Skip to content

Commit

Permalink
Deprecate cloud-bench
Browse files Browse the repository at this point in the history
  • Loading branch information
nkraemer-sysdig committed Oct 9, 2024
1 parent 220725f commit aa1e597
Show file tree
Hide file tree
Showing 25 changed files with 23 additions and 710 deletions.
3 changes: 0 additions & 3 deletions CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
@@ -1,4 +1 @@
* @sysdiglabs/cloud-native

# compliance
/modules/services/cloud-bench/ @haresh-suresh @nkraemer-sysdig @sysdiglabs/cloud-native
1 change: 0 additions & 1 deletion CONTRIBUTE.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@
- Use **conventional commits** | https://www.conventionalcommits.org/en/v1.0.0
- Current suggested **scopes** to be used within feat(scope), fix(scope), ...
- threat
- bench
- scan
- docs
- tests
Expand Down
67 changes: 8 additions & 59 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,54 +1,19 @@
# Sysdig Secure for Cloud in AWS

Terraform module that deploys the [**Sysdig Secure for Cloud** stack in **AWS**](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/deploy-sysdig-secure-for-cloud-on-aws).
<br/>

Provides unified threat-detection, compliance, forensics and analysis through these major components:

* **[Threat Detection](https://docs.sysdig.com/en/docs/sysdig-secure/insights/)**: Tracks abnormal and suspicious activities in your cloud environment based on Falco language. Managed through `cloud-connector` module. <br/>

* **[Compliance](https://docs.sysdig.com/en/docs/sysdig-secure/posture/compliance/compliance-unified-/)**: Enables the evaluation of standard compliance frameworks. Requires just `cloud-bench` module. <br/>

* **[Identity and Access Management](https://docs.sysdig.com/en/docs/sysdig-secure/posture/identity-and-access/)**: Analyses user access overly permissive policies. Requires both modules `cloud-connector` and `cloud-bench`. <br/>

* **[Image Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)**: Automatically scans all container images pushed to the registry (ECR) and the images that run on the AWS workload (currently ECS). Managed through `cloud-connector`. <br/>Disabled by Default, can be enabled through `deploy_image_scanning_ecr` and `deploy_image_scanning_ecs` input variable parameters.<br/>

For other Cloud providers check: [GCP](https://github.com/sysdiglabs/terraform-google-secure-for-cloud), [Azure](https://github.com/sysdiglabs/terraform-azurerm-secure-for-cloud)

<br/>
# Sunset Notice

> [!CAUTION]
> Sysdig released a new onboarding experience for AWS in September 2024. We recommend connecting your cloud accounts by [following these instructions](https://docs.sysdig.com/en/docs/sysdig-secure/connect-cloud-accounts/).
>
> This repository should be used solely in cases where Agentless Threat Detection cannot be used.
## Usage

There are several ways to deploy Secure for Cloud in you AWS infrastructure,
- **[`/examples`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples)** for the most common scenarios
There are several ways to deploy Agent based Cloud Detection and Response (CDR) in your AWS infrastructure:
- [Single Account on ECS](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-ecs/)
- [Single Account on AppRunner](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-apprunner/)
- [Single-Account with a pre-existing Kubernetes Cluster](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/single-account-k8s/)
- [Organizational](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/examples/organizational/)
- Many module,examples and use-cases, we provide ways to **re-use existing resources (as optionals)** in your
infrastructure. Check input summary on each example/module.

- **[`/use-cases`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/tree/master/use-cases)** with self-baked customer-specific alternative scenarios.
<br/>

Find specific overall service arquitecture diagrams attached to each example/use-case.

In the long-term our purpose is to evaluate those use-cases and if they're common enough, convert them into examples to make their usage easier.

If you're unsure about what/how to use this module, please fill the [questionnaire](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/use-cases/_questionnaire.md) report as an issue and let us know your context, we will be happy to help.

### Notice

* [AWS regions](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints)
* **Resource creation inventory** Find all the resources created by Sysdig examples in the resource-group `sysdig-secure-for-cloud` (AWS Resource Group & Tag Editor) <br/>
* All Sysdig Secure for Cloud features but [Image Scanning](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/) are enabled by default. You can enable it through `deploy_scanning` input variable parameters.<br/>
- **Management Account ECR image scanning** is not support since it's [not a best practice](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html#best-practices_mgmt-use) to have an ECR in the management account. However, we have a workaround to [solve this problem](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud#q-aws-scanning-images-pushed-to-management-account-ecr-are-not-scanned) in case you need to scan images pushed to the management account ECR.
* **Deployment cost** This example will create resources that cost money.<br/>Run `terraform destroy` when you don't need them anymore
* For **free subscription** users, beware that organizational examples may not deploy properly due to the [1 cloud-account limitation](https://docs.sysdig.com/en/docs/administration/administration-settings/subscription/#cloud-billing-free-tier). Open an Issue so we can help you here!


<br/>

If you're unsure about how to use this module, please contact your Sysdig representative. Our experts will guide you through the process and assist you in setting up your account securely and correctly.

## Required Permissions

Expand Down Expand Up @@ -333,22 +298,6 @@ $ curl -v https://<SYSDIG_SECURE_ENDPOINT>/api/cloud/v2/accounts/<AWS_ACCOUNT_ID
--header 'Authorization: Bearer <SYSDIG_SECURE_API_TOKEN>'
```
### Q-Benchmark: Getting Error: Not enough privileges to complete the action, Access is denied
```
Error: Not enough privileges to complete the action, Access is denied
│ with module.secure -for-cloud_organizational.module.cloud_bench_org[0].sysdig_secure_benchmark_task.benchmark_task,
│ on.terraform / modules / secure -for-cloud_organizational / modules / services / cloud - bench / main.tf line 55, in resource "sysdig_secure_benchmark_task" "benchmark_task":
│ Error: error waiting for CloudFormation StackSet(sysdig - secure - cloudbench) update: unexpected state 'FAILED', wanted target 'SUCCEEDED'.last error: Operation(terraform - 20221130212414336200000001) Results: 6 errors occurred:
│ * Account(***) Region(us - east - 1) Status(SUCCEEDED) Status Reason: No updates are to be performed.
│ * Account(***) Region(us - east - 1) Status(FAILED) Status Reason: Account *** should have
'stacksets-exec-70e2f8a88d368a5d3df60f4eb8c247dc' role with trust relationship to Role 'aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin
```
A: For **Organizational** Setup for cloudbench (deployed through management account / delegated administrator vía stackset) make sure it's being deployed in the management account. [enable organizational trusted access to stackset](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) as part of the [prerequisites for stackset operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html)
### Q-RuntimeThreat Detection: Getting error 403 `"could not load rule set from Sysdig Secure: ruleprovider#newPartialRuleSet | error loading default-rules: error from Sysdig Secure API: 403`
A: The Sysdig User that deployed the components is a standard user within the Sysdig Platform. Only administrator users are given permissions to read falco rule sets. Once this permission is changed, you should no longer get this error and CSPM Cloud events should start populating.
Expand Down
6 changes: 0 additions & 6 deletions examples/organizational/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,14 +74,12 @@ Role usage for this example comes as follows. Check [permissions](../../README.m
- used by Sysdig to subscribe to cloudtrail events
- used by Sysdig, for image scanning feature, to `assumeRole` on `OrganizationAccountAccessRole` to be able to fetch image data from ECS Tasks and scan ECR hosted images
<!-- - assuming previous role will also enable the access of cloudtrail s3 buckets when they are in a different region than were the terraform module is deployed -->
- `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark

- **member accounts**
- terraform aws provider: 'member' aliased
- this provider can be configured as desired, we just provide a default option
- by default, we suggest using an assumeRole to the [AWS created default role `OrganizationAccountAccessRole`](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html)
- if this role does not exist provide input var `organizational_member_default_admin_role` with the role
- `SysdigCloudBench` role will be created for SecurityAudit read-only purpose, used by Sysdig to benchmark

- **sysdig workload member account**
- if ECS workload is deployed, `ECSTaskRole` will be used to define its permissions
Expand Down Expand Up @@ -160,8 +158,6 @@ $ terraform apply

| Name | Source | Version |
|------|--------|---------|
| <a name="module_cloud_bench_org"></a> [cloud\_bench\_org](#module\_cloud\_bench\_org) | ../../modules/services/cloud-bench | n/a |
| <a name="module_cloud_bench_single"></a> [cloud\_bench\_single](#module\_cloud\_bench\_single) | ../../modules/services/cloud-bench | n/a |
| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector-ecs | n/a |
| <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
| <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
Expand Down Expand Up @@ -191,8 +187,6 @@ $ terraform apply
| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether the created cloudtrail should deliver encrypted events to s3 | `bool` | `true` | no |
| <a name="input_cloudtrail_s3_bucket_expiration_days"></a> [cloudtrail\_s3\_bucket\_expiration\_days](#input\_cloudtrail\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
| <a name="input_connector_ecs_task_role_name"></a> [connector\_ecs\_task\_role\_name](#input\_connector\_ecs\_task\_role\_name) | Name for the ecs task role. This is only required to resolve cyclic dependency with organizational approach | `string` | `"organizational-ECSTaskRole"` | no |
| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
| <a name="input_deploy_benchmark_organizational"></a> [deploy\_benchmark\_organizational](#input\_deploy\_benchmark\_organizational) | true/false whether benchmark module should be deployed on organizational or single-account mode (1 role per org accounts if true, 1 role in default aws provider account if false)</li></ul> | `bool` | `true` | no |
| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
| <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
Expand Down
29 changes: 0 additions & 29 deletions examples/organizational/cloud-bench.tf

This file was deleted.

17 changes: 0 additions & 17 deletions examples/organizational/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -110,23 +110,6 @@ variable "deploy_image_scanning_ecs" {
}


#
# benchmark configuration
#

variable "deploy_benchmark" {
type = bool
description = "Whether to deploy or not the cloud benchmarking"
default = true
}

variable "deploy_benchmark_organizational" {
type = bool
default = true
description = "true/false whether benchmark module should be deployed on organizational or single-account mode (1 role per org accounts if true, 1 role in default aws provider account if false)</li></ul>"
}


#---------------------------------
# ecs, security group, vpc
#---------------------------------
Expand Down
2 changes: 0 additions & 2 deletions examples/single-account-apprunner/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,6 @@ $ terraform apply

| Name | Source | Version |
|------|--------|---------|
| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector-apprunner | n/a |
| <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
| <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
Expand All @@ -100,7 +99,6 @@ $ terraform apply
| <a name="input_cloudtrail_is_multi_region_trail"></a> [cloudtrail\_is\_multi\_region\_trail](#input\_cloudtrail\_is\_multi\_region\_trail) | true/false whether cloudtrail will ingest multiregional events | `bool` | `true` | no |
| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
| <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
| <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
Expand Down
7 changes: 0 additions & 7 deletions examples/single-account-apprunner/benchmark.tf

This file was deleted.

10 changes: 0 additions & 10 deletions examples/single-account-apprunner/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -48,16 +48,6 @@ variable "deploy_image_scanning_ecs" {
default = false
}

#
# benchmark configuration
#

variable "deploy_benchmark" {
type = bool
description = "Whether to deploy or not the cloud benchmarking"
default = true
}

#
# general
#
Expand Down
2 changes: 0 additions & 2 deletions examples/single-account-ecs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,6 @@ $ terraform apply

| Name | Source | Version |
|------|--------|---------|
| <a name="module_cloud_bench"></a> [cloud\_bench](#module\_cloud\_bench) | ../../modules/services/cloud-bench | n/a |
| <a name="module_cloud_connector"></a> [cloud\_connector](#module\_cloud\_connector) | ../../modules/services/cloud-connector-ecs | n/a |
| <a name="module_cloudtrail"></a> [cloudtrail](#module\_cloudtrail) | ../../modules/infrastructure/cloudtrail | n/a |
| <a name="module_codebuild"></a> [codebuild](#module\_codebuild) | ../../modules/infrastructure/codebuild | n/a |
Expand All @@ -103,7 +102,6 @@ $ terraform apply
| <a name="input_cloudtrail_kms_enable"></a> [cloudtrail\_kms\_enable](#input\_cloudtrail\_kms\_enable) | true/false whether cloudtrail delivered events to S3 should persist encrypted | `bool` | `true` | no |
| <a name="input_cloudtrail_s3_bucket_expiration_days"></a> [cloudtrail\_s3\_bucket\_expiration\_days](#input\_cloudtrail\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
| <a name="input_cloudtrail_sns_arn"></a> [cloudtrail\_sns\_arn](#input\_cloudtrail\_sns\_arn) | ARN of a pre-existing cloudtrail\_sns. If defaulted, a new cloudtrail will be created. If specified, sysdig deployment account and region must match with the specified SNS | `string` | `"create"` | no |
| <a name="input_deploy_benchmark"></a> [deploy\_benchmark](#input\_deploy\_benchmark) | Whether to deploy or not the cloud benchmarking | `bool` | `true` | no |
| <a name="input_deploy_beta_image_scanning_ecr"></a> [deploy\_beta\_image\_scanning\_ecr](#input\_deploy\_beta\_image\_scanning\_ecr) | true/false whether to deploy the beta image scanning on ECR pushed images (experimental and unsupported) | `bool` | `false` | no |
| <a name="input_deploy_image_scanning_ecr"></a> [deploy\_image\_scanning\_ecr](#input\_deploy\_image\_scanning\_ecr) | true/false whether to deploy the image scanning on ECR pushed images | `bool` | `false` | no |
| <a name="input_deploy_image_scanning_ecs"></a> [deploy\_image\_scanning\_ecs](#input\_deploy\_image\_scanning\_ecs) | true/false whether to deploy the image scanning on ECS running images | `bool` | `false` | no |
Expand Down
7 changes: 0 additions & 7 deletions examples/single-account-ecs/benchmark.tf

This file was deleted.

11 changes: 0 additions & 11 deletions examples/single-account-ecs/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -99,17 +99,6 @@ variable "deploy_image_scanning_ecs" {
default = false
}


#
# benchmark configuration
#

variable "deploy_benchmark" {
type = bool
description = "Whether to deploy or not the cloud benchmarking"
default = true
}

#
# cloud connector connector configuration
#
Expand Down
7 changes: 0 additions & 7 deletions examples/single-account-k8s/benchmark.tf

This file was deleted.

9 changes: 0 additions & 9 deletions examples/single-account-k8s/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -61,15 +61,6 @@ variable "deploy_image_scanning_ecs" {
}


#
# benchmark configuration
#
variable "deploy_benchmark" {
type = bool
description = "Whether to deploy or not the cloud benchmarking"
default = true
}

#
# aws iam user configuration
#
Expand Down
Loading

0 comments on commit aa1e597

Please sign in to comment.