Sysdig AWS Control Tower
https://github.com/sysdiglabs/aws-control-tower-integration


# :no_entry: This repository is [DEPRECATED] and will be archived.
To access the AWS deployment options, please see the Sysdig documentation for AWS: https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-aws/

# Sysdig AWS Control Tower Integration

This repo provides an example integration of Sysdig CloudConnector (real-time threat investigation based on CloudTrail) inside an AWS Control Tower environment.

## Architecture

![Architecture Diagram](sysdig-ct-architecture.png)

This solution uses the existing AWS Control Tower infrastructure and centralizes CloudTrail log collection in the `log archive` account. CloudTrail logs from existing linked accounts and from accounts vended in the future are automatically ingested.

## Getting Started

Run the following command in your AWS Control Tower management account (requires administrator privileges):

```bash
aws cloudformation create-stack --stack-name Sysdig-CT --template-url https://cf-templates-cloudvision-controltower.s3.amazonaws.com/sysdig/templates/sysdig_ct_onboarding.yaml --parameters file://params.json --capabilities CAPABILITY_NAMED_IAM
```

Example of the `params.json`:

```json
[
  {
    "ParameterKey": "SysdigSecureEndpoint",
    "ParameterValue": "CHANGE WITH YOUR SYSDIG ENDPOINT, i.e. https://us2.app.sysdig.com"
  },
  {
    "ParameterKey": "SysdigSecureAPIToken",
    "ParameterValue": "REDACTED - CHANGE WITH YOUR SYSDIG TOKEN"
  },
  {
    "ParameterKey": "StackSetName",
    "ParameterValue": "Sysdig-Secure-CT"
  },
  {
    "ParameterKey": "StackSetUrl",
    "ParameterValue": "https://cf-templates-cloudvision-controltower.s3.amazonaws.com/sysdig/templates/sysdig_ct_stackset.yaml"
  },
  {
    "ParameterKey": "QSS3BucketName",
    "ParameterValue": "cf-templates-cloudvision-controltower"
  },
  {
    "ParameterKey": "QSS3KeyPrefix",
    "ParameterValue": "sysdig/"
  },
  {
    "ParameterKey": "AuditAccount",
    "ParameterValue": "CHANGE WITH YOUR AWS CT AUDIT ACCOUNT"
  },
  {
    "ParameterKey": "LogArchiveAccount",
    "ParameterValue": "CHANGE WITH YOUR AWS CT LOG ARCHIVE ACCOUNT"
  }
]
```
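Because `params.json` carries the Sysdig API token and the two Control Tower account IDs, a pre-flight check before `create-stack` catches template placeholders that were left in place and stops a stack from being created with bad values. The validator below is an added example, not code from this repository: the parameter keys and placeholder text come from the README's example above, while the account IDs and token in the sample are constructed.

```python
import re

# ParameterKeys the onboarding stack expects, taken from the README's params.json example.
REQUIRED_KEYS = {
    "SysdigSecureEndpoint", "SysdigSecureAPIToken", "StackSetName", "StackSetUrl",
    "QSS3BucketName", "QSS3KeyPrefix", "AuditAccount", "LogArchiveAccount",
}
ACCOUNT_ID = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits
PLACEHOLDER = re.compile(r"CHANGE WITH|REDACTED", re.IGNORECASE)  # README stub text
CHECKS = {  # key -> (predicate, message) applied once the generic checks pass
    "SysdigSecureEndpoint": (lambda v: v.startswith("https://"), "must be an https:// URL"),
    "StackSetUrl": (lambda v: v.startswith("https://") and v.endswith(".yaml"),
                    "must be an https:// URL to a .yaml template"),
    "AuditAccount": (ACCOUNT_ID.match, "is not a 12-digit AWS account ID"),
    "LogArchiveAccount": (ACCOUNT_ID.match, "is not a 12-digit AWS account ID"),
}

def validate_params(params):
    """Return the list of problems in a parsed params.json list; empty means OK."""
    values = {e.get("ParameterKey"): e.get("ParameterValue") for e in params}
    keys = set(values)
    problems = [f"missing key {k}" for k in sorted(REQUIRED_KEYS - keys)]
    problems += [f"unknown key {k}" for k in sorted(keys - REQUIRED_KEYS, key=str)]
    good = set()  # keys that passed every per-key check
    for key in sorted(REQUIRED_KEYS & keys):
        value = values[key]
        if not isinstance(value, str) or not value.strip():
            problems.append(f"empty value for {key}")
        elif PLACEHOLDER.search(value):
            problems.append(f"template placeholder left in {key}")
        elif key in CHECKS and not CHECKS[key][0](value):
            problems.append(f"{key} {CHECKS[key][1]}")
        else:
            good.add(key)
    # Control Tower's Audit and Log Archive accounts are two separate accounts.
    if {"AuditAccount", "LogArchiveAccount"} <= good and values["AuditAccount"] == values["LogArchiveAccount"]:
        problems.append("AuditAccount and LogArchiveAccount must be different accounts")
    return problems

# Constructed sample (account IDs and token are made up) that passes every check.
GOOD_PARAMS = [{"ParameterKey": k, "ParameterValue": v} for k, v in {
    "SysdigSecureEndpoint": "https://us2.app.sysdig.com",
    "SysdigSecureAPIToken": "constructed-token-not-real",
    "StackSetName": "Sysdig-Secure-CT",
    "StackSetUrl": "https://cf-templates-cloudvision-controltower.s3.amazonaws.com/sysdig/templates/sysdig_ct_stackset.yaml",
    "QSS3BucketName": "cf-templates-cloudvision-controltower",
    "QSS3KeyPrefix": "sysdig/",
    "AuditAccount": "111111111111",
    "LogArchiveAccount": "222222222222",
}.items()]
```

Keep the filled-in `params.json` out of version control, since it holds the Sysdig API token in clear text.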

## Build

To build this solution:
- git clone `https://github.com/wellsiau-aws/sysdig-ct-integration.git`
- Locate the `Makefile` in the root directory
- Update the `BUCKET_PREFIX` with your own S3 bucket (requires public read)
- Run `make build`
- Run `make upload`
- Launch the onboarding stack: `aws cloudformation create-stack --stack-name Sysdig-CT --template-url https://[BUCKET_PREFIX].s3.amazonaws.com/sysdig/templates/sysdig_ct_onboarding.yaml --parameters file://params.json --capabilities CAPABILITY_NAMED_IAM`
- See the `params.json` reference in the Getting Started section

## Maintenance

### Control Tower solution

### Deployment Pipeline
- Beta. The GitHub Actions workflow is still pending review.