Deployed on the target AWS account(s):
- The required IAM Role and IAM Policies (
arn:aws:iam::aws:policy/SecurityAudit) to allow Sysdig to run AWS Benchmarks on your behalf.- A Sysdig provided
ExternalIdwill be used. - This is done using
aws_cloudformation_stack_set.
- A Sysdig provided
Deployed on Sysdig Backend
- The required provisioning on Sysdig Backend to use the
ExternalId-basedIAM Role with an AssumeRole. - An
aws_foundations_bench-1.3.0benchmak task schedule on a random hour of the dayrand rand * * *
This module will be deployed as a StackSet and it will take into account newly member accounts added to the Organization.
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 3.62.0 |
| random | >= 3.1.0 |
| sysdig | >= 0.5.29 |
| Name | Version |
|---|---|
| aws | 4.26.0 |
| random | 3.3.2 |
| sysdig | 0.5.39 |
No modules.
| Name | Type |
|---|---|
| aws_cloudformation_stack_set.stackset | resource |
| aws_cloudformation_stack_set_instance.stackset_instance | resource |
| aws_iam_role.cloudbench_role | resource |
| aws_iam_role_policy_attachment.cloudbench_security_audit | resource |
| random_integer.hour | resource |
| random_integer.minute | resource |
| sysdig_secure_benchmark_task.benchmark_task | resource |
| sysdig_secure_cloud_account.cloud_account | resource |
| aws_caller_identity.me | data source |
| aws_iam_policy.security_audit | data source |
| aws_iam_policy_document.trust_relationship | data source |
| aws_organizations_organization.org | data source |
| sysdig_secure_trusted_cloud_identity.trusted_identity | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| benchmark_regions | List of regions in which to run the benchmark. If empty, the task will contain all aws regions by default. | list(string) |
[] |
no |
| is_organizational | whether secure-for-cloud should be deployed in an organizational setup | bool |
false |
no |
| name | The name of the IAM Role that will be created. | string |
"sfc-cloudbench" |
no |
| provision_in_management_account | Whether to deploy the stack in the management account | bool |
true |
no |
| region | Default region for resource creation in organization mode | string |
"eu-central-1" |
no |
| tags | sysdig secure-for-cloud tags. always include 'product' default tag for resource-group proper functioning | map(string) |
{ |
no |
No outputs.
Module is maintained by Sysdig.
Apache 2 Licensed. See LICENSE for full details.