AWS Security Hub integration

Threat Detection events from Sysdig Secure for cloud can be integrated with AWS Security Hub, so they also appear in its findings feed.

To activate this integration, follow these steps:

1. Enable AWS Security Hub

To enable AWS Security Hub, visit this link in the same region where you have deployed Sysdig Secure for Cloud, click “Go to Security Hub”, and then, at the bottom of the next page, click “Enable Security Hub”.

Enable AWS Security Hub screen

Welcome to AWS Security Hub

2. Accept findings from Sysdig Secure

In Security Hub, click on “Integrations”, search for “Sysdig Secure for Cloud”, and click “Accept findings”.

Accept findings from Sysdig in Security

In the next screen, click “Accept Findings” again.

Confirm Sysdig integration

3. Enable AWS Security Hub in the configuration file

To enable the AWS Security Hub integration, look for the S3 bucket holding the Sysdig Secure for cloud configuration, named sysdig-cloudvision-s3configbucket-XXXXXXXX, and edit the cloud-connector.yaml file to uncomment the lines for the integration. You also have to replace the region id us-east-1 in the productArn with the region where you have deployed Sysdig Secure for cloud.

  - cloudwatch:
      logGroup: Sysdig-CloudVision-CloudConnectorStack-KTOYERFV4BFH
      logStream: alerts
#  - securityhub:
#     productArn: arn:aws:securityhub:us-east-1::product/sysdig/sysdig-cloud-connector

To do so, download the cloud-connector.yaml file to your computer, change it, and upload it to the bucket under the same name so that it overwrites the existing one.

4. Restart Sysdig Cloud Connector to load the new configuration

You have to restart the Sysdig Cloud Connector component so it picks up the new configuration. Visit the ECS section of the AWS console and click on the cluster named Sysdig-CloudVision-ECSFargateClusterStack-XXXXXXXX. Then click on the “Tasks” tab, tick the checkbox beside the Sysdig-CloudVision-CloudConnectorStack-XXXXXXX task and click the “Stop” button. Wait a few seconds and click the “Reload” icon to see an equivalent new task being created, now with the updated configuration.

Restart Cloud Connector task
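Added example (not Sysdig's code): a Python helper that performs the cloud-connector.yaml edit from step 3 and verifies the productArn region before you restart the task in step 4. It works on a constructed excerpt of the file and does not talk to S3 or ECS; the region "eu-west-1" is just an illustrative deployment region.

```python
import re

# Constructed excerpt of cloud-connector.yaml, mirroring the snippet on this page.
SAMPLE_CONFIG = """\
  - cloudwatch:
      logGroup: Sysdig-CloudVision-CloudConnectorStack-KTOYERFV4BFH
      logStream: alerts
#  - securityhub:
#     productArn: arn:aws:securityhub:us-east-1::product/sysdig/sysdig-cloud-connector
"""

PRODUCT_ARN_RE = re.compile(
    r"arn:aws:securityhub:(?P<region>[a-z0-9-]+)::product/sysdig/sysdig-cloud-connector"
)


def enable_securityhub(config_text: str, region: str) -> str:
    """Return config_text with the securityhub list item uncommented and its
    productArn pointed at `region`. Lines outside that item are left untouched,
    so running it on an already-enabled file changes nothing."""
    out, item_indent = [], None
    for line in config_text.splitlines():
        # The YAML hidden behind a leading '#', or the line itself if not commented.
        body = line[1:] if line.startswith("#") else line
        indent = len(body) - len(body.lstrip(" "))
        if body.lstrip().startswith("- securityhub:"):
            item_indent = indent  # start of the integration's list item
        elif item_indent is not None and indent <= item_indent:
            item_indent = None  # back at list level (or a blank line): item is over
        if item_indent is not None:
            # Activate the line and rewrite the region inside the productArn.
            line = PRODUCT_ARN_RE.sub(
                f"arn:aws:securityhub:{region}::product/sysdig/sysdig-cloud-connector",
                body,
            )
        out.append(line)
    return "\n".join(out) + "\n"


def securityhub_region(config_text: str):
    """Region of the active (uncommented) securityhub productArn, or None."""
    for line in config_text.splitlines():
        if line.lstrip().startswith("#") or "productArn" not in line:
            continue
        match = PRODUCT_ARN_RE.search(line)
        if match:
            return match.group("region")
    return None


def ready_to_restart(config_text: str, deployed_region: str) -> bool:
    """Check to run before stopping the ECS task: the integration must be
    active and its region must match the Sysdig Secure for cloud deployment."""
    return securityhub_region(config_text) == deployed_region
```

Upload the returned text to the bucket as cloud-connector.yaml only when ready_to_restart returns True; a mismatched region is the usual reason findings never show up.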

Integration ready

That’s all! Wait a few minutes for AWS to finish routing the findings, and CloudTrail detections from Sysdig Secure will start appearing in the “Findings” section.

Alert on AWS Security Hub

When you click on a CloudTrail finding, you will see the details associated with it, such as the rule triggered, the service affected, the user that executed the command, their IP address, etc.

Alert on AWS Security Hub

Although you may have CloudTrail enabled in more than one AWS region, you have to visit Security Hub in the same AWS region where you deployed Sysdig Secure for cloud. All findings appear there, and the details of each one indicate the AWS region it belongs to.

Continue to next sections

Ready to learn more about all of the security capabilities?

Visit the Threat Detection based on CloudTrail section.
Visit the Cloud Security Posture Management and Compliance section.
Visit the ECR Image Registry Scanning section.
Visit the Fargate Image Scanning section.
