connecting your cloud accounts by [following these instructions](https://docs.sysdig.com/en/docs/sysdig-secure/connect-cloud-accounts/).\n\u003e\n\u003e This repository should be used solely in cases where Agentless Threat Detection cannot be used.\n\n## Usage\n\nThere are several ways to deploy Agent-based Cloud Detection and Response (CDR) in your AWS infrastructure:\n  - [Single Account on ECS](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-ecs/)\n  - [Single Account on AppRunner](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-apprunner/)\n  - [Single-Account with a pre-existing Kubernetes Cluster](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-k8s/)\n  - [Organizational](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/organizational/)\n\nIf you're unsure about how to use this module, please contact your Sysdig representative. Our experts will guide you through the process and assist you in setting up your account securely and correctly.\n\n## Required Permissions\n\n### Provisioning Permissions\n\nThe Terraform provider credentials/token require `Administrative` permissions in order to create the\nresources specified in the per-example diagram.\n\nSome components may vary, or may be deployed on different accounts (depending on the example). You can check the full list of resources in the \"Resources\" section of each module's README. 
You can also check our source code and suggest changes.\n\nThis is an overall schema of the **created resources** for the default setup.\n\n- Cloudtrail / SNS / S3 / SQS / KMS\n- SSM Parameter for Sysdig API Token Storage\n- Sysdig Workload: ECS / AppRunner creation (K8s cluster is pre-required, not created)\n  - each compute solution requires a role to assume for execution\n- CodeBuild for on-demand image scanning\n- Sysdig role for [Compliance](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/services/cloud-bench)\n\n### Runtime Permissions\n\nNote: extra permissions required for service wiring are not stated here (ex.: ECS service requires a runtime and execution role)\n\n**Compliance**\n\nIAM Role and IAM Policies (`arn:aws:iam::aws:policy/SecurityAudit`) to allow Sysdig to run Compliance tasks. More details in its module [cloud-bench](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench)\n\n```shell\nsts:AssumeRole\n```\n\n**Threat-Detection specific**\n\n```shell\nssm:GetParameters\n\nsqs:ReceiveMessage\nsqs:DeleteMessage\n\ns3:ListBucket\ns3:GetObject\n```\n\n**Image-Scanning specific**\n\n```shell\n# all scanning types\ncodebuild:StartBuild\n\n# deploy_image_scanning_ecs\necs:DescribeTaskDefinition\n\n# deploy_image_scanning_ecr\necr:GetAuthorizationToken\necr:BatchCheckLayerAvailability\necr:GetDownloadUrlForLayer\necr:GetRepositoryPolicy\necr:DescribeRepositories\necr:ListImages\necr:DescribeImages\necr:BatchGetImage\necr:GetLifecyclePolicy\necr:GetLifecyclePolicyPreview\necr:ListTagsForResource\necr:DescribeImageScanFindings\n```\n- Other Notes:\n  - [Runtime AWS IAM permissions in JSON Statement format](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/resources/sfc-policy.json)\n  - only Sysdig workload-related permissions are specified above; infrastructure internal resource permissions (such as Cloudtrail permissions to 
publish on SNS, or SNS-SQS Subscription)\n  are not detailed.\n  - For better security, permissions are resource-pinned instead of `*`\n  - Check [Organizational Use Case - Role Summary](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/organizational/README.md#role-summary) for more details\n\n\n\u003cbr/\u003e\n\n## Confirm the Services are Working\n\nCheck the official documentation on [Secure for cloud - AWS, Confirm the Services are working](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-aws/#confirm-the-services-are-working)\n\n### General\n\nGenerally speaking, a triggered situation (threat or image-scanning) should be checked in the following places (from the more functional side to the more technical):\n- Secure UI \u003e Events / Insights / ...\n- Cloud-Connector Logs - to access logs in AWS, visit Cloudwatch \u003e LogGroup \u003e sysdig or cloudconnector\n- Cloudtrail \u003e Event History\n\n### Forcing Events - Threat Detection\n\nChoose one of the rules contained in an activated Runtime Policy for AWS, such as the `Sysdig AWS Activity Logs` policy, and execute it in your AWS account.\nex.: 'Delete Bucket Public Access Block' can be easily tested by going to\n`S3 bucket \u003e Permissions \u003e Block public access (bucket settings) \u003e edit \u003e\nuncheck 'Block all public access'`\n\nRemember that in case you add new rules to the policy you need to give it time to propagate the changes.\n\nIn the `cloud-connector` logs you should see logs similar to this (within the `console-notifier` component log)\n\u003e A public access block for a bucket has been deleted (requesting  user=OrganizationAccountAccessRole, requesting IP=x.x.x.x, AWS  region=eu-central-1, bucket=***\n\nIf that's not working as expected, some other questions can be checked:\n- are events consumed in the SQS queue, or are they pending?\n- are events being sent to the SNS topic?\n\n\nIn `Secure \u003e Events` you should see the event 
coming through, but beware you may need to activate specific levels such as `Info` depending on the rule you're firing.\n\nAlternatively, a Terraform example module that triggers the **Create IAM Policy that Allows All** event can be found in [examples/trigger-events](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/test/trigger-events).\n\n### Forcing Events - Image Scanning\n\n:warning: Image scanning is not activated by default.\nEnsure you have the [required scanning enablers](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-aws/#enabling-image-scanner) in place.\n\nWhen scanning is activated, you should see the following lines in the cloud-connector compute component logs\n```\n{\"component\":\"ecs-action\",\"message\":\"starting Cloud Scanning ECS action\"}\n{\"component\":\"ecr-action\",\"message\":\"starting Cloud Scanning ECR action\"}\n```\n\n  - For ECR image scanning, upload any image to an ECR repository in AWS. CLI instructions can be found in the AWS console.\n\n    It may take some time, but you should see logs detecting the new image in the ECR repository\n    ```\n    {\"component\":\"ecr-action\",\"message\":\"processing detection {\\\"account\\\":\\\"***\\\",\\\"image\\\":\\\"***.dkr.ecr.us-east-1.amazonaws.com/myimage:tag\\\",\\\"region\\\":\\\"us-east-1\\\"}. 
source=aws_cloudtrail\"}\n    {\"component\":\"ecr-action\",\"message\":\"starting ECR scanning for ***.dkr.ecr.us-east-1.amazonaws.com/myimage:tag at account ‘***’ region ‘us-east-1’\"}\n    ```\n    and a CodeBuild project being launched successfully\n\n  - For ECS running-image scanning, deploy any task in your own cluster, or in the one that we create to deploy our workload (ex.: the `amazon/amazon-ecs-sample` image).\n\n    It may take some time, but you should see logs detecting the new image in the ECS cloud-connector task\n\n    ```\n    {\"component\":\"ecs-action\",\"message\":\"processing detection {\\\"account\\\":\\\"***\\\",\\\"region\\\":\\\"eu-west-3\\\",\\\"taskDefinition\\\":\\\"apache:1\\\"}. source=aws_cloudtrail\"}\n    {\"component\":\"ecs-action\",\"message\":\"analyzing task 'apache:1' in region 'eu-west-3'\"}\n    {\"component\":\"ecs-action\",\"message\":\"starting ECS scanning for container index 0 in task 'apache:1'\"}\n    ```\n    and a CodeBuild project being launched successfully\n\n\u003cbr/\u003e\u003cbr/\u003e\n\n## Troubleshooting\n\n### Q-Terraform 1.3: Getting error \"Error: Plugin did not respond\"\nA: This seems to be a bug in some providers\n\u003cbr/\u003eS: Upgrade to Terraform [1.3.1](https://github.com/hashicorp/terraform/blob/v1.3.1/CHANGELOG.md)\n\n### Q-Debug: Need to modify cloud-connector config (to troubleshoot with `debug` loglevel, modify ingestors for testing, ...)\nA: In both ECS and AppRunner workload types, the cloud-connector configuration is passed as a base64-encoded string through the env var `CONFIG`\n\u003cbr/\u003eS: Get the current value, decode it, edit the desired value (ex.: `logging: debug`), encode it again, and redeploy the workload with this new definition.\n\u003cbr/\u003eFor information on all the modifiable configuration, see the [Cloud-Connector Chart](https://charts.sysdig.com/charts/cloud-connector/#configuration-detail) reference\n\n### Q-General: I'm not able to see any data\nA: The solution depends on Cloudtrail delivery 
times\n\u003cbr/\u003eS: Wait at least 15 minutes [as specified in the official AWS documentation](https://aws.amazon.com/cloudtrail/faqs/#Event_payload.2C_Timeliness.2C_and_Delivery_Frequency)\n\u003cbr/\u003eFor Identity and Access Management, once connected it will start in [learning mode](https://docs.sysdig.com/en/docs/sysdig-secure/posture/identity-and-access/#understanding-learning-mode-and-disconnected-states)\n\n### Q-CIEM: I'm not able to see Cloud Infrastructure Entitlements Management (CIEM) results\nA: Make sure you installed both the [cloud-bench](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-bench) and [cloud-connector](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/modules/services/cloud-connector) modules\n\n### Q-Scanning: I'm not able to see any image scanning results\nA: Several steps need to be checked\n\u003cbr/\u003eS: First, image scanning is not activated by default. Ensure you have the [required scanning enablers](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-aws/#enabling-image-scanner) in place.\n\u003cbr/\u003eCurrently, images are scanned on registry/repository push events, and on the supported compute services on deployment. 
Make sure these events are triggered.\n\u003cbr/\u003eDig into the secure-for-cloud compute log (cloud-connector) and check for errors.\n\u003cbr/\u003eIf the previous logs are OK, check the [spawned scanning service](http://localhost:1313/en/docs/sysdig-secure/sysdig-secure-for-cloud/#summary) logs\n\n### Q-AWS-Scanning: Images pushed to Management Account ECR are not scanned\nA: We don’t scan images from the management account ECR because it is [not a best practice](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-use) to have an ECR in this account.\n\u003cbr/\u003eS: The following role has to be created in the management account\n- Role Name: **OrganizationAccountAccessRole**\n- Permissions Policies:\n  ```json\n  {\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"CustomPolicy\",\n            \"Effect\": \"Allow\",\n            \"Action\": \"ecr:GetAuthorizationToken\",\n            \"Resource\": \"*\"\n        }\n    ]\n  }\n  ```\n- Trust Relationships:\n  ```json\n  {\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n                \"AWS\": \"arn:aws:iam::\u003cORG_MANAGEMENT_ACCOUNT_ID\u003e:root\"\n            },\n            \"Action\": \"sts:AssumeRole\"\n        }\n    ]\n  }\n  ```\n\n### Q-General: Getting error \"Error: cannot verify credentials\" on \"sysdig_secure_trusted_cloud_identity\" data\nA: This happens when the Sysdig credentials are not working correctly.\n\u003cbr/\u003eS: Check that the sysdig provider block is correctly configured with the `sysdig_secure_url` and `sysdig_secure_api_token` variables\nwith the correct values. 
Check [Sysdig SaaS per-region URLs if required](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges)\n\n### Q-General-Networking: What are the requirements for the inbound/outbound connection?\nA: Refer to [Sysdig SaaS Region and IP Ranges Documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/) to get the Sysdig SaaS endpoint and allow both outbound (for compute vulnerability report) and inbound (for scheduled compliance checkups)\n\u003cbr/\u003eAn ECS-type deployment will create the following [security-group setup](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/services/cloud-connector-ecs/sec-group.tf)\n\n### Q-AWS: Getting Error \"BadRequestException: Cannot create group: group already exists\"\nA: This happens when a previous installation of secure-for-cloud exists. On each account where Sysdig has to create resources, it will create a grouping resource-group using the `name` variable (defaulting to `sfc` in the main examples).\n\u003cbr/\u003eS: Remove the previous installation, or if multiple setups are required, use the `name` variable to change the resource-group name.\n\n### Q-AWS: In the ECS compute flavor of secure for cloud, I don't see any logs in the cloud-connector component\nA: This may be due to the task not being able to start, normally due to not having enough permissions to even fetch the Secure API token stored in the AWS SSM service.\n\u003cbr/\u003eS: Access the task and see if there is any value in the \"Stopped Reason\" field.\n\n### Q-AWS: Getting error \"Error: failed creating ECS Task Definition: ClientException: No Fargate configuration exists for given values.\"\nA: Your ECS task_size values aren't valid for Fargate. 
Specifically, your `mem_limit` value is too big for the `cpu_limit` you specified\n\u003cbr/\u003eS: Check the [supported task CPU and memory values](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html)\n\n### Q-AWS: Getting error \"404 Invalid parameter: TopicArn\" when trying to reuse an existing cloudtrail-sns\n\n```text\n│ Error: error creating SNS Topic Subscription: InvalidParameter: Invalid parameter: TopicArn\n│ \tstatus code: 400, request id: 1fe94ceb-9f58-5d39-a4df-169f55d25eba\n│\n│   with module.cloudvision_aws_single_account.module.cloud_connector.module.cloud_connector_sqs.aws_sns_topic_subscription.this,\n│   on ../../../modules/infrastructure/sqs-sns-subscription/main.tf line 6, in resource \"aws_sns_topic_subscription\" \"this\":\n│    6: resource \"aws_sns_topic_subscription\" \"this\" {\n```\n\nA: In order to subscribe to an SNS topic, the SQS queue must be in the same region\n\u003cbr/\u003eS: Change the `aws` provider `region` variable so that all resources use the same region\n\n### Q-AWS: Getting error \"400 availabilityZoneId is invalid\" when creating the ECS subnet\n```text\n│ Error: error creating subnet: InvalidParameterValue: Value (apne1-az3) for parameter availabilityZoneId is invalid. Subnets can currently only be created in the following availability zones: apne1-az1, apne1-az2, apne1-az4.\n│ \tstatus code: 400, request id: 6e32d757-2e61-4220-8106-22ccf814e1fe\n│\n│   with module.vpc.aws_subnet.public[1],\n│   on .terraform/modules/vpc/main.tf line 376, in resource \"aws_subnet\" \"public\":\n│  376: resource \"aws_subnet\" \"public\" {\n```\n\nA: For the ECS workload deployment, a VPC is created under the hood. 
Some AWS zones, such as 'apne1-az3' in the 'ap-northeast' region, do not support NAT, which is activated by default.\n\u003cbr/\u003eS: Specify the desired availability zones for the vpc module explicitly, using the `ecs_vpc_region_azs` variable, to work around the error until AWS supports your region.\n\n\n### Q-AWS: I get a 400 API error AuthorizationHeaderMalformed on the Sysdig workload ECS Task\n\n```text\nerror while receiving the messages: error retrieving from S3 bucket=crit-start-trail: operation error S3: GetObject,\nhttps response error StatusCode: 400, RequestID: ***, HostID: ***,\napi error AuthorizationHeaderMalformed: The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential.\"}\n```\nA: When the S3 bucket where cloudtrail events are stored is not in the same account as the one where the Cloud Connector workload is deployed, the\nuse of the [`assumeRole` configuration](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/services/cloud-connector/s3-config.tf#L30) is required.\nThis error happens when the ECS `TaskRole` has no permission to assume that role\n\u003cbr/\u003eS: Grant `sts:AssumeRole` permission to the role used.\n\n\n### Q-AWS: Getting error 409 `EntityAlreadyExists`\n\nA: Probably you, or someone else in the same environment, already deployed a resource with the sysdig terraform module and a naming collision is happening.\n\u003cbr/\u003eS: If you want to maintain several versions, make use of the [`name` input var of the examples](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-ecs#input_name)\n\n### Q-AWS-Datasources: I'm not able to see my account alias in the `Data Sources \u003e Cloud` page\nA: There are several possible causes.\n\u003cbr/\u003eCheck that your aws account has an alias set up. 
It's not the same as the account name.\n```bash\n$ aws iam list-account-aliases\n```\nIf that looks good, check that the `deploy_benchmark` flag is enabled on your account, so that the trust relationship between Sysdig and your cloud infrastructure is enabled.\nTo validate the trust relationship, the following API call should return no errors.\n```shell\n$ curl -v https://\u003cSYSDIG_SECURE_ENDPOINT\u003e/api/cloud/v2/accounts/\u003cAWS_ACCOUNT_ID\u003e/validateRole \\\n--header 'Authorization: Bearer \u003cSYSDIG_SECURE_API_TOKEN\u003e'\n```\n\n### Q-Runtime Threat Detection: Getting error 403 `\"could not load rule set from Sysdig Secure: ruleprovider#newPartialRuleSet | error loading default-rules: error from Sysdig Secure API: 403`\n\nA: The Sysdig user that deployed the components is a standard user within the Sysdig Platform. Only administrator users are given permissions to read falco rule sets. Once this permission is changed, you should no longer get this error and CSPM Cloud events should start populating.\n\n\u003cbr/\u003e\u003cbr/\u003e\n\n## Upgrading\n\n1. Uninstall previous deployment resources before upgrading\n   ```\n   $ terraform destroy\n   ```\n\n2. Upgrade the full terraform example with\n   ```\n   $ terraform init -upgrade\n   $ terraform plan\n   $ terraform apply\n   ```\n\n- If the event-source is created through SFC, some events may get lost while upgrading with this approach. However, if the cloudtrail is re-used (normal production setup) events will be recovered once the ingestion resumes.\n\n- If required, you can upgrade the cloud-connector component by restarting the task (stop task). Because it's not pinned to a specific version, it will download the `latest` one.\n\n\u003cbr/\u003e\n\n## Authors\n\nThis module is maintained and supported by [Sysdig](https://sysdig.com).\n\n## License\n\nApache 2 Licensed. 
See LICENSE for full details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fterraform-aws-secure-for-cloud","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysdiglabs%2Fterraform-aws-secure-for-cloud","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fterraform-aws-secure-for-cloud/lists"}