Using policies and triggering events

When you install the CloudFormation template for the first time, a new, disabled Runtime Policy for cloud threat detection called “Sysdig AWS Best Practices” appears in your Sysdig account.

Only rules that belong to an active Runtime Policy can be triggered by audit events. To enable the policy, open the “Policies” section of your Sysdig Secure dashboard, go to “Runtime Policies”, and click the switch to the left of its name.

This Policy includes several rules that trigger for events that are serious security concerns you should be aware of:

You can also create your own policies that include different rules; see the bundled rules section to learn about all the rules at your disposal, and the Runtime Policies section of the Sysdig documentation.

Triggering events to test the policy

The easiest way to test that the policy is working and events are triggering is to create an S3 bucket with encryption enabled and then disable that encryption (the policy will not trigger if the bucket is created without encryption in the first place, because no encryption configuration is ever deleted).

Setting encryption

To do that, visit the AWS console, navigate to the Amazon S3 section and create a bucket with Server-side encryption enabled, using the encryption key type “Amazon S3 key (SSE-S3)”.

Disabling encryption

Then, after the bucket has been created, open its Properties, click the “Edit” button in the Default encryption section, disable encryption and save your changes.

After that, you have to wait until AWS emits the CloudTrail event so it can be detected. The official CloudTrail documentation states that “CloudTrail typically delivers logs within an average of about 15 minutes of an API call. This time is not guaranteed.”

After enough time has passed, visit Sysdig Secure, click on “Events”, and you should see the security event for “Delete Bucket Encryption”.
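The console steps above correspond to two S3 API calls recorded by CloudTrail: creating the bucket with SSE-S3 produces a PutBucketEncryption record, and disabling default encryption produces the DeleteBucketEncryption record that the “Delete Bucket Encryption” rule reacts to. The following added example (written for this page, not Sysdig's code or the actual Falco rule) scans CloudTrail records in their standard JSON layout and reports the deletion, so you can see which fields the detection hinges on and why a bucket created without encryption never produces a match. The records, bucket name and account ID are constructed; the helper names are assumptions.

```python
"""Scan CloudTrail records for S3 DeleteBucketEncryption calls.

Added example for illustration (not Sysdig's code or its Falco rule).
The records below are constructed in CloudTrail's JSON format.
"""
import json
from datetime import datetime, timezone

# Constructed sample records (fake account ID, bucket and timestamps).
SAMPLE_LOG = json.dumps({
    "Records": [
        {  # bucket created with SSE-S3: sets encryption, does not match
            "eventTime": "2024-01-01T10:00:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutBucketEncryption",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": {"bucketName": "example-test-bucket"},
        },
        {  # default encryption disabled in the console: this is the match
            "eventTime": "2024-01-01T10:05:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "DeleteBucketEncryption",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": {"bucketName": "example-test-bucket"},
        },
        {  # unrelated service and API call, ignored
            "eventTime": "2024-01-01T10:06:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
            "requestParameters": {},
        },
    ]
})


def find_bucket_encryption_deletions(cloudtrail_json: str) -> list:
    """Return one alert dict per S3 DeleteBucketEncryption record."""
    records = json.loads(cloudtrail_json).get("Records", [])
    alerts = []
    for rec in records:
        # Both conditions are needed: the event name alone is not unique
        # across services, and the source alone covers every S3 call.
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") != "DeleteBucketEncryption":
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "bucket": params.get("bucketName", "<unknown>"),
            "user": (rec.get("userIdentity") or {}).get("arn", "<unknown>"),
            # errorCode is set when the call was denied; still worth seeing,
            # since a refused attempt is itself a signal.
            "error": rec.get("errorCode"),
        })
    return alerts


def delivery_lag_minutes(event_time: str, observed_time: str) -> float:
    """Minutes between the API call and when the record was observed.

    CloudTrail delivery averages about 15 minutes and is not guaranteed,
    so an empty result right after disabling encryption is expected.
    """
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    t0 = datetime.strptime(event_time, fmt).replace(tzinfo=timezone.utc)
    t1 = datetime.strptime(observed_time, fmt).replace(tzinfo=timezone.utc)
    return (t1 - t0).total_seconds() / 60


if __name__ == "__main__":
    for a in find_bucket_encryption_deletions(SAMPLE_LOG):
        print(f"{a['time']} DeleteBucketEncryption on {a['bucket']} by {a['user']}")
        print(f"  seen {delivery_lag_minutes(a['time'], '2024-01-01T10:20:00Z'):.0f} min after the call")
```

Run it as a script to see the single match; only the DeleteBucketEncryption record produces an alert, which is why a bucket that never had encryption configured cannot trigger the rule.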

Delete bucket encryption event

Continue to next sections

Do you want to check the full list of bundled CloudTrail Falco rules?

Visit the Rules bundled section.

Do you want to set up integration with AWS Security Hub?

Visit the AWS Security Hub integration section.

Ready to learn more about all of the security capabilities?

Visit the Threat Detection based on CloudTrail section.
Visit the Cloud Security Posture Management and Compliance section.
Visit the ECR Image Registry Scanning section.
Visit the Fargate Image Scanning section.