Using policies and triggering events
When you install the CloudFormation template for the first time, a new, disabled Runtime Policy for cloud threat detection called “Sysdig AWS Best Practices” appears in your Sysdig account.
Only rules that belong to an active Runtime Policy can be triggered by audit events. To enable it, open the “Policies” section of your Sysdig Secure dashboard, then “Runtime Policies”, and click the switch to the left of the policy's name.
This Policy includes several rules that trigger for events that are serious security concerns you should be aware of:
- Disable Security Hub
- Deactivate Hardware MFA for Root User
- Stop Configuration Recorder
- CloudTrail Trail Deleted
- Create IAM Policy that Allows All
- Deactivate MFA for User Access
- CloudTrail Multi-region Disabled
- Logged in without Using MFA
- Disable CMK Rotation
- Create Access Key for Root User
- CloudWatch Delete Alarms
- Security Hub Delete Members
- Console Root Login Without MFA
- Create Security Group Rule Allowing SSH Ingress
- Root User Executing AWS Command
- Attach Administrator Policy
- Delete Action Target
- Put Inline Policy in Group to Allow Access to All Resources
- Security Hub Disassociate From Master Account
- Delete Bucket Encryption
- Delete Virtual MFA for Root User
- Console Login Without MFA
- Delete Bucket CORS
- CloudTrail Logging Disabled
- Disable EBS Encryption by Default
- CloudTrail Logfile Encryption Disabled
- Delete Bucket Public Access Block
- Remove KMS Key Rotation
- Batch Disable Standards
- Deactivate MFA for Root User
- Get Password Data
- Delete DB Security Group
- Delete WAF Rule Group
- Create Lambda Function Not Using Latest Runtime
- Make EBS Snapshot Public
- Delete Detector
- Disable GuardDuty
- Create Customer Master Key
- Security Hub Disassociate Members
- Deactivate Virtual MFA for Root User
- Disable Import Findings for Product
Triggering events to test the policy
The easiest way to test that the policy is working and events are being triggered is to create an S3 bucket with encryption enabled and then remove that encryption (the policy will not trigger if the bucket is created without encryption in the first place).
To do that, open the AWS console, navigate to the Amazon S3 section and create a bucket with server-side encryption enabled and the encryption key type “Amazon S3 key (SSE-S3)”.
Then, after the bucket has been created, open its Properties tab, and in the Default encryption section click the “Edit” button, disable encryption and save your changes.
After that, you have to wait until AWS emits the CloudTrail event so it can be detected. The official CloudTrail documentation states that “CloudTrail typically delivers logs within an average of about 15 minutes of an API call. This time is not guaranteed.”
After enough time has passed, visit Sysdig Secure, click on “Events”, and you should be able to see the security event for “Delete Bucket Encryption”.
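To make concrete what the listed rules match on, the following Python is an added illustration (not Sysdig's Falco rule syntax or code): it evaluates a handful of the policy's rule names, including “Delete Bucket Encryption”, against constructed CloudTrail records using the standard CloudTrail fields (eventSource, eventName, userIdentity, additionalEventData). The record contents are constructed for the example.

```python
# Constructed CloudTrail records (not real audit data); only the fields the
# matchers read are filled in. The first one is what the S3 test above emits.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-test-bucket"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "management-trail"}},
    # Benign: enabling encryption should match nothing.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

def is_root(event):
    return event.get("userIdentity", {}).get("type") == "Root"

def mfa_used(event):
    # CloudTrail reports MFA use for ConsoleLogin in additionalEventData.MFAUsed
    return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"

# Rule name as listed in the policy -> predicate over one CloudTrail record.
# These conditions are this example's own, not the vendor's rule definitions.
RULES = {
    "Delete Bucket Encryption": lambda e: e.get("eventSource") == "s3.amazonaws.com"
        and e.get("eventName") == "DeleteBucketEncryption",
    "CloudTrail Trail Deleted": lambda e: e.get("eventSource") == "cloudtrail.amazonaws.com"
        and e.get("eventName") == "DeleteTrail",
    "CloudTrail Logging Disabled": lambda e: e.get("eventName") == "StopLogging",
    "Console Login Without MFA": lambda e: e.get("eventName") == "ConsoleLogin"
        and not mfa_used(e),
    "Console Root Login Without MFA": lambda e: e.get("eventName") == "ConsoleLogin"
        and is_root(e) and not mfa_used(e),
    "Create Access Key for Root User": lambda e: e.get("eventName") == "CreateAccessKey"
        and is_root(e),
}

def evaluate(events):
    """Return (rule name, eventName, actor) for every rule each record matches;
    one record can match several rules (e.g. both console-login rules)."""
    findings = []
    for e in events:
        ident = e.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type")
        for name, pred in RULES.items():
            if pred(e):
                findings.append((name, e.get("eventName"), actor))
    return findings

if __name__ == "__main__":
    for rule, event_name, actor in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {event_name} by {actor}")
```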