org-existing-cloudtrail-ecs-vpc-subnet.md

File metadata and controls

157 lines (118 loc) · 5.85 KB

OrganizationSetup - Existing CloudTrail - Existing ECS/VPC/Subnet

Use-Case explanation

Client Setup

  • organizational setup
    • organizational CloudTrail that reports to an SNS topic and persists events in an S3 bucket stored in the management account
    • member account usage - all required pre-existing resources live in the same account
      • CloudTrail/SNS/S3 in the management account
      • the pre-existing workload objects in the same account where the Sysdig Secure for Cloud workload is to be deployed
    • member account usage - all required resources are scattered across organizational member accounts
  • pre-existing resources
    • organizational CloudTrail, reporting to an SNS topic and delivering events to the S3 bucket
    • ECS cluster/VPC/subnet we want to use to deploy the Sysdig for Cloud workload
    • k8s cluster we want to use to deploy the Sysdig for Cloud workload

Sysdig Secure For Cloud Features

  • Threat Detection
    • all accounts of the organization (management account included)
  • Image Scanning (?)
    • ECR pushed images
    • ECS running images
  • CSPM/Compliance (?)
  • CIEM (?)

Suggested setup

For this use-case we're going to use the ./examples/organizational setup. Several roles and permissions are required for this setup to work. Before proceeding, please read the example README and check that you meet its requirements.

Please contact us if something needs to be adjusted.

Step by Step Example Guide

  1. Configure AWS_PROFILE with organization administrator credentials

  2. Choose an organizational member account where the Sysdig workload is to be deployed.

    • This account ID is provided in the SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID parameter
    • The workload-related pre-existing resources of this use-case (ECS, VPC, subnets) must live within this member account
  3. Use the organizational example snippet with the following parameters

    • General

      • AWS_REGION The same region must be used for both the organizational management account resources and the Sysdig workload member account resources.
      • SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID The member account where the Sysdig workload is to be deployed on the pre-existing ECS cluster
    • Existing Organizational CloudTrail Setup

      • CLOUDTRAIL_SNS_ARN
      • CLOUDTRAIL_S3_ARN
      • You MUST manually grant permissions on the organizational CloudTrail's SNS topic so that the AWS member-account management role OrganizationAccountAccessRole is able to perform SNS:Subscribe.
    • Existing ECS Cluster and networking setup

      • Create an ECS cluster and configure it with the existing VPC/Subnet/... network configuration suiting your needs.
        Refer to the Sysdig SaaS Region and IP Ranges documentation to get the Sysdig SaaS endpoints, and allow both outbound traffic (for the compute vulnerability report) and inbound traffic (for scheduled compliance checkups).
        An ECS-type deployment will create the following security-group setup
      • ECS_CLUSTER_NAME ex.: "sfc"
      • ECS_VPC_ID ex.: "vpc-0e91bfef6693f296b"
      • ECS_VPC_SUBNET_PRIVATE_ID_X Two private subnets of the VPC. ex.: "subnet-0c7d803ecdc88437b"
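The manual SNS:Subscribe grant required in the CloudTrail step above, as an added example (not part of the original page or of the Sysdig module): a topic policy for the organizational CloudTrail's SNS topic, applied in the management account through the default aws provider. The <...> placeholders must be replaced with your own values, and the statement Sids are assumptions.

```hcl
# Assumed: the organizational CloudTrail SNS topic lives in the management account,
# which is where the default (non-aliased) aws provider of the snippet points.
data "aws_iam_policy_document" "cloudtrail_topic" {
  # Keep CloudTrail's own publish grant: aws_sns_topic_policy replaces the whole
  # topic policy, so dropping this statement would silently break trail delivery.
  statement {
    sid       = "AllowCloudTrailPublish"
    effect    = "Allow"
    actions   = ["SNS:Publish"]
    resources = ["<CLOUDTRAIL_SNS_ARN>"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  # Least-privilege grant for the member-account management role:
  # only SNS:Subscribe, only on this topic, only for this one principal.
  statement {
    sid       = "AllowMemberRoleSubscribe"
    effect    = "Allow"
    actions   = ["SNS:Subscribe"]
    resources = ["<CLOUDTRAIL_SNS_ARN>"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::<SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID>:role/OrganizationAccountAccessRole"]
    }
  }
}

resource "aws_sns_topic_policy" "cloudtrail_topic" {
  arn    = "<CLOUDTRAIL_SNS_ARN>"
  policy = data.aws_iam_policy_document.cloudtrail_topic.json
}
```

If the topic policy already carries other statements (for example for another consumer), merge them into the document above rather than letting this resource overwrite them.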

Terraform Manifest Snippet

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
    # configuration_aliases belongs to the aws provider and is only meaningful inside a child
    # module's required_providers; the root module declares the aliased provider below instead.
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

# management account; the region must match the S3 bucket AND the SNS topic region
provider "aws" {
  region = "<AWS_REGION>"
}

# you can set up this provider as desired, this is just an example
provider "aws" {
  alias  = "member"
  region = "<AWS_REGION>"   # must match s3 AND sns region
  assume_role {
    # 'OrganizationAccountAccessRole' is the default role created by AWS for management-account
    # users to be able to administer member accounts.
    # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
    role_arn = "arn:aws:iam::<SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID>:role/OrganizationAccountAccessRole"
  }
}

module "sysdig-sfc" {
  providers = {
    aws.member = aws.member
  }

  source = "sysdiglabs/secure-for-cloud/aws//examples/organizational"
  name   = "sysdig-sfc"

  sysdig_secure_for_cloud_member_account_id = "<SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID>"

  cloudtrail_sns_arn = "<CLOUDTRAIL_SNS_ARN>"
  cloudtrail_s3_arn  = "<CLOUDTRAIL_S3_ARN>"

  ecs_cluster_name            = "<ECS_CLUSTER_NAME>"
  ecs_vpc_id                  = "<ECS_VPC_ID>"
  ecs_vpc_subnets_private_ids = ["<ECS_VPC_SUBNET_PRIVATE_ID_1>", "<ECS_VPC_SUBNET_PRIVATE_ID_2>"]
}